[libav-bugs] [Bug 1028] New: Heap out of bounds read in pred8x8_mad_cow_dc_l0t_8()

bugzilla at libav.org bugzilla at libav.org
Mon Feb 13 13:35:37 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1028

            Bug ID: 1028
           Summary: Heap out of bounds read in pred8x8_mad_cow_dc_l0t_8()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 650
  --> https://bugzilla.libav.org/attachment.cgi?id=650&action=edit
POC to trigger heap out of bounds read (avprobe)

After some fuzz testing I found a crashing test case.

Command: avprobe hoobr_pred8x8_mad_cow_dc_l0t_8

Git Head: 3bc5b28d5a191864c54bba60646933a63da31656


ASAN:

==6357==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000085148 at pc 0x000001d055fe bp 0x7ffd5391dd40 sp 0x7ffd5391dd38
READ of size 1 at 0x62b000085148 thread T0
    #0 0x1d055fd in pred8x8_mad_cow_dc_l0t_8 (/usr/local/bin/avprobe+0x1d055fd)
    #1 0x1c2d6ea in hl_decode_mb_complex (/usr/local/bin/avprobe+0x1c2d6ea)
    #2 0x1c19b7e in ff_h264_hl_decode_mb (/usr/local/bin/avprobe+0x1c19b7e)
    #3 0x1c8ef09 in decode_slice (/usr/local/bin/avprobe+0x1c8ef09)
    #4 0x1c8d4c9 in ff_h264_execute_decode_slices (/usr/local/bin/avprobe+0x1c8d4c9)
    #5 0xc23c88 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:591:27
    #6 0xc23c88 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:725
    #7 0xa15255 in decode_simple_internal XYZ/libav/libavcodec/decode.c:335:15
    #8 0xa15255 in decode_simple_receive_frame XYZ/libav/libavcodec/decode.c:391
    #9 0xa15255 in decode_receive_frame_internal XYZ/libav/libavcodec/decode.c:409
    #10 0xa14014 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:446:15
    #11 0x83704b in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #12 0x830b93 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2459:9
    #13 0x4f6bb9 in open_input_file XYZ/libav/avprobe.c:866:16
    #14 0x4f6bb9 in probe_file XYZ/libav/avprobe.c:944
    #15 0x4f6bb9 in main XYZ/libav/avprobe.c:1178
    #16 0x7f5fad18782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41aeb8 in _start (/usr/local/bin/avprobe+0x41aeb8)

0x62b000085148 is located 184 bytes to the left of 27856-byte region [0x62b000085200,0x62b00008bed0)
allocated by thread T0 here:
    #0 0x4ba177 in __interceptor_posix_memalign /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130:3
    #1 0x2349043 in av_malloc (/usr/local/bin/avprobe+0x2349043)
    #2 0x2314d3a in av_buffer_alloc (/usr/local/bin/avprobe+0x2314d3a)
    #3 0x23171e7 in av_buffer_pool_get (/usr/local/bin/avprobe+0x23171e7)
    #4 0xa1baff in video_get_buffer XYZ/libav/libavcodec/decode.c:982:23
    #5 0xa1baff in avcodec_default_get_buffer2 XYZ/libav/libavcodec/decode.c:1016
    #6 0xa1e8f9 in ff_get_buffer XYZ/libav/libavcodec/decode.c:1143:11

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/bin/avprobe+0x1d055fd) in pred8x8_mad_cow_dc_l0t_8
Shadow bytes around the buggy address:
==6357==ABORTING
