[libav-bugs] [Bug 988] New: Null pointer dereference in mov_read_close()

bugzilla at libav.org bugzilla at libav.org
Mon Nov 14 11:51:29 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=988

            Bug ID: 988
           Summary: Null pointer dereference in mov_read_close()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 616
  --> https://bugzilla.libav.org/attachment.cgi?id=616&action=edit
POC to trigger null pointer dereference (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -v 9 -loglevel 99 -i nullptrderef -f /dev/null

Git Head: 72a19f4013ec2c7f8581416f8ad4bf81df163fb6

Output:

avconv version v13_dev0-369-g72a19f4, Copyright (c) 2000-2016 the Libav developers
  built on Nov 10 2016 09:05:39 with clang version 3.9.0 (tags/RELEASE_390/final)
  configuration: --cc=clang --extra-cflags='-fsanitize=address -O1 -fno-omit-frame-pointer -g' --extra-ldflags='-fsanitize=address'
  libavutil     55. 29. 0 / 55. 29. 0
  libavcodec    57. 28. 4 / 57. 28. 4
  libavformat   57.  9. 0 / 57.  9. 0
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  8. 0 /  6.  8. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'nullptrderef'.
Reading option '-f' ... matched as option 'f' (force format) with argument '/dev/null'.
Trailing options were found on the commandline.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file nullptrderef.
Successfully parsed a group of options.
Opening an input file: nullptrderef.
nsv_probe(), buf_size 836
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] Probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 7461646d 'mdat' parent:'root' sz: 405 0 836
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'root' sz: 108 405 836
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6b617274 'trak' parent:'root' sz: 808464432 513 836
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'trak' sz: 92 0 315
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'trak' sz: 28 92 315
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 64737473 'stsd' parent:'trak' sz: 162 120 315
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] size=808464432 format=0x30303030 codec_type=2
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] overread end of atom 'stsd' by 808464286 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'trak' sz: 24 282 315
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 64737473 'stsd' parent:'trak' sz: 808464432 306 315
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] error reading header: -12
ASAN:DEADLYSIGNAL
=================================================================
==14824==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006484ef bp 0x000000000000 sp 0x7ffe8456bc80 T0)
==14824==The signal is caused by a READ memory access.
==14824==Hint: address points to the zero page.
    #0 0x6484ee in mov_read_close XYZ/libav/libavformat/mov.c:3463:21
    #1 0x645a56 in mov_read_header XYZ/libav/libavformat/mov.c:3496:9
    #2 0x7a4734 in avformat_open_input XYZ/libav/libavformat/utils.c:336:20
    #3 0x4f0d81 in open_input_file XYZ/libav/avconv_opt.c:754:11
    #4 0x4f01e4 in open_files XYZ/libav/avconv_opt.c:2408:15
    #5 0x4efc74 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #6 0x50a46d in main XYZ/libav/avconv.c:2876:11
    #7 0x7f7b43e7282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41a888 in _start (/usr/local/bin/avconv+0x41a888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavformat/mov.c:3463:21 in mov_read_close
==14824==ABORTING

Regards,
Kamil Frankowicz
