[FFmpeg-trac] #8249(undetermined:new): stack-buffer-overflow at libavfilter/vf_signalstats.c:634
FFmpeg
trac at avcodec.org
Fri Oct 11 07:25:52 EEST 2019
#8249: stack-buffer-overflow at libavfilter/vf_signalstats.c:634
-------------------------------------+-------------------------------------
Reporter: Suhwan | Type: defect
Status: new | Priority: normal
Component: | Version: git-
undetermined | master
Keywords: asan | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
There is a stack-buffer-overflow at libavfilter/vf_signalstats.c:634 in
filter_frame8
I compiled ffmpeg with "--toolchain=clang-asan" to check the heap buffer
overflow and attached log file.
How to reproduce:
{{{
% ffmpeg_g -t 1 -stream_loop 7 -y -r 120 -i $PoC -filter_complex
signalstats -target dvd -loglevel 99 -c:a:112 y41p -c:v:143 vorbis
-disposition:s:2 pcm_s8_planar -disposition:v:61 prores_aw -r 44 -ab 633k
-strict 3 tmp.aac
ffmpeg version N-95314-g1331e00179 Copyright (c) 2000-2019 the FFmpeg
developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
--toolchain=clang-asan
}}}
Here's ASAN log
{{{
=================================================================
==14934==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffa020 at pc 0x000001294ae2 bp 0x7fffffff8c10 sp 0x7fffffff8c08
READ of size 4 at 0x7fffffffa020 thread T0
#0 0x1294ae1 in filter_frame8
ffmpeg/libavfilter/vf_signalstats.c:634:42
#1 0x827289 in ff_filter_activate_default
ffmpeg/libavfilter/avfilter.c:1071:11
#2 0x827289 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
#3 0x870182 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
#4 0x870182 in av_buffersrc_add_frame_internal
ffmpeg/libavfilter/buffersrc.c:261
#5 0x86ebc2 in av_buffersrc_add_frame_flags
ffmpeg/libavfilter/buffersrc.c:170:16
#6 0x666867 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2196:11
#7 0x666867 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2270
#8 0x6075f7 in decode_video ffmpeg/fftools/ffmpeg.c:2469:11
#9 0x6075f7 in process_input_packet ffmpeg/fftools/ffmpeg.c:2623
#10 0x64ab67 in process_input ffmpeg/fftools/ffmpeg.c:4518:5
#11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4638:11
#12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4692
#13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4894:9
#14 0x7ffff5c93b96 in __libc_start_main /build/glibc-
OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41def9 in _start (ffmpeg/ffmpeg_g+0x41def9)
Address 0x7fffffffa020 is located in stack of thread T0 at offset 5120 in
frame
#0 0x128d7ef in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:550
This frame has 11 object(s):
[32, 40) 'in.addr'
[64, 192) 'metabuf' (line 559)
[224, 1248) 'histy' (line 560)
[1376, 2400) 'histu' (line 560)
[2528, 3552) 'histv' (line 560)
[3680, 5120) 'histhue' (line 560) <== Memory access at offset 5120
overflows this variable
[5248, 6272) 'histsat' (line 560)
[6400, 6412) 'filtot' (line 579)
[6432, 6456) 'td_huesat' (line 588)
[6496, 6512) 'td' (line 644)
[6528, 6656) 'metaname' (line 755)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
ffmpeg/libavfilter/vf_signalstats.c:634:42 in filter_frame8
}}}
Please confirm.
Thanks
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8249>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list