[libav-bugs] [Bug 1007] New: Heap Buffer Overflow in ff_sbr_hf_gen_sse

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 16:53:26 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1007

            Bug ID: 1007
           Summary: Heap Buffer Overflow in ff_sbr_hf_gen_sse
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 635
  --> https://bugzilla.libav.org/attachment.cgi?id=635&action=edit
Triggers heap bof in avprobe

Heap buffer overflow can be triggered with avprobe, avconv and avplay.
The function sbr_hf_gen gets two parameters, start and end, to determine the number
of loop iterations.
The counting register r8 is initially computed as "r8=start - end" and
incremented each iteration until an integer overflow occurs.
If start = end = 0, the code will read and write until the end of the heap
segment is reached and a SIGSEGV is triggered.
The start and stop parameters are loaded from sbr->data[ch].t_env, which are
read in read_sbr_grid() from the input file.


avprobe:

gdb-peda$ r crash-segv-0x2895e41.aac
RAX: 0x7ffff5574b80 --> 0x0 
RBX: 0x0 
RCX: 0x7ffff5585dc0 --> 0x0 
RDX: 0x7ffff5585bc0 --> 0x0 
RSI: 0x7ffff5575580 --> 0x0 
RDI: 0x7ffff5579410 --> 0x0 
RBP: 0x1b 
RSP: 0x7fffffffdad8 --> 0x9302a0 (<ff_sbr_apply+3504>:  movzx  edx,BYTE PTR [r13+0x0])
RIP: 0xac2ae1 (<ff_sbr_hf_gen_sse+129>: movaps XMMWORD PTR [rdi+r8*1],xmm5)
R8 : 0xefbf0 
R9 : 0x0 
R10: 0x7ffff5574b70 --> 0x30800000000100b 
R11: 0x1652ac0 --> 0x433ebc1b4336206c 
R12: 0x1 
R13: 0x7ffff5574b70 --> 0x30800000000100b 
R14: 0x7ffff5579550 --> 0x0 
R15: 0x7ffff5534720 --> 0x100003e80
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xac2ad8 <ff_sbr_hf_gen_sse+120>:    addps  xmm5,xmm6
   0xac2adb <ff_sbr_hf_gen_sse+123>:    addps  xmm7,xmm0
   0xac2ade <ff_sbr_hf_gen_sse+126>:    addps  xmm5,xmm7
=> 0xac2ae1 <ff_sbr_hf_gen_sse+129>:    movaps XMMWORD PTR [rdi+r8*1],xmm5
   0xac2ae6 <ff_sbr_hf_gen_sse+134>:    add    r8,0x10
   0xac2aea <ff_sbr_hf_gen_sse+138>:    jne    0xac2aaa <ff_sbr_hf_gen_sse+74>
   0xac2aec <ff_sbr_hf_gen_sse+140>:    repz ret 
   0xac2aee <ff_sbr_hf_gen_sse.loop2+68>:       xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdad8 --> 0x9302a0 (<ff_sbr_apply+3504>: movzx  edx,BYTE PTR [r13+0x0])
0008| 0x7fffffffdae0 --> 0x200000002 
0016| 0x7fffffffdae8 --> 0x7ffff555f42c --> 0x0 
0024| 0x7fffffffdaf0 --> 0x7ffff5562d40 --> 0x0 
0032| 0x7fffffffdaf8 --> 0x7ffff5588560 --> 0x0 
0040| 0x7fffffffdb00 --> 0x7ffff5588160 --> 0x0 
0048| 0x7fffffffdb08 --> 0x7ffff5585d80 --> 0x0 
0056| 0x7fffffffdb10 --> 0x7ffff5574b80 --> 0x0 
[------------------------------------------------------------------------------]
Stopped reason: SIGSEGV
ff_sbr_hf_gen_sse () at libavcodec/x86/sbrdsp.asm:182
182     in libavcodec/x86/sbrdsp.asm

gdb-peda$ bt
#0  ff_sbr_hf_gen_sse () at libavcodec/x86/sbrdsp.asm:182
#1  0x00000000009302a0 in sbr_hf_gen (ac=0x1637b20, bs_num_env=0x0,
t_env=0x7ffff555f42c "", bw_array=0x7ffff554d6cc, alpha1=0x7ffff5585d80,
alpha0=0x7ffff5585b80, X_low=0x7ffff5574b80, X_high=0x7ffff5577380,
sbr=0x7ffff5534720) at libavcodec/aacsbr.c:1347
#2  ff_sbr_apply (ac=ac at entry=0x1637b20, sbr=sbr at entry=0x7ffff5534720,
id_aac=id_aac at entry=0x1, L=<optimized out>, R=<optimized out>) at
libavcodec/aacsbr.c:1682
#3  0x000000000091ef96 in spectral_to_sample (ac=ac at entry=0x1637b20) at
libavcodec/aacdec.c:2691
#4  0x0000000000926bc7 in aac_decode_frame_int (avctx=avctx at entry=0x1636940,
data=data at entry=0x1637760, got_frame_ptr=got_frame_ptr at entry=0x7fffffffdf04,
gb=gb at entry=0x7fffffffde90) at libavcodec/aacdec.c:2944
#5  0x0000000000926dd3 in aac_decode_frame (avctx=0x1636940, data=0x1637760,
got_frame_ptr=0x7fffffffdf04, avpkt=<optimized out>) at
libavcodec/aacdec.c:3010
#6  0x000000000058e21d in decode_simple_internal (frame=0x1637760,
avctx=0x1636940) at libavcodec/decode.c:334
#7  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:390
#8  decode_receive_frame_internal (avctx=0x1636940, frame=0x1637760) at
libavcodec/decode.c:408
#9  0x000000000058e5b8 in avcodec_send_packet (avctx=avctx at entry=0x1636940,
avpkt=avpkt at entry=0x7fffffffdfb0) at libavcodec/decode.c:445
#10 0x000000000052685d in try_decode_frame (st=st at entry=0x1636280,
avpkt=avpkt at entry=0x7fffffffe090, options=0x0, s=0x16358e0) at
libavformat/utils.c:1950
#11 0x000000000052abc6 in avformat_find_stream_info (ic=0x16358e0,
options=options at entry=0x0) at libavformat/utils.c:2459
#12 0x0000000000449c19 in open_input_file (filename=0x7fffffffe79e
"crash-segv-0x2895e41.aac", ifile=0x7fffffffe310) at avprobe.c:866
#13 probe_file (filename=0x7fffffffe79e "crash-segv-0x2895e41.aac") at
avprobe.c:944
#14 main (argc=argc at entry=0x2, argv=argv at entry=0x7fffffffe538) at
avprobe.c:1178
#15 0x00007ffff6680830 in __libc_start_main (main=0x449a00 <main>, argc=0x2,
argv=0x7fffffffe538, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe528) at ../csu/libc-start.c:291
#16 0x000000000044b889 in _start ()

gdb-peda$ frame 1
#1  0x00000000009302a0 in sbr_hf_gen (ac=0x1637b20, bs_num_env=0x0,
t_env=0x7ffff555f42c "", bw_array=0x7ffff554d6cc, alpha1=0x7ffff5585d80,
alpha0=0x7ffff5585b80, X_low=0x7ffff5574b80, X_high=0x7ffff5577380,
sbr=0x7ffff5534720) at libavcodec/aacsbr.c:1347
1347    libavcodec/aacsbr.c: No such file or directory.
gdb-peda$ x/4x t_env
0x7ffff555f42c: 0x0000000000000000      0x0000000000000000
0x7ffff555f43c: 0x0000000000000000      0x0000000000000000

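The loop shape described in the report, modelled as an added C example that is not libav's code and not the reporter's: the counter arithmetic follows the register dump above (a byte counter advanced by the asm's `add r8,0x10` and tested with `jne`), while the guard `hf_gen_range_ok` and the destination size `dst_vectors` are illustrative assumptions, not the project's actual fix. The model computes how many 16-byte stores the do-while loop performs for a given start/end without running them, so the start = end = 0 case from the crash can be inspected safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model (not libav code) of the loop shape the report describes:
 * a byte counter starts at (start - end) * 16, each iteration stores one
 * 16-byte vector at dst + counter and adds 16, and the loop repeats while
 * the counter is non-zero (the "add r8,0x10 / jne" pair in the dump).
 * Because the store precedes the test, a counter of zero at entry does
 * not skip the loop; it runs until the 64-bit counter wraps back to zero. */

#define VEC_BYTES UINT64_C(16)

/* Number of 16-byte stores the loop performs for a given start/end,
 * computed in the same modular 64-bit arithmetic the hardware uses. */
static uint64_t model_hf_gen_stores(int start, int end)
{
    uint64_t counter = (uint64_t)(int64_t)(start - end) * VEC_BYTES;

    if (counter == 0)
        return UINT64_C(1) << 60;                   /* 2^64 / 16: the runaway case */
    return (UINT64_C(0) - counter) / VEC_BYTES;     /* stores until the counter wraps */
}

/* Illustrative caller-side guard (an assumption, not the project's fix):
 * the envelope range must be ordered and must fit in a destination of
 * dst_vectors 16-byte slots before any count derived from it reaches the loop.
 * Returns 0 when the range is safe, -1 when it must be rejected. */
static int hf_gen_range_ok(int start, int end, size_t dst_vectors)
{
    if (start < 0 || end <= start)
        return -1;                          /* empty or inverted range */
    if ((size_t)end > dst_vectors)
        return -1;                          /* would write past the destination */
    return 0;
}

static void report(int start, int end, size_t dst_vectors)
{
    uint64_t stores = model_hf_gen_stores(start, end);
    printf("start=%d end=%d: loop would store %llu vectors, guard says %s\n",
           start, end, (unsigned long long)stores,
           hf_gen_range_ok(start, end, dst_vectors) == 0 ? "ok" : "reject");
}

int main(void)
{
    /* Constructed inputs: the all-zero t_env values seen in the crash, a
     * sane range, and an inverted range, against a 64-slot destination. */
    report(0, 0, 64);    /* 2^60 stores: the SIGSEGV case */
    report(2, 10, 64);   /* 8 stores, fits */
    report(5, 3, 64);    /* inverted range also runs away */
    return 0;
}
```

The point the model makes is that a loop terminated by `counter != 0` can only be as safe as the arithmetic that produced the counter, so values parsed from the file (here t_env) must be validated for ordering and bounds before they are turned into a count; a plain `for (i = start; i < end; i++)` loop would simply do nothing for start == end, which is why the same logic expressed that way shows no symptom.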