[libav-bugs] [Bug 973] New: decode_residual avprobe global buffer overflow

bugzilla at libav.org bugzilla at libav.org
Sun Oct 9 15:13:39 CEST 2016


https://bugzilla.libav.org/show_bug.cgi?id=973

            Bug ID: 973
           Summary: decode_residual avprobe global buffer overflow
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: marco.gra at gmail.com

Created attachment 611
  --> https://bugzilla.libav.org/attachment.cgi?id=611&action=edit
reproducer

Hi, the attached sample will trigger a global buffer overflow in ./avprobe samplefile, with an ASAN build of the current master:

avprobe version e4128c0, Copyright (c) 2007-2016 the Libav developers
  built on Oct  9 2016 20:58:24 with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] overread end of atom 'dref' by 8192 bytes
=================================================================
==37863==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002523cd0 at pc 0x000001c155fe bp 0x7ffde6d98370 sp 0x7ffde6d98368
READ of size 1 at 0x000002523cd0 thread T0
    #0 0x1c155fd in decode_residual (/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1c155fd)
    #1 0x1bfff07 in ff_h264_decode_mb_cavlc (/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1bfff07)
    #2 0x1c9ecd1 in decode_slice (/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1c9ecd1)
    #3 0x1c9c3b9 in ff_h264_execute_decode_slices (/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1c9c3b9)
    #4 0xbea8b9 in decode_nal_units /home/bob/VulnResearch/misc/libav_asan/libavcodec/h264dec.c:588:27
    #5 0xbea8b9 in h264_decode_frame /home/bob/VulnResearch/misc/libav_asan/libavcodec/h264dec.c:742
    #6 0x15e6fc7 in avcodec_decode_video2 /home/bob/VulnResearch/misc/libav_asan/libavcodec/utils.c:1588:19
    #7 0x15e9b2b in do_decode /home/bob/VulnResearch/misc/libav_asan/libavcodec/utils.c:1727:15
    #8 0x15e9786 in avcodec_send_packet /home/bob/VulnResearch/misc/libav_asan/libavcodec/utils.c:1804:12
    #9 0x83efb9 in try_decode_frame /home/bob/VulnResearch/misc/libav_asan/libavformat/utils.c:1950:19
    #10 0x838728 in avformat_find_stream_info /home/bob/VulnResearch/misc/libav_asan/libavformat/utils.c:2356:9
    #11 0x4fc22d in open_input_file /home/bob/VulnResearch/misc/libav_asan/avprobe.c:808:16
    #12 0x4fc22d in probe_file /home/bob/VulnResearch/misc/libav_asan/avprobe.c:886
    #13 0x4fc22d in main /home/bob/VulnResearch/misc/libav_asan/avprobe.c:1087
    #14 0x7fbf23fe282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x41a7a8 in _start (/home/bob/VulnResearch/misc/libav_asan/avprobe+0x41a7a8)

0x000002523cd0 is located 0 bytes to the right of global variable 'ff_zigzag_scan' defined in 'libavcodec/mathtables.c:126:15' (0x2523cc0) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1c155fd) in decode_residual
Shadow bytes around the buggy address:
  0x00008049c740: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008049c750: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008049c760: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008049c770: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008049c780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x00008049c790: 00 00 00 00 f9 f9 f9 f9 00 00[f9]f9 f9 f9 f9 f9
  0x00008049c7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008049c7b0: 00 00 00 00 00 00 00 00 00 00 00 00 05 f9 f9 f9
  0x00008049c7c0: f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
  0x00008049c7d0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x00008049c7e0: 00 00 00 01 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37863==ABORTING

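Editor's note on reading the shadow dump above. The following C program is an added triage example, not code from the report or from Libav: it recomputes the AddressSanitizer shadow-memory arithmetic for the addresses the report prints and checks that the "global-buffer-overflow", the "[f9]" redzone byte and the "0 bytes to the right of ... size 16" wording all agree. It assumes the default x86_64 Linux shadow mapping, shadow = (addr >> 3) + 0x7fff8000, which is the mapping the report's own shadow addresses are consistent with. The constants (fault address, global address and size, the "=>" shadow row) are copied from the report; the function names are the example's own.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Default ASAN shadow mapping on x86_64 Linux (assumption stated above):
 * one shadow byte covers 8 application bytes. */
#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* Values copied from the ASAN report. */
#define FAULT_ADDR  0x000002523cd0ULL  /* "READ of size 1 at 0x000002523cd0" */
#define GLOBAL_ADDR 0x000002523cc0ULL  /* "'ff_zigzag_scan' ... (0x2523cc0)" */
#define GLOBAL_SIZE 16ULL              /* "of size 16" */

/* The "=>" row of the shadow dump: 16 shadow bytes starting at this address. */
#define SHADOW_ROW_BASE 0x00008049c790ULL
static const uint8_t shadow_row[16] = {
    0x00, 0x00, 0x00, 0x00, 0xf9, 0xf9, 0xf9, 0xf9,
    0x00, 0x00, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9,
};

/* Application address -> address of the shadow byte describing it. */
uint64_t asan_shadow_addr(uint64_t app_addr)
{
    return (app_addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Shadow byte for app_addr, looked up in the dumped row; -1 if the
 * address is not covered by that row. */
int shadow_byte_for(uint64_t app_addr)
{
    uint64_t sh = asan_shadow_addr(app_addr);
    if (sh < SHADOW_ROW_BASE || sh >= SHADOW_ROW_BASE + sizeof shadow_row)
        return -1;
    return shadow_row[sh - SHADOW_ROW_BASE];
}

/* Would a 1-byte access at app_addr pass the ASAN check?
 * 0x00: all 8 bytes of the granule addressable; 0x01..0x07: only the
 * first k bytes addressable; anything else (0xf9 = global redzone): poisoned. */
int shadow_access_ok(uint64_t app_addr)
{
    int sb = shadow_byte_for(app_addr);
    if (sb < 0)
        return 0;
    if (sb == 0)
        return 1;
    if (sb >= 1 && sb <= 7)
        return (int)(app_addr & 7) < sb;
    return 0;
}

/* Distance of the fault past the end of [global, global + size), which is
 * what ASAN phrases as "N bytes to the right of". */
uint64_t bytes_right_of_global(uint64_t fault, uint64_t global, uint64_t size)
{
    return fault - (global + size);
}

int main(void)
{
    printf("fault  0x%" PRIx64 " -> shadow 0x%" PRIx64 " = 0x%02x (ok=%d)\n",
           FAULT_ADDR, asan_shadow_addr(FAULT_ADDR),
           shadow_byte_for(FAULT_ADDR), shadow_access_ok(FAULT_ADDR));
    printf("global 0x%" PRIx64 "..+%" PRIu64 " -> shadow 0x%" PRIx64
           " = 0x%02x (ok=%d)\n",
           GLOBAL_ADDR, GLOBAL_SIZE, asan_shadow_addr(GLOBAL_ADDR),
           shadow_byte_for(GLOBAL_ADDR), shadow_access_ok(GLOBAL_ADDR));
    printf("fault is %" PRIu64 " bytes past the end of the global\n",
           bytes_right_of_global(FAULT_ADDR, GLOBAL_ADDR, GLOBAL_SIZE));
    return 0;
}
```

Run stand-alone, it shows the 16-byte table occupying the two 0x00 shadow bytes at row offsets 8 and 9, the faulting address mapping to offset 10 (the bracketed f9), and the fault sitting exactly at global + 16: a one-byte read one past the end of a 16-entry scan table. The report does not say which index decode_residual used, so it does not tell you how far an index can be pushed; that is what the attached reproducer and the frame #0 source line are for.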