#11392: Null pointer dereference on malformed buffersink expression in filter graph
-------------------------------------+-------------------------------------
             Reporter:  somehacker   |                     Type:  defect
               Status:  new          |                 Priority:  minor
            Component:  avfilter     |                  Version:  git-master
             Keywords:  null         |               Blocked By:
  avfilter filter filters            |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  1            |
-------------------------------------+-------------------------------------
 Summary of the bug:

 There is a null pointer dereference introduced in commit
 b8bf2f4e1758a9f7f34160245b5f663d53159c2d when parsing a specially crafted
 filter graph involving buffersinks.

 How to reproduce:
 {{{

 % ffmpeg -i input -vf "abuffersink=::a" output

 ffmpeg version git-2024-12-27-5f38c82 Copyright (c) 2000-2024 the FFmpeg developers
 built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
 configuration:
 libavutil      59. 53.100 / 59. 53.100
 libavcodec     61. 28.100 / 61. 28.100
 libavformat    61.  9.102 / 61.  9.102
 libavdevice    61.  4.100 / 61.  4.100
 libavfilter    10.  6.101 / 10.  6.101
 libswscale      8. 13.100 /  8. 13.100
 libswresample   5.  4.100 /  5.  4.100

 built on Description:    Ubuntu 24.04.1 LTS (Windows WSL)
 }}}

 This bug occurs regardless of the contents of the input file as the bug is
 in the processing of the filter graph command line argument.
 I discovered this bug via fuzzing the filter graph parsing. I wrote up a
 report of that here in a blog post:
 https://personnumber3377.github.io/projects/fuzzing_ffmpeg_avfilter_graph_parse_ptr.html#fixing-the-fuzzer
 This bug is caused by this commit:
 https://github.com/FFmpeg/FFmpeg/commit/b8bf2f4e1758a9f7f34160245b5f663d53159c2d
 because I tried with the previous commit and it did not crash with the
 same input. In the same blog post I also described my development of a
 fuzzer for these filter graphs, because looking at the codebase there
 doesn't appear to be such a fuzzer for filter graphs.

 Here is the output from my fuzzer:

 {{{
 oof@elskun-lppri:~/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign$ ./target_graph_fuzzer final.bin
 INFO: Running with entropic power schedule (0xFF, 100).
 INFO: Seed: 1544958777
 INFO: Loaded 1 modules   (1514265 inline 8-bit counters): 1514265 [0x564dd6f9bc38, 0x564dd710d751),
 INFO: Loaded 1 PC tables (1514265 PCs): 1514265 [0x564dd710d758,0x564dd88288e8),
 ./target_graph_fuzzer: Running 1 inputs 1 time(s) each.
 Running: final.bin
 [Parsed_abuffersink_0 @ 0x511000000180] The "sample_fmts" option is deprecated: set the supported sample formats
 [Parsed_abuffersink_0 @ 0x511000000180] The "sample_rates" option is deprecated: set the supported sample rates
 [Parsed_abuffersink_0 @ 0x511000000180] The "ch_layouts" option is deprecated: set a '|'-separated list of supported channel layouts
 libavfilter/buffersink.c:208:25: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/buffersink.c:208:25
 libavfilter/buffersink.c:208:24: runtime error: null pointer passed as argument 1, which is declared to never be null
 /usr/include/string.h:61:62: note: nonnull attribute specified here
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/buffersink.c:208:24
 AddressSanitizer:DEADLYSIGNAL
 =================================================================
 ==459309==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa74f5ce500 bp 0x7ffe69af11f0 sp 0x7ffe69af09b8 T0)
 ==459309==The signal is caused by a WRITE memory access.
 ==459309==Hint: address points to the zero page.
     #0 0x7fa74f5ce500 in __memset_avx2_unaligned_erms string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:378
     #1 0x564dd174729e in __asan_memset (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x41ee29e) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
     #2 0x564dd147507d in common_init /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/buffersink.c:208:17
     #3 0x564dd1964a90 in avfilter_init_dict /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/avfilter.c:939:15
     #4 0x564dd17e82ab in avfilter_graph_segment_init /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/graphparser.c:634:19
     #5 0x564dd17ecabc in avfilter_graph_parse_ptr /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/graphparser.c:948:11
     #6 0x564dd1787bae in LLVMFuzzerTestOneInput /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/target_graph_fuzzer.c:104:11
     #7 0x564dd1695174 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x413c174) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
     #8 0x564dd167e2a6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x41252a6) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
     #9 0x564dd1683d5a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x412ad5a) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
     #10 0x564dd16ae516 in main (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x4155516) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
     #11 0x7fa74f46f1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
     #12 0x7fa74f46f28a in __libc_start_main csu/../csu/libc-start.c:360:3
     #13 0x564dd1678e74 in _start (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x411fe74) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)

 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:378 in __memset_avx2_unaligned_erms
 ==459309==ABORTING

 }}}
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11392>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac

To unsubscribe, visit link above, or email
ffmpeg-trac-requ...@ffmpeg.org with subject "unsubscribe".
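The sanitizer lines in the report describe the failure shape precisely: at buffersink.c:208 a zero offset is applied to a NULL base pointer, the result is handed to memset (declared nonnull), and the process dies on a WRITE to the zero page. The program below is an added example, not the reporter's fuzzer and not FFmpeg code, and it makes no claim about the actual expression at buffersink.c:208 (the ticket does not show it). It reproduces that shape in miniature with a constructed '|'-separated option list type: the names opt_list, parse_pipe_list, terminate_unguarded and terminate_guarded are all invented for this demo. The parser's empty-value path returns early without allocating, the consumer then writes a terminator slot at items + count, and with count == 0 that is memset(NULL + 0, ...) with a non-zero length. The guarded version restores the invariant before writing. Build with -fsanitize=address,undefined and run with --crash to get a report of the same shape as the one above; without the flag it runs the guarded path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed list type standing in for a filter option that takes a
 * '|'-separated list. Not libavfilter's code; it only mirrors the shape the
 * sanitizer report describes. Intended invariant: items has count + 1 slots
 * so that items[count] can hold a NULL terminator. */
struct opt_list {
    char **items;   /* NULL when nothing was allocated */
    size_t count;
};

/* Split s on '|' into heap-allocated copies. The empty-value path returns
 * early without allocating, leaving items == NULL: that is the edge case
 * the rest of the program is about. */
static int parse_pipe_list(const char *s, struct opt_list *out)
{
    out->items = NULL;
    out->count = 0;
    if (!s || !*s)
        return 0;                       /* "" -> zero items, NULL base pointer */

    size_t n = 1;
    for (const char *p = s; *p; p++)
        n += (*p == '|');

    out->items = calloc(n + 1, sizeof(*out->items));   /* +1: terminator slot */
    if (!out->items)
        return -1;

    const char *start = s;
    for (size_t i = 0; i < n; i++) {
        const char *end = strchr(start, '|');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (!(out->items[i] = malloc(len + 1)))
            return -1;                  /* partial list; count covers what exists */
        memcpy(out->items[i], start, len);
        out->items[i][len] = '\0';
        start = end ? end + 1 : start + len;
        out->count++;
    }
    return 0;
}

static void free_pipe_list(struct opt_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->items[i]);
    free(l->items);
    l->items = NULL;
    l->count = 0;
}

/* Unguarded consumer: zero the terminator slot at items + count. For an
 * empty list this applies a zero offset to a NULL pointer and then passes
 * NULL to memset with a non-zero length: UBSan reports both, and without
 * sanitizers it is a SEGV on a WRITE to the zero page. */
static void terminate_unguarded(struct opt_list *l)
{
    memset(l->items + l->count, 0, sizeof(*l->items));
}

/* Guarded consumer: an empty list gets its one-slot array allocated first,
 * so "items has count + 1 slots" holds on every path before the write. */
static int terminate_guarded(struct opt_list *l)
{
    if (!l->items) {
        l->items = calloc(1, sizeof(*l->items));
        if (!l->items)
            return -1;                  /* out of memory is an error, not a crash */
    }
    l->items[l->count] = NULL;
    return 0;
}

/* Helpers that return results so behaviour can be checked, not just printed. */
static long count_pipe_list(const char *s)
{
    struct opt_list l;
    long n = parse_pipe_list(s, &l) < 0 ? -1 : (long)l.count;
    free_pipe_list(&l);
    return n;
}

static int guarded_list_terminated(const char *s)
{
    struct opt_list l;
    int ok = parse_pipe_list(s, &l) == 0 && terminate_guarded(&l) == 0 &&
             l.items != NULL && l.items[l.count] == NULL;
    free_pipe_list(&l);
    return ok;
}

int main(int argc, char **argv)
{
    struct opt_list l;
    parse_pipe_list("", &l);            /* the empty case: zero items, NULL base */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        terminate_unguarded(&l);        /* UB; build with -fsanitize=address,undefined */
        return 0;
    }
    printf("guarded: rc=%d items=%p\n", terminate_guarded(&l), (void *)l.items);
    free_pipe_list(&l);
    return 0;
}
```

The general point for this class of bug: when one path of a parser returns a zero-length result without allocating, every consumer that indexes base + count must either be guaranteed a non-NULL base or check for the empty case explicitly. Zero-length is the input a fuzzer finds first, and the reproduction string `abuffersink=::a` is made of empty positional fields followed by a single character, which is exactly the kind of input that exercises such paths.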