[libav-bugs] [Bug 1011] New: Heap Buffer Overflow (read) at svq3.c svq3_decode_slice_header() (asan report)

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 20:04:01 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1011

            Bug ID: 1011
           Summary: Heap Buffer Overflow (read) at svq3.c
                    svq3_decode_slice_header() (asan report)
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

By fuzzing I found a heap buffer overflow in svq3.c svq3_decode_slice_header
(out-of-bounds read).
The library was compiled using "clang -fsanitize=address
-fsanitize-coverage=bb"

git HEAD ee164727dd64c199b87118917e674b17c25e0da3

$ gdb avplay
(gdb)r crash-heap-0x4a2084.mov > /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avplay version v13_dev0-685-gee16472, Copyright (c) 2003-2016 the Libav
developers
  built on Jan  2 2017 00:21:26 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
[New Thread 0x7ffe66eff700 (LWP 14052)]
[New Thread 0x7ffe66220700 (LWP 14053)]
[New process 14054]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 2 (process 14054) exited with code 01]
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_card_driver
returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_concat returned
error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_refer returned
error: No such file or directory
ALSA lib conf.c:4771:(snd_config_expand) Evaluate error: No such file or
directory
ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'crash-heap-0x4a2084.mov':
  Metadata:
    major_brand     : qt  
    minor_version   : 512
    compatible_brands: qt  
    creation_time   : 2008-08-27 02:27:42
    encoder         : Lavf57.10.2
  Duration: 00:00:00.80, start: 0.000000, bitrate: 412 kb/s
    Stream #0:0(eng): Video: svq3 [SVQ3 / 0x33515653]
      yuvj420p, pc, 352x264, -100278 kb/s
      25 fps, 600 tbn (default)
    Metadata:
      creation_time   : 2008-08-27 02:27:42
      handler_name    : DataHandler
      encoder         : Sorenson Video 3
Warning: not running or target is remote
[svq3 @ 0x619000000a80] left block unavailable for requested intra mode
[svq3 @ 0x619000000a80] ff_h264_check_intra_pred_mode < 0
[svq3 @ 0x619000000a80] error while decoding MB 0 0
[svq3 @ 0x619000000a80] Missing reference frame.
[svq3 @ 0x619000000a80] unsupported slice header (FF)
[svq3 @ 0x619000000a80] Missing reference frame.
[svq3 @ 0x619000000a80] top block unavailable for requested intra mode
[svq3 @ 0x619000000a80] ff_h264_check_intra_pred_mode < 0
[svq3 @ 0x619000000a80] error while decoding MB 6 0
[svq3 @ 0x619000000a80] error in B-frame picture id
[svq3 @ 0x619000000a80] error while decoding MB 1 0
[svq3 @ 0x619000000a80] error in B-frame picture id
[svq3 @ 0x619000000a80] error while decoding intra luma dc
[svq3 @ 0x619000000a80] error while decoding MB 2 5
[svq3 @ 0x619000000a80] error in B-frame picture id
[svq3 @ 0x619000000a80] error while decoding MB 1 0
[svq3 @ 0x619000000a80] error in B-frame picture id


=================================================================
==13994==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61500000fc6f at pc 0x0000004a626d bp 0x7ffe62a6bfe0 sp 0x7ffe62a6b790
READ of size 2434 at 0x61500000fc6f thread T3
    #0 0x4a626c  (/home/hammel/libav/libav/avplay+0x4a626c)
    #1 0x184590d  (/home/hammel/libav/libav/avplay+0x184590d)
    #2 0x183702c  (/home/hammel/libav/libav/avplay+0x183702c)
    #3 0xb428b7  (/home/hammel/libav/libav/avplay+0xb428b7)
    #4 0xb40a97  (/home/hammel/libav/libav/avplay+0xb40a97)
    #5 0xb43793  (/home/hammel/libav/libav/avplay+0xb43793)
    #6 0x50ed1a  (/home/hammel/libav/libav/avplay+0x50ed1a)
    #7 0x7ffff7b520b7  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x140b7)
    #8 0x7ffff7b91f58  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53f58)
    #9 0x7ffff67976b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #10 0x7ffff5eab82c  (/lib/x86_64-linux-gnu/libc.so.6+0x10682c)

0x61500000fc6f is located 0 bytes to the right of 495-byte region
[0x61500000fa80,0x61500000fc6f)
allocated by thread T0 here:
    #0 0x4bc8b8  (/home/hammel/libav/libav/avplay+0x4bc8b8)
    #1 0x28571d4  (/home/hammel/libav/libav/avplay+0x28571d4)
    #2 0xa5e5a3  (/home/hammel/libav/libav/avplay+0xa5e5a3)
    #3 0x90bcb2  (/home/hammel/libav/libav/avplay+0x90bcb2)

Thread T3 created by T0 here:
    #0 0x42e949  (/home/hammel/libav/libav/avplay+0x42e949)
    #1 0x7ffff7b91fa9  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53fa9)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hammel/libav/libav/avplay+0x4a626c) 
Shadow bytes around the buggy address:
  0x0c2a7fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00[07]fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13994==ABORTING


Backtrace READ:
0x4a626c: ???
0x184590d: file libavcodec/svq3.c, line 1043 memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes);
0x183702c: file libavcodec/svq3.c, line 1396
0xb428b7: file libavcodec/decode.c, line 334

Backtrace Alloc:
0x4bc8b8: ???
0x28571d4: file libavutil/mem.c, line 116
0xa5e5a3: file libavcodec/avpacket.c, line 75

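The READ backtrace points at the memcpy in svq3_decode_slice_header: slice_bytes comes from the slice header in the packet, and the ASan report shows a copy of 2434 bytes out of a 495-byte packet buffer allocated in avpacket.c. The following is an added example, not code from libav or from the reporter, that shows that pattern in miniature together with the check a decoder needs before such a copy. The BitReader type, the function names and the packet contents are constructed for illustration; it uses the report's sizes (495-byte packet, 2434-byte slice) but does not claim to be the fix that libav applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a bitstream reader: a byte buffer with a
 * size in bits and a current bit position. Not libav's GetBitContext. */
typedef struct {
    const uint8_t *buffer;
    size_t size_in_bits;
    size_t index;            /* current read position, in bits */
} BitReader;

/* Whole bytes still available from the current byte position to the end
 * of the packet. Uses the same index / 8 truncation as the copy below,
 * so the count matches the address the copy would start from. */
size_t bytes_left(const BitReader *gb)
{
    size_t byte_pos = gb->index / 8;
    size_t total    = gb->size_in_bits / 8;
    return byte_pos < total ? total - byte_pos : 0;
}

/* The vulnerable shape reported above: slice_bytes is taken from the
 * untrusted slice header and copied without comparing it to what is left
 * of the packet. With slice_bytes larger than the remainder, memcpy reads
 * past the heap allocation, which is the heap-buffer-overflow (READ) that
 * ASan flags. Shown for contrast; never call it with untrusted lengths. */
void copy_slice_unchecked(uint8_t *slice_buf, const BitReader *gb, size_t slice_bytes)
{
    memcpy(slice_buf, gb->buffer + gb->index / 8, slice_bytes);
}

/* Hardened shape: reject a slice length that exceeds either the bytes left
 * in the packet or the destination buffer before touching memory.
 * Returns 0 on success, -1 for a malformed slice header. */
int copy_slice_checked(uint8_t *slice_buf, size_t slice_buf_size,
                       const BitReader *gb, size_t slice_bytes)
{
    if (slice_bytes > bytes_left(gb) || slice_bytes > slice_buf_size)
        return -1;
    memcpy(slice_buf, gb->buffer + gb->index / 8, slice_bytes);
    return 0;
}

/* Constructed scenario: a 495-byte packet (the size ASan reported), a
 * reader that has consumed 16 bytes of header, and a slice header that
 * claims slice_bytes. Returns what the checked copy returns. */
int demo_case(size_t slice_bytes)
{
    uint8_t packet[495];
    uint8_t slice_buf[4096];
    BitReader gb = { packet, sizeof(packet) * 8, 16 * 8 };

    memset(packet, 0xAA, sizeof(packet));   /* constructed payload bytes */
    return copy_slice_checked(slice_buf, sizeof(slice_buf), &gb, slice_bytes);
}

int main(void)
{
    printf("slice_bytes=2434 -> %d\n", demo_case(2434)); /* rejected */
    printf("slice_bytes=479  -> %d\n", demo_case(479));  /* exactly fits */
    printf("slice_bytes=480  -> %d\n", demo_case(480));  /* one byte over */
    return 0;
}
```

With the reader 16 bytes into a 495-byte packet there are 479 bytes left, so 479 is accepted, 480 and the report's 2434 are rejected before any memcpy runs. Compiling this with -fsanitize=address and calling copy_slice_unchecked with the same numbers reproduces the class of report shown above, since the read would run off the end of packet.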