[FFmpeg-trac] #11407(undetermined:new): heap-buffer-overflow vulnerability found in function mov_read_trun at /ffmpeg/libavformat/mov.c:5944
FFmpeg
trac at avcodec.org
Thu Jan 9 04:54:06 EET 2025
#11407: heap-buffer-overflow vulnerability found in function mov_read_trun at /ffmpeg/libavformat/mov.c:5944
-------------------------------------+-------------------------------------
             Reporter:  SuTong       |                    Type:  defect
               Status:  new          |                Priority:  important
            Component:  undetermined |                 Version:  git-master
             Keywords:               |              Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Summary of the bug: heap-buffer-overflow vulnerability in the latest
version of ffmpeg
How to reproduce:
{{{
% ffmpeg -y -i ./poc -c:v mpeg4 -c:a copy -f mp4 /dev/null
>> built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
>> configuration: --cc=gcc --cxx=g++ --extra-cflags=-g --extra-cxxflags=-g --disable-x86asm
}}}
gdb information:
{{{
# gdb --args ./ffmpeg_g -y -i ./id\:000000\,sig\:06\,src\:000027\,time\:8201187\,execs\:182576\,op\:havoc\,rep\:2 -c:v mpeg4 -c:a copy -f mp4 /dev/null
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg_g...
(gdb) r
Starting program: /fuzz/oss-ffmpeg/ffmpeg-gdb/ffmpeg/ffmpeg_g -y -i ./id:000000,sig:06,src:000027,time:8201187,execs:182576,op:havoc,rep:2 -c:v mpeg4 -c:a copy -f mp4 /dev/null
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-118236-g07e54f9b5c Copyright (c) 2000-2025 the FFmpeg developers
built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
configuration: --cc=gcc --cxx=g++ --extra-cflags=-g --extra-cxxflags=-g --disable-x86asm
libavutil 59. 54.101 / 59. 54.101
libavcodec 61. 29.100 / 61. 29.100
libavformat 61. 9.104 / 61. 9.104
libavdevice 61. 4.100 / 61. 4.100
libavfilter 10. 6.101 / 10. 6.101
libswscale 8. 13.100 / 8. 13.100
libswresample 5. 4.100 / 5. 4.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x562b2c87c980] Broken file, trak/mdat not at top-level
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x562b2c87c980] overread end of atom 'stsd' by 19133 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x562b2c87c980] Duplicated STTS atom

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
440     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x0000562b12d964e9 in memmove (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
#2  mov_read_trun (c=c@entry=0x562b2c87d640, pb=pb@entry=0x562b2c8856c0, atom=...) at libavformat/mov.c:5944
#3  0x0000562b12d8d71c in mov_read_default (c=c@entry=0x562b2c87d640, pb=pb@entry=0x562b2c8856c0, atom=...) at libavformat/mov.c:9488
#4  0x0000562b12d8d71c in mov_read_default (c=0x562b2c87d640, pb=0x562b2c8856c0, atom=...) at libavformat/mov.c:9488
#5  0x0000562b12d8d71c in mov_read_default (c=c@entry=0x562b2c87d640, pb=pb@entry=0x562b2c8856c0, atom=...) at libavformat/mov.c:9488
#6  0x0000562b12da2afe in mov_read_header (s=0x562b2c87c980) at libavformat/mov.c:10519
#7  0x0000562b12d23fa9 in avformat_open_input (ps=ps@entry=0x7ffcd75c6bc0, filename=filename@entry=0x7ffcd75c83ef "/out/0103-paflpp-ffmpeg_DEMUXER_fuzzer-pcguard/clien1/crashes/id:000000,sig:06,src:000027,time:8201187,execs:182576,op:havoc,rep:2", fmt=fmt@entry=0x0, options=0x562b2c87c558) at libavformat/demux.h:140
#8  0x0000562b12a60afb in ifile_open (o=o@entry=0x7ffcd75c6f60, filename=<optimized out>, sch=sch@entry=0x562b2c87c040) at fftools/ffmpeg_demux.c:1727
#9  0x0000562b12a77ebd in open_files (inout=inout@entry=0x562b138902a1 "input", sch=sch@entry=0x562b2c87c040, open_file=0x562b12a60410 <ifile_open>, l=<optimized out>, l=<optimized out>) at fftools/ffmpeg_opt.c:1363
#10 0x0000562b12a79ea6 in ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>, sch=0x562b2c87c040) at fftools/ffmpeg_opt.c:1412
#11 0x0000562b12a593e8 in main (argc=11, argv=0x7ffcd75c7c38) at fftools/ffmpeg.c:974
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11407>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
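The ticket above classifies the crash as a heap-buffer-overflow, while the gdb output itself shows only a SIGSEGV inside memmove called from mov_read_trun (mov.c:5944) after the demuxer had already logged an overread 'stsd' atom and a duplicated STTS atom. The report contains no root-cause analysis, and a plain -g build cannot say which allocation was overrun or by how much, so an AddressSanitizer build (for example -fsanitize=address in the extra cflags) is the usual next triage step before the title's classification can be confirmed. The C program below is an added example and is not FFmpeg's code: it uses a constructed, simplified 'trun'-style layout (toy_sample, toy_track, toy_read_trun_vuln, toy_read_trun_safe, demo_parse and the two sample atoms are all hypothetical) to show the general bug class that a memmove crash inside an atom parser points at, namely a sample count read from the file driving a memmove and a fill loop over a heap array without first being checked against the atom's length and the array's allocation, next to the checks that close it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not FFmpeg code. Toy "trun"-style payload (constructed):
 * u32 big-endian sample_count, then sample_count x (u32 duration, u32 size).
 * A simplification of the idea, not the real ISO BMFF trun layout. */
#define TOY_ENTRY_BYTES 8

typedef struct { uint32_t duration, size; } toy_sample;
typedef struct {
    toy_sample *entries;  /* heap array of samples already known for the track */
    size_t nb_entries;    /* entries in use */
    size_t capacity;      /* entries allocated */
} toy_track;
typedef int (*toy_reader)(toy_track *, size_t, const uint8_t *, size_t);

static uint32_t rd32be(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Open a gap of `count` entries at `pos` with memmove and fill it from the
 * payload. Correct only if the caller verified capacity and payload length. */
static void toy_insert_entries(toy_track *t, size_t pos, const uint8_t *payload, uint32_t count)
{
    memmove(t->entries + pos + count, t->entries + pos,
            (t->nb_entries - pos) * sizeof(*t->entries));
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = payload + (size_t)i * TOY_ENTRY_BYTES;
        t->entries[pos + i].duration = rd32be(e);
        t->entries[pos + i].size     = rd32be(e + 4);
    }
    t->nb_entries += count;
}

/* Vulnerable pattern: sample_count comes from the file and is never checked, so
 * the memmove and entry writes run past the heap block and the entry reads run
 * past the atom. Kept for contrast only; never call it on untrusted input. */
static int toy_read_trun_vuln(toy_track *t, size_t pos, const uint8_t *buf, size_t len)
{
    if (len < 4 || pos > t->nb_entries)
        return -1;
    toy_insert_entries(t, pos, buf + 4, rd32be(buf));  /* BUG: unchecked count */
    return 0;
}

/* Hardened: the count must be backed by bytes present in the atom, and the
 * destination must have room (grow it or fail) before any memmove happens. */
static int toy_read_trun_safe(toy_track *t, size_t pos, const uint8_t *buf, size_t len)
{
    if (len < 4 || pos > t->nb_entries)
        return -1;
    uint32_t count = rd32be(buf);
    if (count > (len - 4) / TOY_ENTRY_BYTES)                     /* atom too short */
        return -1;
    if (count > SIZE_MAX / sizeof(*t->entries) - t->nb_entries)  /* size_t wrap */
        return -1;
    size_t need = t->nb_entries + count;
    if (need > t->capacity) {
        toy_sample *grown = realloc(t->entries, need * sizeof(*grown));
        if (!grown)
            return -1;
        t->entries  = grown;
        t->capacity = need;
    }
    toy_insert_entries(t, pos, buf + 4, count);
    return 0;
}

/* Constructed inputs: a well-formed two-sample atom, and one whose declared
 * count (0x10000000) is far larger than the single entry it actually carries. */
static const uint8_t GOOD_TRUN[] = {
    0x00,0x00,0x00,0x02,
    0x00,0x00,0x04,0x00, 0x00,0x00,0x10,0x00,   /* duration 1024, size 4096 */
    0x00,0x00,0x04,0x00, 0x00,0x00,0x20,0x00,   /* duration 1024, size 8192 */
};
static const uint8_t BAD_TRUN[] = {
    0x10,0x00,0x00,0x00,
    0x00,0x00,0x04,0x00, 0x00,0x00,0x10,0x00,
};

/* Start from a track with `capacity` slots holding one entry (size 99), insert
 * the atom at position 0 with `read`. Returns the final entry count when the
 * old entry ended up last, else -1 (atom rejected or entries corrupted). */
static int demo_parse(toy_reader read, size_t capacity, const uint8_t *atom, size_t len)
{
    toy_track t = { calloc(capacity, sizeof(toy_sample)), 1, capacity };
    if (!t.entries)
        return -1;
    t.entries[0].size = 99;
    int rc = read(&t, 0, atom, len);
    int result = (rc == 0 && t.entries[t.nb_entries - 1].size == 99) ? (int)t.nb_entries : -1;
    free(t.entries);
    return result;
}

int main(void)
{   /* Both readers accept the valid atom; only the hardened one rejects the bad one. */
    printf("vuln/good: %d\n", demo_parse(toy_read_trun_vuln, 4, GOOD_TRUN, sizeof(GOOD_TRUN)));
    printf("safe/good: %d\n", demo_parse(toy_read_trun_safe, 1, GOOD_TRUN, sizeof(GOOD_TRUN)));
    printf("safe/bad:  %d\n", demo_parse(toy_read_trun_safe, 1, BAD_TRUN, sizeof(BAD_TRUN)));
    return 0;
}
```

Build it with `cc -g -fsanitize=address` to see the point of the contrast: the vulnerable reader parses the valid atom exactly like the hardened one, which is why functional tests on well-formed files do not catch this class, and the hardened reader refuses the oversized count before any memory is touched. Feeding BAD_TRUN to toy_read_trun_vuln is an out-of-bounds write and is deliberately left out of main; under ASan it is the kind of run that turns a bare SIGSEGV in memmove into a report naming the overrun allocation.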