[libav-bugs] [Bug 989] New: Global Out of bound read in mov_read_mac_string()

bugzilla at libav.org bugzilla at libav.org
Mon Nov 14 12:03:39 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=989

            Bug ID: 989
           Summary: Global Out of bound read in mov_read_mac_string()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 617
  --> https://bugzilla.libav.org/attachment.cgi?id=617&action=edit
POC to trigger out of bound read (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -v 9 -loglevel 99 -i gbo1 -f /dev/null

Git Head: 72a19f4013ec2c7f8581416f8ad4bf81df163fb6

avconv version v13_dev0-369-g72a19f4, Copyright (c) 2000-2016 the Libav developers
  built on Nov 10 2016 09:05:39 with clang version 3.9.0 (tags/RELEASE_390/final)
  configuration: --cc=clang --extra-cflags='-fsanitize=address -O1 -fno-omit-frame-pointer -g' --extra-ldflags='-fsanitize=address'
  libavutil     55. 29. 0 / 55. 29. 0
  libavcodec    57. 28. 4 / 57. 28. 4
  libavformat   57.  9. 0 / 57.  9. 0
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  8. 0 /  6.  8. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'libav_gbo_1'.
Reading option '-f' ... matched as option 'f' (force format) with argument '/dev/null'.
Trailing options were found on the commandline.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file libav_gbo_1.
Successfully parsed a group of options.
Opening an input file: libav_gbo_1.
nsv_probe(), buf_size 738
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] Probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 7461646d 'mdat' parent:'root' sz: 405 0 738
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'root' sz: 108 405 738
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6b617274 'trak' parent:'root' sz: 808464432 513 738
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'trak' sz: 92 0 217
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 30303030 '0000' parent:'trak' sz: 36 92 217
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 64737473 'stsd' parent:'trak' sz: 808464432 128 217
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] size=808464432 format=0x31307661 codec_type=0
=================================================================
==23020==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001d99abc at pc 0x0000006447fa bp 0x7fffca9bcc10 sp 0x7fffca9bcc08
READ of size 4 at 0x000001d99abc thread T0
    #0 0x6447f9 in mov_read_mac_string XYZ/libav/libavformat/mov.c:165:13
    #1 0x6447f9 in mov_parse_stsd_video XYZ/libav/libavformat/mov.c:1442
    #2 0x6447f9 in ff_mov_read_stsd_entries XYZ/libav/libavformat/mov.c:1849
    #3 0x650533 in mov_read_stsd XYZ/libav/libavformat/mov.c:1916:11
    #4 0x644f52 in mov_read_default XYZ/libav/libavformat/mov.c:3291:23
    #5 0x65339f in mov_read_trak XYZ/libav/libavformat/mov.c:2559:16
    #6 0x644f52 in mov_read_default XYZ/libav/libavformat/mov.c:3291:23
    #7 0x645892 in mov_read_header XYZ/libav/libavformat/mov.c:3494:16
    #8 0x7a4734 in avformat_open_input XYZ/libav/libavformat/utils.c:336:20
    #9 0x4f0d81 in open_input_file XYZ/libav/avconv_opt.c:754:11
    #10 0x4f01e4 in open_files XYZ/libav/avconv_opt.c:2408:15
    #11 0x4efc74 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #12 0x50a46d in main XYZ/libav/avconv.c:2876:11
    #13 0x7f0ad53d382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41a888 in _start (/usr/local/bin/avconv+0x41a888)

0x000001d99abc is located 92 bytes to the right of global variable 'ff_qt_default_palette_256' defined in 'libavformat/qtpalette.h:54:22' (0x1d99760) of size 768
SUMMARY: AddressSanitizer: global-buffer-overflow XYZ/libav/libavformat/mov.c:165:13 in mov_read_mac_string
Shadow bytes around the buggy address:
  0x0000803ab300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab340: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
=>0x0000803ab350: f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9
  0x0000803ab360: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803ab3a0: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23020==ABORTING
