[FFmpeg-trac] #11065(ffmpeg:new): global-buffer-overflow in ffmpeg_DEMUXER_fuzzer

FFmpeg trac at avcodec.org
Thu Jun 20 13:53:51 EEST 2024


#11065: global-buffer-overflow in ffmpeg_DEMUXER_fuzzer
-------------------------------------+-------------------------------------
             Reporter:  Giacomo Priamo  |                     Type:  defect
               Status:  new             |                 Priority:  normal
            Component:  ffmpeg          |                  Version:  git-master
             Keywords:                  |               Blocked By:
             Blocking:                  |  Reproduced by developer:  0
Analyzed by developer:  0               |
-------------------------------------+-------------------------------------
 **Describe the bug**

 AddressSanitizer: global-buffer-overflow in ffmpeg_DEMUXER_fuzzer
 (`ipcm_decoder_configdecNumberCopy`).

 **To Reproduce**

 I cloned the latest version of ffmpeg, compiled it using the build script
 from oss-fuzz, and fuzzed the ffmpeg_DEMUXER_fuzzer harness.

 **ASAN Output**

 {{{
 ./ffmpeg_DEMUXER_fuzzer testcase


 ==2936342==ERROR: AddressSanitizer: global-buffer-overflow on address
 0x0000012273d8 at pc 0x000000761cdd bp 0x7ffdce7b2da0 sp 0x7ffdce7b2d98
 READ of size 4 at 0x0000012273d8 thread T0
     #0 0x761cdc in ipcm_decoder_config
 ffmpeg/libavformat/iamf_parse.c:152:30
     #1 0x75ec93 in codec_config_obu ffmpeg/libavformat/iamf_parse.c:241:15
     #2 0x75e61b in ff_iamfdec_read_descriptors
 ffmpeg/libavformat/iamf_parse.c:1079:19
     #3 0x5caefe in iamf_read_header ffmpeg/libavformat/iamfdec.c:78:11
     #4 0x4f8b24 in avformat_open_input ffmpeg/libavformat/demux.c:305:20
     #5 0x4f157c in LLVMFuzzerTestOneInput
 ffmpeg/tools/target_dem_fuzzer.c:202:11
     #6 0x115bf4d in ExecuteFilesOnyByOne
 utils/aflpp_driver/aflpp_driver.c:255:7
     #7 0x115bd58 in LLVMFuzzerRunDriver utils/aflpp_driver/aflpp_driver.c
     #8 0x115b918 in main utils/aflpp_driver/aflpp_driver.c:300:10
     #9 0x7f6a68203082 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x24082)
     #10 0x43f49d in _start (target+0x43f49d)

 0x0000012273d8 is located 8 bytes to the left of global variable
 'sample_fmt' defined in 'libavformat/iamf_parse.c:143:33' (0x12273e0) of
 size 24
 0x0000012273d8 is located 31 bytes to the right of global variable
 '<string literal>' defined in 'libavformat/iamf_parse.c:253:34'
 (0x1227380) of size 57
   '<string literal>' is ascii string 'Underread in codec_config_obu. %d
 bytes left at the end
 '
 SUMMARY: AddressSanitizer: global-buffer-overflow
 ffmpeg/libavformat/iamf_parse.c:152:30 in ipcm_decoder_config
 Shadow bytes around the buggy address:
   0x00008023ce20: f9 f9 f9 f9 00 00 00 00 00 00 00 02 f9 f9 f9 f9
   0x00008023ce30: 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
   0x00008023ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x00008023ce50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x00008023ce60: 00 00 00 03 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
 =>0x00008023ce70: 00 00 00 00 00 00 00 01 f9 f9 f9[f9]00 00 00 f9
   0x00008023ce80: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
   0x00008023ce90: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 03
   0x00008023cea0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 07 f9 f9 f9
   0x00008023ceb0: f9 f9 f9 f9 00 00 00 00 00 00 00 02 f9 f9 f9 f9
   0x00008023cec0: 00 00 00 06 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
   Shadow gap:              cc
 ==2936342==ABORTING
 }}}


 **Environment info**

 `uname -a` output: Linux ThinkPad 5.15.0-107-generic #117~20.04.1-Ubuntu
 SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 Clang version: 12.0.1


 **Testcase**
 See attached testcase file
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11065>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker