#11687: [Security] Null pointer dereference on libswscale/slice.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101  |                     Type:  defect
               Status:  new         |                 Priority:  important
            Component:  swscale     |                  Version:  unspecified
             Keywords:  scale       |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
-------------------------------------+-------------------------------------

Summary of the bug:
{{{
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1051 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
Reading 181 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
1 x 10216 yuva420p10le -> 127 x 1 nv16
libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
==2824107==The signal is caused by a READ memory access.
==2824107==Hint: address points to the zero page.
    #0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
    #1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
    #2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
    #3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
    #4 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #5 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #6 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #7 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1051+0x315fdd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
==2824107==ABORTING
}}}

How to reproduce:
{{{
% ffmpeg -i input ... output
ffmpeg version built on ...
}}}

Patches should be submitted to the ffmpeg-devel mailing list and not this
bug tracker.

-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11687>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
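A triage helper for crash reports of the kind quoted in this ticket, added here as an example; it is not part of the ticket, of FFmpeg, or of the reporter's fuzzing harness. It parses UBSan "runtime error" lines, the ASan SEGV block and the symbolized stack frames into one record, classifies a SEGV on a zero-page address as a null-pointer dereference, and derives a bucket key (signal, top frame, file:line) for de-duplicating fuzzer findings. The regular expressions are assumptions about the sanitizer line formats exactly as they appear in the ticket; SAMPLE_LOG is constructed from the quoted output and keeps only the first four frames.

```python
import os
import re

# Constructed from the sanitizer output quoted in ticket #11687: the
# conversion line, both UBSan reports, the ASan SEGV block and the first
# four stack frames. Paths and the pid are those of the reporter's run.
SAMPLE_LOG = """\
Reading 181 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
1 x 10216 yuva420p10le -> 127 x 1 nv16
libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
==2824107==The signal is caused by a READ memory access.
==2824107==Hint: address points to the zero page.
    #0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
    #1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
    #2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
    #3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
==2824107==ABORTING
"""

# Line shapes as they appear in the ticket (assumed, not a full sanitizer grammar).
CONV_RE = re.compile(r"^(?P<sw>\d+) x (?P<sh>\d+) (?P<sfmt>\S+) -> (?P<dw>\d+) x (?P<dh>\d+) (?P<dfmt>\S+)$")
UBSAN_RE = re.compile(r"^(?P<loc>\S+:\d+:\d+): runtime error: (?P<msg>.+)$")
ASAN_ERR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\w+) on unknown address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access\.")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<file>\S+?):(?P<line>\d+):(?P<col>\d+)$")

ZERO_PAGE_LIMIT = 0x1000  # faults below the first page are what ASan calls the "zero page"


def triage(log):
    """Parse one sanitizer crash log into a structured triage record."""
    report = {"conversion": None, "ubsan": [], "pid": None, "signal": None,
              "fault_address": None, "access": None, "frames": []}
    for raw in log.splitlines():
        line = raw.rstrip()
        if m := CONV_RE.match(line):
            # swscale prints "W x H srcfmt -> W x H dstfmt" before converting
            report["conversion"] = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        elif m := UBSAN_RE.match(line):
            report["ubsan"].append((m["loc"], m["msg"]))
        elif m := ASAN_ERR_RE.match(line):
            report["pid"] = int(m["pid"])
            report["signal"] = m["kind"]
            report["fault_address"] = int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            report["access"] = m["access"]
        elif m := FRAME_RE.match(line):
            # Frames without a file:line (e.g. "_start (binary+0x...)") are skipped.
            report["frames"].append({"idx": int(m["idx"]), "func": m["func"], "file": m["file"],
                                     "line": int(m["line"]), "col": int(m["col"])})
    report["top_frame"] = report["frames"][0] if report["frames"] else None
    report["verdict"] = classify(report)
    report["bucket"] = bucket_key(report)
    return report


def classify(report):
    """Name the crash class from the evidence the log actually contains."""
    addr = report["fault_address"]
    if report["signal"] == "SEGV" and addr is not None and addr < ZERO_PAGE_LIMIT:
        access = (report["access"] or "unknown").lower()
        return f"null-pointer-dereference ({access})"
    if any("null pointer" in msg for _, msg in report["ubsan"]):
        return "null-pointer-dereference (UBSan only, no fault)"
    return report["signal"] or "no sanitizer error found"


def bucket_key(report):
    """Stable key for grouping fuzzer crashes that share a crash site."""
    top = report["top_frame"]
    if top is None:
        return None
    return f"{report['signal']}:{top['func']}:{os.path.basename(top['file'])}:{top['line']}"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], result["bucket"], result["conversion"])
```

The bucket key is what makes a large crash directory manageable: every input that faults in get_min_buffer_size at slice.c:233 collapses into one bucket, so the 1x10216 to 127x1 conversion here can be reviewed once rather than per crash file. The classifier deliberately relies on the fault address and ASan's access direction rather than on the UBSan text alone, since UBSan may report a null-pointer arithmetic warning on inputs that never actually fault.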