[libav-bugs] [Bug 972] New: global-buffer-overflow in mov_read_mac_string

bugzilla at libav.org
Sun Oct 9 15:09:43 CEST 2016


https://bugzilla.libav.org/show_bug.cgi?id=972

            Bug ID: 972
           Summary: global-buffer-overflow in mov_read_mac_string
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: marco.gra at gmail.com

Created attachment 610
  --> https://bugzilla.libav.org/attachment.cgi?id=610&action=edit
reproducer

Hi, the attached sample will trigger a global buffer overflow with ./avprobe
samplefile, using an ASAN build of the current master branch.

avprobe version e4128c0, Copyright (c) 2007-2016 the Libav developers
  built on Oct  9 2016 20:58:24 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] overread end of atom 'dref' by
100728819 bytes
=================================================================
==29379==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000023d7064 at pc 0x0000006324ff bp 0x7ffd9feb6750 sp 0x7ffd9feb6748
READ of size 4 at 0x0000023d7064 thread T0
    #0 0x6324fe in mov_read_mac_string
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:164:13
    #1 0x6324fe in mov_parse_stsd_video
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:1433
    #2 0x6324fe in ff_mov_read_stsd_entries
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:1840
    #3 0x642ea8 in mov_read_stsd
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:1907:11
    #4 0x632de3 in mov_read_default
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3269:23
    #5 0x632de3 in mov_read_default
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3269:23
    #6 0x632de3 in mov_read_default
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3269:23
    #7 0x632de3 in mov_read_default
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3269:23
    #8 0x64660a in mov_read_trak
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:2552:16
    #9 0x632de3 in mov_read_default
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3269:23
    #10 0x641281 in mov_read_moov
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:878:16
    #11 0x632de3 in mov_read_default
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3269:23
    #12 0x633b42 in mov_read_header
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:3472:16
    #13 0x828291 in avformat_open_input
/home/bob/VulnResearch/misc/libav_asan/libavformat/utils.c:336:20
    #14 0x4fc0fb in open_input_file
/home/bob/VulnResearch/misc/libav_asan/avprobe.c:796:16
    #15 0x4fc0fb in probe_file
/home/bob/VulnResearch/misc/libav_asan/avprobe.c:886
    #16 0x4fc0fb in main /home/bob/VulnResearch/misc/libav_asan/avprobe.c:1087
    #17 0x7f2592ff682f in __libc_start_main
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x41a7a8 in _start
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x41a7a8)

0x0000023d7064 is located 68 bytes to the right of global variable
'ff_qt_default_palette_256' defined in 'libavformat/qtpalette.h:54:22'
(0x23d6d20) of size 768
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/bob/VulnResearch/misc/libav_asan/libavformat/mov.c:164:13 in
mov_read_mac_string
Shadow bytes around the buggy address:
  0x000080472db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080472e00: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9
  0x000080472e10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080472e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080472e50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29379==ABORTING
