[libav-bugs] [Bug 1009] New: avplay use after free

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 17:42:44 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1009

            Bug ID: 1009
           Summary: avplay use after free
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 637
  --> https://bugzilla.libav.org/attachment.cgi?id=637&action=edit
File triggering a uaf in avplay

By playing the crash-uaf-0x4fafc9.avi file, a use after free can be triggered
in avplay.c.
The graph filter struct is freed in the video_thread and accessed by
alloc_picture in the event loop.
Libav was compiled using "clang -fsanitize=address -fsanitize-coverage=bb"

alloc & free:
    setup_streams() //avplay.c
        video_thread() //avplay.c
                configure_video_filters(graph, is) //avplay.c
                avfilter_graph_create_filter(filt_src, ..., graph)
                avfilter_graph_create_filter(filt_out, ..., graph)

                is->in_video_filter  = filt_src;
                is->out_video_filter = filt_out;

            avfilter_graph_free(&graph)

uaf:
    event_loop() //avplay.c
        alloc_picture() //avplay.c
            is->out_video_filter->inputs[0]->w; //<= use after free



gdb avplay
(gdb) r crash-uaf-0x4fafc9.avi

ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
[avi @ 0x61a00001da80] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
Input #0, avi, from 'crash-uaf-0x4fafc9.avi':
  Duration: 308788:29:54.00, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: huffyuv [HFYU / 0x55594648]
      bgra, 664x432
      1 tbn
gdb-peda$ =================================================================
==15150==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000006dc0
at pc 0x000000503432 bp 0x7fffffffe230 sp 0x7fffffffe228
READ of size 8 at 0x60e000006dc0 thread T0
    #0 0x503431  (/home/hammel/libav/libav/avplay+0x503431)
    #1 0x7ffff5dc582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #2 0x41c408  (/home/hammel/libav/libav/avplay+0x41c408)

0x60e000006dc0 is located 32 bytes inside of 112-byte region
[0x60e000006da0,0x60e000006e10)
freed by thread T8 here:
    #0 0x4bc3b0  (/home/hammel/libav/libav/avplay+0x4bc3b0)
    #1 0x53d3c0  (/home/hammel/libav/libav/avplay+0x53d3c0)
    #2 0x7ffff7b520b7  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x140b7)

previously allocated by thread T8 here:
    #0 0x4bce10  (/home/hammel/libav/libav/avplay+0x4bce10)
    #1 0x2857b92  (/home/hammel/libav/libav/avplay+0x2857b92)
    #2 0x539184  (/home/hammel/libav/libav/avplay+0x539184)

Thread T8 created by T0 here:
    #0 0x42e949  (/home/hammel/libav/libav/avplay+0x42e949)
    #1 0x7ffff7b91fa9  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53fa9)

SUMMARY: AddressSanitizer: heap-use-after-free
(/home/hammel/libav/libav/avplay+0x503431) 
Shadow bytes around the buggy address:
  0x0c1c7fff8d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff8d70: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c7fff8d80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1c7fff8d90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1c7fff8da0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff8db0: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c1c7fff8dc0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1c7fff8de0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c7fff8df0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1c7fff8e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15150==ABORTING
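The ownership problem the report describes, as an added example that is not libav's code: hypothetical stand-ins for VideoState, the filter graph and alloc_picture show one defensive pattern, which is to clear the shared pointer under a lock before the graph is freed and to keep a copy of the dimensions the event loop needs, so it never follows a pointer into a freed graph. The struct and function names are assumptions modelled on the call chain in the report, and the 664x432 size used when exercising it is the stream size from the report.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the libavfilter structures (constructed, not libav's own). */
typedef struct { int w, h; } FilterLink;
typedef struct { FilterLink *inputs[1]; } FilterContext;
typedef struct { FilterContext *filt_out; FilterLink link; } FilterGraph;
typedef struct {
    pthread_mutex_t lock;            /* guards out_video_filter and the cached dimensions */
    FilterContext *out_video_filter; /* owned by the graph; the decoder thread frees it */
    int pic_w, pic_h;                /* copied out while the graph is still alive */
} VideoState;

FilterGraph *graph_alloc(int w, int h) {
    FilterGraph *g = calloc(1, sizeof *g);
    g->filt_out = calloc(1, sizeof *g->filt_out);
    g->link.w = w; g->link.h = h;
    g->filt_out->inputs[0] = &g->link;
    return g;
}
void graph_free(FilterGraph **gp) {   /* plays the role of avfilter_graph_free(&graph) */
    if (!*gp) return;
    free((*gp)->filt_out); free(*gp); *gp = NULL;
}

/* Decoder-thread side. The report's bug is the teardown freeing the graph while
 * is->out_video_filter still points into it; here the pointer is cleared under
 * the lock before the free, so the event loop can never reach freed memory. */
void video_thread_setup(VideoState *is, FilterGraph *g) {
    pthread_mutex_lock(&is->lock);
    is->out_video_filter = g->filt_out;
    is->pic_w = g->link.w; is->pic_h = g->link.h;
    pthread_mutex_unlock(&is->lock);
}
void video_thread_teardown(VideoState *is, FilterGraph **gp) {
    pthread_mutex_lock(&is->lock);
    is->out_video_filter = NULL;
    pthread_mutex_unlock(&is->lock);
    graph_free(gp);
}

/* Event-loop side: the dimensions alloc_picture needs. Returns 1 if read from a
 * live filter, 0 if taken from the cached copy because the graph is gone. */
int alloc_picture_dims(VideoState *is, int *w, int *h) {
    pthread_mutex_lock(&is->lock);
    int live = is->out_video_filter != NULL;
    *w = live ? is->out_video_filter->inputs[0]->w : is->pic_w;
    *h = live ? is->out_video_filter->inputs[0]->h : is->pic_h;
    pthread_mutex_unlock(&is->lock);
    return live;
}
```

Built with the same `-fsanitize=address` flags as in the report, the cached-copy path after teardown stays clean, whereas dereferencing `is->out_video_filter` after `graph_free` would reproduce the heap-use-after-free above.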
