New submission from Daniel Kang <[email protected]>: For fli files with invalid frame sizes, ffmpeg crashes with a buffer overread. This happens because ffmpeg does not check whether stream_ptr has moved beyond the end of the buffer before reading from it. The attached patch adds that check.
gdb run:
(gdb) r -i ../fuzzed.fli del.mkv
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.fli del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-1fb4c1f, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 9 2011 14:47:50 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.108. 0 / 52.108. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[flic @ 0x1202510] Estimating duration from bitrate, this may be inaccurate
Input #0, flic, from '../fuzzed.fli':
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0.0: Video: flic, pal8, 320x200, 35 tbr, 35 tbn, 35 tbc
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x120b500] w:320 h:200 pixfmt:pal8
[ffsink @ 0x12416c0] auto-inserting filter 'auto-inserted scaler 0' between the
filter 'src' and the filter 'out'
[scale @ 0x12419c0] w:320 h:200 fmt:pal8 -> w:320 h:200 fmt:yuv420p
flags:0xa0000004
Output #0, matroska, to 'del.mkv':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: mpeg4, yuv420p, 320x200, q=2-31, 200 kb/s, 1k tbn, 35
tbc
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
Program received signal SIGSEGV, Segmentation fault.
0x00000000005bed26 in flic_decode_frame_8BPP (avctx=<value optimized out>,
data=<value optimized out>, data_size=<value optimized out>, avpkt=<value
optimized out>)
at libavcodec/flicvideo.c:183
183 chunk_size = AV_RL32(&buf[stream_ptr]);
(gdb) bt
#0 0x00000000005bed26 in flic_decode_frame_8BPP (avctx=<value optimized out>,
data=<value optimized out>, data_size=<value optimized out>,
avpkt=<value optimized out>) at libavcodec/flicvideo.c:183
#1 flic_decode_frame (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>)
at libavcodec/flicvideo.c:713
#2 0x00000000007586d8 in avcodec_decode_video2 (avctx=0x1204eb0,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc70c, avpkt=0x7fffffffc650)
at libavcodec/utils.c:637
#3 0x0000000000434c09 in output_packet (ist=0x1205800, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4b0)
at ffmpeg.c:1550
#4 0x0000000000436a07 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#5 0x0000000000437973 in main (argc=4, argv=<value optimized out>) at
ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
A syntax error in expression, near `$pc+32'.
(gdb) info all-registers
rax 0x20031a 2097946
rbx 0xfc 252
rcx 0x2 2
rdx 0x200301 2097921
rsi 0x100 256
rdi 0x1205c1c 18897948
rbp 0x1205c1b 0x1205c1b
rsp 0x7fffffffc1c0 0x7fffffffc1c0
r8 0x1205c1a 18897946
r9 0x31a 794
r10 0x100 256
r11 0x100 256
r12 0x20031a 2097946
r13 0x1 1
r14 0x1205900 18897152
r15 0x12f63a0 19882912
rip 0x5bed26 0x5bed26 <flic_decode_frame+2246>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x00000003c) (raw 0xffff000000000000003c)
st1 -nan(0x000000004) (raw 0xffff0000000000000004)
st2 -nan(0x000000002) (raw 0xffff0000000000000002)
st3 -nan(0x3000000000000000) (raw 0xffff3000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 -nan(0x3000000000000000) (raw 0xffff3000000000000000)
st7 -inf (raw 0xffff0000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x80 <repeats 16 times>}, v8_int16 = {0x8080, 0x8080, 0x8080,
0x8080, 0x8080,
0x8080, 0x8080, 0x8080}, v4_int32 = {0x80808080, 0x80808080, 0x80808080,
0x80808080}, v2_int64 = {0x8080808080808080, 0x8080808080808080},
uint128 = 0x80808080808080808080808080808080}
---Type <return> to continue, or q <return> to quit---
xmm1 {v4_float = {0x0, 0x4d680000, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x7d, 0xc3, 0x94, 0x25, 0xad, 0x49, 0xb2,
0x54, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xc37d, 0x2594, 0x49ad, 0x54b2,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x2594c37d, 0x54b249ad, 0x0, 0x0}, v2_int64 = {
0x54b249ad2594c37d, 0x0}, uint128 = 0x000000000000000054b249ad2594c37d}
xmm2 {v4_float = {0x2b020000, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x50, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa9fc, 0xd2f1, 0x624d, 0x3f50, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xd2f1a9fc, 0x3f50624d, 0x0, 0x0}, v2_int64 =
{0x3f50624dd2f1a9fc,
0x0}, uint128 = 0x00000000000000003f50624dd2f1a9fc}
xmm3 {v4_float = {0x0, 0x4, 0x0, 0x0}, v2_double = {0x3e8, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x8f, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0xff,
0x0}, v8_int16 = {0x0, 0x0, 0x4000, 0x408f, 0x0, 0x0, 0x0, 0xff}, v4_int32 =
{0x0, 0x408f4000, 0x0, 0xff0000}, v2_int64 = {0x408f400000000000,
0xff000000000000},
uint128 = 0x00ff000000000000408f400000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x6c, 0x65, 0x72, 0x20,
0x70, 0x61, 0x72, 0x61,
0x6d, 0x20, 0x30, 0x0, 0x70, 0x61, 0x72, 0x61}, v8_int16 = {0x656c, 0x2072,
0x6170, 0x6172, 0x206d, 0x30, 0x6170, 0x6172}, v4_int32 = {0x2072656c,
0x61726170,
0x30206d, 0x61726170}, v2_int64 = {0x617261702072656c, 0x617261700030206d},
uint128 = 0x617261700030206d617261702072656c}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d,
0x0},
uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a,
0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229,
0x0},
uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3,
0x0},
uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0,
0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
---Type <return> to continue, or q <return> to quit---
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: fli_overread_check.diff
messages: 13324
priority: normal
status: open
substatus: open
title: ffmpeg crashes on fli files with invalid frame sizes
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2520>
________________________________________________
fli_overread_check.diff
Description: Binary data
