[libav-bugs] [Bug 1046] New: segfault in av_parser_parse2() - out of bound read

bugzilla at libav.org bugzilla at libav.org
Fri Apr 14 15:56:09 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1046

            Bug ID: 1046
           Summary: segfault in av_parser_parse2() - out of bound read
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: bahari.rad at gmail.com

Created attachment 663
  --> https://bugzilla.libav.org/attachment.cgi?id=663&action=edit
poc of out of bound read in av_parser_parse2

An out-of-bounds read of s->cur_frame_end[s->cur_frame_start_index] leads to a
segfault in av_parser_parse2(). In the dump below the faulting instruction indexes
[rbx+r11*8+0xc8] with r11 = 0x7fff (loaded from [rbx+0x54], which appears to be the
index field), and rbx + 0x7fff*8 + 0xc8 is exactly the unreadable address
0x7ffff74c1d28, so the fault is a direct consequence of that index value; note also
that gdb resolves s to <main_arena+328> inside glibc, which suggests the parser
context pointer itself may already be invalid before this read.


$ avconv -i av_parser_parse2 -vn -f wav /dev/null 
avconv version v13_dev0-1039-gb200a2c, Copyright (c) 2000-2017 the Libav
developers
  built on Apr 11 2017 00:42:40 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
[mm @ 0x3469080] unknown chunk type 0xeb
[1]    7700 segmentation fault  avconv -i av_parser_parse2 -vn -f wav 


gdb-peda$ p s->cur_frame_end[s->cur_frame_start_index]
Cannot access memory at address 0x7ffff74c1d28


gdb-peda$ bt
#0  0x000000000135e60a in av_parser_parse2 (s=0x7ffff7481c68 <main_arena+328>,
avctx=0x7ffff7481d18 <main_arena+504>, poutbuf=poutbuf at entry=0x7fffffffd2f8, 
    poutbuf_size=poutbuf_size at entry=0x7fffffffd300, buf=buf at entry=0x2b63230
"\231\004", buf_size=buf_size at entry=0x7400, pts=0x0, dts=0x8000000000000000, 
    pos=0x28) at libavcodec/parser.c:147
#1  0x00000000009d0be1 in parse_packet (s=s at entry=0x2b42080, pkt=<optimized
out>, pkt at entry=0x7fffffffd3f0, stream_index=<optimized out>)
    at libavformat/utils.c:834
#2  0x00000000009d2271 in read_frame_internal (s=s at entry=0x2b42080,
pkt=pkt at entry=0x7fffffffd4e0) at libavformat/utils.c:988
#3  0x00000000009dd9bb in avformat_find_stream_info (ic=0x2b42080,
options=0x2b53be0) at libavformat/utils.c:2336
#4  0x0000000000507cbe in open_input_file (o=o at entry=0x7fffffffd950,
filename=<optimized out>) at avtools/avconv_opt.c:803
#5  0x000000000050f574 in open_files (l=0x2b42898, l=0x2b42898,
open_file=0x507150 <open_input_file>, inout=0x20595fc "input") at
avtools/avconv_opt.c:2449
#6  avconv_parse_options (argc=argc at entry=0x7, argv=argv at entry=0x7fffffffe458)
at avtools/avconv_opt.c:2486
#7  0x00000000004ee4dc in main (argc=argc at entry=0x7,
argv=argv at entry=0x7fffffffe458) at avtools/avconv.c:2910
#8  0x00007ffff70de830 in __libc_start_main (main=0x4ee430 <main>, argc=0x7,
argv=0x7fffffffe458, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe448) at
../csu/libc-start.c:291
#9  0x00000000004fe8d9 in _start ()




gdb-peda$ disass $pc-32,$pc+32
Dump of assembler code from 0x135e5ea to 0x135e62a:
   0x000000000135e5ea <av_parser_parse2+282>:    adc    BYTE PTR [rax-0x75],cl
   0x000000000135e5ed <av_parser_parse2+285>:    rex.WR and al,0x8
   0x000000000135e5f0 <av_parser_parse2+288>:    mov    rdx,QWORD PTR [rsp]
   0x000000000135e5f4 <av_parser_parse2+292>:    lea    rsp,[rsp+0x98]
   0x000000000135e5fc <av_parser_parse2+300>:    movsxd r11,DWORD PTR
[rbx+0x54]
   0x000000000135e600 <av_parser_parse2+304>:    mov    r10,QWORD PTR
[rbx+0x18]
   0x000000000135e604 <av_parser_parse2+308>:    movsxd rcx,r9d
   0x000000000135e607 <av_parser_parse2+311>:    add    rcx,r10
=> 0x000000000135e60a <av_parser_parse2+314>:    cmp    rcx,QWORD PTR
[rbx+r11*8+0xc8]
   0x000000000135e612 <av_parser_parse2+322>:    mov    rax,r11
   0x000000000135e615 <av_parser_parse2+325>:    je     0x135e686
<av_parser_parse2+438>
   0x000000000135e617 <av_parser_parse2+327>:    nop
   0x000000000135e618 <av_parser_parse2+328>:    lea    rsp,[rsp-0x98]
   0x000000000135e620 <av_parser_parse2+336>:    mov    QWORD PTR [rsp],rdx
   0x000000000135e624 <av_parser_parse2+340>:    mov    QWORD PTR [rsp+0x8],rcx
   0x000000000135e629 <av_parser_parse2+345>:    mov    QWORD PTR
[rsp+0x10],rax
End of assembler dump.




gdb-peda$ info all-registers 
rax            0xf7481d0c    0xf7481d0c
rbx            0x7ffff7481c68    0x7ffff7481c68
rcx            0x7428    0x7428
rdx            0x7fffffffd2f8    0x7fffffffd2f8
rsi            0x7ffff7481d18    0x7ffff7481d18
rdi            0x28    0x28
rbp            0x7fffffffd300    0x7fffffffd300
rsp            0x7fffffffd260    0x7fffffffd260
r8             0x2b63230    0x2b63230
r9             0x7400    0x7400
r10            0x28    0x28
r11            0x7fff    0x7fff
r12            0x2b63230    0x2b63230
r13            0x7fffffffd3f0    0x7fffffffd3f0
r14            0x2b42080    0x2b42080
r15            0x0    0x0
rip            0x135e60a    0x135e60a <av_parser_parse2+314>
eflags         0x10206    [ PF IF RF ]
cs             0x33    0x33
ss             0x2b    0x2b
ds             0x0    0x0
es             0x0    0x0
fs             0x0    0x0
gs             0x0    0x0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    0x37f
fstat          0x0    0x0
ftag           0xffff    0xffff
fiseg          0x0    0x0
fioff          0x0    0x0
foseg          0x0    0x0
fooff          0x0    0x0
fop            0x0    0x0
xmm0           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000
}
xmm1           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000
}
xmm2           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000
}
xmm3           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000
}
xmm4           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0x0}, 
  v8_int16 = {0xffff, 0xffff, 0xffff, 0xff, 0xffff, 0xffff, 0xffff, 0xff}, 
  v4_int32 = {0xffffffff, 0xffffff, 0xffffffff, 0xffffff}, 
  v2_int64 = {0xffffffffffffff, 0xffffffffffffff}, 
  uint128 = 0x00ffffffffffffff00ffffffffffffff
}
xmm5           {
  v4_float = {0x2b020000, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x40, 0x3f, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0xa9fc, 0xd2f1, 0x624d, 0x3f40, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0xd2f1a9fc, 0x3f40624d, 0x0, 0x0}, 
  v2_int64 = {0x3f40624dd2f1a9fc, 0x0}, 
  uint128 = 0x00000000000000003f40624dd2f1a9fc
}
xmm6           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x8000000000000000, 0x0}, 
  v16_int8 = {0x61, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x0, 0x61, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0x6361, 0x656b, 0x7374, 0x6100, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x656b6361, 0x61007374, 0x0, 0x0}, 
  v2_int64 = {0x61007374656b6361, 0x0}, 
  uint128 = 0x000000000000000061007374656b6361
}
xmm7           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000
}
xmm8           {
  v4_float = {0x2, 0x0, 0x0, 0x0}, 
  v2_double = {0x8000000000000000, 0x8000000000000000}, 
  v16_int8 = {0xff, 0xf5, 0x0, 0x40, 0xff, 0x55, 0xcd, 0xe0, 0xe0, 0xe0, 0xe0,
0xe0, 0xe0, 0xe0, 0xe0, 0xe0}, 
  v8_int16 = {0xf5ff, 0x4000, 0x55ff, 0xe0cd, 0xe0e0, 0xe0e0, 0xe0e0, 0xe0e0}, 
  v4_int32 = {0x4000f5ff, 0xe0cd55ff, 0xe0e0e0e0, 0xe0e0e0e0}, 
  v2_int64 = {0xe0cd55ff4000f5ff, 0xe0e0e0e0e0e0e0e0}, 
  uint128 = 0xe0e0e0e0e0e0e0e0e0cd55ff4000f5ff
}
xmm9           {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000
}
xmm10          {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x54, 0xec, 0x35, 0x16, 0xb3, 0xe9, 0x8f, 0xbd, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0xec54, 0x1635, 0xe9b3, 0xbd8f, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x1635ec54, 0xbd8fe9b3, 0x0, 0x0}, 
  v2_int64 = {0xbd8fe9b31635ec54, 0x0}, 
  uint128 = 0x0000000000000000bd8fe9b31635ec54
}
xmm11          {
  v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, 
  v2_double = {0xffffffffffffffd2, 0x0}, 
  v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, 
  v2_int64 = {0xc047069e6735e6e0, 0x0}, 
  uint128 = 0x0000000000000000c047069e6735e6e0
}
xmm12          {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x0, 0x3cc40000, 0x0, 0x0}, 
  v2_int64 = {0x3cc4000000000000, 0x0}, 
  uint128 = 0x00000000000000003cc4000000000000
}
xmm13          {
  v4_float = {0x0, 0x1, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0, 0x90, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0x9000, 0x21ee, 0x74a8, 0x3fd3, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x21ee9000, 0x3fd374a8, 0x0, 0x0}, 
  v2_int64 = {0x3fd374a821ee9000, 0x0}, 
  uint128 = 0x00000000000000003fd374a821ee9000
}
xmm14          {
  v4_float = {0x0, 0x3, 0x0, 0x0}, 
  v2_double = {0x2d, 0x0}, 
  v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, 
  v2_int64 = {0x4046dfb516f209c0, 0x0}, 
  uint128 = 0x00000000000000004046dfb516f209c0
}
xmm15          {
  v4_float = {0x0, 0x0, 0x0, 0x0}, 
  v2_double = {0x0, 0x0}, 
  v16_int8 = {0xb3, 0x35, 0xb2, 0xb0, 0x7d, 0x51, 0x53, 0x3c, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int16 = {0x35b3, 0xb0b2, 0x517d, 0x3c53, 0x0, 0x0, 0x0, 0x0}, 
  v4_int32 = {0xb0b235b3, 0x3c53517d, 0x0, 0x0}, 
  v2_int64 = {0x3c53517db0b235b3, 0x0}, 
  uint128 = 0x00000000000000003c53517db0b235b3
}
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
