[FFmpeg-trac] #9289(avcodec:new): ffmpeg decode aac crashed in get_bits function

FFmpeg trac at avcodec.org
Thu Jun 10 13:01:02 EEST 2021


#9289: ffmpeg decode aac crashed in get_bits function
-------------------------------------+-------------------------------------
             Reporter:  hyhmaffia    |                    Owner:  (none)
                 Type:  defect       |                   Status:  new
             Priority:  critical     |                Component:  avcodec
              Version:  git-master   |               Resolution:
             Keywords:  get_bits     |               Blocked By:
  crashed                            |
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Description changed by hyhmaffia:

Old description:

> ffmpeg decode aac crashed in get_bits function on arm64 cpu
>
> the get_bits has a code : ldr w11, [x10, x11]
>

> (lldb) register read x10
>      x10 = 0x000000013bbffea0
> (lldb) register read x11
>      x11 = 0x000000000000015d
> (lldb) p/x 0x000000013bbffea0 + 0x000000000000015d
> (long) $12 = 0x000000013bbffffd
> (lldb) p *(GetBitContext*)0x000000017048a6c0
> (GetBitContext) $13 = {
>   buffer = 0x000000013bbffea0 "
>   buffer_end = 0x000000013bbffffe ""
>   index = 2792
>   size_in_bits = 2800
>   size_in_bits_plus8 = 2808
> }
> (lldb) p 0x000000013bbffffe - 0x000000013bbffffd
> (long) $14 = 1
> (lldb) p 0x000000013bc00000 - 0x000000013bbffffd
> (long) $15 = 3
>
> when index is 2792 and size_in_bits is 2800, we call the function
> get_bits(s, 3)
> the get_bits will read 32 bits, but we only have 8 bits left to read, so it
> crashed
> it only crashed when the last byte is in another memory
> page(0x000000013bc00000)
>
> the aac packet with adts header is: (350 byte)
>
> FFF15C802BDFFC216B44B5BA96CB40B090AC132839861B1029A6911717BBD4BC0318F0968D118EA36C32B80CEE092E16D98E230F90586D6F56CC312BD44DFCE56C2F4D08E0730B822240612F55E99BBCA15E79F9F972837C67555A4892CC4B0C70C414A838F91BE4130B2C25EFE39C126E038DB19D5A0DD0945D3EFB63F6CB19785F9CDB6515DB9E77977CECB9AE5E546D38402AAA259615B94F41255744F07666653ECA2C5954B2CBAAEBA108504B13B0C094185C55ADB763CA8550BE1175A520B949C263CBCB977E26F3946DF307DCBED83CD858AA162C1754F75B85D4FFC290EF5CD6FA4A6B56C3153BC0C456093CFB6354F09A910313F5797DE199ADEAB62272FB32A952A5E3E9A9BD18085F7B2D79247350A09F73EBC079C775A7CE7FFDA0752E19CE0006755BB1A20CD6AA6866C2440A7DCF45A0C775C8CAAA8445044D1FF70000000000006F05D12A32A26608274745FA2941D1D17E8A500000E0

New description:

 ffmpeg decode aac crashed in get_bits function on arm64 cpu
 Crash Screenshot please see the attachment

 the get_bits has a code : ldr w11, [x10, x11]


 (lldb) register read x10
      x10 = 0x000000013bbffea0
 (lldb) register read x11
      x11 = 0x000000000000015d
 (lldb) p/x 0x000000013bbffea0 + 0x000000000000015d
 (long) $12 = 0x000000013bbffffd
 (lldb) p *(GetBitContext*)0x000000017048a6c0
 (GetBitContext) $13 = {
   buffer = 0x000000013bbffea0 "
   buffer_end = 0x000000013bbffffe ""
   index = 2792
   size_in_bits = 2800
   size_in_bits_plus8 = 2808
 }
 (lldb) p 0x000000013bbffffe - 0x000000013bbffffd
 (long) $14 = 1
 (lldb) p 0x000000013bc00000 - 0x000000013bbffffd
 (long) $15 = 3

 when index is 2792 and size_in_bits is 2800, we call the function
 get_bits(s, 3)
 the get_bits will read 32 bits, but we only have 8 bits left to read, so it
 crashed
 it only crashed when the last byte is in another memory
 page(0x000000013bc00000)

 the aac packet with adts header is: (350 byte)

 FFF15C802BDFFC216B44B5BA96CB40B090AC132839861B1029A6911717BBD4BC0318F0968D118EA36C32B80CEE092E16D98E230F90586D6F56CC312BD44DFCE56C2F4D08E0730B822240612F55E99BBCA15E79F9F972837C67555A4892CC4B0C70C414A838F91BE4130B2C25EFE39C126E038DB19D5A0DD0945D3EFB63F6CB19785F9CDB6515DB9E77977CECB9AE5E546D38402AAA259615B94F41255744F07666653ECA2C5954B2CBAAEBA108504B13B0C094185C55ADB763CA8550BE1175A520B949C263CBCB977E26F3946DF307DCBED83CD858AA162C1754F75B85D4FFC290EF5CD6FA4A6B56C3153BC0C456093CFB6354F09A910313F5797DE199ADEAB62272FB32A952A5E3E9A9BD18085F7B2D79247350A09F73EBC079C775A7CE7FFDA0752E19CE0006755BB1A20CD6AA6866C2440A7DCF45A0C775C8CAAA8445044D1FF70000000000006F05D12A32A26608274745FA2941D1D17E8A500000E0

-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/9289#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
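The arithmetic in the ticket (a 4-byte load at byte offset 349 of a 350-byte payload reaches 3 bytes past the end, which only faults when those bytes fall on an unmapped page) can be reproduced and the two usual mitigations compared without a debugger. The following C is an added illustration written for this page, not FFmpeg's GetBitContext or any code from the reporter; the BitReader struct, the function names, the 350-byte sample packet (zeros except for a final byte of 0xE0, the last byte of the ticket's hex dump) and the 64-byte PADDING_BYTES constant are all constructed here. The constant mirrors the padding FFmpeg requires from callers through AV_INPUT_BUFFER_PADDING_SIZE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Slack the caller must guarantee after the payload for a reader that loads
 * 32 bits at a time; mirrors the contract FFmpeg documents with
 * AV_INPUT_BUFFER_PADDING_SIZE (64 bytes). Constructed for this example. */
#define PADDING_BYTES 64

/* Minimal bit reader with the fields visible in the ticket's lldb dump.
 * Constructed for this illustration; it is not FFmpeg's GetBitContext. */
typedef struct {
    const uint8_t *buffer;
    size_t size_in_bits;
    size_t index;           /* current bit position */
} BitReader;

/* Constructed 350-byte sample: zeros except the final byte 0xE0, the last
 * byte of the ticket's hex dump. Only that byte matters for the reads below. */
#define PACKET_BYTES 350
static uint8_t g_packet[PACKET_BYTES];

/* Reader positioned exactly as in the ticket: index 2792 of 2800 bits. */
static BitReader ticket_reader(void)
{
    memset(g_packet, 0, sizeof g_packet);
    g_packet[PACKET_BYTES - 1] = 0xE0;
    BitReader s = { g_packet, PACKET_BYTES * 8, 2792 };
    return s;
}

/* Bytes a 4-byte load at the current byte offset would touch beyond the end
 * of the payload (0 when the load is fully in bounds). For the ticket's
 * state this is 3, matching the "$15 = 3" computed in lldb. */
static size_t overread_bytes_for_32bit_load(const BitReader *s)
{
    size_t size_bytes = (s->size_in_bits + 7) >> 3;
    size_t load_end = (s->index >> 3) + 4;
    return load_end > size_bytes ? load_end - size_bytes : 0;
}

/* Reader in the style the ticket describes: always loads 4 bytes, so it is
 * only safe when the buffer carries PADDING_BYTES of slack after the payload. */
static uint32_t naive_get_bits(const uint8_t *buf, size_t *index, unsigned n)
{
    uint8_t tmp[4];
    memcpy(tmp, buf + (*index >> 3), 4);   /* the 4-byte access that faults at a page edge */
    uint32_t acc = (uint32_t)tmp[0] << 24 | (uint32_t)tmp[1] << 16 |
                   (uint32_t)tmp[2] << 8  | tmp[3];
    uint32_t v = (acc << (*index & 7)) >> (32 - n);
    *index += n;
    return v;
}

/* Mitigation 1: bounds-checked read of 1..25 bits, MSB first, that never
 * dereferences a byte outside the payload. Returns -1 if n bits are not left. */
static long safe_get_bits(BitReader *s, unsigned n)
{
    if (n == 0 || n > 25 || s->index + n > s->size_in_bits)
        return -1;
    size_t size_bytes = (s->size_in_bits + 7) >> 3;
    size_t byte_off = s->index >> 3;
    uint32_t acc = 0;
    for (size_t i = 0; i < 4; i++) {
        acc <<= 8;
        if (byte_off + i < size_bytes)      /* bytes past the end read as zero */
            acc |= s->buffer[byte_off + i];
    }
    uint32_t v = (acc << (s->index & 7)) >> (32 - n);
    s->index += n;
    return (long)v;
}

/* Mitigation 2: keep the fast 32-bit reader but hand it a zero-padded copy,
 * which is what the padding contract exists for. Returns the 3 bits read at
 * bit 2792, or -1 on allocation failure. */
static long padded_read_demo(void)
{
    BitReader s = ticket_reader();
    uint8_t *padded = calloc(PACKET_BYTES + PADDING_BYTES, 1);
    if (!padded)
        return -1;
    memcpy(padded, s.buffer, PACKET_BYTES);
    size_t index = s.index;
    long v = naive_get_bits(padded, &index, 3);
    free(padded);
    return v;
}

int main(void)
{
    BitReader s = ticket_reader();
    printf("4-byte load at bit %zu over-reads by %zu byte(s)\n",
           s.index, overread_bytes_for_32bit_load(&s));
    printf("safe_get_bits(3)   = %ld\n", safe_get_bits(&s, 3));
    printf("safe_get_bits(6)   = %ld (only 5 bits left)\n", safe_get_bits(&s, 6));
    printf("padded_read_demo() = %ld\n", padded_read_demo());
    return 0;
}
```

Both mitigations give the same 3-bit value for the ticket's position; the difference is who pays for safety. The bounds check costs a compare per read inside the decoder, while the padding contract pushes the cost to the caller, which is why a decoder that relies on padding crashes only when a caller hands it an unpadded buffer whose tail sits at a page boundary, exactly the intermittent behaviour the report describes.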