New submission from Daniel Kang <[email protected]>: ffmpeg crashes on .tif files with invalid headers. When reading the bits-per-sample (bpp) data, the check on `count` is performed only after the data has already been read, so an invalid `count` makes the TIFF decoder read past the end of the tag data and crash (SIGSEGV in tiff_decode_tag, see the gdb session below). I have attached a patch that moves the check before the data is read.
gdb run:
(gdb) r -i ../fuzzed.tif del.jpg
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.tif del.jpg
[Thread debugging using libthread_db enabled]
FFmpeg version git-605594b, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 6 2011 14:25:38 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.102. 0 / 52.102. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
Program received signal SIGSEGV, Segmentation fault.
tiff_decode_tag (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/tiff.c:275
275 for(i = 0; i < count; i++) s->bpp += tget(&buf, type,
s->le);
(gdb) bt
#0 tiff_decode_tag (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/tiff.c:275
#1 decode_frame (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/tiff.c:498
#2 0x0000000000756190 in avcodec_decode_video2 (avctx=0x1202260,
picture=0x7fffffffd160, got_picture_ptr=0x7fffffffd43c, avpkt=0x1206910) at
libavcodec/utils.c:632
#3 0x00000000004d7850 in try_decode_frame (ic=0x11ff510) at
libavformat/utils.c:2080
#4 av_find_stream_info (ic=0x11ff510) at libavformat/utils.c:2361
#5 0x000000000043162b in opt_input_file (filename=0x7fffffffdafe
"../fuzzed.tif") at ffmpeg.c:3214
#6 0x000000000043b7ec in parse_options (argc=4, argv=0x7fffffffd758,
options=<value optimized out>, parse_arg_function=0x438200 <opt_output_file>) at
cmdutils.c:208
#7 0x00000000004377f2 in main (argc=4, argv=0x7fffffffd758) at ffmpeg.c:4343
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x747010 to 0x747050:
0x0000000000747010 <decode_frame+4032>: add %cl,(%rdi)
0x0000000000747012 <decode_frame+4034>: mov -0x74bb0001(%rsp,%rsi,8),%ds
0x0000000000747019 <decode_frame+4041>: mov (%rcx,%rax,1),%edi
0x000000000074701c <decode_frame+4044>: add %al,(%rax)
0x000000000074701e <decode_frame+4046>: xor %ecx,%ecx
0x0000000000747020 <decode_frame+4048>: xor %eax,%eax
0x0000000000747022 <decode_frame+4050>: test %r9d,%r9d
0x0000000000747025 <decode_frame+4053>: jne 0x747388 <decode_frame+4920>
0x000000000074702b <decode_frame+4059>: cmp $0x4,%edi
0x000000000074702e <decode_frame+4062>: je 0x747053 <decode_frame+4099>
0x0000000000747030 <decode_frame+4064>: movzwl (%rsi),%edx
0x0000000000747033 <decode_frame+4067>: add $0x1,%eax
0x0000000000747036 <decode_frame+4070>: add $0x2,%rsi
0x000000000074703a <decode_frame+4074>: ror $0x8,%dx
0x000000000074703e <decode_frame+4078>: movzwl %dx,%edx
0x0000000000747041 <decode_frame+4081>: add %edx,%ecx
0x0000000000747043 <decode_frame+4083>: cmp %r10d,%eax
0x0000000000747046 <decode_frame+4086>: mov %ecx,0x138(%rbx)
0x000000000074704c <decode_frame+4092>: jne 0x747030 <decode_frame+4064>
0x000000000074704e <decode_frame+4094>: jmpq 0x7464ad <decode_frame+1117>
End of assembler dump.
(gdb) info all-registers
rax 0x103a7 66471
rbx 0x1202720 18884384
rcx 0x11bf2d 1163053
rdx 0x0 0
rsi 0x123d000 19124224
rdi 0x3 3
rbp 0x121c8b2 0x121c8b2
rsp 0x7fffffffcfb0 0x7fffffffcfb0
r8 0x2 2
r9 0x0 0
r10 0x50000043 1342177347
r11 0x0 0
r12 0x2 2
r13 0x121c994 18991508
r14 0x2011 8209
r15 0x120e9c0 18934208
rip 0x747030 0x747030 <decode_frame+4064>
eflags 0x10283 [ CF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0xff,
0xff, 0xff, 0xff, 0x0,
0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff}, v8_int16 = {0x0, 0x0, 0xffff,
0xffff, 0x0, 0x0, 0xffff, 0xffff}, v4_int32 = {0x0, 0xffffffff, 0x0,
0xffffffff},
v2_int64 = {0xffffffff00000000, 0xffffffff00000000}, uint128 =
0xffffffff00000000ffffffff00000000}
---Type <return> to continue, or q <return> to quit---
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x0 <repeats 13 times>, 0xff, 0xff, 0xff},
v8_int16 = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0xff00, 0xffff}, v4_int32 = {0x0, 0x0, 0x0, 0xffffff00},
v2_int64 = {0x0, 0xffffff0000000000}, uint128 =
0xffffff00000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x0, 0xff <repeats 15
times>}, v8_int16 = {0xff00,
0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, v4_int32 =
{0xffffff00, 0xffffffff, 0xffffffff, 0xffffffff}, v2_int64 =
{0xffffffffffffff00,
0xffffffffffffffff}, uint128 = 0xffffffffffffffffffffffffffffff00}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x1e400000}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x54, 0x72, 0x69, 0x65,
0x64, 0x20, 0x74,
0x6f, 0x20, 0x63, 0x6f, 0x70, 0x79, 0x20, 0x41, 0x56}, v8_int16 = {0x7254,
0x6569, 0x2064, 0x6f74, 0x6320, 0x706f, 0x2079, 0x5641}, v4_int32 = {0x65697254,
0x6f742064, 0x706f6320, 0x56412079}, v2_int64 = {0x6f74206465697254,
0x56412079706f6320}, uint128 = 0x56412079706f63206f74206465697254}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d,
0x0},
uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a,
0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229,
0x0},
uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3,
0x0},
uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0,
0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: tif_move_check_up.diff
messages: 13255
priority: normal
status: open
substatus: open
title: ffmpeg crashes on tif files with invalid headers
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2500>
________________________________________________
tif_move_check_up.diff
Description: Binary data
