[libav-bugs] [Bug 1003] New: Global Out of bound read in mov_read_mac_string() #2

bugzilla at libav.org bugzilla at libav.org
Thu Dec 15 16:39:21 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=1003

            Bug ID: 1003
           Summary: Global Out of bound read in mov_read_mac_string() #2
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 630
  --> https://bugzilla.libav.org/attachment.cgi?id=630&action=edit
POC to trigger global out of bounds read (avprobe)

After some fuzz testing I found a crashing test case.

Command: avprobe libav_goobr_mov_read_mac_string_l167

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

ASAN:

==15304==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000023d51f0 at pc 0x0000006d3686 bp 0x7ffcc573d5b0 sp 0x7ffcc573d5a8
READ of size 4 at 0x0000023d51f0 thread T0
    #0 0x6d3685 in mov_read_mac_string XYZ/libav/libavformat/mov.c:167:13
    #1 0x6d3685 in mov_parse_stsd_video XYZ/libav/libavformat/mov.c:1444
    #2 0x6d3685 in ff_mov_read_stsd_entries XYZ/libav/libavformat/mov.c:1851
    #3 0x6e436c in mov_read_stsd XYZ/libav/libavformat/mov.c:1918:11
    #4 0x6d408d in mov_read_default XYZ/libav/libavformat/mov.c:3532:23
    #5 0x6d4d38 in mov_read_header XYZ/libav/libavformat/mov.c:3738:16
    #6 0x8c59a7 in avformat_open_input XYZ/libav/libavformat/utils.c:336:20
    #7 0x4f7f2b in open_input_file XYZ/libav/avconv_opt.c:754:11
    #8 0x4f6e24 in open_files XYZ/libav/avconv_opt.c:2408:15
    #9 0x4f6662 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #10 0x51bb5f in main XYZ/libav/avconv.c:2876:11
    #11 0x7f6d7b13f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41a9d8 in _start (/usr/local/bin/avconv+0x41a9d8)

0x0000023d51f0 is located 48 bytes to the right of global variable
'ff_qt_default_palette_256' defined in 'libavformat/qtpalette.h:54:22'
(0x23d4ec0) of size 768
SUMMARY: AddressSanitizer: global-buffer-overflow XYZ/libav/libavformat/mov.c:167:13 in mov_read_mac_string
Shadow bytes around the buggy address:
  0x0000804729e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804729f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080472a30: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9[f9]f9
  0x000080472a40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080472a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15304==ABORTING

Regards,
Kamil Frankowicz
