[FFmpeg-trac] #9517(avformat:new): Null pointer dereference
FFmpeg
trac at avcodec.org
Fri Nov 19 15:03:11 EET 2021
#9517: Null pointer dereference
-------------------------------------+-------------------------------------
Reporter: Yu3H0                      | Type: defect
Status: new                          | Priority: important
Component: avformat                  | Version: git-master
Keywords: Null pointer dereference   | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Summary of the bug:
During fuzzing, I found a null pointer dereference (CWE-476) in the latest
FFmpeg.
I have tested both the ffmpeg installed on Ubuntu 20.04 via apt install and a
build at commit 8c150d3d9794c29a54bbdf2f2a88066277c7197e.
How to reproduce:
{{{
fuzzer at 757e029224c5:~$ ./FFmpeg/ffmpeg_g -ss 00:00:00 -i ./poc -frames 1
-vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
ffmpeg version N-104569-g08b4716a9e Copyright (c) 2000-2021 the FFmpeg
developers
built with Ubuntu clang version
11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
configuration: --prefix=/home/fuzzer/ffmpeg_build --pkg-config-
flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build/include -fno-
omit-frame-pointer -g' --extra-cxxflags='-fno-omit-frame-pointer -g'
--extra-ldflags=-L/home/fuzzer/ffmpeg_build/lib --extra-libs='-lpthread
-lm' --bindir=/home/fuzzer/bin --enable-gpl --enable-gnutls --enable-
libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame
--enable-libopus --enable-libvpx --enable-libx264 --enable-libx265
--enable-nonfree --cc=hfuzz-clang --cxx=hfuzz-clang++ --enable-debug
libavutil 57. 8.100 / 57. 8.100
libavcodec 59. 12.100 / 59. 12.100
libavformat 59. 9.100 / 59. 9.100
libavdevice 59. 0.101 / 59. 0.101
libavfilter 8. 16.102 / 8. 16.102
libswscale 6. 1.100 / 6. 1.100
libswresample 4. 0.100 / 4. 0.100
libpostproc 56. 0.100 / 56. 0.100
[av1 @ 0x619000000a80] No sequence header available
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters
for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive),
320x240): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and
'probesize' (5000000) options
AddressSanitizer:DEADLYSIGNAL
=================================================================
==180210==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008
(pc 0x0000013c47e4 bp 0x000000000000 sp 0x7ffff17d6cc0 T0)
==180210==The signal is caused by a READ memory access.
==180210==Hint: address points to the zero page.
#0 0x13c47e4 in mov_seek_fragment
/home/fuzzer/FFmpeg/libavformat/mov.c:8384:38
#1 0x13c47e4 in mov_seek_stream
/home/fuzzer/FFmpeg/libavformat/mov.c:8403:11
#2 0x138ca8e in mov_read_seek
/home/fuzzer/FFmpeg/libavformat/mov.c:8477:14
#3 0x1605453 in seek_frame_internal
/home/fuzzer/FFmpeg/libavformat/seek.c:616:15
#4 0x1605453 in av_seek_frame
/home/fuzzer/FFmpeg/libavformat/seek.c:648:11
#5 0x1608c53 in avformat_seek_file
/home/fuzzer/FFmpeg/libavformat/seek.c:700:19
#6 0x4d5cf6 in open_input_file
/home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:1291:15
#7 0x4ccfbb in open_files
/home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3466:15
#8 0x4cc8d0 in ffmpeg_parse_options
/home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3506:11
#9 0x524fd9 in main /home/fuzzer/FFmpeg/fftools/ffmpeg.c:4950:11
#10 0x7fc1df1120b2 in __libc_start_main /build/glibc-
eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x4226ad in _start (/home/fuzzer/FFmpeg/ffmpeg_g+0x4226ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/fuzzer/FFmpeg/libavformat/mov.c:8384:38 in mov_seek_fragment
==180210==ABORTING
}}}
gdb result:
{{{
(gdb) set args -ss 00:00:00 -i ./poc -frames 1 -vf
"select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
(gdb) r
Starting program: /home/fuzzer/TestFF/ffmpeg_g -ss 00:00:00 -i ./poc
-frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-104591-g8c150d3d97 Copyright (c) 2000-2021 the FFmpeg
developers
built with Ubuntu clang version
11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
configuration: --prefix=/home/fuzzer/ffmpeg_build_new --pkg-config-
flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build_new/include
-fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-
omit-frame-pointer -g -fsanitize=address' --extra-
ldflags='-L/home/fuzzer/ffmpeg_build_new/lib -fsanitize=address' --extra-
libs='-lpthread -lm' --bindir=/home/fuzzer/bin_new --enable-gpl --enable-
gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-
libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-
libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
libavutil 57. 9.100 / 57. 9.100
libavcodec 59. 13.100 / 59. 13.100
libavformat 59. 9.101 / 59. 9.101
libavdevice 59. 0.101 / 59. 0.101
libavfilter 8. 17.100 / 8. 17.100
libswscale 6. 1.100 / 6. 1.100
libswresample 4. 0.100 / 4. 0.100
libpostproc 56. 0.100 / 56. 0.100
[av1 @ 0x619000000a80] No sequence header available
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters
for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive),
320x240): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and
'probesize' (5000000) options
Program received signal SIGSEGV, Segmentation fault.
0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080, st=<optimized
out>, timestamp=0) at libavformat/mov.c:8384
8384 if (!mov->frag_index.item[index].headers_read)
(gdb) bt
#0 0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080,
st=<optimized out>, timestamp=0) at libavformat/mov.c:8384
#1 mov_seek_stream (s=0x617000000080, st=<optimized out>,
st at entry=0x618000000080, timestamp=timestamp at entry=0, flags=flags at entry=1)
at libavformat/mov.c:8403
#2 0x0000000000fa41dd in mov_read_seek (s=0x617000000080,
stream_index=<optimized out>, sample_time=<optimized out>,
flags=<optimized out>) at libavformat/mov.c:8477
#3 0x000000000115c62a in seek_frame_internal (s=0x617000000080,
stream_index=0, timestamp=0, flags=1) at libavformat/seek.c:616
#4 av_seek_frame (s=0x617000000080, stream_index=<optimized out>,
timestamp=<optimized out>, flags=1) at libavformat/seek.c:648
#5 0x000000000115d415 in avformat_seek_file (s=<optimized out>,
stream_index=-1, min_ts=-9223372036854775808, ts=0, max_ts=0,
flags=<optimized out>) at libavformat/seek.c:700
#6 0x00000000004cd3c1 in open_input_file (o=<optimized out>,
filename=<optimized out>) at fftools/ffmpeg_opt.c:1292
#7 0x00000000004cbb24 in open_files (l=<optimized out>, inout=<optimized
out>, open_file=<optimized out>) at fftools/ffmpeg_opt.c:3467
#8 0x00000000004cb556 in ffmpeg_parse_options (argc=<optimized out>,
argv=0x7fffffffe538) at fftools/ffmpeg_opt.c:3507
#9 0x000000000050b799 in main (argc=11, argv=0x7fffffffe538) at
fftools/ffmpeg.c:4955
}}}
Thank you
Yu3H0
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9517>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
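The ASan and gdb output above already pins down the crash class before anyone opens mov.c: a SEGV caused by a READ of address 0x8 that "points to the zero page" is the signature of a NULL struct pointer dereferenced at a small member offset, which matches the `mov->frag_index.item[index].headers_read` access on the faulting line. The script below is an added example of that triage step, not part of the ticket or of FFmpeg. It parses a constructed copy of the ticket's ASan report (with the e-mail line wrapping undone and the deeper frames dropped) plus a second, hypothetical report for a fault at a high address, and labels only the zero-page case as a likely CWE-476 null dereference.

```python
import re

# Constructed sample: the AddressSanitizer report from the ticket above with the
# e-mail line wrapping undone (each frame on one line) and the deeper frames cut.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==180210==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000013c47e4 bp 0x000000000000 sp 0x7ffff17d6cc0 T0)
==180210==The signal is caused by a READ memory access.
==180210==Hint: address points to the zero page.
    #0 0x13c47e4 in mov_seek_fragment /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38
    #1 0x13c47e4 in mov_seek_stream /home/fuzzer/FFmpeg/libavformat/mov.c:8403:11
    #2 0x138ca8e in mov_read_seek /home/fuzzer/FFmpeg/libavformat/mov.c:8477:14
    #3 0x1605453 in seek_frame_internal /home/fuzzer/FFmpeg/libavformat/seek.c:616:15
SUMMARY: AddressSanitizer: SEGV /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38 in mov_seek_fragment
==180210==ABORTING
"""

# Second constructed sample (hypothetical, not from the ticket): a SEGV on a
# high, mapped-looking address, which must not be classified as a NULL deref.
SAMPLE_WILD_SEGV = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3a1c0f2000 (pc 0x000000401234 bp 0x7ffd00000000 sp 0x7ffd00000000 T0)
==4242==The signal is caused by a WRITE memory access.
    #0 0x401234 in some_writer /tmp/example.c:10:5
"""

# The ERROR line names the bug kind (SEGV, heap-buffer-overflow, ...) and address.
ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# Symbolized frame: "#N 0xADDR in func /path/file.c:LINE[:COL]".
FRAME_RE = re.compile(
    r"^\s*#(?P<no>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)(?::(?P<col>\d+))?"
)

# The first page is unmapped on every mainstream platform, so a fault inside it
# almost always means a NULL pointer plus a small member or element offset.
ZERO_PAGE_LIMIT = 0x1000


def parse_frames(text):
    """Collect the symbolized stack frames of an ASan report, top frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "no": int(m.group("no")), "func": m.group("func"),
                "file": m.group("file"), "line": int(m.group("line")),
            })
    return frames


def triage_asan(text):
    """Return a triage dict for one ASan report, or None if no ERROR line is found."""
    err = None
    for line in text.splitlines():
        err = ERROR_RE.match(line)
        if err:
            break
    if not err:
        return None
    addr = int(err.group("addr"), 16)
    access = ACCESS_RE.search(text)
    frames = parse_frames(text)
    null_deref = err.group("kind") == "SEGV" and addr < ZERO_PAGE_LIMIT
    return {
        "kind": err.group("kind"),
        "address": addr,
        "access": access.group("access") if access else None,
        "top_frame": frames[0] if frames else None,
        "frames": frames,
        # CWE-476 is the classification the reporter gave this crash.
        "likely_null_deref": null_deref,
        "cwe": "CWE-476" if null_deref else None,
        # For a NULL-based fault the address is the offset of the member that was read.
        "field_offset": addr if null_deref else None,
    }


if __name__ == "__main__":
    for name, sample in (("ticket", SAMPLE_REPORT), ("hypothetical", SAMPLE_WILD_SEGV)):
        t = triage_asan(sample)
        tf = t["top_frame"]
        print(f"{name}: {t['kind']} {t['access']} at 0x{t['address']:x} in {tf['func']} "
              f"({tf['file']}:{tf['line']}) null_deref={t['likely_null_deref']}")
```

The zero-page heuristic is deliberately coarse: it says nothing about whether the dereference is exploitable beyond a denial of service, only that the top frame dereferenced a pointer that was never set, which is the first thing a fuzzing triage queue needs to know before deduplicating by the top in-project frame.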