New submission from Daniel Kang <[email protected]>: ffmpeg does not check for invalid sym values in the indeo decoder. When one is encountered (e.g. negative or greater than 256), ffmpeg will crash with a buffer overread. The patch attached adds a check for this.
gdb run:
(gdb) r -i ../fuzzed.avi del.mkv
Starting program: /afs/csl.tjhsst.edu/students/2011/2011dkang/ffmpeg/ffmpeg_g -i ../fuzzed.avi del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-94559de, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 9 2011 18:09:59 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.108. 0 / 52.108. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
Input #0, avi, from '../fuzzed.avi':
Duration: 00:00:08.93, start: 0.000000, bitrate: 841 kb/s
Stream #0.0: Video: indeo5, yuv410p, 240x180, 15 tbr, 15 tbn, 15 tbc
Stream #0.1: Audio: pcm_s16le, 22050 Hz, 1 channels, s16, 352 kb/s
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x1209ee0] w:240 h:180 pixfmt:yuv410p
[ffsink @ 0x120a180] auto-inserting filter 'auto-inserted scaler 0' between the filter 'src' and the filter 'out'
[scale @ 0x120a480] w:240 h:180 fmt:yuv410p -> w:240 h:180 fmt:yuv420p flags:0xa0000004
Output #0, matroska, to 'del.mkv':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: mpeg4, yuv420p, 240x180, q=2-31, 200 kb/s, 1k tbn, 15 tbc
Stream #0.1: Audio: mp2, 22050 Hz, 1 channels, s16, 64 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Stream #0.1 -> #0.1
Press [q] to stop encoding
[indeo5 @ 0x1204ee0] Empty macroblock in an INTRA picture!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Invalid frame type: 6
[indeo5 @ 0x1204ee0] Error while decoding picture header: -1
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Empty band encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 1
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Empty band encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 1
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Invalid picture start code!
[indeo5 @ 0x1204ee0] Error while decoding picture header: -1
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] Corrupted tile data encountered!
[indeo5 @ 0x1204ee0] Error while decoding band: 0, plane: 0
Error while decoding stream #0.0
[indeo5 @ 0x1204ee0] End marker missing!
[indeo5 @ 0x1204ee0] Error while decoding picture header: -1
Error while decoding stream #0.0
Program received signal SIGSEGV, Segmentation fault.
0x0000000000629f93 in ff_ivi_decode_blocks (gb=0x127e600, band=0x127fa40,
tile=<value optimized out>) at libavcodec/ivi_common.c:407
407 run = rvmap->runtab[sym];
(gdb) bt
#0 0x0000000000629f93 in ff_ivi_decode_blocks (gb=0x127e600, band=0x127fa40,
tile=<value optimized out>) at libavcodec/ivi_common.c:407
#1 0x000000000061b49b in decode_band (avctx=<value optimized out>, data=<value
optimized out>, data_size=<value optimized out>, avpkt=<value optimized out>)
at libavcodec/indeo5.c:615
#2 decode_frame (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/indeo5.c:765
#3 0x00000000007587e8 in avcodec_decode_video2 (avctx=0x1204ee0,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc70c, avpkt=0x7fffffffc650)
at libavcodec/utils.c:637
#4 0x0000000000434c09 in output_packet (ist=0x1209d60, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4b0)
at ffmpeg.c:1550
#5 0x0000000000436a07 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#6 0x0000000000437973 in main (argc=4, argv=<value optimized out>) at
ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
A syntax error in expression, near `$pc+32'.
(gdb) info all-registers
rax 0x19 25
rbx 0x127ed56 19393878
rcx 0xffffffff 4294967295
rdx 0x23 35
rsi 0x6c3 1731
rdi 0x12cc5d0 19711440
rbp 0xffffffff 0xffffffff
rsp 0x7fffffffc000 0x7fffffffc000
r8 0x40 64
r9 0x127fae0 19397344
r10 0x4 4
r11 0x14 20
r12 0x127fa40 19397184
r13 0x127e600 19392000
r14 0xb 11
r15 0x9971a0 10056096
rip 0x629f93 0x629f93 <ff_ivi_decode_blocks+707>
eflags 0x10217 [ CF PF AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
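Added illustration, not the attached patch and not code from the ffmpeg tree: the kind of bounds check the report calls for, placed before the decoded symbol is used as an index into the run/value table. The rvmap_desc type, the 256-entry table size and the sample map are assumptions made for this example; a VLC reader returning -1 for a code that is not in its table is the reason the negative case matters.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the decoder's run/value map: the decoded VLC
 * symbol is used directly as an index, so the table bounds are the guard. */
#define RV_TAB_SIZE 256
typedef struct {
    int     eob_sym;                 /* end-of-block marker symbol        */
    uint8_t runtab[RV_TAB_SIZE];     /* run length for each symbol        */
    int8_t  valtab[RV_TAB_SIZE];     /* coefficient value for each symbol */
} rvmap_desc;

/* Validate a decoded symbol before indexing the tables with it.
 * Returns 1 for end-of-block, 0 on success with *run/*val filled in, and
 * -1 for a symbol outside the table (a VLC reader typically reports an
 * unknown code as -1, and that value must never reach runtab[]).
 * The escape symbol, which reads run/val from the bitstream instead of
 * the table, is assumed to be handled by the caller. */
int lookup_run_val(const rvmap_desc *rv, int sym, int *run, int *val)
{
    if (sym == rv->eob_sym)
        return 1;
    if (sym < 0 || sym >= RV_TAB_SIZE)
        return -1;                   /* reject before the out-of-bounds read */
    *run = rv->runtab[sym];
    *val = rv->valtab[sym];
    return 0;
}

/* Constructed sample map: symbol i -> run (i % 8) + 1, value i - 128. */
rvmap_desc sample_map(void)
{
    rvmap_desc rv = { .eob_sym = 255 };
    for (int i = 0; i < RV_TAB_SIZE; i++) {
        rv.runtab[i] = (uint8_t)(i % 8 + 1);
        rv.valtab[i] = (int8_t)(i - 128);
    }
    return rv;
}

int main(void)
{
    rvmap_desc rv = sample_map();
    int probes[] = { 5, -1, 256, 300, 255 };   /* valid, bad, bad, bad, eob */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int run = 0, val = 0;
        int rc = lookup_run_val(&rv, probes[i], &run, &val);
        printf("sym=%4d -> rc=%2d run=%d val=%d\n", probes[i], rc, run, val);
    }
    return 0;
}
```

Running the unchecked form of this lookup under AddressSanitizer on the fuzzed input is the quickest way to confirm the overread the backtrace above points at; with the check in place the decoder returns an error for the frame instead.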
----------
files: indeo_invalid_sym_check.diff
messages: 13330
priority: normal
status: open
substatus: open
title: ffmpeg doesn't check for invalid sym values in indeo decoder
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2523>
________________________________________________