[FFmpeg-trac] #9120(ffmpeg:new): heap buffer overflow write when extracting frames from the video
FFmpeg
trac at avcodec.org
Wed Feb 24 12:21:52 EET 2021
#9120: heap buffer overflow write when extracting frames from the video
--------------------------------+--------------------------------------
Reporter: bird | Type: defect
Status: new | Priority: normal
Component: ffmpeg | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
--------------------------------+--------------------------------------
Summary of the bug:
There is a heap buffer overflow write when extracting frames from the
video.
How to reproduce:
{{{
$ ./ffmpeg_g -ss 0 -i ./1 -s 320x240 -y -f image2 output.jpeg
ffmpeg version N-101261-g78d5e1c653 Copyright (c) 2000-2021 the FFmpeg
developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --prefix=/home/bird/ffmpeg_build_new --pkg-config-
flags=--static --extra-cflags='-I/home/bird/ffmpeg_build_new/include -fno-
omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-
frame-pointer -g -fsanitize=address' --extra-
ldflags='-L/home/bird/ffmpeg_build_new/lib -fsanitize=address' --extra-
libs='-lpthread -lm' --bindir=/home/bird/bin_new --enable-gpl --enable-
gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-
libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-
libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
libavutil 56. 66.100 / 56. 66.100
libavcodec 58.125.100 / 58.125.100
libavformat 58. 68.100 / 58. 68.100
libavdevice 58. 12.100 / 58. 12.100
libavfilter 7.107.100 / 7.107.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
libpostproc 55. 8.100 / 55. 8.100
[dss @ 0x61b000000080] Estimating duration from bitrate, this may be
inaccurate
=================================================================
==14599==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60e000025af4 at pc 0x0000004e21ec bp 0x7ffc285d86e0 sp 0x7ffc285d7e90
WRITE of size 70 at 0x60e000025af4 thread T0
#0 0x4e21eb in __asan_memcpy
(/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e21eb)
#1 0xdebec6 in avio_read
/disk1/fuzzing/ffmpeg_latest/libavformat/aviobuf.c:673:13
#2 0xe2ec18 in dss_sp_read_packet
/disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:246:11
#3 0xe2ec18 in dss_read_packet
/disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:321
#4 0x1136aa1 in ff_read_packet
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:823:15
#5 0x113be26 in read_frame_internal
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1526:15
#6 0x113b14c in av_read_frame
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1730:17
#7 0x1142e4a in seek_frame_generic
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2388:31
#8 0x1142e4a in seek_frame_internal
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2461
#9 0x1142e4a in av_seek_frame
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2481
#10 0x11439ff in avformat_seek_file
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2533:19
#11 0x51dd2d in open_input_file
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1252:15
#12 0x51c42a in open_files
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
#13 0x51be55 in ffmpeg_parse_options
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
#14 0x55ba9f in main
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
#15 0x7fcabf899bf6 in __libc_start_main /build/glibc-
S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#16 0x423609 in _start
(/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x423609)
0x60e000025af4 is located 12 bytes to the left of 68-byte region
[0x60e000025b00,0x60e000025b44)
allocated by thread T0 here:
#0 0x4e40f8 in __interceptor_posix_memalign
(/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e40f8)
#1 0x3c0e14c in av_malloc
/disk1/fuzzing/ffmpeg_latest/libavutil/mem.c:86:9
#2 0x3c0e14c in av_mallocz
/disk1/fuzzing/ffmpeg_latest/libavutil/mem.c:239
#3 0x1134e51 in avformat_open_input
/disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:581:30
#4 0x51d667 in open_input_file
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1174:11
#5 0x51c42a in open_files
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
#6 0x51be55 in ffmpeg_parse_options
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
#7 0x55ba9f in main
/disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
#8 0x7fcabf899bf6 in __libc_start_main /build/glibc-
S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e21eb) in __asan_memcpy
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9120>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list