#11690: [Security] Null pointer dereference on libswscale/swscale.c:1125
------------------------------------+--------------------------------------
            Reporter:  flyfish101  |                     Type:  defect
              Status:  new         |                 Priority:  important
           Component:  swscale     |                  Version:  git-master
            Keywords:  fuzz        |               Blocked By:
            Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+--------------------------------------
 Summary of the bug:

 {{{
 fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1143 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000444,sig:11,src:014509+008528_time:21110904_execs:14763970_op:splice_rep:16
 Reading 134 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000444,sig:11,src:014509+008528_time:21110904_execs:14763970_op:splice_rep:16
 6171 x 2 bgr444be -> 142 x 2 yuv420p
 libswscale/swscale.c:1125:21: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1125:21 in
 libswscale/swscale.c:1126:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1126:17 in
 libswscale/swscale.c:1127:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1127:17 in
 libswscale/swscale.c:1131:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1131:17 in
 libswscale/swscale.c:302:28: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:302:28 in
 libswscale/swscale.c:303:29: runtime error: applying non-zero offset 18446744073709551312 to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:303:29 in
 libswscale/swscale.c:304:29: runtime error: applying non-zero offset 18446744073709551464 to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:304:29 in
 libswscale/vscale.c:273:22: runtime error: applying non-zero offset 18446744073709551576 to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/vscale.c:273:22 in
 libswscale/vscale.c:273:22: runtime error: member access within address 0xffffffffffffffd8 with insufficient space for an object of type 'struct SwsFilterDescriptor'
 0xffffffffffffffd8: note: pointer points here
 <memory cannot be printed>
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/vscale.c:273:22 in
 AddressSanitizer:DEADLYSIGNAL
 =================================================================
 ==115787==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x5555559f7a9f bp 0x7fffffffc410 sp 0x7fffffffc380 T0)
 ==115787==The signal is caused by a READ memory access.
 ==115787==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
     #0 0x5555559f7a9f in ff_init_vscale_pfn /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:273:35
     #1 0x55555596ec87 in ff_swscale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:387:5
     #2 0x55555599bf54 in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
     #3 0x5555559a94ca in sws_scale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
     #4 0x555555968c32 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
     #5 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
     #6 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
     #7 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
     #8 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
     #9 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)

 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:273:35 in ff_init_vscale_pfn
 ==115787==ABORTING
 -------------------------------------------------------------------
 fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1143 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000454,sig:11,src:010843_time:25643361_execs:18002259_op:havoc_rep:4
 Reading 151 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000454,sig:11,src:010843_time:25643361_execs:18002259_op:havoc_rep:4
 5011 x 2 rgb444be -> 1 x 3 xv36le
 libswscale/swscale.c:1125:21: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1125:21 in
 libswscale/swscale.c:1126:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1126:17 in
 libswscale/swscale.c:1127:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1127:17 in
 libswscale/swscale.c:1129:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1129:17 in
 libswscale/swscale.c:1130:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1130:17 in
 libswscale/swscale.c:1131:17: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1131:17 in
 libswscale/swscale.c:302:28: runtime error: applying zero offset to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:302:28 in
 libswscale/swscale.c:303:29: runtime error: applying non-zero offset 18446744073709551312 to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:303:29 in
 libswscale/swscale.c:304:29: runtime error: applying non-zero offset 18446744073709551464 to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:304:29 in
 libswscale/vscale.c:298:18: runtime error: applying non-zero offset 18446744073709551576 to null pointer
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/vscale.c:298:18 in
 libswscale/vscale.c:298:18: runtime error: member access within address 0xffffffffffffffd8 with insufficient space for an object of type 'struct SwsFilterDescriptor'
 0xffffffffffffffd8: note: pointer points here
 <memory cannot be printed>
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/vscale.c:298:18 in
 AddressSanitizer:DEADLYSIGNAL
 =================================================================
 ==199274==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x5555559f6b92 bp 0x7fffffffc410 sp 0x7fffffffc380 T0)
 ==199274==The signal is caused by a READ memory access.
 ==199274==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
     #0 0x5555559f6b92 in ff_init_vscale_pfn /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:298:31
     #1 0x55555596ec87 in ff_swscale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:387:5
     #2 0x55555599bf54 in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
     #3 0x5555559a94ca in sws_scale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
     #4 0x555555968c32 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
     #5 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
     #6 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
     #7 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
     #8 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
     #9 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)

 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:298:31 in ff_init_vscale_pfn
 ==199274==ABORTING
 }}}

 How to reproduce:
 {{{
 % ffmpeg -i input ... output
 ffmpeg version built on ...
 }}}
 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11690>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac