[libav-bugs] [Bug 921] New: Stack Corruption from AFL test case

bugzilla at libav.org bugzilla at libav.org
Wed Feb 3 23:21:59 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=921

            Bug ID: 921
           Summary: Stack Corruption from AFL test case
           Product: Libav
           Version: 11
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: cyoung at tripwire.com

While performing some fuzz testing, I found that a test case which previously
crashed ffmpeg currently causes a crash (with stack corruption) in libav's
avprobe tool.

The test input was actually produced by lcamtuf and is available in the AFL
source as an example vulnerability.  Here is a link to the file on a random
GitHub repository of the AFL source:
https://github.com/mcarpenter/afl/raw/master/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4
 (This file came from http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz)

GDB output from 'avprobe ffmpeg-h264-call-stack-overflow.mp4' (the faulting
instruction is a store through rsp, and rsp is about 8 MiB below where the
main-thread stack normally starts, so this looks like stack exhaustion from deep
recursion -- as the sample's name suggests -- rather than an overwrite of stack
data, with the '??' frames being gdb unable to unwind from there):
(gdb) bt
#0  0x00000000005743a0 in avio_seek (s=0x27680e0, offset=0, whence=1) at
libavformat/aviobuf.c:196
#1  0x0000000000000001 in ?? ()
#2  0x000000000275ffe0 in ?? ()
#3  0x000000000275f920 in ?? ()
#4  0x000000000275f920 in ?? ()
#5  0x0000000000000000 in ?? ()
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x574380 to 0x5743c0:
   0x0000000000574380 <avio_seek+192>:  add    DWORD PTR [rax],eax
   0x0000000000574382 <avio_seek+194>:  mov    rax,QWORD PTR [rsp+0x10]
   0x0000000000574387 <avio_seek+199>:  mov    rcx,QWORD PTR [rsp+0x8]
   0x000000000057438c <avio_seek+204>:  mov    rdx,QWORD PTR [rsp]
   0x0000000000574390 <avio_seek+208>:  lea    rsp,[rsp+0x98]
   0x0000000000574398 <avio_seek+216>:  lea    rsp,[rsp-0x98]
=> 0x00000000005743a0 <avio_seek+224>:  mov    QWORD PTR [rsp],rdx
   0x00000000005743a4 <avio_seek+228>:  mov    QWORD PTR [rsp+0x8],rcx
   0x00000000005743a9 <avio_seek+233>:  mov    QWORD PTR [rsp+0x10],rax
   0x00000000005743ae <avio_seek+238>:  mov    rcx,0x95b7
   0x00000000005743b5 <avio_seek+245>:  call   0x58fe20 <__afl_maybe_log>
   0x00000000005743ba <avio_seek+250>:  mov    rax,QWORD PTR [rsp+0x10]
   0x00000000005743bf <avio_seek+255>:  mov    rcx,QWORD PTR [rsp+0x8]
End of assembler dump.
(gdb) info all-registers
rax            0x4eb    1259
rbx            0x27680e0        41320672
rcx            0x4eb    1259
rdx            0x1      1
rsi            0x0      0
rdi            0x27680e0        41320672
rbp            0x6b7470 0x6b7470 <mov_read_stsd>
rsp            0x7fffff7fefe8   0x7fffff7fefe8
r8             0x0      0
r9             0x1      1
r10            0x27684b9        41321657
r11            0x210    528
r12            0x0      0
r13            0x27680e0        41320672
r14            0x2760ea0        41291424
r15            0x331    817
rip            0x5743a0 0x5743a0 <avio_seek+224>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f,
0x0 <repeats 24 times>}, v16_int16 = {0x0,
    0x0, 0x0, 0x3ff0, 0x0 <repeats 12 times>}, v8_int32 = {0x0, 0x3ff00000,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0},
v2_int128 = {
---Type <return> to continue, or q <return> to quit---
    0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f,
0x0 <repeats 24 times>}, v16_int16 = {0x0,
    0x0, 0x0, 0x3ff0, 0x0 <repeats 12 times>}, v8_int32 = {0x0, 0x3ff00000,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f,
0x0 <repeats 24 times>}, v16_int16 = {0x0,
    0x0, 0x0, 0x3ff0, 0x0 <repeats 12 times>}, v8_int32 = {0x0, 0x3ff00000,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x1e400000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x20, 0x63, 0x6f,
0x70, 0x79, 0x20, 0x41, 0x56,
    0x0 <repeats 24 times>}, v16_int16 = {0x6320, 0x706f, 0x2079, 0x5641, 0x0
<repeats 12 times>}, v8_int32 = {0x706f6320, 0x56412079, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int64 = {0x56412079706f6320, 0x0,
    0x0, 0x0}, v2_int128 = {0x000000000000000056412079706f6320,
0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x61, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x0
<repeats 26 times>}, v16_int16 = {0x6361,
    0x656b, 0x7374, 0x0 <repeats 13 times>}, v8_int32 = {0x656b6361, 0x7374,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x7374656b6361, 0x0, 0x0, 0x0},
v2_int128 = {0x000000000000000000007374656b6361,
    0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0,
0x0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0x0, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 =
{0x0, 0xff00, 0xffff, 0xffff, 0xffff, 0xffff, 0xff00, 0xffff, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff000000,
    0xffffffff, 0xffffffff, 0xffffff00, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xffffffffff000000, 0xffffff00ffffffff, 0x0, 0x0}, v2_int128 =
{0xffffff00ffffffffffffffffff000000,
    0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc,
0x0 <repeats 24 times>}, v16_int16 = {0x0,
    0x0, 0x8000, 0xbc59, 0x0 <repeats 12 times>}, v8_int32 = {0x0, 0xbc598000,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xbc59800000000000, 0x0, 0x0, 0x0},
v2_int128 = {
    0x0000000000000000bc59800000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53,
0x3c, 0x0 <repeats 24 times>}, v16_int16 = {
    0x858e, 0xe883, 0x24f0, 0x3c53, 0x0 <repeats 12 times>}, v8_int32 =
{0xe883858e, 0x3c5324f0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0x3c5324f0e883858e, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000003c5324f0e883858e, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xf6, 0x8f, 0xee, 0x21, 0xa8,
0x74, 0xd3, 0xbf, 0x0 <repeats 24 times>},
  v16_int16 = {0x8ff6, 0x21ee, 0x74a8, 0xbfd3, 0x0 <repeats 12 times>},
v8_int32 = {0x21ee8ff6, 0xbfd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xbfd374a821ee8ff6, 0x0, 0x0, 0x0}, v2_int128 = {
    0x0000000000000000bfd374a821ee8ff6, 0x00000000000000000000000000000000}}
(gdb)
