New submission from Daniel Kang <[email protected]>:

ffmpeg crashes on bfi files with invalid frame sizes. When decoding a frame, it
will over-read the buffer if the frame size (calculated from the resolution) is
larger than the actual frame.

The patch attached fixes this issue.
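The attached patch is not reproduced on this page, so the following is an added example rather than the patch or FFmpeg's own libavcodec/bfi.c. It shows the two checks a decoder in this position needs: a frame-size sanity check done before the packet is touched (width*height against the output buffer, with the product formed in 64 bits so it cannot wrap), and an input-side bounds check on every read inside the decode loop, which is the check whose absence produces the over-read the report describes. The run-length format, the `decode_frame`/`decode_rle`/`run_case` names and the packets are constructed for illustration and are not the BFI bitstream.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: not FFmpeg's bfi.c and not the attached patch. */

typedef enum {
    DECODE_OK = 0,
    DECODE_BAD_SIZE = -1,     /* width*height does not fit the output buffer */
    DECODE_SHORT_INPUT = -2,  /* packet ends before the frame is complete   */
    DECODE_OUTPUT_FULL = -3   /* a run would write past the end of the frame */
} decode_status;

/* Toy run-length expansion (hypothetical format, not the BFI bitstream):
 * the packet is a sequence of (count, value) byte pairs.  Each input read
 * and each output write is checked against its buffer end; the reported
 * crash is what happens when the input side of that check is missing. */
static decode_status decode_rle(const uint8_t *buf, size_t buf_size,
                                uint8_t *dst, size_t frame_bytes,
                                size_t *written)
{
    const uint8_t *buf_end = buf + buf_size;
    size_t pos = 0;

    while (pos < frame_bytes) {
        if (buf_end - buf < 2)                 /* would read past the packet */
            return DECODE_SHORT_INPUT;
        size_t count = *buf++;
        uint8_t value = *buf++;
        if (count > frame_bytes - pos)         /* would write past the frame */
            return DECODE_OUTPUT_FULL;
        memset(dst + pos, value, count);
        pos += count;
    }
    *written = pos;
    return DECODE_OK;
}

/* Frame-size sanity check done before any byte of the packet is decoded.
 * pal8 is one byte per pixel, so the frame needs width*height bytes; the
 * product is formed in 64 bits so it cannot wrap for 32-bit dimensions. */
static decode_status decode_frame(uint32_t width, uint32_t height,
                                  const uint8_t *pkt, size_t pkt_size,
                                  uint8_t *dst, size_t dst_size,
                                  size_t *written)
{
    uint64_t frame_bytes = (uint64_t)width * height;
    if (width == 0 || height == 0 || frame_bytes > dst_size)
        return DECODE_BAD_SIZE;
    return decode_rle(pkt, pkt_size, dst, (size_t)frame_bytes, written);
}

/* Constructed packets for a 4x2 pal8 frame (8 bytes of output). */
static const uint8_t PKT_GOOD[]  = { 8, 0xAB };   /* exactly fills the frame */
static const uint8_t PKT_SHORT[] = { 3, 0x01 };   /* 5 bytes still missing   */
static const uint8_t PKT_LONG[]  = { 9, 0x01 };   /* one byte too many       */

/* Number of output bytes produced by the most recent run_case() call. */
static size_t last_written;

/* Decodes one packet into a fixed 64-byte frame buffer and returns the status. */
static decode_status run_case(uint32_t width, uint32_t height,
                              const uint8_t *pkt, size_t pkt_size)
{
    static uint8_t frame[64];
    last_written = 0;
    return decode_frame(width, height, pkt, pkt_size,
                        frame, sizeof frame, &last_written);
}

int main(void)
{
    printf("good packet : %d (wrote %zu bytes)\n",
           run_case(4, 2, PKT_GOOD, sizeof PKT_GOOD), last_written);
    printf("short packet: %d\n", run_case(4, 2, PKT_SHORT, sizeof PKT_SHORT));
    printf("long run    : %d\n", run_case(4, 2, PKT_LONG, sizeof PKT_LONG));
    /* the 320x131212 resolution from the report against a 64-byte buffer */
    printf("bad size    : %d\n", run_case(320, 131212, PKT_GOOD, sizeof PKT_GOOD));
    return 0;
}
```

The size check alone is not enough: the 320x131212 stream in the report is rejected up front, but a packet whose header dimensions are plausible and whose payload is simply truncated is only caught by the per-read check inside the loop, so both belong in the decoder.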

gdb run:
(gdb) r -i ../fuzzed.bfi del.avi
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.bfi del.avi
[Thread debugging using libthread_db enabled]
FFmpeg version git-a4f892e, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  5 2011 23:11:09 with gcc 4.4.5
  configuration: --enable-gpl
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.102. 0 / 52.102. 0
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 3 / 52. 2. 3
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
[bfi @ 0x11ff510] Estimating duration from bitrate, this may be inaccurate
Input #0, bfi, from '../fuzzed.bfi':
  Duration: 00:01:18.77, start: 0.000000, bitrate: 88 kb/s
    Stream #0.0: Video: bfi, pal8, 320x131212, 9 tbr, 9 tbn, 9 tbc
    Stream #0.1: Audio: pcm_u8, 11025 Hz, 1 channels, u8, 88 kb/s
[NULL @ 0x12067b0] Requested sampling rate unsupported using closest supported
(16000)
File 'del.avi' already exists. Overwrite ? [y/N] y
[buffer @ 0x1204540] w:320 h:131212 pixfmt:pal8
[ffsink @ 0x1207f80] auto-inserting filter 'auto-inserted scaler 0' between the
filter 'src' and the filter 'out'
[scale @ 0x1208280] w:320 h:131212 fmt:pal8 -> w:320 h:131212 fmt:yuv420p
flags:0xa0000004
Output #0, avi, to 'del.avi':
  Metadata:
    ISFT            : Lavf52.92.0
    Stream #0.0: Video: mpeg4, yuv420p, 320x131212, q=2-31, 200 kb/s, 9 tbn, 9 
tbc
    Stream #0.1: Audio: mp2, 16000 Hz, 1 channels, s16, 64 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding
Warning, using s16 intermediate sample format for resampling
frame=    2 fps=  2 q=8.0 size=    2082kB time=0.14 bitrate=118448.6kbits/s
Program received signal SIGSEGV, Segmentation fault.
bfi_decode_frame (avctx=0x1201eb0, data=<value optimized out>, data_size=<value
optimized out>, avpkt=<value optimized out>) at libavcodec/bfi.c:98
98         unsigned int byte = *buf++, av_uninit(offset);
(gdb) bt
#0  bfi_decode_frame (avctx=0x1201eb0, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at 
libavcodec/bfi.c:98
#1  0x0000000000755f50 in avcodec_decode_video2 (avctx=0x1201eb0,
picture=0x7fffffffc4d0, got_picture_ptr=0x7fffffffc70c, avpkt=0x7fffffffc650)
    at libavcodec/utils.c:632
#2  0x0000000000434ad9 in output_packet (ist=0x1206e00, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4b0)
    at ffmpeg.c:1550
#3  0x00000000004368d7 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
    nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#4  0x0000000000437843 in main (argc=4, argv=<value optimized out>) at 
ffmpeg.c:4363
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x4fdd69 to 0x4fdda9:
0x00000000004fdd69 <bfi_decode_frame+281>: mov    %ecx,%edx
0x00000000004fdd6b <bfi_decode_frame+283>: mov    %rcx,0x8(%rsp)
0x00000000004fdd70 <bfi_decode_frame+288>: callq  0x4048d8 <mem...@plt>
0x00000000004fdd75 <bfi_decode_frame+293>: mov    0x8(%rsp),%rcx
0x00000000004fdd7a <bfi_decode_frame+298>: add    %rcx,%rbx
0x00000000004fdd7d <bfi_decode_frame+301>: add    %rcx,%rbp
0x00000000004fdd80 <bfi_decode_frame+304>: cmp    %rbp,%r12
0x00000000004fdd83 <bfi_decode_frame+307>: je     0x4fdee0 
<bfi_decode_frame+656>
0x00000000004fdd89 <bfi_decode_frame+313>: movzbl (%rbx),%eax
0x00000000004fdd8c <bfi_decode_frame+316>: add    $0x1,%rbx
0x00000000004fdd90 <bfi_decode_frame+320>: mov    %eax,%edx
0x00000000004fdd92 <bfi_decode_frame+322>: shr    $0x6,%edx
0x00000000004fdd95 <bfi_decode_frame+325>: and    $0xffffff3f,%eax
0x00000000004fdd9a <bfi_decode_frame+330>: je     0x4fdd10 
<bfi_decode_frame+192>
0x00000000004fdda0 <bfi_decode_frame+336>: cmp    $0x1,%edx
0x00000000004fdda3 <bfi_decode_frame+339>: jne    0x4fdd2a 
<bfi_decode_frame+218>
0x00000000004fdda5 <bfi_decode_frame+341>: add    $0x1,%rbx
End of assembler dump.
(gdb) info all-registers
rax            0x7fffdfe0cd25 140736949439781
rbx            0x382ed000 942592000
rcx            0x0 0
rdx            0x0 0
rsi            0x382ed000 942592000
rdi            0x7fffdfe0cd25 140736949439781
rbp            0x7fffdfe0cd25 0x7fffdfe0cd25
rsp            0x7fffffffc230 0x7fffffffc230
r8             0x428e01129502400 299735739532321792
r9             0x4fa1c5c852e144e3 5738084864421348579
r10            0x2c678355c3723658 3199670464644527704
r11            0x1098 4248
r12            0x7fffe1d6cf10 140736982339344
r13            0x1201eb0 18882224
r14            0x1450cc0 21302464
r15            0x9 9
rip            0x4fdd89 0x4fdd89 <bfi_decode_frame+313>
eflags         0x10216 [ PF AF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0 0
es             0x0 0
fs             0x0 0
gs             0x0 0
st0            -nan(0x00000002f) (raw 0xffff000000000000002f)
st1            -nan(0x000000011) (raw 0xffff0000000000000011)
st2            -inf (raw 0xffff0000000000000000)
st3            -nan(0xe758471c71c72000) (raw 0xffffe758471c71c72000)
st4            -nan(0x9800980078007d) (raw 0xffff009800980078007d)
st5            -nan(0x4e004100660083) (raw 0xffff004e004100660083)
st6            -nan(0xe758000000000000) (raw 0xffffe758000000000000)
st7            -inf (raw 0xffff0000000000000000)
fctrl          0x37f 895
fstat          0x0 0
ftag           0xffff 65535
fiseg          0x0 0
fioff          0x0 0
foseg          0x0 0
fooff          0x0 0
fop            0x0 0
xmm0           {v4_float = {0x0, 0x1, 0x0, 0x1}, v2_double = {0x0, 0x0},
v16_int8 = {0x1c, 0xc7, 0x71, 0x1c, 0xc7, 0x71, 0xcc, 0x3f, 0x0, 0x0, 0x0, 0x60,
0x7b, 0xd5,
    0xa3, 0x3f}, v8_int16 = {0xc71c, 0x1c71, 0x71c7, 0x3fcc, 0x0, 0x6000,
0xd57b, 0x3fa3}, v4_int32 = {0x1c71c71c, 0x3fcc71c7, 0x60000000, 0x3fa3d57b},
v2_int64 = {
    0x3fcc71c71c71c71c, 0x3fa3d57b60000000}, uint128 =
0x3fa3d57b600000003fcc71c71c71c71c}
---Type <return> to continue, or q <return> to quit---
xmm1           {v4_float = {0x0, 0x1, 0x0, 0x1}, v2_double = {0x0, 0x0},
v16_int8 = {0x1c, 0xc7, 0x71, 0x1c, 0xc7, 0x71, 0xcc, 0x3f, 0x0, 0x0, 0x0, 0x60,
0x7b, 0xd5,
    0xa3, 0x3f}, v8_int16 = {0xc71c, 0x1c71, 0x71c7, 0x3fcc, 0x0, 0x6000,
0xd57b, 0x3fa3}, v4_int32 = {0x1c71c71c, 0x3fcc71c7, 0x60000000, 0x3fa3d57b},
v2_int64 = {
    0x3fcc71c71c71c71c, 0x3fa3d57b60000000}, uint128 =
0x3fa3d57b600000003fcc71c71c71c71c}
xmm2           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x3b, 0xdf, 0x4f, 0x8d, 0x97, 0x6e, 0xb2, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0xdf3b, 0x8d4f, 0x6e97, 0x3fb2, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x8d4fdf3b, 0x3fb26e97, 0x0, 0x0}, v2_int64 = {0x3fb26e978d4fdf3b, 
0x0},
  uint128 = 0x00000000000000003fb26e978d4fdf3b}
xmm3           {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x7d, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x5f, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x4000, 0x405f, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x405f4000, 0x0, 0x0}, v2_int64 = {0x405f400000000000, 0x0},
  uint128 = 0x0000000000000000405f400000000000}
xmm4           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
  uint128 = 0x00000000000000003ff0000000000000}
xmm5           {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x80, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x4060, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x40600000, 0x0, 0x0}, v2_int64 = {0x4060000000000000, 0x0},
  uint128 = 0x00000000000000004060000000000000}
xmm6           {v4_float = {0x0, 0x7, 0x0, 0x0}, v2_double = {0x8000, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x40e0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x40e00000, 0x0, 0x0}, v2_int64 = {0x40e0000000000000, 0x0},
  uint128 = 0x000000000000000040e0000000000000}
xmm7           {v4_float = {0x0, 0x1c, 0x0, 0x0}, v2_double = {0x80000000, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x41e0, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x0, 0x41e00000, 0x0, 0x0}, v2_int64 = {0x41e0000000000000, 0x0},
  uint128 = 0x000000000000000041e0000000000000}
xmm8           {v4_float = {0x0, 0xd0, 0x0, 0x0}, v2_double = {0x4380663abb8000,
0x0}, v16_int8 = {0x0, 0xe0, 0xae, 0x8e, 0x19, 0xe0, 0x50, 0x43, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe000, 0x8eae, 0xe019, 0x4350, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x8eaee000, 0x4350e019, 0x0, 0x0}, v2_int64 = {
    0x4350e0198eaee000, 0x0}, uint128 = 0x00000000000000004350e0198eaee000}
xmm9           {v4_float = {0x0, 0xb, 0x0, 0x0}, v2_double = {0x170cec, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0xec, 0xc, 0x37, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0}, v8_int16 = {0x0, 0x0, 0xcec, 0x4137, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x41370cec, 0x0, 0x0}, v2_int64 = {0x41370cec00000000, 0x0},
  uint128 = 0x000000000000000041370cec00000000}
xmm10          {v4_float = {0x0, 0x4b, 0x0, 0x0}, v2_double = {0x5ffffffffff,
0x0}, v16_int8 = {0x2c, 0xfd, 0xff, 0xff, 0xff, 0xff, 0x97, 0x42, 0x0, 0x0, 0x0,
0x0,
    0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xfd2c, 0xffff, 0xffff, 0x4297, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0xfffffd2c, 0x4297ffff, 0x0, 0x0}, v2_int64 = {
    0x4297fffffffffd2c, 0x0}, uint128 = 0x00000000000000004297fffffffffd2c}
xmm11          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xa, 0xc, 0x10, 0x99, 0xa6, 0x61, 0x6a, 0xbe, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0xc0a, 0x9910, 0x61a6, 0xbe6a, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x99100c0a, 0xbe6a61a6, 0x0, 0x0}, v2_int64 = {0xbe6a61a699100c0a, 
0x0},
  uint128 = 0x0000000000000000be6a61a699100c0a}
xmm12          {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3fe0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3fe00000, 0x0, 0x0}, v2_int64 = {0x3fe0000000000000, 0x0},
  uint128 = 0x00000000000000003fe0000000000000}
xmm13          {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3fe0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3fe00000, 0x0, 0x0}, v2_int64 = {0x3fe0000000000000, 0x0},
  uint128 = 0x00000000000000003fe0000000000000}
xmm14          {v4_float = {0x0, 0xb, 0x0, 0xb}, v2_double = {0x170cec,
0x170cec}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0xec, 0xc, 0x37, 0x41, 0x0, 0x0, 0x0,
0x0, 0xec,
    0xc, 0x37, 0x41}, v8_int16 = {0x0, 0x0, 0xcec, 0x4137, 0x0, 0x0, 0xcec,
0x4137}, v4_int32 = {0x0, 0x41370cec, 0x0, 0x41370cec}, v2_int64 =
{0x41370cec00000000,
    0x41370cec00000000}, uint128 = 0x41370cec0000000041370cec00000000}
xmm15          {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x87, 0xc7, 0xde, 0xfc, 0xd1, 0x21, 0x89, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
---Type <return> to continue, or q <return> to quit---
    0x0, 0x0}, v8_int16 = {0xc787, 0xfcde, 0x21d1, 0x3f89, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xfcdec787, 0x3f8921d1, 0x0, 0x0}, v2_int64 = {0x3f8921d1fcdec787, 
0x0},
  uint128 = 0x00000000000000003f8921d1fcdec787}
mxcsr          0x1fa0 [ PE IM DM ZM OM UM PM ]

----------
files: bfi_buffer_sanity_check.diff
messages: 13241
priority: normal
status: open
substatus: open
title: ffmpeg crashes on bfi files with invalid frame sizes
type: bug

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2497>
________________________________________________

Attachment: bfi_buffer_sanity_check.diff