[FFmpeg-trac] #10743(avutil:new): heap-buffer-overflow at libavutil/imgutils.c:353:9 in image_copy_plane in FFmpeg
FFmpeg
trac at avcodec.org
Tue Dec 19 10:41:42 EET 2023
#10743: heap-buffer-overflow at libavutil/imgutils.c:353:9 in image_copy_plane in
FFmpeg
-------------------------------------+-------------------------------------
Reporter: | Type: defect
ZengYunxiang |
Status: new | Priority: important
Component: avutil | Version: git-
| master
Keywords: bugs | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
Dear developers,
We found the following heap-buffer-overflow bug on FFmpeg(version
N-113007-g8d24a28d06) when using doubleweave filter, please confirm.
The poc file(poc10ffmpeg) will be attached to this ticket.
How to reproduce:
{{{
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg
cd ffmpeg
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain
=clang-asan
make -j30
./ffmpeg_g -y -i poc10ffmpeg -filter_complex doubleweave tmp.mp4
}}}
ASAN Log:
{{{
=================================================================
==3597225==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62700006fbc0 at pc 0x557771a28efa bp 0x7feb34f8fc60 sp 0x7feb34f8f430
WRITE of size 88 at 0x62700006fbc0 thread T46
#0 0x557771a28ef9 in __asan_memcpy (/ffmpeg/ffmpeg_g+0x922ef9)
(BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x557775087e79 in image_copy_plane
/ffmpeg/libavutil/imgutils.c:353:9
#2 0x557775087e79 in av_image_copy_plane
/ffmpeg/libavutil/imgutils.c:378:5
#3 0x55777210f0d4 in weave_slice /ffmpeg/libavfilter/vf_weave.c:110:9
#4 0x557771bdd8d4 in worker_func /ffmpeg/libavfilter/pthread.c:49:15
#5 0x5577750c81a6 in run_jobs /ffmpeg/libavutil/slicethread.c:65:9
#6 0x5577750c81a6 in thread_worker
/ffmpeg/libavutil/slicethread.c:89:13
#7 0x7feb4dc1eac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId:
a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#8 0x7feb4dcb0a3f (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f)
(BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
0x62700006fbc0 is located 0 bytes to the right of 12992-byte region
[0x62700006c900,0x62700006fbc0)
allocated by thread T19 (fc0) here:
#0 0x557771a2a697 in __interceptor_posix_memalign
(/ffmpeg/ffmpeg_g+0x924697) (BuildId:
8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x557775092abe in av_malloc /ffmpeg/libavutil/mem.c:105:9
#2 0x557775048f7c in av_buffer_alloc /ffmpeg/libavutil/buffer.c:82:12
#3 0x557775048f7c in av_buffer_allocz /ffmpeg/libavutil/buffer.c:95:24
#4 0x55777504b053 in pool_alloc_buffer
/ffmpeg/libavutil/buffer.c:363:26
#5 0x55777504b053 in av_buffer_pool_get
/ffmpeg/libavutil/buffer.c:401:15
#6 0x557771bcce16 in ff_frame_pool_get
/ffmpeg/libavfilter/framepool.c:217:29
#7 0x5577721733dd in ff_default_get_video_buffer2
/ffmpeg/libavfilter/video.c:94:13
#8 0x557772172f98 in ff_get_video_buffer
/ffmpeg/libavfilter/video.c:115:15
Thread T46 created by T19 (fc0) here:
#0 0x557771a12f9c in __interceptor_pthread_create
(/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId:
8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x5577750c7e28 in avpriv_slicethread_create
/ffmpeg/libavutil/slicethread.c:151:19
Thread T19 (fc0) created by T0 here:
#0 0x557771a12f9c in __interceptor_pthread_create
(/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId:
8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x557771ac1161 in task_start /ffmpeg/fftools/ffmpeg_sched.c:403:11
#2 0x557771adfe68 in transcode /ffmpeg/fftools/ffmpeg.c:922:11
#3 0x557771adfe68 in main /ffmpeg/fftools/ffmpeg.c:1050:11
#4 0x7feb4dbb3d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId:
a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/ffmpeg/ffmpeg_g+0x922ef9) (BuildId:
8d6ccf457a75d047d11f9627d0b67208c2215c8c) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c4e80005f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e80005f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e80005f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e80005f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e80005f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4e80005f70: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c4e80005f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e80005f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e80005fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e80005fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e80005fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3597225==ABORTING
}}}
ffmpeg version:
{{{
# ./ffmpeg -version
ffmpeg version N-113007-g8d24a28d06 Copyright (c) 2000-2023 the FFmpeg
developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
--toolchain=clang-asan
libavutil 58. 34.100 / 58. 34.100
libavcodec 60. 35.100 / 60. 35.100
libavformat 60. 18.100 / 60. 18.100
libavdevice 60. 4.100 / 60. 4.100
libavfilter 9. 14.100 / 9. 14.100
libswscale 7. 6.100 / 7. 6.100
libswresample 4. 13.100 / 4. 13.100
}}}
Credit:
{{{
Discovered by Zeng Yunxiang and Li Zeyuan.
}}}
Thanks for your time!
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10743>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list