[libav-bugs] [Bug 1077] New: Global variable out of bounds read in apply_dependent_coupling()

bugzilla at libav.org bugzilla at libav.org
Fri Aug 25 10:44:47 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1077

            Bug ID: 1077
           Summary: Global variable out of bounds read in
                    apply_dependent_coupling()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 676
  --> https://bugzilla.libav.org/attachment.cgi?id=676&action=edit
POC to trigger global out of bounds read (avprobe)

After some fuzz testing I found a crashing test case.

Git Head: b90fdb2c7199cc8b0e8d994fafba1fb4dc181d88

Command: avprobe libav_goobr_apply_dependent_coupling

ASAN:

==16097==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000278673a at pc 0x000001aaa6a2 bp 0x7fff1cf47ae0 sp 0x7fff1cf47ad8
READ of size 2 at 0x00000278673a thread T0
    #0 0x1aaa6a1 in apply_dependent_coupling (/usr/local/bin/avprobe+0x1aaa6a1)
    #1 0x1aa0680 in spectral_to_sample (/usr/local/bin/avprobe+0x1aa0680)
    #2 0x1a9476d in aac_decode_frame_int (/usr/local/bin/avprobe+0x1a9476d)
    #3 0x1a81d0a in aac_decode_frame (/usr/local/bin/avprobe+0x1a81d0a)
    #4 0xa2b91d in decode_simple_internal XYZ/libav/libavcodec/decode.c:335:15
    #5 0xa2b91d in decode_simple_receive_frame XYZ/libav/libavcodec/decode.c:386
    #6 0xa2b91d in decode_receive_frame_internal XYZ/libav/libavcodec/decode.c:404
    #7 0xa2a7c7 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:469:15
    #8 0x8361b8 in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #9 0x82faa6 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2459:9
    #10 0x4fe8f7 in open_input_file XYZ/libav/avtools/avprobe.c:900:16
    #11 0x4fe8f7 in probe_file XYZ/libav/avtools/avprobe.c:978
    #12 0x4fe8f7 in main XYZ/libav/avtools/avprobe.c:1212
    #13 0x7fb754b9982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41b198 in _start (/usr/local/bin/avprobe+0x41b198)

0x00000278673a is located 38 bytes to the left of global variable 'swb_offset_128_48' defined in 'libavcodec/aactab.c:1141:23' (0x2786760) of size 30
0x00000278673a is located 0 bytes to the right of global variable 'swb_offset_128_96' defined in 'libavcodec/aactab.c:1102:23' (0x2786720) of size 26
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/local/bin/avprobe+0x1aaa6a1) in apply_dependent_coupling
Shadow bytes around the buggy address:
  0x0000804e8c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0000804e8ca0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0000804e8cb0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 04 f9 f9
  0x0000804e8cc0: f9 f9 f9 f9 00 00 00 00 00 00 00 06 f9 f9 f9 f9
  0x0000804e8cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
=>0x0000804e8ce0: f9 f9 f9 f9 00 00 00[02]f9 f9 f9 f9 00 00 00 06
  0x0000804e8cf0: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000804e8d00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000804e8d10: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804e8d20: 00 05 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
  0x0000804e8d30: 00 05 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16097==ABORTING
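A small triage helper, added here as an example and not part of the bug report or of Libav's code: it parses the access line and the "located ... of global variable" lines of the ASan report above (embedded with the mail's wrapped lines re-joined), identifies which global the access ran past, and works out how far beyond the end of that table the read lands. Treating the table as 16-bit entries is an assumption, suggested by the 2-byte read rather than stated anywhere in the report; under it, this report resolves to element index 13 of a 13-entry table, i.e. a read of exactly one element past the end of swb_offset_128_96.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the AddressSanitizer report from this bug, wrapped lines re-joined.
ASAN_REPORT = """\
==16097==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000278673a at pc 0x000001aaa6a2 bp 0x7fff1cf47ae0 sp 0x7fff1cf47ad8
READ of size 2 at 0x00000278673a thread T0
    #0 0x1aaa6a1 in apply_dependent_coupling (/usr/local/bin/avprobe+0x1aaa6a1)
    #1 0x1aa0680 in spectral_to_sample (/usr/local/bin/avprobe+0x1aa0680)
0x00000278673a is located 38 bytes to the left of global variable 'swb_offset_128_48' defined in 'libavcodec/aactab.c:1141:23' (0x2786760) of size 30
0x00000278673a is located 0 bytes to the right of global variable 'swb_offset_128_96' defined in 'libavcodec/aactab.c:1102:23' (0x2786720) of size 26
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+)", re.M)
GLOBAL_RE = re.compile(
    r"^0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '([^']+)' \(0x([0-9a-f]+)\) of size (\d+)", re.M)


@dataclass
class GlobalOverflow:
    kind: str          # READ or WRITE
    access_size: int   # bytes touched by the faulting access
    addr: int          # faulting address
    function: str      # innermost frame (#0)
    symbol: str        # the global the access ran past
    location: str      # file:line:col where that global is defined
    base: int          # address of the global
    size: int          # size of the global in bytes

    @property
    def offset(self) -> int:
        """Byte offset of the access from the start of the overrun global."""
        return self.addr - self.base

    @property
    def overrun_bytes(self) -> int:
        """How many bytes of the access lie past the end of the global."""
        return self.offset + self.access_size - self.size

    def element_index(self, elem_size: int) -> int:
        """Index used if the global is an array of elem_size-byte elements (assumed)."""
        return self.offset // elem_size

    def element_count(self, elem_size: int) -> int:
        return self.size // elem_size


def parse_global_overflow(report: str) -> Optional[GlobalOverflow]:
    """Return the global the faulting access lies immediately after, or None."""
    access = ACCESS_RE.search(report)
    if not access:
        return None
    frame = FRAME0_RE.search(report)
    addr = int(access.group(3), 16)
    candidates: List[GlobalOverflow] = []
    for m in GLOBAL_RE.finditer(report):
        dist, side, sym, loc, base, size = m.groups()
        base_i, size_i, dist_i = int(base, 16), int(size), int(dist)
        # ASan's distances are measured from the global's boundaries; recompute them
        # so a mangled or truncated line is ignored rather than trusted.
        expected = (base_i - addr) if side == "left" else (addr - (base_i + size_i))
        if expected != dist_i:
            continue
        # "to the right of X" means the address is at or beyond the end of X:
        # that is the variable whose bounds were exceeded.
        if side == "right":
            candidates.append(GlobalOverflow(access.group(1), int(access.group(2)), addr,
                                             frame.group(1) if frame else "?",
                                             sym, loc, base_i, size_i))
    if not candidates:
        return None
    return min(candidates, key=lambda g: g.offset)   # nearest global wins


def summarize(g: GlobalOverflow, elem_size: int) -> str:
    return (f"{g.kind} of {g.access_size} bytes in {g.function} at +{g.offset} of "
            f"{g.symbol} ({g.location}, {g.size} bytes): index {g.element_index(elem_size)} "
            f"of {g.element_count(elem_size)} elements, {g.overrun_bytes} byte(s) past the end")


if __name__ == "__main__":
    found = parse_global_overflow(ASAN_REPORT)
    print(summarize(found, elem_size=2) if found else "no global overflow parsed")
```

The distance re-check matters when reports arrive through mail or ticket systems that wrap or truncate lines: a "located" line that no longer agrees with the access address is dropped instead of being reported as the culprit.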
