[libav-bugs] [Bug 1008] New: avprobe Heap Buffer Overflow in ff_h2645_packet_split (asan report)

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 17:17:04 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1008

            Bug ID: 1008
           Summary: avprobe Heap Buffer Overflow in ff_h2645_packet_split
                    (asan report)
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 636
  --> https://bugzilla.libav.org/attachment.cgi?id=636&action=edit
PoC for heap buffer overflow

A heap buffer overflow in avprobe was found while fuzzing.
The program was compiled using 'clang -fsanitize=address
-fsanitize-coverage=bb', and the gcc-compiled version also shows multiple memory
access issues under Valgrind.
A file triggering this bug is appended to the bug report, but it will not cause a
SIGSEGV.

gdb-peda$ b libavcodec/h2645_parse.c:289
gdb-peda$ r crash-heap-0xe94210.mp4
gdb-peda$ c (14 times)

[----------------------------------registers-----------------------------------]
RAX: 0x7 
RBX: 0x61400000a640 --> 0x0 
RCX: 0xff00000000000001 
RDX: 0x61400000a698 --> 0x0 
RSI: 0x7 
RDI: 0x61400000a6b4 --> 0xb68a00000007 
RBP: 0x58 ('X')
RSP: 0x7fffffffd520 --> 0x45e0360e 
RIP: 0xe01c94 (<ff_h2645_packet_split+2996>:    mov    r15d,eax)
R8 : 0x61400000a6a4 --> 0xb68a00000007 
R9 : 0x62e000006648 --> 0x61400000a640 --> 0x0 
R10: 0x62e000006654 --> 0x5 
R11: 0xc5c00000cca --> 0x0 
R12: 0x61700000b691 --> 0x96ab9f01a5020000 
R13: 0x7 
R14: 0x61700000b68a --> 0x80198101030106 
R15: 0x5
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xe01c89 <ff_h2645_packet_split+2985>:       mov    rdi,r14
   0xe01c8c <ff_h2645_packet_split+2988>:       mov    esi,r13d
   0xe01c8f <ff_h2645_packet_split+2991>:       call   0xdff130 <ff_h2645_extract_rbsp>
=> 0xe01c94 <ff_h2645_packet_split+2996>:       mov    r15d,eax
   0xe01c97 <ff_h2645_packet_split+2999>:       test   r15d,r15d
   0xe01c9a <ff_h2645_packet_split+3002>:       js     0xe03158 <ff_h2645_packet_split+8312>
   0xe01ca0 <ff_h2645_packet_split+3008>:       mov    eax,DWORD PTR [rip+0x3263eee]        # 0x4065b94
   0xe01ca6 <ff_h2645_packet_split+3014>:       test   eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd520 --> 0x45e0360e 
0008| 0x7fffffffd528 --> 0x2efff4e ("1 32 8 1 b")
0016| 0x7fffffffd530 --> 0x2a690a0 (<av_buffer_unref>:  push   rbp)
0024| 0x7fffffffd538 --> 0x58 ('X')
0032| 0x7fffffffd540 --> 0xfffffffc --> 0x0 
0040| 0x7fffffffd548 --> 0x61400000a640 --> 0x0 
0048| 0x7fffffffd550 --> 0x0 
0056| 0x7fffffffd558 --> 0x302b88d00 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0000000000e01c94 in ff_h2645_packet_split (pkt=<optimized out>,
buf=0x61700000b68a "\006\001\003\001\201\031\200", length=<optimized out>,
logctx=<optimized out>, is_nalff=<optimized out>, nal_length_size=<optimized
out>, codec_id=<optimized out>)
    at libavcodec/h2645_parse.c:289
289     in libavcodec/h2645_parse.c
gdb-peda$ bt
#0  0x0000000000e01c94 in ff_h2645_packet_split (pkt=<optimized out>,
buf=0x61700000b68a "\006\001\003\001\201\031\200", length=<optimized out>,
logctx=<optimized out>, is_nalff=<optimized out>, nal_length_size=<optimized
out>, codec_id=<optimized out>)
    at libavcodec/h2645_parse.c:289
#1  0x0000000000e39abb in decode_nal_units (h=<optimized out>, buf=<optimized
out>, buf_size=<optimized out>) at libavcodec/h264dec.c:528
#2  h264_decode_frame (avctx=<optimized out>, data=<optimized out>,
got_frame=<optimized out>, avpkt=<optimized out>) at libavcodec/h264dec.c:742
#3  0x0000000000b8c54d in decode_simple_internal (avctx=<optimized out>,
frame=<optimized out>) at libavcodec/decode.c:334
#4  decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized out>)
at libavcodec/decode.c:390
#5  decode_receive_frame_internal (avctx=<optimized out>, frame=<optimized
out>) at libavcodec/decode.c:408
#6  0x0000000000b8aef9 in avcodec_send_packet (avctx=0x61900001ea80,
avpkt=0x7fffffffda20) at libavcodec/decode.c:445
#7  0x000000000091f10f in try_decode_frame (s=<optimized out>, st=<optimized
out>, avpkt=<optimized out>, options=<optimized out>) at
libavformat/utils.c:1950
#8  0x0000000000918dbd in avformat_find_stream_info (ic=<optimized out>,
options=0x0) at libavformat/utils.c:2459
#9  0x00000000004ff716 in open_input_file (filename=0x7fffffffe7a0
"crash-heap-0xe94210.mp4", ifile=<optimized out>) at avprobe.c:866
#10 probe_file (filename=0x7fffffffe7a0 "crash-heap-0xe94210.mp4") at
avprobe.c:944
#11 main (argc=<optimized out>, argv=<optimized out>,
argv at entry=0x7fffffffe548) at avprobe.c:1178
#12 0x00007ffff657e830 in __libc_start_main (main=0x4ff360 <main>, argc=0x2,
argv=0x7fffffffe548, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe538) at ../csu/libc-start.c:291
#13 0x000000000041aa79 in _start ()
Continuing.
=================================================================
==15081==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61700000b938 at pc 0x000000e008d0 bp 0x7fffffffd460 sp 0x7fffffffd458
READ of size 8 at 0x61700000b938 thread T0
    #0 0xe008cf  (/home/hammel/libav/avprobe-asan+0xe008cf)
    #1 0xe01c93  (/home/hammel/libav/avprobe-asan+0xe01c93)
    #2 0xe39aba  (/home/hammel/libav/avprobe-asan+0xe39aba)
    #3 0xb8c54c  (/home/hammel/libav/avprobe-asan+0xb8c54c)
    #4 0xb8aef8  (/home/hammel/libav/avprobe-asan+0xb8aef8)
    #5 0x91f10e  (/home/hammel/libav/avprobe-asan+0x91f10e)
    #6 0x918dbc  (/home/hammel/libav/avprobe-asan+0x918dbc)
    #7 0x4ff715  (/home/hammel/libav/avprobe-asan+0x4ff715)
    #8 0x7ffff657e82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41aa78  (/home/hammel/libav/avprobe-asan+0x41aa78)

0x61700000b93f is located 0 bytes to the right of 703-byte region
[0x61700000b680,0x61700000b93f)
allocated by thread T0 here:
    #0 0x4baf28  (/home/hammel/libav/avprobe-asan+0x4baf28)
    #1 0x2ab53ab  (/home/hammel/libav/avprobe-asan+0x2ab53ab)
    #2 0xa84efb  (/home/hammel/libav/avprobe-asan+0xa84efb)
    #3 0x90167b  (/home/hammel/libav/avprobe-asan+0x90167b)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hammel/libav/avprobe-asan+0xe008cf) 
Shadow bytes around the buggy address:
  0x0c2e7fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff9720: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
  0x0c2e7fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15081==ABORTING
[Inferior 1 (process 15081) exited with code 01]
Warning: not running or target is remote
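As an added triage example (not part of this bug report and not Libav code), the script below parses the three ASan lines that matter when sizing up a heap-buffer-overflow report, the `==PID==ERROR` line, the `READ/WRITE of size N` line and the `located N bytes to the right of` region line, and works out how much of the faulting access lies inside versus past the allocation. The embedded sample is a trimmed copy of the report above, still line-wrapped the way the mailing list delivered it, which the parser tolerates by joining lines before matching; the `AsanAccess` and `triage` names are the example's own.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example; not part of the libav bug report above nor of Libav itself.
It extracts the faulting access and the allocation it overran, then derives
how many bytes of the access were in bounds and how many were past the end.
"""
import re
from dataclasses import dataclass

# Trimmed copy of the ASan output from the bug report above. The mailing list
# wrapped two of the long lines; the parser joins lines so that does not matter.
SAMPLE_REPORT = """\
==15081==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61700000b938 at pc 0x000000e008d0 bp 0x7fffffffd460 sp 0x7fffffffd458
READ of size 8 at 0x61700000b938 thread T0
    #0 0xe008cf  (/home/hammel/libav/avprobe-asan+0xe008cf)
    #1 0xe01c93  (/home/hammel/libav/avprobe-asan+0xe01c93)

0x61700000b93f is located 0 bytes to the right of 703-byte region
[0x61700000b680,0x61700000b93f)
allocated by thread T0 here:
    #0 0x4baf28  (/home/hammel/libav/avprobe-asan+0x4baf28)
"""

ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address "
    r"(?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) "
    r"thread (?P<thread>T\d+)")
REGION_RE = re.compile(
    r"(?P<ref>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the "
    r"(?P<side>left|right) of (?P<len>\d+)-byte region "
    r"\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


@dataclass
class AsanAccess:
    pid: int
    kind: str          # e.g. "heap-buffer-overflow"
    op: str            # "READ" or "WRITE"
    size: int          # bytes accessed
    addr: int          # first byte of the access
    region_lo: int     # allocation start (inclusive)
    region_hi: int     # allocation end (exclusive)
    region_len: int    # length ASan printed for the allocation

    @property
    def region_consistent(self) -> bool:
        """Sanity check: printed length must match the printed bounds."""
        return self.region_hi - self.region_lo == self.region_len

    @property
    def bytes_in_bounds(self) -> int:
        """Overlap between [addr, addr+size) and [region_lo, region_hi)."""
        end = self.addr + self.size
        return max(0, min(end, self.region_hi) - max(self.addr, self.region_lo))

    @property
    def bytes_out_of_bounds(self) -> int:
        return self.size - self.bytes_in_bounds


def parse_asan_report(report: str) -> AsanAccess:
    """Parse an ASan report; raises ValueError if the key lines are missing."""
    # Join wrapped lines so the regexes see each logical ASan line whole.
    text = " ".join(line.strip() for line in report.splitlines())
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    return AsanAccess(
        pid=int(err["pid"]), kind=err["kind"],
        op=acc["op"], size=int(acc["size"]), addr=int(acc["addr"], 16),
        region_lo=int(reg["lo"], 16), region_hi=int(reg["hi"], 16),
        region_len=int(reg["len"]),
    )


def triage(report: str) -> dict:
    """One-line summary a bug tracker or fuzzing dashboard could store."""
    a = parse_asan_report(report)
    return {
        "pid": a.pid, "kind": a.kind, "op": a.op, "size": a.size,
        "addr": hex(a.addr), "region_len": a.region_len,
        "in_bounds": a.bytes_in_bounds, "out_of_bounds": a.bytes_out_of_bounds,
        "region_consistent": a.region_consistent,
        "summary": (f"{a.op} of {a.size} bytes at {a.addr:#x}: {a.bytes_in_bounds} "
                    f"inside a {a.region_len}-byte heap region, "
                    f"{a.bytes_out_of_bounds} past its end"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT)["summary"])
```

For this report the helper finds an 8-byte read whose first 7 bytes are inside the 703-byte allocation and whose last byte is one past its end, which is exactly what the `[07]` shadow byte (7 of 8 bytes addressable) in the report encodes. The frames in the report are unsymbolized (addresses only); running the same binary with `ASAN_SYMBOLIZER_PATH` pointing at `llvm-symbolizer` gives function names and source lines without needing the gdb session.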
