[libav-bugs] [Bug 1078] New: Global variable out of bounds read in build_qp_table()

bugzilla at libav.org bugzilla at libav.org
Fri Aug 25 10:53:36 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1078

            Bug ID: 1078
           Summary: Global variable out of bounds read in build_qp_table()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 677
  --> https://bugzilla.libav.org/attachment.cgi?id=677&action=edit
POC to trigger global out of bounds read (avprobe)

After some fuzz testing I found a crashing test case.

Git Head: b90fdb2c7199cc8b0e8d994fafba1fb4dc181d88

Command: avprobe libav_goobr_build_qp_table

ASAN:

==30136==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000254522d at pc 0x000000c2f407 bp 0x7ffd4cd59b10 sp 0x7ffd4cd59b08
READ of size 1 at 0x00000254522d thread T0
    #0 0xc2f406 in build_qp_table XYZ/libav/libavcodec/h264_ps.c:663:13
    #1 0xc2f406 in ff_h264_decode_picture_parameter_set
XYZ/libav/libavcodec/h264_ps.c:747
    #2 0xc148f3 in parse_nal_units XYZ/libav/libavcodec/h264_parser.c:269:13
    #3 0xc148f3 in h264_parse XYZ/libav/libavcodec/h264_parser.c:513
    #4 0x130f161 in av_parser_parse2 XYZ/libav/libavcodec/parser.c:166:13
    #5 0x83e26c in parse_packet XYZ/libav/libavformat/utils.c:834:15
    #6 0x82570e in read_frame_internal XYZ/libav/libavformat/utils.c:940:21
    #7 0x82ef8a in avformat_find_stream_info
XYZ/libav/libavformat/utils.c:2336:15
    #8 0x4fe8f7 in open_input_file XYZ/libav/avtools/avprobe.c:900:16
    #9 0x4fe8f7 in probe_file XYZ/libav/avtools/avprobe.c:978
    #10 0x4fe8f7 in main XYZ/libav/avtools/avprobe.c:1212
    #11 0x7f52b466782f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41b198 in _start (/usr/local/bin/avprobe+0x41b198)

0x00000254522d is located 19 bytes to the left of global variable
'ff_h264_chroma_qp' defined in 'libavcodec/h264data.c:199:15' (0x2545240) of
size 192
0x00000254522d is located 13 bytes to the right of global variable
'ff_h264_quant_div6' defined in 'libavcodec/h264data.c:180:15' (0x25451e0) of
size 64
SUMMARY: AddressSanitizer: global-buffer-overflow
XYZ/libav/libavcodec/h264_ps.c:663:13 in build_qp_table
Shadow bytes around the buggy address:
  0x0000804a09f0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000804a0a00: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
  0x0000804a0a10: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 f9 f9
  0x0000804a0a20: f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  0x0000804a0a30: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0000804a0a40: 00 00 00 00 f9[f9]f9 f9 00 00 00 00 00 00 00 00
  0x0000804a0a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804a0a60: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804a0a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804a0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804a0a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30136==ABORTING
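The two "is located N bytes to the left/right of global variable" lines are the most useful part of this report for triage: they pin the faulting byte between `ff_h264_quant_div6` and `ff_h264_chroma_qp`, so the read is either 77 bytes into the first array or 19 bytes before the second. The following Python helper is an added example, not part of the bug report or of Libav's code. It parses the sanitizer text above (embedded as an excerpt), cross-checks that both neighbour lines agree with the faulting address, derives the array index each neighbour would imply, and builds a build-independent crash signature for de-duplicating fuzzer findings. The names `parse_asan_report`, `Neighbour`, `Triage` and `candidate_indices` are mine, and the element size used to turn a byte offset into an index is an assumption passed by the caller (the 1-byte READ suggests byte arrays, but the real types have to be confirmed in `h264data.c`).

```python
"""Triage helper for AddressSanitizer global-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the sanitizer output from the bug report above, line wraps included.
ASAN_REPORT = """\
==30136==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000254522d at pc 0x000000c2f407 bp 0x7ffd4cd59b10 sp 0x7ffd4cd59b08
READ of size 1 at 0x00000254522d thread T0
    #0 0xc2f406 in build_qp_table XYZ/libav/libavcodec/h264_ps.c:663:13
    #1 0xc2f406 in ff_h264_decode_picture_parameter_set
XYZ/libav/libavcodec/h264_ps.c:747

0x00000254522d is located 19 bytes to the left of global variable
'ff_h264_chroma_qp' defined in 'libavcodec/h264data.c:199:15' (0x2545240) of
size 192
0x00000254522d is located 13 bytes to the right of global variable
'ff_h264_quant_div6' defined in 'libavcodec/h264data.c:180:15' (0x25451e0) of
size 64
SUMMARY: AddressSanitizer: global-buffer-overflow
XYZ/libav/libavcodec/h264_ps.c:663:13 in build_qp_table
"""


@dataclass
class Neighbour:
    """A global variable that ASAN reports next to the faulting address."""
    name: str
    defined_at: str
    base: int
    size: int
    distance: int   # bytes from the faulting address to the nearest edge of the global
    side: str       # "left": access lies below the global; "right": above its end

    def byte_offset(self) -> int:
        """Offset of the faulting byte from the start of this global (negative = before)."""
        return -self.distance if self.side == "left" else self.size + self.distance

    def implied_index(self, elem_size: int = 1) -> int:
        """Array index the access corresponds to, assuming elem_size-byte elements."""
        return self.byte_offset() // elem_size


@dataclass
class Triage:
    kind: str
    access: str
    access_size: int
    address: int
    function: str
    location: str
    neighbours: List[Neighbour]

    def signature(self) -> str:
        """Key for de-duplicating crashes: addresses change per build, this does not."""
        return f"{self.kind}|{self.function}|{self.location}"


# \s+ instead of a literal space wherever the mail client may have wrapped the line.
_RE_ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address\s+(0x[0-9a-f]+)")
_RE_ACCESS = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
_RE_FRAME0 = re.compile(r"#0 0x[0-9a-f]+ in (\S+)\s+(\S+)")
_RE_GLOBAL = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable\s+"
    r"'([^']+)' defined in '([^']+)'\s+\((0x[0-9a-f]+)\) of\s+size (\d+)"
)


def parse_asan_report(text: str) -> Triage:
    """Extract the access, the top frame and the neighbouring globals, with consistency checks."""
    err, acc, frame = _RE_ERROR.search(text), _RE_ACCESS.search(text), _RE_FRAME0.search(text)
    if not (err and acc and frame):
        raise ValueError("not a recognisable ASAN access report")
    address = int(acc.group(3), 16)
    neighbours: List[Neighbour] = []
    for m in _RE_GLOBAL.finditer(text):
        n = Neighbour(name=m.group(4), defined_at=m.group(5), base=int(m.group(6), 16),
                      size=int(m.group(7)), distance=int(m.group(2)), side=m.group(3))
        # The stated distance must reproduce the faulting address from the global's edge.
        expected = n.base - n.distance if n.side == "left" else n.base + n.size + n.distance
        if int(m.group(1), 16) != address or expected != address:
            raise ValueError(f"neighbour line for {n.name} does not match the faulting address")
        neighbours.append(n)
    return Triage(kind=err.group(1), access=acc.group(1), access_size=int(acc.group(2)),
                  address=address, function=frame.group(1), location=frame.group(2),
                  neighbours=neighbours)


def candidate_indices(t: Triage, elem_size: int = 1) -> Dict[str, int]:
    """For each neighbouring global, the index the access implies if it targeted that array.
    elem_size is an assumption: check the declared element type in the source."""
    return {n.name: n.implied_index(elem_size) for n in t.neighbours}


if __name__ == "__main__":
    report = parse_asan_report(ASAN_REPORT)
    print(report.signature())
    for name, idx in candidate_indices(report).items():
        print(f"{name}: implied index {idx}")
```

Run against the report above this yields index 77 into `ff_h264_quant_div6` (size 64) or index -19 into `ff_h264_chroma_qp`; which one the code at `h264_ps.c:663` actually indexes has to be settled by reading that line, but the helper narrows the question to a single lookup and gives a stable signature to collapse duplicate fuzzer reproducers.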
