[libav-bugs] [Bug 1005] New: Heap out of bounds read in pred8x16_top_dc_8_c()

bugzilla at libav.org bugzilla at libav.org
Mon Dec 19 14:35:19 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=1005

            Bug ID: 1005
           Summary: Heap out of bounds read in pred8x16_top_dc_8_c()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 633
  --> https://bugzilla.libav.org/attachment.cgi?id=633&action=edit
POC to trigger heap out of bounds read (avprobe)

After some fuzz testing I found a crashing test case.

Command: avprobe libav_hoobr_pred8x16_top_dc_8_c

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

Output + ASAN:

avprobe version v13_dev0-631-g6aa4ba7, Copyright (c) 2007-2016 the Libav
developers
  built on Dec 13 2016 11:27:25 with clang version 3.9.0
(tags/RELEASE_390/final)
[h264 @ 0x619000000080] missing picture in access unit
[h264 @ 0x619000000080] slice type 32 too large at -1
[h264 @ 0x619000000080] decode_slice_header error
[h264 @ 0x619000000080] no frame!
=================================================================
==21898==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62f00008c290 at pc 0x000001c493ee bp 0x7ffdab7ebe40 sp 0x7ffdab7ebe38
READ of size 1 at 0x62f00008c290 thread T0
    #0 0x1c493ed in pred8x16_top_dc_8_c
XYZ/libav/libavcodec/h264pred_template.c:632:15
    #1 0x1c497b5 in pred8x16_mad_cow_dc_l0t_8
XYZ/libav/libavcodec/h264pred_template.c:724:5
    #2 0x1b6e75a in hl_decode_mb_complex
XYZ/libav/libavcodec/h264_mb_template.c:162:17
    #3 0x1b5abee in ff_h264_hl_decode_mb XYZ/libav/libavcodec/h264_mb.c:806:9
    #4 0x1bcfb6a in decode_slice XYZ/libav/libavcodec/h264_slice.c:2342:17
    #5 0x1bce1c9 in ff_h264_execute_decode_slices
XYZ/libav/libavcodec/h264_slice.c:2503:15
    #6 0xbc5096 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:588:27
    #7 0xbc5096 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:742
    #8 0x9f1d29 in avcodec_decode_video2 XYZ/libav/libavcodec/decode.c:320:19
    #9 0x9f0c4e in do_decode XYZ/libav/libavcodec/decode.c:168:15
    #10 0x9efdf2 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:245:12
    #11 0x82d5ab in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #12 0x8270f3 in avformat_find_stream_info
XYZ/libav/libavformat/utils.c:2459:9
    #13 0x4f6659 in open_input_file XYZ/libav/avprobe.c:866:16
    #14 0x4f6659 in probe_file XYZ/libav/avprobe.c:944
    #15 0x4f6659 in main XYZ/libav/avprobe.c:1178
    #16 0x7f1569e5382f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41a948 in _start (/usr/local/bin/avprobe+0x41a948)

0x62f00008c290 is located 368 bytes to the left of 55696-byte region
[0x62f00008c400,0x62f000099d90)
allocated by thread T0 here:
    #0 0x4b9c07 in __interceptor_posix_memalign
/home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130:3
    #1 0x2289c15 in av_malloc XYZ/libav/libavutil/mem.c:71:9
    #2 0x22559da in av_buffer_alloc XYZ/libav/libavutil/buffer.c:72:12
    #3 0x2257e87 in pool_alloc_buffer XYZ/libav/libavutil/buffer.c:290:26
    #4 0x2257e87 in av_buffer_pool_get XYZ/libav/libavutil/buffer.c:326
    #5 0x9f5acf in video_get_buffer XYZ/libav/libavcodec/decode.c:698:23
    #6 0x9f5acf in avcodec_default_get_buffer2
XYZ/libav/libavcodec/decode.c:732
    #7 0x9f8965 in ff_get_buffer XYZ/libav/libavcodec/decode.c:868:11

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/libav/libavcodec/h264pred_template.c:632:15 in pred8x16_top_dc_8_c
Shadow bytes around the buggy address:
  0x0c5e80009800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5e80009850: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e80009880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e80009890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e800098a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21898==ABORTING
