#11389: heap-buffer-overflow at libavformat/dump.c:792:34 on ffmpeg
----------------------------------+--------------------------------------
             Reporter:  0x20z     |                     Type:  defect
               Status:  new       |                 Priority:  important
            Component:  avformat  |                  Version:  git-master
             Keywords:  bugs      |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+--------------------------------------
 Summary of the bug:
 Dear developers,
 I discovered a heap overflow vulnerability while using format conversion.
 The POC file is attached to the session, and the version of ffmpeg is
 N-118197-gbb85423142, master branch. Please confirm.

 How to reproduce:
 {{{
 git clone https://github.com/FFmpeg/FFmpeg.git
 cd FFmpeg
 ./configure --cc=clang --cxx=clang++ --toolchain=clang-asan \
     --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" \
     --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" \
     --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" \
     --disable-optimizations --disable-stripping --enable-cross-compile
 make -j30
 }}}

 ASAN log:
 {{{
 =================================================================
 ==1366945==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x613000001db8 at pc 0x5c82931d7ca9 bp 0x7ffc11d48a90 sp 0x7ffc11d48a88
 READ of size 8 at 0x613000001db8 thread T0
     #0 0x5c82931d7ca8  (FFmpeg/ffmpeg+0x13f0ca8) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #1 0x5c82927865a3  (FFmpeg/ffmpeg+0x99f5a3) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #2 0x5c82927c8e0b  (FFmpeg/ffmpeg+0x9e1e0b) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #3 0x5c82927f60ef  (FFmpeg/ffmpeg+0xa0f0ef) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #4 0x7ee34e629d8f in __libc_start_call_main
 csu/../sysdeps/nptl/libc_start_call_main.h:58:16
     #5 0x7ee34e629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
     #6 0x5c82926b7ce4  (FFmpeg/ffmpeg+0x8d0ce4) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)

 0x613000001db8 is located 0 bytes to the right of 376-byte region
 [0x613000001c40,0x613000001db8)
 allocated by thread T0 here:
     #0 0x5c829273af56 in realloc (FFmpeg/ffmpeg+0x953f56) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #1 0x5c82934420cd  (FFmpeg/ffmpeg+0x165b0cd) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #2 0x5c82931b05e8  (FFmpeg/ffmpeg+0x13c95e8) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #3 0x5c8292783233  (FFmpeg/ffmpeg+0x99c233) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #4 0x5c82927c8e0b  (FFmpeg/ffmpeg+0x9e1e0b) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #5 0x5c82927f60ef  (FFmpeg/ffmpeg+0xa0f0ef) (BuildId:
 d9813d42ed110d0d0780865381db8c33a24a231c)
     #6 0x7ee34e629d8f in __libc_start_call_main
 csu/../sysdeps/nptl/libc_start_call_main.h:58:16

 SUMMARY: AddressSanitizer: heap-buffer-overflow (FFmpeg/ffmpeg+0x13f0ca8)
 (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
 Shadow bytes around the buggy address:
   0x0c267fff8360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c267fff8370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
   0x0c267fff8380: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
   0x0c267fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c267fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x0c267fff83b0: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
   0x0c267fff83c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c267fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c267fff83e0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c267fff83f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
   0x0c267fff8400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==1366945==ABORTING

 }}}

 ffmpeg version:
 {{{
 # ./ffmpeg -version
 ffmpeg version N-118197-gbb85423142 Copyright (c) 2000-2024 the FFmpeg developers
 built with Ubuntu clang version 14.0.0-1ubuntu1.1
 configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
 --toolchain=clang-asan --enable-cross-compile
 libavutil      59. 53.100 / 59. 53.100
 libavcodec     61. 28.100 / 61. 28.100
 libavformat    61.  9.102 / 61.  9.102
 libavdevice    61.  4.100 / 61.  4.100
 libavfilter    10.  6.101 / 10.  6.101
 libswscale      8. 13.100 /  8. 13.100
 libswresample   5.  4.100 /  5.  4.100

 }}}

 Found by:
 {{{
 Found by 0x20z
 }}}

 Thank you for your time and attention
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11389>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
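The ASan trace in the ticket is unsymbolized: every FFmpeg frame is printed as `(FFmpeg/ffmpeg+0x...)` plus a BuildId, and only the ticket title carries the `libavformat/dump.c:792:34` location. The helper below is an added example, not part of the ticket or of the FFmpeg project; it pulls the module+offset pairs out of such a log and prints the `llvm-symbolizer` invocations that map them back to function and source line. It assumes the ASan-built binary still exists at the `FFmpeg/ffmpeg` path shown in the log (built with `-g`, as in the reproduce steps) and that `llvm-symbolizer` is installed; the log excerpt embedded in it is copied from the report above so the parsing can be exercised offline without the PoC file.

```shell
#!/bin/sh
# Added example, not from the ticket or from FFmpeg. Turns the unsymbolized
# "(module+0xoffset)" frames of an ASan report into symbolizer commands.
# Assumptions: the ASan build is still at FFmpeg/ffmpeg (the path in the log)
# and llvm-symbolizer is on PATH. addr2line -e FFmpeg/ffmpeg -f -C -i OFFSET
# is an equivalent fallback if llvm-symbolizer is not installed.

# Print "module offset" for every frame line, in the order they appear.
# Handles both frame shapes seen in the report:
#   #0 0x5c82931d7ca8  (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: ...)
#   #0 0x5c829273af56 in realloc (FFmpeg/ffmpeg+0x953f56) (BuildId: ...)
# Frames that ASan already symbolized to file:line (the libc ones) have no
# "(module+offset)" part and are skipped.
asan_frames() {
    sed -n 's/^[[:space:]]*#[0-9][0-9]*[[:space:]]*0x[0-9a-fA-F]*[[:space:]]*\(in [^ ]* \)\{0,1\}(\([^+)]*\)+\(0x[0-9a-fA-F]*\)).*$/\2 \3/p'
}

# Emit one llvm-symbolizer command per frame. The offsets ASan prints are
# file-relative, which is what --obj expects for a PIE binary.
symbolize_commands() {
    asan_frames | while read -r module offset; do
        printf 'llvm-symbolizer --obj=%s %s\n' "$module" "$offset"
    done
}

# Excerpt of the ASan report from the ticket (fault trace plus the start of
# the allocation trace), embedded here only to exercise the helpers offline.
ASAN_LOG='==1366945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000001db8 at pc 0x5c82931d7ca9 bp 0x7ffc11d48a90 sp 0x7ffc11d48a88
READ of size 8 at 0x613000001db8 thread T0
    #0 0x5c82931d7ca8  (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82927865a3  (FFmpeg/ffmpeg+0x99f5a3) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #4 0x7ee34e629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

0x613000001db8 is located 0 bytes to the right of 376-byte region [0x613000001c40,0x613000001db8)
allocated by thread T0 here:
    #0 0x5c829273af56 in realloc (FFmpeg/ffmpeg+0x953f56) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82934420cd  (FFmpeg/ffmpeg+0x165b0cd) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)'

# Offset of the faulting frame (#0 of the READ trace): the one to symbolize
# first, since it is the access ASan flagged.
first_frame_offset() {
    printf '%s\n' "$ASAN_LOG" | asan_frames | head -n 1 | cut -d' ' -f2
}

# Number of frames in the excerpt that carry a module+offset pair.
frame_count() {
    printf '%s\n' "$ASAN_LOG" | asan_frames | wc -l | tr -d ' '
}

# Usage against a real capture (run from the directory containing FFmpeg/):
#   symbolize_commands < asan.log | sh
```

Rerunning the PoC with `llvm-symbolizer` on `PATH` (or `ASAN_SYMBOLIZER_PATH=/path/to/llvm-symbolizer` exported) makes ASan print `function file:line:col` frames directly, which is the form the `dump.c:792:34` in the title came from; the offset approach is for logs that were already captured unsymbolized. It only gives meaningful results against the exact binary with the BuildId in the log, since file offsets move with any rebuild, and the `-O0 -g` flags in the reproduce steps are what keep the line mapping accurate.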
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac
