Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Salvatore Bonaccorso
Control: reassign -1 src:aubio 0.4.5-1

Hi Carl,

On Tue, Dec 12, 2017 at 11:20:42PM +0100, Carl Eugen Hoyos wrote:
> This is not a bug in FFmpeg:
> aubio initializes libswresample with 2 channels and then passes data
> that contains just one channel.
> 
> That can't really work, or how could it?
> swresample has no knowledge about what is in the array except what it
> is told
> There are multiple ways to provide this information to swr
> 
> (Answer from Michael on ffmpeg-security)

Thanks for your and Michael's analysis/comment. So let's reassign
this to src:aubio since it would need to be fixed there.

Regards,
Salvatore



Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Carl Eugen Hoyos
This is not a bug in FFmpeg:
aubio initializes libswresample with 2 channels and then passes data
that contains just one channel.

That can't really work, or how could it?
swresample has no knowledge about what is in the array except what it
is told
There are multiple ways to provide this information to swr

(Answer from Michael on ffmpeg-security)

Carl Eugen
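The mismatch Carl describes, modelled as an added C example (this is not libswresample's or aubio's code; the context struct, function names and sample data are hypothetical and constructed): a converter told 2 channels at init is later handed a plane array that holds only one channel, so the second plane pointer is NULL. The check below rejects that call instead of dereferencing the missing plane.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not libswresample or aubio code. It models the mismatch the
 * thread describes: a converter initialised for 2 planar channels is handed a
 * plane array holding one channel, so plane 1 is NULL and gets dereferenced. */
typedef struct {
    int nb_channels; /* fixed at init, as with swr_init() */
} conv_ctx;          /* hypothetical stand-in for SwrContext */

/* Planar int16 -> float with the check an unchecked converter lacks: every
 * configured plane must exist before any sample is read. 0 = ok, -1 = mismatch. */
int convert_s16_to_flt_planar(const conv_ctx *ctx, float **out,
                              const int16_t **in, int len)
{
    int ch, i;
    if (!ctx || !out || !in || len < 0 || ctx->nb_channels < 1)
        return -1;
    for (ch = 0; ch < ctx->nb_channels; ch++)
        if (!in[ch] || !out[ch]) /* the NULL plane behind the SEGV */
            return -1;
    for (ch = 0; ch < ctx->nb_channels; ch++)
        for (i = 0; i < len; i++)
            out[ch][i] = in[ch][i] / 32768.0f;
    return 0;
}

/* Constructed stereo input matching a 2-channel context; returns the first
 * converted sample of the right plane (-16384 / 32768 = -0.5). */
float demo_matching(void)
{
    conv_ctx ctx = { 2 };
    int16_t l[4] = { 0, 16384, -32768, 32767 }, r[4] = { -16384, 8192, 0, 1 };
    float lo[4], ro[4];
    const int16_t *in[2] = { l, r };
    float *out[2] = { lo, ro };
    return convert_s16_to_flt_planar(&ctx, out, in, 4) == 0 ? ro[0] : 1000.0f;
}

/* Constructed mono input handed to the same 2-channel context, as aubio did:
 * plane 1 is NULL, so the call is rejected instead of crashing. */
int demo_mismatch(void)
{
    conv_ctx ctx = { 2 };
    int16_t mono[4] = { 1, 2, 3, 4 };
    float mo[4], ro[4];
    const int16_t *in[2] = { mono, NULL };
    float *out[2] = { mo, ro };
    return convert_s16_to_flt_planar(&ctx, out, in, 4);
}
```

The same rule applies on the caller side: the channel count and layout passed at init must describe the buffers actually handed to every convert call.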



Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Salvatore Bonaccorso
Source: ffmpeg
Version: 7:3.4-4
Severity: normal
Tags: security upstream
Control: found -1 7:3.4.1-1

Hi,

the following vulnerability was published for ffmpeg.

CVE-2017-17555[0]:
| The swri_audio_convert function in audioconvert.c in FFmpeg
| libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6,
| and other products, allows remote attackers to cause a denial of
| service (NULL pointer dereference and application crash) via a crafted
| audio file.

The issue is triggerable/demonstrable with the POC attached to [1]:

$ ./aubio/build/examples/aubiomfcc ./crash-2-null-ptr
[mp3 @ 0x61b00080] Format mp3 detected only with low score of 1, 
misdetection possible!
[mp3 @ 0x61b00080] Skipping 3350 bytes of junk at 0.
[mp3 @ 0x61b00080] Estimating duration from bitrate, this may be inaccurate
0.00-18.015953 -0.012183 -0.867832 -0.616462 0.813869 -1.063807 
-0.276262 -0.236723 -1.673019 1.016008 -0.041898 0.450148 -0.699137
ASAN:DEADLYSIGNAL
=
==13255==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x7fd18a85df33 bp 0x0004 sp 0x7ffec8afd8e8 T0)
==13255==The signal is caused by a READ memory access.
==13255==Hint: address points to the zero page.
#0 0x7fd18a85df32  (/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
(/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)
==13255==ABORTING

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x72af0f33 in ff_int16_to_float_a_sse2.next ()
at src/libswresample/x86/audio_convert.asm:656
656 src/libswresample/x86/audio_convert.asm: No such file or directory.
(gdb) bt
#0  0x72af0f33 in ff_int16_to_float_a_sse2.next ()
at src/libswresample/x86/audio_convert.asm:656
#1  0x72ae78de in swri_audio_convert (ctx=0x60701740, 
out=out@entry=0x632037d0, in=in@entry=0x632035b0, len=len@entry=384) at 
src/libswresample/audioconvert.c:226
#2  0x72aee190 in swr_convert_internal (s=s@entry=0x63200800, 
out=out@entry=0x63203e30, out_count=out_count@entry=384, 
in=in@entry=0x632035b0, in_count=in_count@entry=384)
at src/libswresample/swresample.c:633
#3  0x72aef252 in swr_convert_internal (in_count=384, 
in=0x632035b0, out_count=384, out=0x63203e30, s=0x63200800) at 
src/libswresample/swresample.c:470
#4  0x72aef252 in swr_convert (s=0x63200800, out_arg=, out_count=, in_arg=, in_count=)
at src/libswresample/swresample.c:800
#5  0x76c08af5 in aubio_source_avcodec_readframe ()
at /usr/lib/x86_64-linux-gnu/libaubio.so.5
#6  0x76c08c65 in aubio_source_avcodec_do () at 
/usr/lib/x86_64-linux-gnu/libaubio.so.5
#7  0x9db4 in examples_common_process (process_func=0x91fb 
, print=0x9266 ) at 
../examples/utils.c:160
#8  0x9875 in main (argc=2, argv=0x7fffeb88) at 
../examples/aubiomfcc.c:66


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17555
[1] https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore