#11687: [Security] Null pointer dereference on libswscale/slice.c
-------------------------------------+-----------------------------------
             Reporter:  flyfish101   |                    Owner:  (none)
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  swscale
              Version:  unspecified  |               Resolution:
             Keywords:  scale        |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-----------------------------------
Description changed by flyfish101:

Old description:

> Summary of the bug:
> fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1051 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
> Reading 181 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
> 1 x 10216 yuva420p10le -> 127 x 1 nv16
> libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
> libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
> ==2824107==The signal is caused by a READ memory access.
> ==2824107==Hint: address points to the zero page.
>     #0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
>     #1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
>     #2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
>     #3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
>     #4 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
>     #5 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
>     #6 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
>     #7 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
>     #8 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1051+0x315fdd)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
> ==2824107==ABORTING
>
> How to reproduce:
> {{{
> % ffmpeg -i input ... output
> ffmpeg version
> built on ...
> }}}
> Patches should be submitted to the ffmpeg-devel mailing list and not this
> bug tracker.

New description:

 Summary of the bug:

 {{{
 fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1051 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
 Reading 181 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
 1 x 10216 yuva420p10le -> 127 x 1 nv16
 libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
 libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
 AddressSanitizer:DEADLYSIGNAL
 =================================================================
 ==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
 ==2824107==The signal is caused by a READ memory access.
 ==2824107==Hint: address points to the zero page.
     #0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
     #1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
     #2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
     #3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
     #4 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
     #5 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
     #6 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
     #7 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
     #8 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1051+0x315fdd)

 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
 ==2824107==ABORTING
 }}}

-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11687#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac