[libav-bugs] [Bug 1001] New: Null pointer dereference in matroska_decode_buffer()

bugzilla at libav.org bugzilla at libav.org
Thu Dec 15 10:44:42 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=1001

            Bug ID: 1001
           Summary: Null pointer dereference in matroska_decode_buffer()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 628
  --> https://bugzilla.libav.org/attachment.cgi?id=628&action=edit
POC to trigger null pointer dereference (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -i libav_nullptr_matroska_decode_buffer -f /dev/null

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

ASAN:

==16994==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc5aa536086 bp 0x7fff5ff78e90 sp 0x7fff5ff78628 T0)
==16994==The signal is caused by a READ memory access.
==16994==Hint: address points to the zero page.
    #0 0x7fc5aa536085  (/lib/x86_64-linux-gnu/libc.so.6+0x14d085)
    #1 0x4a24ff in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #2 0x6ac503 in matroska_decode_buffer XYZ/libav/libavformat/matroskadec.c:1081:9
    #3 0x6afd81 in matroska_parse_frame XYZ/libav/libavformat/matroskadec.c:2390:15
    #4 0x6afd81 in matroska_parse_block XYZ/libav/libavformat/matroskadec.c:2563
    #5 0x6adfb5 in matroska_parse_cluster_incremental XYZ/libav/libavformat/matroskadec.c:2622:19
    #6 0x6adfb5 in matroska_parse_cluster XYZ/libav/libavformat/matroskadec.c:2644
    #7 0x6a7199 in matroska_read_packet XYZ/libav/libavformat/matroskadec.c:2675:13
    #8 0x8c70b1 in ff_read_packet XYZ/libav/libavformat/utils.c:447:15
    #9 0x8ca5da in read_frame_internal XYZ/libav/libavformat/utils.c:932:15
    #10 0x8d47b0 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2336:15
    #11 0x4f8701 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #12 0x4f7394 in open_files XYZ/libav/avconv_opt.c:2408:15
    #13 0x4f6bd2 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #14 0x51c0cf in main XYZ/libav/avconv.c:2876:11
    #15 0x7fc5aa40982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x41af48 in _start (/usr/local/bin/avconv+0x41af48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14d085) 
==16994==ABORTING

Regards,
Kamil Frankowicz
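
Triage note added by the editor (not part of the report above, and not Libav code): the trace already says how to classify this crash before anyone opens matroskadec.c. A SEGV on a READ at address 0x0 together with ASAN's "address points to the zero page" hint is a null pointer dereference, i.e. a crash rather than a memory write, and the first frame that belongs to neither the sanitizer runtime nor libc (#2, matroska_decode_buffer at matroskadec.c:1081) is where to look. The script below automates that reading for fuzzer output: it parses the ASAN report copied from this bug (with the mail-wrapped frame lines joined back onto one line, the way ASAN prints them), classifies the fault, and picks the first in-project frame. Two assumptions are the editor's: the project path marker "/libav/" (the "XYZ/" prefix is treated as the reporter's build-directory placeholder), and 4096 as the size of the unmapped zero page used for the "near-null" test.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASAN report copied from the bug above; wrapped frame lines joined back together.
# "XYZ/" is the reporter's placeholder for the build directory.
ASAN_REPORT = """\
==16994==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc5aa536086 bp 0x7fff5ff78e90 sp 0x7fff5ff78628 T0)
==16994==The signal is caused by a READ memory access.
==16994==Hint: address points to the zero page.
    #0 0x7fc5aa536085  (/lib/x86_64-linux-gnu/libc.so.6+0x14d085)
    #1 0x4a24ff in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #2 0x6ac503 in matroska_decode_buffer XYZ/libav/libavformat/matroskadec.c:1081:9
    #3 0x6afd81 in matroska_parse_frame XYZ/libav/libavformat/matroskadec.c:2390:15
    #4 0x6afd81 in matroska_parse_block XYZ/libav/libavformat/matroskadec.c:2563
    #5 0x6adfb5 in matroska_parse_cluster_incremental XYZ/libav/libavformat/matroskadec.c:2622:19
    #6 0x6adfb5 in matroska_parse_cluster XYZ/libav/libavformat/matroskadec.c:2644
    #7 0x6a7199 in matroska_read_packet XYZ/libav/libavformat/matroskadec.c:2675:13
    #8 0x8c70b1 in ff_read_packet XYZ/libav/libavformat/utils.c:447:15
    #9 0x8ca5da in read_frame_internal XYZ/libav/libavformat/utils.c:932:15
    #10 0x8d47b0 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2336:15
    #11 0x4f8701 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #12 0x4f7394 in open_files XYZ/libav/avconv_opt.c:2408:15
    #13 0x4f6bd2 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #14 0x51c0cf in main XYZ/libav/avconv.c:2876:11
    #15 0x7fc5aa40982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x41af48 in _start (/usr/local/bin/avconv+0x41af48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14d085)
==16994==ABORTING
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+(?:\s+in\s+(\S+))?\s+(.+?)\s*$")
LOCATION_RE = re.compile(r"^(.+?):(\d+)(?::(\d+))?$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")

# Frames from these paths or symbols are sanitizer/libc plumbing, not the bug.
RUNTIME_PATH_MARKERS = ("compiler-rt", "libc.so")
RUNTIME_SYMBOL_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer")
PAGE_SIZE = 4096  # assumption: one unmapped page at address 0


@dataclass
class Frame:
    index: int
    function: Optional[str]
    file: str
    line: Optional[int]
    column: Optional[int]

    def is_runtime(self) -> bool:
        if any(m in self.file for m in RUNTIME_PATH_MARKERS):
            return True
        return self.function is not None and self.function.startswith(RUNTIME_SYMBOL_PREFIXES)


@dataclass
class CrashTriage:
    bug_type: str
    address: Optional[int]
    access: Optional[str]
    null_deref: bool
    frames: List[Frame]
    culprit: Optional[Frame]

    def summary(self) -> str:
        kind = "null pointer dereference" if self.null_deref else "unclassified"
        where = "<unknown>"
        if self.culprit is not None:
            where = f"{self.culprit.function} at {self.culprit.file}:{self.culprit.line}"
        return f"{self.bug_type} ({kind}, {self.access or '?'}) in {where}"


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    index, function, location = int(m.group(1)), m.group(2), m.group(3)
    loc = LOCATION_RE.match(location)
    if loc:
        column = int(loc.group(3)) if loc.group(3) else None
        return Frame(index, function, loc.group(1), int(loc.group(2)), column)
    # Unsymbolized or stripped-library frame: keep the raw "(module+offset)" text.
    return Frame(index, function, location, None, None)


def triage_asan_report(report: str, project_marker: str = "/libav/") -> CrashTriage:
    bug_type, address, access, zero_page_hint = "unknown", None, None, False
    frames: List[Frame] = []
    for raw in report.splitlines():
        if (m := ERROR_RE.search(raw)):
            bug_type = m.group(1)
            address = int(m.group(2), 16) if m.group(2) else None
        elif (m := ACCESS_RE.search(raw)):
            access = m.group(1)
        elif "Hint: address points to the zero page" in raw:
            zero_page_hint = True
        elif (frame := parse_frame(raw)):
            frames.append(frame)
    # SEGV inside the first page (or ASAN's own zero-page hint) means a null or
    # near-null pointer was dereferenced: a crash, not a corruption.
    near_null = address is not None and address < PAGE_SIZE
    null_deref = bug_type == "SEGV" and (zero_page_hint or near_null)
    # First frame in the project's own sources, skipping interceptors and libc.
    culprit = next((f for f in frames if project_marker in f.file and not f.is_runtime()), None)
    return CrashTriage(bug_type, address, access, null_deref, frames, culprit)


if __name__ == "__main__":
    print(triage_asan_report(ASAN_REPORT).summary())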
