[libav-bugs] [Bug 1078] New: Global variable out of bounds read in build_qp_table()
bugzilla at libav.org
Fri Aug 25 10:53:36 CEST 2017
https://bugzilla.libav.org/show_bug.cgi?id=1078
Bug ID: 1078
Summary: Global variable out of bounds read in build_qp_table()
Product: Libav
Version: git HEAD
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: ---
Component: libavcodec
Assignee: bugzilla at libav.org
Reporter: fumfi.255 at gmail.com
Created attachment 677
--> https://bugzilla.libav.org/attachment.cgi?id=677&action=edit
POC to trigger global out of bounds read (avprobe)
After some fuzz testing I found a crashing test case.
Git Head: b90fdb2c7199cc8b0e8d994fafba1fb4dc181d88
Command: avprobe libav_goobr_build_qp_table
ASAN:
==30136==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000254522d at pc 0x000000c2f407 bp 0x7ffd4cd59b10 sp 0x7ffd4cd59b08
READ of size 1 at 0x00000254522d thread T0
#0 0xc2f406 in build_qp_table XYZ/libav/libavcodec/h264_ps.c:663:13
#1 0xc2f406 in ff_h264_decode_picture_parameter_set XYZ/libav/libavcodec/h264_ps.c:747
#2 0xc148f3 in parse_nal_units XYZ/libav/libavcodec/h264_parser.c:269:13
#3 0xc148f3 in h264_parse XYZ/libav/libavcodec/h264_parser.c:513
#4 0x130f161 in av_parser_parse2 XYZ/libav/libavcodec/parser.c:166:13
#5 0x83e26c in parse_packet XYZ/libav/libavformat/utils.c:834:15
#6 0x82570e in read_frame_internal XYZ/libav/libavformat/utils.c:940:21
#7 0x82ef8a in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2336:15
#8 0x4fe8f7 in open_input_file XYZ/libav/avtools/avprobe.c:900:16
#9 0x4fe8f7 in probe_file XYZ/libav/avtools/avprobe.c:978
#10 0x4fe8f7 in main XYZ/libav/avtools/avprobe.c:1212
#11 0x7f52b466782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x41b198 in _start (/usr/local/bin/avprobe+0x41b198)
0x00000254522d is located 19 bytes to the left of global variable 'ff_h264_chroma_qp' defined in 'libavcodec/h264data.c:199:15' (0x2545240) of size 192
0x00000254522d is located 13 bytes to the right of global variable 'ff_h264_quant_div6' defined in 'libavcodec/h264data.c:180:15' (0x25451e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow XYZ/libav/libavcodec/h264_ps.c:663:13 in build_qp_table
Shadow bytes around the buggy address:
0x0000804a09f0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000804a0a00: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
0x0000804a0a10: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 f9 f9
0x0000804a0a20: f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
0x0000804a0a30: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0000804a0a40: 00 00 00 00 f9[f9]f9 f9 00 00 00 00 00 00 00 00
0x0000804a0a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000804a0a60: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000804a0a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000804a0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000804a0a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30136==ABORTING
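The triage helper below is an added example, not Libav code and not part of the report. It takes the addresses and sizes printed by ASan above and reconstructs which element of the 192-byte `ff_h264_chroma_qp` table the faulting read targeted, cross-checks the "13 bytes to the right of ff_h264_quant_div6" line, and shows the bounds-checked form of a depth-indexed table lookup that returns an error instead of reading into a redzone. The 3x64 row layout and the `row = depth - 8` indexing are assumptions about the table made for the illustration; the report itself states neither, and the stand-in table contents are made up.

```c
/* Added example, not Libav code: triage helpers for the ASan
 * global-buffer-overflow report above. */
#include <stdint.h>
#include <stdio.h>

/* Addresses and sizes copied from the ASan report. */
#define FAULT_ADDR      0x254522dULL
#define CHROMA_QP_ADDR  0x2545240ULL   /* ff_h264_chroma_qp, 192 bytes */
#define QUANT_DIV6_ADDR 0x25451e0ULL   /* ff_h264_quant_div6, 64 bytes */
#define QUANT_DIV6_SIZE 64LL

/* Assumption (the report does not say this): the 192-byte table is 3 rows
 * of 64 one-byte entries, one row per bit depth starting at 8 bits and one
 * entry per QP value. The 64-entry companion table ff_h264_quant_div6 is
 * what makes a 64-wide row plausible. */
#define ROWS 3
#define COLS 64

struct location {
    int64_t offset;     /* signed byte offset from the table base */
    int64_t row, col;   /* Euclidean row/col, so col is always in [0, COLS) */
    int     in_bounds;  /* 1 if the element lies inside the table */
};

/* Map a faulting byte address back to an element of a uint8_t[rows][cols]
 * table at `base`. Euclidean division keeps the column non-negative, so a
 * read just left of the table shows up as row -1 rather than a garbage pair. */
struct location locate(uint64_t fault, uint64_t base, int64_t rows, int64_t cols)
{
    struct location loc;
    loc.offset = (int64_t)fault - (int64_t)base;
    loc.row = loc.offset / cols;      /* C truncates toward zero ... */
    loc.col = loc.offset % cols;
    if (loc.col < 0) {                /* ... so fix up negative remainders */
        loc.col += cols;
        loc.row -= 1;
    }
    loc.in_bounds = loc.row >= 0 && loc.row < rows && loc.col >= 0 && loc.col < cols;
    return loc;
}

/* Signed distance from the end of a neighbouring global to the fault;
 * positive means the fault lies in the redzone past that global. */
int64_t bytes_past_end(uint64_t fault, uint64_t base, int64_t size)
{
    return (int64_t)fault - ((int64_t)base + size);
}

/* Stand-in for a depth-indexed QP table; the values are made up and only
 * need to be distinguishable from the error return below. */
static const uint8_t qp_table[ROWS][COLS] = {
    { 1, 2, 3 },
    { 4, 5, 6 },
    { 7, 8, 9 },
};

/* The defensive form of the lookup: the row is derived from a stream-supplied
 * bit depth (row = depth - 8 under the layout assumed above), so validate it
 * before indexing. Returns -1 instead of reading outside the table. */
int lookup_checked(int depth, int qp)
{
    int row = depth - 8;
    if (row < 0 || row >= ROWS)
        return -1;
    if (qp < 0 || qp >= COLS)
        return -1;
    return qp_table[row][qp];
}

int main(void)
{
    struct location loc = locate(FAULT_ADDR, CHROMA_QP_ADDR, ROWS, COLS);
    printf("fault is at offset %lld -> row %lld, col %lld (%s)\n",
           (long long)loc.offset, (long long)loc.row, (long long)loc.col,
           loc.in_bounds ? "inside table" : "outside table");
    printf("%lld bytes past the end of ff_h264_quant_div6\n",
           (long long)bytes_past_end(FAULT_ADDR, QUANT_DIV6_ADDR, QUANT_DIV6_SIZE));
    printf("lookup with depth 7: %d, depth 8: %d\n",
           lookup_checked(7, 0), lookup_checked(8, 0));
    return 0;
}
```

Run against the report's numbers, `locate` places the read 19 bytes before the table, which under the assumed 3x64 layout is row -1, column 45: a negative row index from an unvalidated depth-style value is the shape of bug to look for at h264_ps.c:663, and the ASan report is internally consistent (19 bytes left of one global, 13 bytes right of the previous one, with the 64-byte global redzone between them, as the `f9` shadow bytes above show).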