[libav-bugs] [Bug 1002] New: Heap out of bounds read in ff_h2645_extract_rbsp()

bugzilla at libav.org bugzilla at libav.org
Thu Dec 15 11:05:43 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=1002

            Bug ID: 1002
           Summary: Heap out of bounds read in ff_h2645_extract_rbsp()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 629
  --> https://bugzilla.libav.org/attachment.cgi?id=629&action=edit
POC to trigger heap out of bounds read (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -i libav_hoobr_ff_h2645_extract_rbsp -f /dev/null

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

ASAN:

==20744==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60d00000cf20 at pc 0x000000c72562 bp 0x7ffd28f41f50 sp 0x7ffd28f41f48
READ of size 8 at 0x60d00000cf20 thread T0
    #0 0xc72561 in ff_h2645_extract_rbsp
XYZ/libav/libavcodec/h2645_parse.c:53:17
    #1 0xc73011 in ff_h2645_packet_split
XYZ/libav/libavcodec/h2645_parse.c:289:20
    #2 0xc9d5d7 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:528:11
    #3 0xc9d5d7 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:742
    #4 0xa9b549 in avcodec_decode_video2 XYZ/libav/libavcodec/decode.c:320:19
    #5 0xa9a46e in do_decode XYZ/libav/libavcodec/decode.c:168:15
    #6 0xa99612 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:245:12
    #7 0x8dc07b in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #8 0x8d5bc3 in avformat_find_stream_info
XYZ/libav/libavformat/utils.c:2459:9
    #9 0x4f8701 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #10 0x4f7394 in open_files XYZ/libav/avconv_opt.c:2408:15
    #11 0x4f6bd2 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #12 0x51c0cf in main XYZ/libav/avconv.c:2876:11
    #13 0x7fa4f835c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41af48 in _start (/usr/local/bin/avconv+0x41af48)

0x60d00000cf27 is located 0 bytes to the right of 135-byte region
[0x60d00000cea0,0x60d00000cf27)
allocated by thread T0 here:
    #0 0x4b9b0e in realloc
/home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:77:3
    #1 0x239b52d in av_realloc XYZ/libav/libavutil/mem.c:116:12
    #2 0x9e241e in packet_alloc XYZ/libav/libavcodec/avpacket.c:75:11
    #3 0x9e241e in av_new_packet XYZ/libav/libavcodec/avpacket.c:87
    #4 0x9e241e in av_grow_packet XYZ/libav/libavcodec/avpacket.c:112
    #5 0x8c3f9d in append_packet_chunked XYZ/libav/libavformat/utils.c:98:15

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/libav/libavcodec/h2645_parse.c:53:17 in ff_h2645_extract_rbsp
Shadow bytes around the buggy address:
==20744==ABORTING

Regards,
Kamil Frankowicz
