[FFmpeg-trac] #9517(avformat:new): Null pointer dereference

FFmpeg trac at avcodec.org
Fri Nov 19 15:03:11 EET 2021


#9517: Null pointer dereference
-------------------------------------+-------------------------------------
             Reporter:  Yu3H0        |                     Type:  defect
               Status:  new          |                 Priority:  important
            Component:  avformat     |                  Version:  git-master
             Keywords:  Null pointer |               Blocked By:
                        dereference  |  Reproduced by developer:  0
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 During fuzzing, I found a null pointer dereference (CWE-476) in the latest
 FFmpeg.
 I tested both the ffmpeg installed on Ubuntu 20.04 via apt and a build of
 commit 8c150d3d9794c29a54bbdf2f2a88066277c7197e.
 How to reproduce:
 {{{
 fuzzer at 757e029224c5:~$ ./FFmpeg/ffmpeg_g -ss 00:00:00 -i ./poc -frames 1
 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
 ffmpeg version N-104569-g08b4716a9e Copyright (c) 2000-2021 the FFmpeg
 developers
   built with Ubuntu clang version
 11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
   configuration: --prefix=/home/fuzzer/ffmpeg_build --pkg-config-
 flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build/include -fno-
 omit-frame-pointer -g' --extra-cxxflags='-fno-omit-frame-pointer -g'
 --extra-ldflags=-L/home/fuzzer/ffmpeg_build/lib --extra-libs='-lpthread
 -lm' --bindir=/home/fuzzer/bin --enable-gpl --enable-gnutls --enable-
 libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame
 --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265
 --enable-nonfree --cc=hfuzz-clang --cxx=hfuzz-clang++ --enable-debug
   libavutil      57.  8.100 / 57.  8.100
   libavcodec     59. 12.100 / 59. 12.100
   libavformat    59.  9.100 / 59.  9.100
   libavdevice    59.  0.101 / 59.  0.101
   libavfilter     8. 16.102 /  8. 16.102
   libswscale      6.  1.100 /  6.  1.100
   libswresample   4.  0.100 /  4.  0.100
   libpostproc    56.  0.100 / 56.  0.100
 [av1 @ 0x619000000a80] No sequence header available
 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters
 for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive),
 320x240): unspecified pixel format
 Consider increasing the value for the 'analyzeduration' (0) and
 'probesize' (5000000) options
 AddressSanitizer:DEADLYSIGNAL
 =================================================================
 ==180210==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008
 (pc 0x0000013c47e4 bp 0x000000000000 sp 0x7ffff17d6cc0 T0)
 ==180210==The signal is caused by a READ memory access.
 ==180210==Hint: address points to the zero page.
     #0 0x13c47e4 in mov_seek_fragment
 /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38
     #1 0x13c47e4 in mov_seek_stream
 /home/fuzzer/FFmpeg/libavformat/mov.c:8403:11
     #2 0x138ca8e in mov_read_seek
 /home/fuzzer/FFmpeg/libavformat/mov.c:8477:14
     #3 0x1605453 in seek_frame_internal
 /home/fuzzer/FFmpeg/libavformat/seek.c:616:15
     #4 0x1605453 in av_seek_frame
 /home/fuzzer/FFmpeg/libavformat/seek.c:648:11
     #5 0x1608c53 in avformat_seek_file
 /home/fuzzer/FFmpeg/libavformat/seek.c:700:19
     #6 0x4d5cf6 in open_input_file
 /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:1291:15
     #7 0x4ccfbb in open_files
 /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3466:15
     #8 0x4cc8d0 in ffmpeg_parse_options
 /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3506:11
     #9 0x524fd9 in main /home/fuzzer/FFmpeg/fftools/ffmpeg.c:4950:11
     #10 0x7fc1df1120b2 in __libc_start_main /build/glibc-
 eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
     #11 0x4226ad in _start (/home/fuzzer/FFmpeg/ffmpeg_g+0x4226ad)

 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV
 /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38 in mov_seek_fragment
 ==180210==ABORTING
 }}}
 gdb result
 {{{
 (gdb) set args -ss 00:00:00 -i ./poc -frames 1 -vf
 "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
 (gdb) r
 Starting program: /home/fuzzer/TestFF/ffmpeg_g -ss 00:00:00 -i ./poc
 -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 ffmpeg version N-104591-g8c150d3d97 Copyright (c) 2000-2021 the FFmpeg
 developers
   built with Ubuntu clang version
 11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
   configuration: --prefix=/home/fuzzer/ffmpeg_build_new --pkg-config-
 flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build_new/include
 -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-
 omit-frame-pointer -g -fsanitize=address' --extra-
 ldflags='-L/home/fuzzer/ffmpeg_build_new/lib -fsanitize=address' --extra-
 libs='-lpthread -lm' --bindir=/home/fuzzer/bin_new --enable-gpl --enable-
 gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-
 libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-
 libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
   libavutil      57.  9.100 / 57.  9.100
   libavcodec     59. 13.100 / 59. 13.100
   libavformat    59.  9.101 / 59.  9.101
   libavdevice    59.  0.101 / 59.  0.101
   libavfilter     8. 17.100 /  8. 17.100
   libswscale      6.  1.100 /  6.  1.100
   libswresample   4.  0.100 /  4.  0.100
   libpostproc    56.  0.100 / 56.  0.100
 [av1 @ 0x619000000a80] No sequence header available
 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters
 for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive),
 320x240): unspecified pixel format
 Consider increasing the value for the 'analyzeduration' (0) and
 'probesize' (5000000) options

 Program received signal SIGSEGV, Segmentation fault.
 0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080, st=<optimized
 out>, timestamp=0) at libavformat/mov.c:8384
 8384        if (!mov->frag_index.item[index].headers_read)
 (gdb) bt
 #0  0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080,
 st=<optimized out>, timestamp=0) at libavformat/mov.c:8384
 #1  mov_seek_stream (s=0x617000000080, st=<optimized out>,
 st at entry=0x618000000080, timestamp=timestamp at entry=0, flags=flags at entry=1)
 at libavformat/mov.c:8403
 #2  0x0000000000fa41dd in mov_read_seek (s=0x617000000080,
 stream_index=<optimized out>, sample_time=<optimized out>,
 flags=<optimized out>) at libavformat/mov.c:8477
 #3  0x000000000115c62a in seek_frame_internal (s=0x617000000080,
 stream_index=0, timestamp=0, flags=1) at libavformat/seek.c:616
 #4  av_seek_frame (s=0x617000000080, stream_index=<optimized out>,
 timestamp=<optimized out>, flags=1) at libavformat/seek.c:648
 #5  0x000000000115d415 in avformat_seek_file (s=<optimized out>,
 stream_index=-1, min_ts=-9223372036854775808, ts=0, max_ts=0,
 flags=<optimized out>) at libavformat/seek.c:700
 #6  0x00000000004cd3c1 in open_input_file (o=<optimized out>,
 filename=<optimized out>) at fftools/ffmpeg_opt.c:1292
 #7  0x00000000004cbb24 in open_files (l=<optimized out>, inout=<optimized
 out>, open_file=<optimized out>) at fftools/ffmpeg_opt.c:3467
 #8  0x00000000004cb556 in ffmpeg_parse_options (argc=<optimized out>,
 argv=0x7fffffffe538) at fftools/ffmpeg_opt.c:3507
 #9  0x000000000050b799 in main (argc=11, argv=0x7fffffffe538) at
 fftools/ffmpeg.c:4955
 }}}
 Thank you

 Yu3H0
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/9517>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
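Editor's note on reading the report above (this note and the code below are added to the archived ticket; they are neither the reporter's words nor FFmpeg's code). ASan reports a READ of address 0x8 with the hint "address points to the zero page", and the faulting statement is `if (!mov->frag_index.item[index].headers_read)`. That combination is consistent with a NULL array pointer (`item`) indexed at 0, with `headers_read` sitting a few bytes into the element: a fragment index that has no entries yet is being consulted by the seek path. The C below models that shape with a hypothetical struct layout and a hypothetical lookup that returns -1 for "not found"; the field names `item`, `nb_items` and `headers_read` are borrowed from the faulting line, everything else (offsets, `moof_offset`, `timestamp`, the sample data, and the fallback return value) is an assumption for illustration. It shows the unguarded indexing pattern beside a guarded form that refuses to index an empty table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Modeled fragment index (hypothetical layout, NOT FFmpeg's MOVContext).
 * The one property that matters for the ticket is that `headers_read`
 * sits 8 bytes into the element, so reading it through a NULL `item`
 * pointer touches address 0x8, the address in the ASan report above.
 */
typedef struct FragItem {
    int64_t moof_offset;   /* assumed 8-byte field, pushes headers_read to offset 8 */
    int     headers_read;  /* offset 8 */
    int64_t timestamp;     /* assumed: first timestamp covered by this fragment */
} FragItem;

typedef struct FragIndex {
    int       nb_items;    /* 0 until a fragment has been indexed */
    FragItem *item;        /* NULL while nb_items == 0 */
} FragIndex;

size_t headers_read_offset(void)
{
    return offsetof(FragItem, headers_read);
}

/* Hypothetical lookup: last fragment whose timestamp <= ts, else -1. */
static int search_frag_timestamp(const FragIndex *fi, int64_t ts)
{
    int i, found = -1;
    for (i = 0; i < fi->nb_items; i++) {
        if (fi->item[i].timestamp > ts)
            break;
        found = i;
    }
    return found;
}

/*
 * Unguarded form of the pattern on the faulting line: "not found" (-1) is
 * clamped to 0 and used as an index even when the table is empty, so with
 * nb_items == 0 and item == NULL this reads *(int *)((char *)NULL + 8).
 * Only call it with a populated index.
 */
int seek_fragment_unguarded(const FragIndex *fi, int64_t ts, int *needs_switch)
{
    int index = search_frag_timestamp(fi, ts);
    if (index < 0)
        index = 0;
    *needs_switch = !fi->item[index].headers_read;   /* CWE-476 when item == NULL */
    return index;
}

/*
 * Guarded form: refuse to index an empty table and report a distinct
 * "nothing to seek in" result (-1, an assumed convention) so the caller can
 * fall back to another seek path instead of faulting.
 */
int seek_fragment_guarded(const FragIndex *fi, int64_t ts, int *needs_switch)
{
    int index;
    *needs_switch = 0;
    if (fi->nb_items <= 0 || fi->item == NULL)
        return -1;
    index = search_frag_timestamp(fi, ts);
    if (index < 0)
        index = 0;
    *needs_switch = !fi->item[index].headers_read;
    return index;
}

/* Constructed sample data: an empty index (the ticket's situation) and a
 * three-fragment index whose first fragment already has its headers read. */
static FragItem sample_items[3] = {
    { 0,    1, 0    },
    { 4096, 0, 1000 },
    { 8192, 0, 2000 },
};
static FragIndex empty_index  = { 0, NULL };
static FragIndex sample_index = { 3, sample_items };

const FragIndex *get_empty_index(void)  { return &empty_index; }
const FragIndex *get_sample_index(void) { return &sample_index; }

/* Single-value wrappers, convenient for checking index and flag separately. */
int guarded_index(const FragIndex *fi, int64_t ts)  { int sw; return seek_fragment_guarded(fi, ts, &sw); }
int guarded_switch(const FragIndex *fi, int64_t ts) { int sw; seek_fragment_guarded(fi, ts, &sw); return sw; }

int main(void)
{
    int sw, idx;
    /* Empty index: the guarded version declines instead of dereferencing NULL. */
    printf("empty index -> %d\n", seek_fragment_guarded(get_empty_index(), 0, &sw));
    /* Populated index: both forms agree. */
    idx = seek_fragment_unguarded(get_sample_index(), 1500, &sw);
    printf("ts 1500 -> index %d, needs_switch %d\n", idx, sw);
    return 0;
}
```

The guard is deliberately placed before the lookup rather than after it: once "not found" has been folded into index 0, the information that the table was empty is gone, so the check has to happen while `nb_items` is still the thing being tested.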

