[FFmpeg-trac] #7980(ffmpeg:new): heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27
FFmpeg
trac at avcodec.org
Sun Jun 30 13:37:41 EEST 2019
#7980: heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27
-------------------------------------+-------------------------------------
Reporter: Suhwan                     | Type: defect
Status: new                          | Priority: critical
Component: ffmpeg                    | Version: git-master
Keywords: Heap buffer overflow,      | Blocked By:
ASAN, Null pointer, avformat         |
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Summary of the bug:
There's a heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp due to a null pointer or undefined behavior at libavformat/nutenc.c:794:27.
How to reproduce:
{{{
input file: tmp.webm, output file: tmp_.nut
% ffmpeg_g -y -r 3 -i tmp.webm -map 0 -c:v zmbv -c:s adpcm_ms -disposition:a:86 vc2 -disposition:s prores_ks -vframes 52 -r 8 -ar 22050 -b:v 928 -strict 2 tmp_.nut
ffmpeg version : N-94137-g89b96900fa Copyright (c) 2000-2019 the FFmpeg developers
built with clang-9, clang-asan option.
}}}
Here's the ASAN log:
{{{
libavutil 56. 30.100 / 56. 30.100
libavcodec 58. 53.100 / 58. 53.100
libavformat 58. 28.101 / 58. 28.101
libavdevice 58. 7.100 / 58. 7.100
libavfilter 7. 55.100 / 7. 55.100
libswscale 5. 4.101 / 5. 4.101
libswresample 3. 4.100 / 3. 4.100
Input #0, matroska,webm, from 'tmp.webm':
Metadata:
encoder : Lavf53.17.0
Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
[New Thread 0x7ffff025b700 (LWP 8902)]
[New Thread 0x7fffefa5a700 (LWP 8903)]
[New Thread 0x7fffef259700 (LWP 8904)]
[New Thread 0x7fffeea58700 (LWP 8905)]
[New Thread 0x7fffee257700 (LWP 8906)]
[New Thread 0x7fffeda56700 (LWP 8907)]
[New Thread 0x7fffed255700 (LWP 8908)]
[New Thread 0x7fffeca54700 (LWP 8909)]
[New Thread 0x7fffec253700 (LWP 8910)]
[New Thread 0x7fffeba52700 (LWP 8911)]
[New Thread 0x7fffeb251700 (LWP 8912)]
[New Thread 0x7fffeaa50700 (LWP 8913)]
[New Thread 0x7fffea24f700 (LWP 8914)]
Stream mapping:
Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
Stream #0:1 -> #0:1 (vorbis (native) -> mp2 (native))
Press [q] to stop, [?] for help
[New Thread 0x7fffe9a4e700 (LWP 8916)]
[New Thread 0x7fffe924d700 (LWP 8917)]
[New Thread 0x7fffe8a4c700 (LWP 8918)]
[New Thread 0x7fffe824b700 (LWP 8919)]
[New Thread 0x7fffe7a4a700 (LWP 8920)]
[New Thread 0x7fffe7249700 (LWP 8921)]
[New Thread 0x7fffe6a32700 (LWP 8922)]
[New Thread 0x7fffe621b700 (LWP 8923)]
[New Thread 0x7fffe5a04700 (LWP 8924)]
[New Thread 0x7fffe51ed700 (LWP 8925)]
[New Thread 0x7fffe49d6700 (LWP 8926)]
[New Thread 0x7fffe41bf700 (LWP 8927)]
[New Thread 0x7fffe372c700 (LWP 8930)]
[New Thread 0x7fffe2f15700 (LWP 8931)]
[New Thread 0x7fffe26fe700 (LWP 8932)]
[New Thread 0x7fffe1ee7700 (LWP 8933)]
[New Thread 0x7fffe16d0700 (LWP 8934)]
[New Thread 0x7fffe0eb9700 (LWP 8935)]
[New Thread 0x7fffe06a2700 (LWP 8936)]
[New Thread 0x7fffdfe8b700 (LWP 8937)]
[New Thread 0x7fffdf674700 (LWP 8938)]
[New Thread 0x7fffdee5d700 (LWP 8939)]
[New Thread 0x7fffde646700 (LWP 8940)]
[New Thread 0x7fffdde2f700 (LWP 8941)]
[zmbv @ 0x619000015480] Bitrate 928 is extremely low, maybe you mean 928k
The bitrate parameter is set too low. It takes bits/s as argument, not kbits/s
Output #0, nut, to 'tmp/tmp_.nut':
Metadata:
encoder : Lavf58.28.101
Stream #0:0: Video: zmbv (ZMBV / 0x56424D5A), bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 0 kb/s, 8 fps, 65536 tbn, 8 tbc (default)
Metadata:
encoder : Lavc58.53.100 zmbv
Stream #0:1: Audio: mp2 (P[0][0][0] / 0x0050), 22050 Hz, mono, s16, 160 kb/s (default)
Metadata:
X-Language : eng
encoder : Lavc58.53.100 mp2
libavformat/nutenc.c:794:27: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:64:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/nutenc.c:794:27 in
=================================================================
==8843==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffdd32e7f0 at pc 0x00000632b075 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
READ of size 1 at 0x7fffdd32e7f0 thread T0
#0 0x632b074 in block_cmp ffmpeg/libavcodec/zmbvenc.c:97:30
#1 0x63249cb in zmbv_me ffmpeg/libavcodec/zmbvenc.c:153:18
#2 0x63249cb in encode_frame ffmpeg/libavcodec/zmbvenc.c:242
#3 0x3036600 in avcodec_encode_video2 ffmpeg/libavcodec/encode.c:296:11
#4 0x303979e in do_encode ffmpeg/libavcodec/encode.c:365:15
#5 0x3038e7a in avcodec_send_frame ffmpeg/libavcodec/encode.c:414:12
#6 0x631f2a in do_video_out ffmpeg/fftools/ffmpeg.c:1287:15
#7 0x629ae0 in reap_filters ffmpeg/fftools/ffmpeg.c:1504:17
#8 0x5bd503 in transcode_step ffmpeg/fftools/ffmpeg.c:4648:12
#9 0x5bd503 in transcode ffmpeg/fftools/ffmpeg.c:4692
#10 0x5b2c0b in main ffmpeg/fftools/ffmpeg.c:4894:9
#11 0x7ffff4fb2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41fb39 in _start (ffmpeg/ffmpeg_g+0x41fb39)
0x7fffdd32e7f0 is located 16 bytes to the left of 763424-byte region [0x7fffdd32e800,0x7fffdd3e8e20)
allocated by thread T0 here:
#0 0x4ad2ad in posix_memalign opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:226
#1 0x8334fc5 in av_malloc ffmpeg/libavutil/mem.c:87:9
#2 0x8334fc5 in av_mallocz ffmpeg/libavutil/mem.c:238
#3 0x6320250 in encode_init ffmpeg/libavcodec/zmbvenc.c:413:25
SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp
}}}
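The ASAN report above already carries everything needed to classify the fault without rerunning it: the access kind and size, which side of the allocation the address falls on (16 bytes to the left, i.e. a read before the start of the buffer allocated in encode_init), and the allocating frame. The following triage helper is an added example, not part of the ticket or of FFmpeg; it runs over the report's own lines, and the list of allocator paths it skips is an assumption.

```python
import re

# Constructed excerpt of the ASAN report from this ticket, with the mailing
# list's line wrapping undone so that every report line is whole.
ASAN_LOG = """\
==8843==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffdd32e7f0 at pc 0x00000632b075 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
READ of size 1 at 0x7fffdd32e7f0 thread T0
    #0 0x632b074 in block_cmp ffmpeg/libavcodec/zmbvenc.c:97:30
    #1 0x63249cb in zmbv_me ffmpeg/libavcodec/zmbvenc.c:153:18
0x7fffdd32e7f0 is located 16 bytes to the left of 763424-byte region [0x7fffdd32e800,0x7fffdd3e8e20)
allocated by thread T0 here:
    #0 0x4ad2ad in posix_memalign opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:226
    #1 0x8334fc5 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x8334fc5 in av_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x6320250 in encode_init ffmpeg/libavcodec/zmbvenc.c:413:25
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Sanitizer-runtime and malloc-wrapper frames are not the interesting allocation site (assumed list).
ALLOCATOR_PATHS = ("compiler-rt/", "libavutil/mem.c")

def triage_asan(log):
    """Extract what a triager needs from one ASAN heap-buffer report."""
    err, acc, reg = ERROR_RE.search(log), ACCESS_RE.search(log), REGION_RE.search(log)
    if not (err and acc and reg):
        raise ValueError("not a complete ASAN heap-buffer report")
    addr = int(acc.group(3), 16)
    distance, side, size = int(reg.group(1)), reg.group(2), int(reg.group(3))
    start, end = int(reg.group(4), 16), int(reg.group(5), 16)
    # The access stack precedes "allocated by"; the allocation stack follows it.
    head, _, tail = log.partition("allocated by")
    fault_frame = FRAME_RE.findall(head)[0]
    alloc_frame = next(f for f in FRAME_RE.findall(tail)
                       if not any(p in f[1] for p in ALLOCATOR_PATHS))
    # Cross-check the reported distance against the region bounds the report prints.
    expected = start - addr if side == "left" else addr - end
    return {
        "kind": err.group(1),
        "access": (acc.group(1), int(acc.group(2))),
        "direction": "underflow" if side == "left" else "overflow",
        "distance": distance,
        "region_size": size,
        "fault_frame": fault_frame,
        "alloc_frame": alloc_frame,
        "consistent": expected == distance and end - start == size,
    }
```

For this ticket the helper classifies the fault as a 1-byte read underflow of the encode_init buffer, which is the detail a fix in block_cmp has to account for.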
--
Ticket URL: <https://trac.ffmpeg.org/ticket/7980>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker