#11692: [Security] heap-buffer-overflow on alphablend.c:77
------------------------------------+--------------------------------------
             Reporter:  flyfish101  |                     Type:  defect
               Status:  new         |                 Priority:  important
            Component:  swscale     |                  Version:  git-master
             Keywords:  fuzz        |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+--------------------------------------
Summary of the bug:
{{{
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer_1519 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1519/default/crashes/id:000000,sig:06,src:000005+000654_time:74588_execs:28040_op:splice_rep:8
Reading 168 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1519/default/crashes/id:000000,sig:06,src:000005+000654_time:74588_execs:28040_op:splice_rep:8
4514 x 1 yuva420p9be -> 1 x 1 yuv420p (alphablend: checkerboard)
=================================================================
==3958937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000004c80 at pc 0x555555c49927 bp 0x7fffffffc1d0 sp 0x7fffffffc1c8
READ of size 2 at 0x625000004c80 thread T0
    #0 0x555555c49926 in ff_sws_alphablendaway /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/alphablend.c:77:57
    #1 0x55555599dfec in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1160:15
    #2 0x5555559b35d5 in scale_cascaded /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:987:15
    #3 0x555555997eef in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1056:16
    #4 0x5555559aa66a in sws_scale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
    #5 0x555555969dd8 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1519.c:215:5
    #6 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #7 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #8 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #9 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer_1519+0x315fdd)

0x625000004c80 is located 0 bytes to the right of 9088-byte region [0x625000002900,0x625000004c80)
allocated by thread T0 here:
    #0 0x55555591951c in posix_memalign /home/fuzz/Desktop/fuzz-introspector/build/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x555556376614 in av_malloc /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/mem.c:107:9
    #2 0x555556377abb in av_mallocz /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/mem.c:258:17
    #3 0x55555596bb0e in alloc_plane /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1519.c:66:23
    #4 0x5555559685b6 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1519.c:176:11
    #5 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/alphablend.c:77:57 in ff_sws_alphablendaway
Shadow bytes around the buggy address:
  0x0c4a7fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8990:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3958937==ABORTING
}}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11692>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac