[FFmpeg-trac] #11389(avformat:new): heap-buffer-overflow at libavformat/dump.c:792:34 on ffmpeg
FFmpeg
trac at avcodec.org
Tue Dec 31 09:12:14 EET 2024
#11389: heap-buffer-overflow at libavformat/dump.c:792:34 on ffmpeg
----------------------------------+--------------------------------------
Reporter: 0x20z | Type: defect
Status: new | Priority: important
Component: avformat | Version: git-master
Keywords: bugs | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
----------------------------------+--------------------------------------
Summary of the bug:
Dear developers,
I discovered a heap overflow vulnerability while using format conversion.
The POC file is attached to the session, and the version of ffmpeg is
N-118197-gbb85423142, master branch. Please confirm.
How to reproduce:
{{{
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan \
    --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" \
    --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" \
    --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" \
    --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
}}}
ASAN log:
{{{
=================================================================
==1366945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000001db8 at pc 0x5c82931d7ca9 bp 0x7ffc11d48a90 sp 0x7ffc11d48a88
READ of size 8 at 0x613000001db8 thread T0
    #0 0x5c82931d7ca8 (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82927865a3 (FFmpeg/ffmpeg+0x99f5a3) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #2 0x5c82927c8e0b (FFmpeg/ffmpeg+0x9e1e0b) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #3 0x5c82927f60ef (FFmpeg/ffmpeg+0xa0f0ef) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #4 0x7ee34e629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7ee34e629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5c82926b7ce4 (FFmpeg/ffmpeg+0x8d0ce4) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)

0x613000001db8 is located 0 bytes to the right of 376-byte region [0x613000001c40,0x613000001db8)
allocated by thread T0 here:
    #0 0x5c829273af56 in realloc (FFmpeg/ffmpeg+0x953f56) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82934420cd (FFmpeg/ffmpeg+0x165b0cd) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #2 0x5c82931b05e8 (FFmpeg/ffmpeg+0x13c95e8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #3 0x5c8292783233 (FFmpeg/ffmpeg+0x99c233) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #4 0x5c82927c8e0b (FFmpeg/ffmpeg+0x9e1e0b) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #5 0x5c82927f60ef (FFmpeg/ffmpeg+0xa0f0ef) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #6 0x7ee34e629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
Shadow bytes around the buggy address:
0x0c267fff8360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fff8370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c267fff8380: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c267fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff83b0: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
0x0c267fff83c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fff83e0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff83f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c267fff8400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1366945==ABORTING
}}}
ffmpeg version:
{{{
# ./ffmpeg -version
ffmpeg version N-118197-gbb85423142 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan --enable-cross-compile
libavutil 59. 53.100 / 59. 53.100
libavcodec 61. 28.100 / 61. 28.100
libavformat 61. 9.102 / 61. 9.102
libavdevice 61. 4.100 / 61. 4.100
libavfilter 10. 6.101 / 10. 6.101
libswscale 8. 13.100 / 8. 13.100
libswresample 5. 4.100 / 5. 4.100
}}}
Found by:
{{{
Found by 0x20z
}}}
Thank you for your time and attention
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11389>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
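As an added triage aid (not part of the ticket or of FFmpeg), the Python script below parses the unsymbolized ASan report above, cross-checks its numbers, and derives what a reviewer would want to know first: the 8-byte read begins exactly at the end of the 376-byte region, i.e. element 47 of a 47-element array if the buffer holds 8-byte elements (an assumption; the report does not state the element type). It also builds the `llvm-symbolizer` command that resolves a `(module+offset)` frame from a PIE built with `-g`, so the `dump.c:792` location can be recovered offline.

```python
import re

# Constructed excerpt of the ASan report quoted in this ticket, line-wrapped as the archive shows it.
ASAN_REPORT = """\
==1366945==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x613000001db8 at pc 0x5c82931d7ca9 bp 0x7ffc11d48a90 sp 0x7ffc11d48a88
READ of size 8 at 0x613000001db8 thread T0
    #0 0x5c82931d7ca8 (FFmpeg/ffmpeg+0x13f0ca8) (BuildId:
d9813d42ed110d0d0780865381db8c33a24a231c)
0x613000001db8 is located 0 bytes to the right of 376-byte region
[0x613000001c40,0x613000001db8)
allocated by thread T0 here:
    #0 0x5c829273af56 in realloc (FFmpeg/ffmpeg+0x953f56) (BuildId:
d9813d42ed110d0d0780865381db8c33a24a231c)
"""

def triage_asan(report):
    """Extract the facts a triager needs from a heap-buffer-overflow report."""
    text = " ".join(report.split())  # undo the mail client's line wrapping
    kind = re.search(r"AddressSanitizer: (\S+) on address", text).group(1)
    acc = re.search(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text)
    reg = re.search(r"located (\d+) bytes to the (left|right) of (\d+)-byte "
                    r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    op, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    region_size = int(reg.group(3))
    start, end = int(reg.group(4), 16), int(reg.group(5), 16)
    assert end - start == region_size  # sanity-check the report against itself
    # The faulting stack precedes "is located"; unsymbolized frames look like (module+offset).
    fault_part = text.split(" is located")[0]
    module, offset = re.findall(r"\(([^()+]+)\+(0x[0-9a-f]+)\)", fault_part)[0]
    info = {
        "kind": kind, "op": op, "size": size, "region_size": region_size,
        "distance_past_end": addr - end,       # 0: the read starts right at the end
        "bytes_past_end": addr + size - end,   # 8: every byte read is out of bounds
        # Assumption: the buffer is an array of elements as wide as the access
        # (8 bytes, e.g. pointers); the report does not state the element type.
        "element_count": region_size // size,
        "element_index": (addr - start) // size,
        # For a PIE built with -g, module+offset is a file address and can be
        # resolved offline without re-running the crash.
        "symbolize_cmd": "llvm-symbolizer --obj=%s %s" % (module, offset),
    }
    info["off_by_one"] = info["element_index"] == info["element_count"]
    return info

if __name__ == "__main__":
    for k, v in triage_asan(ASAN_REPORT).items():
        print("%-18s %s" % (k, v))
```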