[FFmpeg-trac] #9120(ffmpeg:new): heap buffer overflow write when extracting frames from the video

FFmpeg trac at avcodec.org
Wed Feb 24 12:21:52 EET 2021


#9120: heap buffer overflow write when extracting frames from the video
--------------------------------+--------------------------------------
             Reporter:  bird    |                     Type:  defect
               Status:  new     |                 Priority:  normal
            Component:  ffmpeg  |                  Version:  git-master
             Keywords:          |               Blocked By:
             Blocking:          |  Reproduced by developer:  0
Analyzed by developer:  0       |
--------------------------------+--------------------------------------
 Summary of the bug:
 There is a heap buffer overflow write when extracting frames from the
 video.
 How to reproduce:
 {{{
 $ ./ffmpeg_g -ss 0 -i ./1 -s 320x240 -y -f image2 output.jpeg
 ffmpeg version N-101261-g78d5e1c653 Copyright (c) 2000-2021 the FFmpeg developers
   built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
   configuration: --prefix=/home/bird/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/bird/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/bird/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/bird/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
   libavutil      56. 66.100 / 56. 66.100
   libavcodec     58.125.100 / 58.125.100
   libavformat    58. 68.100 / 58. 68.100
   libavdevice    58. 12.100 / 58. 12.100
   libavfilter     7.107.100 /  7.107.100
   libswscale      5.  8.100 /  5.  8.100
   libswresample   3.  8.100 /  3.  8.100
   libpostproc    55.  8.100 / 55.  8.100
 [dss @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate
 =================================================================
 ==14599==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000025af4 at pc 0x0000004e21ec bp 0x7ffc285d86e0 sp 0x7ffc285d7e90
 WRITE of size 70 at 0x60e000025af4 thread T0
     #0 0x4e21eb in __asan_memcpy (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e21eb)
     #1 0xdebec6 in avio_read /disk1/fuzzing/ffmpeg_latest/libavformat/aviobuf.c:673:13
     #2 0xe2ec18 in dss_sp_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:246:11
     #3 0xe2ec18 in dss_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:321
     #4 0x1136aa1 in ff_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:823:15
     #5 0x113be26 in read_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1526:15
     #6 0x113b14c in av_read_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1730:17
     #7 0x1142e4a in seek_frame_generic /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2388:31
     #8 0x1142e4a in seek_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2461
     #9 0x1142e4a in av_seek_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2481
     #10 0x11439ff in avformat_seek_file /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2533:19
     #11 0x51dd2d in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1252:15
     #12 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
     #13 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
     #14 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
     #15 0x7fcabf899bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
     #16 0x423609 in _start (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x423609)

 0x60e000025af4 is located 12 bytes to the left of 68-byte region [0x60e000025b00,0x60e000025b44)
 allocated by thread T0 here:
     #0 0x4e40f8 in __interceptor_posix_memalign (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e40f8)
     #1 0x3c0e14c in av_malloc /disk1/fuzzing/ffmpeg_latest/libavutil/mem.c:86:9
     #2 0x3c0e14c in av_mallocz /disk1/fuzzing/ffmpeg_latest/libavutil/mem.c:239
     #3 0x1134e51 in avformat_open_input /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:581:30
     #4 0x51d667 in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1174:11
     #5 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
     #6 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
     #7 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
     #8 0x7fcabf899bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

 SUMMARY: AddressSanitizer: heap-buffer-overflow (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e21eb) in __asan_memcpy
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/9120>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

