[libav-bugs] [Bug 1109] New: global-buffer-overflow in decode_residual

bugzilla at libav.org bugzilla at libav.org
Sun Dec 10 10:50:58 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1109

            Bug ID: 1109
           Summary: global-buffer-overflow in decode_residual
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Windows
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: gy741.kim at gmail.com

Created attachment 702
  --> https://bugzilla.libav.org/attachment.cgi?id=702&action=edit
PoC

Hello.

I found a global-buffer-overflow bug in libav.

Please confirm.

Thanks.

OS: Ubuntu 16.04 32bit
Version: avprobe v13_dev0-1418-g7993ec1
Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. ./avprobe $PoC

```
=================================================================
==25773==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a48ee70 at pc 0x09bf4844 bp 0xbf832bd8 sp 0xbf832bcc
READ of size 1 at 0x0a48ee70 thread T0

    #0 0x9bf4843 in decode_residual (/home/karas/libav/avprobe+0x9bf4843)
    #1 0x9bde252 in ff_h264_decode_mb_cavlc (/home/karas/libav/avprobe+0x9bde252)
    #2 0x9c8e87d in decode_slice (/home/karas/libav/avprobe+0x9c8e87d)
    #3 0x9c8c27d in ff_h264_execute_decode_slices (/home/karas/libav/avprobe+0x9c8c27d)
    #4 0x89fe362 in decode_nal_units /home/karas/libav/libavcodec/h264dec.c:593:27
    #5 0x89fe362 in h264_decode_frame /home/karas/libav/libavcodec/h264dec.c:727
    #6 0x87a5ef1 in decode_simple_internal /home/karas/libav/libavcodec/decode.c:335:15
    #7 0x87a5ef1 in decode_simple_receive_frame /home/karas/libav/libavcodec/decode.c:386
    #8 0x87a5ef1 in decode_receive_frame_internal /home/karas/libav/libavcodec/decode.c:404
    #9 0x87a494f in avcodec_send_packet /home/karas/libav/libavcodec/decode.c:469:15
    #10 0x8559564 in try_decode_frame /home/karas/libav/libavformat/utils.c:1950:19
    #11 0x854fed0 in avformat_find_stream_info /home/karas/libav/libavformat/utils.c:2459:9
    #12 0x816eebc in open_input_file /home/karas/libav/avtools/avprobe.c:900:16
    #13 0x816eebc in probe_file /home/karas/libav/avtools/avprobe.c:978
    #14 0x816eebc in main /home/karas/libav/avtools/avprobe.c:1212
    #15 0xb74d3636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x8089a17 in _start (/home/karas/libav/avprobe+0x8089a17)

0x0a48ee70 is located 0 bytes to the right of global variable 'ff_zigzag_scan' defined in 'libavcodec/mathtables.c:126:15' (0xa48ee60) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/karas/libav/avprobe+0x9bf4843) in decode_residual
Shadow bytes around the buggy address:
  0x21491d70: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
  0x21491d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x21491d90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x21491da0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x21491db0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x21491dc0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00[f9]f9
  0x21491dd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x21491de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21491df0: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
  0x21491e00: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 00 f9
  0x21491e10: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 04 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25773==ABORTING
```
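A triage helper, added here and not part of the bug report or of Libav: it parses the key lines of the ASan output above (embedded below with the mail wrapping undone) and derives what a reviewer wants first, namely that the one-byte read lands at byte offset 16 of the 16-byte `ff_zigzag_scan` table, i.e. exactly one element past its end, and cross-checks that arithmetic against the distance ASan itself printed.

```python
import re
from dataclasses import dataclass

ASAN_REPORT = """\
==25773==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a48ee70 at pc 0x09bf4844 bp 0xbf832bd8 sp 0xbf832bcc
READ of size 1 at 0x0a48ee70 thread T0
    #0 0x9bf4843 in decode_residual (/home/karas/libav/avprobe+0x9bf4843)
    #1 0x9bde252 in ff_h264_decode_mb_cavlc (/home/karas/libav/avprobe+0x9bde252)
0x0a48ee70 is located 0 bytes to the right of global variable 'ff_zigzag_scan' defined in 'libavcodec/mathtables.c:126:15' (0xa48ee60) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/karas/libav/avprobe+0x9bf4843) in decode_residual
"""

@dataclass
class GlobalOverflow:
    kind: str            # e.g. global-buffer-overflow
    access: str          # READ or WRITE
    access_size: int     # bytes touched by the faulting access
    address: int         # faulting address
    top_frame: str       # innermost function in the stack trace
    variable: str        # global that ASan matched the address to
    var_addr: int        # start address of that global
    var_size: int        # its size in bytes
    location: str        # file:line:col where the global is defined
    reported_gap: int    # the "N bytes to the right" that ASan printed

    @property
    def offset(self) -> int:          # byte offset of the access from the start of the global
        return self.address - self.var_addr

    @property
    def bytes_past_end(self) -> int:  # 0 means the very first byte past the object
        return self.offset - self.var_size

    def consistent(self) -> bool:     # cross-check our arithmetic against what ASan printed
        return self.bytes_past_end == self.reported_gap

def parse_asan_global_overflow(text: str) -> "GlobalOverflow | None":
    header = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)", text)
    access = re.search(r"^(READ|WRITE) of size (\d+) at", text, re.M)
    frame0 = re.search(r"^\s*#0 0x[0-9a-fA-F]+ in (\S+)", text, re.M)
    glob = re.search(r"is located (\d+) bytes to the right of global variable '([^']+)' "
                     r"defined in '([^']+)' \((0x[0-9a-fA-F]+)\) of size (\d+)", text)
    if not (header and access and frame0 and glob):
        return None  # not a right-hand global overflow, or a format we do not recognise
    return GlobalOverflow(kind=header.group(1), access=access.group(1),
                          access_size=int(access.group(2)), address=int(header.group(2), 16),
                          top_frame=frame0.group(1), variable=glob.group(2),
                          location=glob.group(3), var_addr=int(glob.group(4), 16),
                          var_size=int(glob.group(5)), reported_gap=int(glob.group(1)))
```

Because `offset` equals `var_size`, the faulting index is exactly the table length, which is the signature of an index range check that is off by one rather than a large wild read.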
