[libav-bugs] [Bug 993] New: Global Out of bounds read in decode_residual()

bugzilla at libav.org bugzilla at libav.org
Wed Dec 7 14:38:13 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=993

            Bug ID: 993
           Summary: Global Out of bounds read in decode_residual()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 621
  --> https://bugzilla.libav.org/attachment.cgi?id=621&action=edit
POC to trigger global out of bounds read (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -v 9 -loglevel 99 -i libav_gbo_h264 -f /dev/null

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

Output + ASAN:

avconv version v13_dev0-588-gf22da2c, Copyright (c) 2000-2016 the Libav developers
  built on Dec  7 2016 11:40:38 with clang version 3.9.0 (tags/RELEASE_390/final)
  configuration: --cc=afl-clang-fast
  libavutil     55. 29. 0 / 55. 29. 0
  libavcodec    57. 28. 4 / 57. 28. 4
  libavformat   57. 10. 0 / 57. 10. 0
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  8. 0 /  6.  8. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'libav_gbo_h264'.
Reading option '-f' ... matched as option 'f' (force format) with argument '/dev/null'.
Trailing options were found on the commandline.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file libav_gbo_h264.
Successfully parsed a group of options.
Opening an input file: libav_gbo_h264.
nsv_probe(), buf_size 318
[h264 @ 0x61a00001f280] Probed with size=2048 and score=51
[h264 @ 0x61900001ea80] missing picture in access unit
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x61900001ea80] slice type 32 too large at -1
[h264 @ 0x61900001ea80] decode_slice_header error
[h264 @ 0x61900001ea80] no frame!
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 7, nal_ref_idc: 3
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 8, nal_ref_idc: 3
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 1, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 3
[h264 @ 0x61900001ea80] Reinit context to 352x288, pix_fmt: 70
[h264 @ 0x61900001ea80] Frame num gap 268 262
[h264 @ 0x61900001ea80] Frame num gap 268 263
[h264 @ 0x61900001ea80] Frame num gap 268 264
[h264 @ 0x61900001ea80] Frame num gap 268 265
[h264 @ 0x61900001ea80] Frame num gap 268 266
[h264 @ 0x61900001ea80] no picture
=================================================================
==14390==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000258d630 at pc 0x000001c607e5 bp 0x7ffd5786e2d0 sp 0x7ffd5786e2c8
READ of size 1 at 0x00000258d630 thread T0
    #0 0x1c607e4 in decode_residual XYZ/libav/libavcodec/h264_cavlc.c:616:9
    #1 0x1c437a8 in decode_luma_residual XYZ/libav/libavcodec/h264_cavlc.c:647:25
    #2 0x1c437a8 in ff_h264_decode_mb_cavlc XYZ/libav/libavcodec/h264_cavlc.c:1116
    #3 0x1ce1cef in decode_slice XYZ/libav/libavcodec/h264_slice.c:2406:19
    #4 0x1cdf589 in ff_h264_execute_decode_slices XYZ/libav/libavcodec/h264_slice.c:2503:15
    #5 0xc9e5f6 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:588:27
    #6 0xc9e5f6 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:742
    #7 0xa9b549 in avcodec_decode_video2 XYZ/libav/libavcodec/decode.c:320:19
    #8 0xa9a46e in do_decode XYZ/libav/libavcodec/decode.c:168:15
    #9 0xa99612 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:245:12
    #10 0x8dc07b in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #11 0x8d5bc3 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2459:9
    #12 0x4f8701 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #13 0x4f7394 in open_files XYZ/libav/avconv_opt.c:2408:15
    #14 0x4f6bd2 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #15 0x51c0cf in main XYZ/libav/avconv.c:2876:11
    #16 0x7fabdb01182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41af48 in _start (/usr/local/bin/avconv+0x41af48)

0x00000258d630 is located 0 bytes to the right of global variable 'ff_zigzag_scan' defined in 'libavcodec/mathtables.c:126:15' (0x258d620) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow XYZ/libav/libavcodec/h264_cavlc.c:616:9 in decode_residual
Shadow bytes around the buggy address:
  0x0000804a9a70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000804a9a80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000804a9a90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000804a9aa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000804a9ab0: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0000804a9ac0: f9 f9 f9 f9 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00
  0x0000804a9ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804a9ae0: 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
  0x0000804a9af0: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 05 f9
  0x0000804a9b00: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 01
  0x0000804a9b10: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14390==ABORTING
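The report above pins down the access shape exactly: a 1-byte read at an address 0 bytes past the end of a 16-byte global scan table, i.e. index 16 into a 16-entry array. It does not say which value in decode_residual produced that index, so nothing below claims to be libav's code or the root cause. The following is an added, constructed example (not from the bug report or from libav) that reproduces the same AddressSanitizer diagnostic shape with a stand-in 4x4 zig-zag table, and shows the bounds check a hardened lookup needs. All names (zigzag_4x4, scan_lookup_unchecked, scan_lookup_checked, place_residual) are invented for the illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed 4x4 zig-zag scan table: 16 entries of one byte each, the same
 * size as the global ASAN reports above. The values are the standard 4x4
 * zig-zag order; this is a stand-in, not a copy of any libav table. */
static const uint8_t zigzag_4x4[16] = {
     0,  1,  4,  8,
     5,  2,  3,  6,
     9, 12, 13, 10,
     7, 11, 14, 15,
};

#define SCAN_SIZE (sizeof(zigzag_4x4) / sizeof(zigzag_4x4[0]))

/* Vulnerable form: no bounds check. With i == 16 this reads one byte past the
 * table, which ASAN reports as "global-buffer-overflow ... 0 bytes to the
 * right of global variable ... of size 16". Only called from main() here. */
int scan_lookup_unchecked(unsigned i)
{
    return zigzag_4x4[i];
}

/* Hardened form: any index outside the table is rejected with -1. */
int scan_lookup_checked(unsigned i)
{
    if (i >= SCAN_SIZE)
        return -1;
    return zigzag_4x4[i];
}

/* Toy residual placement: scatters coefficients into a 4x4 block through the
 * scan table. In a real decoder total_coeff is parsed from the bitstream and
 * is therefore attacker-controlled, so it must be bounded by the table size.
 * Returns the number of coefficients placed, or -1 if total_coeff is invalid. */
int place_residual(int16_t block[16], const int16_t *coeffs, unsigned total_coeff)
{
    if (total_coeff > SCAN_SIZE)
        return -1;
    for (unsigned i = 0; i < 16; i++)
        block[i] = 0;
    for (unsigned i = 0; i < total_coeff; i++) {
        int pos = scan_lookup_checked(i);
        if (pos < 0)            /* unreachable after the check above; kept as defence in depth */
            return -1;
        block[pos] = coeffs[i];
    }
    return (int)total_coeff;
}

int main(int argc, char **argv)
{
    /* Index comes from argv so the compiler cannot fold the out-of-bounds read away. */
    unsigned i = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 0) : 16;
    printf("checked(%u)   = %d\n", i, scan_lookup_checked(i));
    printf("unchecked(%u) = %d\n", i, scan_lookup_unchecked(i)); /* ASAN aborts here for i >= 16 */
    return 0;
}
```

Build with `clang -g -fsanitize=address zigzag_check.c -o zigzag_check` and run `./zigzag_check 16` to see a global-buffer-overflow report of the same form as the one above (READ of size 1, 0 bytes to the right of a 16-byte global); `./zigzag_check 5` runs clean. The fix pattern is the one in scan_lookup_checked and place_residual: validate any bitstream-derived count or index against the table size before it is used as an array subscript.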
