[libav-bugs] [Bug 929] New: libav mp4 file Memory corruption

bugzilla at libav.org bugzilla at libav.org
Tue Mar 8 06:15:04 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=929

            Bug ID: 929
           Summary: libav mp4 file Memory corruption
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: riusksk at qq.com

Created attachment 575
  --> https://bugzilla.libav.org/attachment.cgi?id=575&action=edit
trigger to crash

The libav avconv tool has a memory corruption when parsing an mp4 file, which can lead
to a crash or possibly arbitrary code execution.

Diff of the normal file and the PoC file (modified 'stsz' to 'dref', may be an MP4 box type
confusion):

=== PoC File ===
0000480: 0000 4464 7265 6600 0000 0000 0000 0000  ..Ddref....
=== Normal File ===
0000480: 0000 4473 7473 7a00 0000 0000 0000 0000  ..Dstsz....

root at Ubuntu:~/libav-11.6# ./avconv -i ./poc.mp4 -f null -                       
avconv version 11.6, Copyright (c) 2000-2014 the Libav developers
  built on Mar  7 2016 13:55:26 with gcc 4.8 (Ubuntu 4.8.2-19ubuntu1)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x60480001f280] error reading header: -12
ASAN:SIGSEGV
=================================================================
==9329== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc
0x000000a6f8a4 sp 0x7fff19350460 bp 0x000000000000 T0)
AddressSanitizer can not provide additional info.
    #0 0xa6f8a3 (/root/libav-11.6/avconv+0xa6f8a3)
    #1 0x4d020e (/root/libav-11.6/avconv+0x4d020e)
    #2 0x4d2c6f (/root/libav-11.6/avconv+0x4d2c6f)
    #3 0x54bfa2 (/root/libav-11.6/avconv+0x54bfa2)
    #4 0x458d10 (/root/libav-11.6/avconv+0x458d10)
    #5 0x459f46 (/root/libav-11.6/avconv+0x459f46)
    #6 0x44ccf8 (/root/libav-11.6/avconv+0x44ccf8)
    #7 0x7f49bef22ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #8 0x44f1dd (/root/libav-11.6/avconv+0x44f1dd)
==9329== ABORTING

stack trace:

==20003==    at 0x1CD5F8C: av_free (mem.c:194)
==20003==    by 0x1CD5F8C: av_freep (mem.c:201)
==20003==    by 0x73F66E: mov_read_close (mov.c:3042)
==20003==    by 0x74D665: mov_read_header (mov.c:3087)
==20003==    by 0x9B1D7C: avformat_open_input (utils.c:299)
==20003==    by 0x525399: open_input_file (avconv_opt.c:709)
==20003==    by 0x52913E: open_files (avconv_opt.c:2127)
==20003==    by 0x52913E: avconv_parse_options (avconv_opt.c:2164)
==20003==    by 0x4ED5BE: main (avconv.c:2630)

Breakpoint 1, mov_read_close (s=s at entry=0x60480001f280) at
libavformat/mov.c:3042
3042                av_freep(&sc->drefs[j].path);
gdb-peda$ p *sc
$1 = {
  pb = 0x0, 
  ffindex = 0x0, 
  next_chunk = 0x0, 
  chunk_count = 0x0, 
  chunk_offsets = 0x0, 
  stts_count = 0x1, 
  stts_data = 0x600a0000ede0, 
  ctts_count = 0xa, 
  ctts_data = 0x0, 
  stsc_count = 0x3, 
  stsc_data = 0x600e0000dca0, 
  stps_count = 0x0, 
  stps_data = 0x0, 
  ctts_index = 0x0, 
  ctts_sample = 0x0, 
  sample_size = 0x0, 
  sample_count = 0x0, 
  sample_sizes = 0x0, 
  keyframe_absent = 0x0, 
  keyframe_count = 0x0, 
  keyframes = 0x0, 
  time_scale = 0xc, 
  time_offset = 0x0, 
  current_sample = 0x0, 
  bytes_per_frame = 0x0, 
  samples_per_frame = 0x0, 
  dv_audio_container = 0x0, 
  pseudo_stream_id = 0x0, 
  audio_cid = 0x0, 
  drefs_count = 0x1, 
  drefs = 0x0,    <===== this null pointer lead to crash
  dref_id = 0x1, 
  wrong_dts = 0x0, 
  width = 0x30, 
  height = 0x90, 
  dts_shift = 0x1, 
  palette = {0x0 <repeats 256 times>}, 
  has_palette = 0x0, 
  data_size = 0x0, 
  track_end = 0xc, 
  rap_group_count = 0x0, 
  rap_group = 0x0, 
  display_matrix = 0x0
}
gdb-peda$ p sc->drefs[j]
Cannot access memory at address 0x0
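The PoC renames an stsz box to dref, so a data-reference table turns up under stbl instead of under dinf, the only place the format puts it. As an added example (not the libav demuxer's code and not the reporter's), here is a small C box walker that parses ISO BMFF size/type headers, including the largesize and size-0 forms, descends into the usual container boxes, and counts dref boxes whose parent is not dinf, rejecting any box whose size does not fit its parent on the way. It goes beyond the single stsz/dref case by flagging a dref under any parent other than dinf. The function names count_misplaced_dref and check_sample, the CONTAINERS list, and the embedded box bytes are constructed for this example, not taken from the reporter's files.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Container boxes this checker descends into (subset of ISO BMFF). 'dref' itself is
 * treated as a leaf: its url/urn children do not matter for the placement check. */
static const char *const CONTAINERS[] = { "moov", "trak", "mdia", "minf", "dinf", "stbl", NULL };

static int is_container(const char *type) {
    for (int i = 0; CONTAINERS[i]; i++)
        if (memcmp(type, CONTAINERS[i], 4) == 0)
            return 1;
    return 0;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Walk the boxes in buf[0..len) and count 'dref' boxes whose parent is not 'dinf'.
 * Returns -1 if any box size is inconsistent with its enclosing box (truncated, smaller
 * than its own header, or trailing bytes), which a defensive demuxer should reject too. */
static int walk(const uint8_t *buf, size_t len, const char *parent, int depth) {
    size_t off = 0;
    int misplaced = 0;
    if (depth > 16)
        return -1;                              /* pathological nesting */
    while (off + 8 <= len) {
        uint64_t size = rd32(buf + off);
        const char *type = (const char *)(buf + off + 4);
        size_t hdr = 8;
        if (size == 1) {                        /* 64-bit largesize follows the type */
            if (off + 16 > len)
                return -1;
            size = (uint64_t)rd32(buf + off + 8) << 32 | rd32(buf + off + 12);
            hdr = 16;
        } else if (size == 0) {                 /* box runs to the end of its parent */
            size = len - off;
        }
        if (size < hdr || size > len - off)
            return -1;
        if (memcmp(type, "dref", 4) == 0 && memcmp(parent, "dinf", 4) != 0)
            misplaced++;
        if (is_container(type)) {
            char t[5] = { 0 };
            memcpy(t, type, 4);
            int r = walk(buf + off + hdr, (size_t)size - hdr, t, depth + 1);
            if (r < 0)
                return -1;
            misplaced += r;
        }
        off += (size_t)size;
    }
    return off == len ? misplaced : -1;
}

int count_misplaced_dref(const uint8_t *buf, size_t len) {
    return walk(buf, len, "file", 0);
}

/* --- constructed sample input (not bytes from the reporter's files) --- */

static size_t put_box(uint8_t *out, const char *type, const uint8_t *payload, size_t plen) {
    uint32_t size = (uint32_t)(8 + plen);
    out[0] = (uint8_t)(size >> 24); out[1] = (uint8_t)(size >> 16);
    out[2] = (uint8_t)(size >> 8);  out[3] = (uint8_t)size;
    memcpy(out + 4, type, 4);
    if (plen)
        memcpy(out + 8, payload, plen);
    return size;
}

/* Builds moov > trak > mdia > minf > (dinf | stbl) > dref and runs the checker on it.
 * With misplaced == 1 the dref sits under stbl, where the report's renamed stsz box lives. */
int check_sample(int misplaced) {
    static const uint8_t dref_payload[8] = { 0, 0, 0, 0, 0, 0, 0, 1 }; /* version/flags, entry_count = 1 */
    uint8_t l0[16], l1[24], l2[32], l3[40], l4[48], l5[56];
    size_t n = put_box(l0, "dref", dref_payload, sizeof dref_payload);
    n = put_box(l1, misplaced ? "stbl" : "dinf", l0, n);
    n = put_box(l2, "minf", l1, n);
    n = put_box(l3, "mdia", l2, n);
    n = put_box(l4, "trak", l3, n);
    n = put_box(l5, "moov", l4, n);
    return count_misplaced_dref(l5, n);       /* 0 for the normal tree, 1 for the misplaced one */
}
```

check_sample(1) returns 1 and check_sample(0) returns 0; feeding the walker fewer than 8 bytes, or a box that claims more bytes than its parent holds, returns -1. A demuxer that applies the same parent check before dispatching a box parser cannot be steered into running the dref parser from inside the sample table.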

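The gdb dump shows drefs_count = 1 while drefs = NULL, so the cleanup loop at mov.c:3042 indexes a table that does not exist. As an added example (not libav's code and not the reporter's), here is a constructed C model of that count/pointer pair: the unchecked cleanup in the shape the trace reports, a hardened cleanup that lets the pointer decide whether entries exist, and a parser-side helper that publishes the count only after the table is allocated, so the -12 (ENOMEM) header-error path leaves a consistent context. The types StreamCtx and DrefEntry, the functions release_drefs, set_drefs, demo and demo_stale_count, and the sample path strings are assumptions made for this example; the real MOVStreamContext and MOVDref have more fields.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the per-stream data-reference table. It assumes only what the
 * report's gdb dump shows (drefs, drefs_count, an entry with a path pointer); it is not
 * libav's MOVStreamContext or MOVDref. */
typedef struct { uint32_t type; char *path; } DrefEntry;
typedef struct { DrefEntry *drefs; int drefs_count; } StreamCtx;

static char *copy_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Cleanup in the shape the trace reports (av_freep(&sc->drefs[j].path) at mov.c:3042):
 * the count alone drives the loop, so with drefs_count == 1 and drefs == NULL it writes
 * through &drefs[0].path, which in this layout is address 0x8, the address ASAN printed.
 * Kept only to show the defect; the demo functions never call it. */
void release_drefs_unchecked(StreamCtx *sc) {
    for (int j = 0; j < sc->drefs_count; j++) {
        free(sc->drefs[j].path);
        sc->drefs[j].path = NULL;
    }
    free(sc->drefs);
    sc->drefs = NULL;
    sc->drefs_count = 0;
}

/* Hardened cleanup: the pointer decides whether entries exist; the count is trusted only
 * once the table is known to be present. Returns the number of entries freed. */
int release_drefs(StreamCtx *sc) {
    int freed = 0;
    if (sc->drefs) {
        for (int j = 0; j < sc->drefs_count; j++) {
            free(sc->drefs[j].path);
            freed++;
        }
        free(sc->drefs);
    }
    sc->drefs = NULL;
    sc->drefs_count = 0;
    return freed;
}

/* Parser side of the same invariant: discard any earlier table, then publish the new
 * count only after the allocation succeeded. On failure the context is left empty and
 * consistent, so the header-error path (-12, ENOMEM, in the report) can close the
 * stream safely. simulate_enomem forces the allocation-failure branch. */
int set_drefs(StreamCtx *sc, uint32_t entries, int simulate_enomem) {
    release_drefs(sc);                                  /* pointer and count reset together */
    if (entries == 0 || entries > 64)
        return -22;                                     /* EINVAL: file-controlled count is absurd */
    DrefEntry *tbl = simulate_enomem ? NULL : calloc(entries, sizeof *tbl);
    if (!tbl)
        return -12;                                     /* ENOMEM; drefs_count is still 0 */
    sc->drefs = tbl;
    sc->drefs_count = (int)entries;
    return 0;
}

/* Worked run: a stream that already holds one entry re-parses a two-entry table, then
 * the stream is closed. Returns entries freed at close: 2 on success, 0 when the
 * allocation failed, where the unchecked cleanup would have dereferenced NULL. */
int demo(int simulate_enomem) {
    StreamCtx sc = { calloc(1, sizeof(DrefEntry)), 1 };
    if (!sc.drefs)
        return -1;
    sc.drefs[0].path = copy_str("constructed-old-path");
    if (set_drefs(&sc, 2, simulate_enomem) == 0) {
        sc.drefs[0].path = copy_str("constructed-path-a");
        sc.drefs[1].path = copy_str("constructed-path-b");
    }
    return release_drefs(&sc);
}

/* Exactly the state in the gdb dump (drefs_count = 1, drefs = NULL): the hardened
 * cleanup frees nothing and returns 0 instead of faulting. */
int demo_stale_count(void) {
    StreamCtx sc = { NULL, 1 };
    return release_drefs(&sc);
}
```

demo(0) returns 2, demo(1) returns 0, and demo_stale_count() returns 0. The useful property is that both sides agree on one invariant, drefs_count > 0 implies drefs != NULL: the parser never publishes a count before the table exists, and the cleanup never trusts the count before checking the table, so a stale count left behind by a failed re-parse of a misplaced dref box cannot reach a NULL dereference.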