[FFmpeg-trac] #5809(avcodec:new): av_parser_parse2 overflows input buffer (mpegaudio)
FFmpeg
trac at avcodec.org
Mon Aug 29 18:54:29 EEST 2016
#5809: av_parser_parse2 overflows input buffer (mpegaudio)
---------------------------------+---------------------------------------
Reporter: driegel | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+---------------------------------------
Summary of the bug:
When parsing mpegaudio, av_parser_parse2 doesn't respect the input buffer size
and reads beyond its limit. This overflow can lead to crashes.
FFmpeg version:
n3.1.2 (built from sources)
How to reproduce:
Compile with make (adjust the Makefile if necessary), and run the output
binary with valgrind.
Valgrind output:
{{{
$ valgrind ./test
==9820== Memcheck, a memory error detector
==9820== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==9820== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==9820== Command: ./test
==9820==
==9820== Invalid read of size 8
==9820== at 0x4C326C8: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9820== by 0x55CED85: memcpy (string3.h:53)
==9820== by 0x55CED85: ff_combine_frame (parser.c:298)
==9820== by 0x55657F8: mpegaudio_parse (mpegaudio_parser.c:111)
==9820== by 0x55CE9A0: av_parser_parse2 (parser.c:182)
==9820== by 0x400D0A: main (test.c:67)
==9820== Address 0x76a2258 is 0 bytes after a block of size 40 alloc'd
==9820== at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9820== by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9820== by 0x63016CF: av_malloc (mem.c:97)
==9820== by 0x400C4D: main (test.c:53)
==9820==
==9820== Invalid read of size 8
==9820== at 0x4C326D6: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9820== by 0x55CED85: memcpy (string3.h:53)
==9820== by 0x55CED85: ff_combine_frame (parser.c:298)
==9820== by 0x55657F8: mpegaudio_parse (mpegaudio_parser.c:111)
==9820== by 0x55CE9A0: av_parser_parse2 (parser.c:182)
==9820== by 0x400D0A: main (test.c:67)
==9820== Address 0x76a2f80 is 8 bytes after a block of size 40 alloc'd
==9820== at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9820== by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9820== by 0x63016CF: av_malloc (mem.c:97)
==9820== by 0x400C4D: main (test.c:53)
==9820==
==9820==
==9820== HEAP SUMMARY:
==9820== in use at exit: 40 bytes in 1 blocks
==9820== total heap usage: 734 allocs, 733 frees, 67,939 bytes allocated
==9820==
==9820== LEAK SUMMARY:
==9820== definitely lost: 0 bytes in 0 blocks
==9820== indirectly lost: 0 bytes in 0 blocks
==9820== possibly lost: 0 bytes in 0 blocks
==9820== still reachable: 40 bytes in 1 blocks
==9820== suppressed: 0 bytes in 0 blocks
==9820== Rerun with --leak-check=full to see details of leaked memory
==9820==
==9820== For counts of detected and suppressed errors, rerun with: -v
==9820== ERROR SUMMARY: 92 errors from 2 contexts (suppressed: 0 from 0)
}}}
Quick link to check out the code and run the test case:
https://github.com/d-k-c/ffmpeg-av_parser_parse2-bug
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5809>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker