[libav-bugs] [Bug 1017] New: NULL deref at libavformat/mov.c mov_read_close()

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 21:39:07 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1017

            Bug ID: 1017
           Summary: NULL deref at libavformat/mov.c mov_read_close()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 644
  --> https://bugzilla.libav.org/attachment.cgi?id=644&action=edit
sample file causing avplay to crash with null deref

While fuzzing, I found a NULL dereference in libavformat/mov.c mov_read_close().
The bug is triggered when the attached sample file is played with avplay.
From the backtrace, mov_read_close() is reached from mov_read_header() (presumably its cleanup path after a failed header parse); at the faulting instruction the pointer loaded from [rbx+0x500] into rdx is 0 while the loop counter is still below the count at [rbx+0x514], so sc->extradata looks to be NULL while its element count is nonzero — to be confirmed against the source.
git HEAD ee164727dd64c199b87118917e674b17c25e0da3

$ ./libav/avplay crash-null-0x75d678.mov 
avplay version v13_dev0-685-gee16472, Copyright (c) 2003-2016 the Libav
developers
  built on Jan  2 2017 00:21:26 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
Segmentation fault (core dumped)
$ gdb gdb/avplay /tmp/core_avplay.31116 
Reading symbols from gdb/avplay...done.
[New LWP 31116]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `gdb/avplay crash-null-0x75d678.mov'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  mov_read_close (s=s at entry=0x1872f00) at libavformat/mov.c:3708
3708                av_free(sc->extradata[j]);
gdb-peda$ bt
#0  mov_read_close (s=s at entry=0x1872f00) at libavformat/mov.c:3708
#1  0x00000000004c97b3 in mov_read_header (s=0x1872f00) at
libavformat/mov.c:3744
#2  0x000000000054a1e9 in avformat_open_input (ps=ps at entry=0x7fffffffe400,
filename=filename at entry=0x10af4c8 <player_state+264264>
"crash-null-0x75d678.mov", fmt=<optimized out>, options=0x15e7d98
<format_opts>) at libavformat/utils.c:336
#3  0x000000000044d14a in stream_setup (is=0x106ec80 <player_state>) at
avplay.c:2293
#4  stream_open (iformat=0x0, filename=<optimized out>, is=0x106ec80
<player_state>) at avplay.c:2550
#5  main (argc=argc at entry=0x2, argv=argv at entry=0x7fffffffe568) at avplay.c:3050
#6  0x00007ffff63e7830 in __libc_start_main (main=0x44cfa0 <main>, argc=0x2,
argv=0x7fffffffe568, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe558) at ../csu/libc-start.c:291
#7  0x000000000044e589 in _start ()

gdb-peda$ disas $pc
...
   0x00000000004c64cb <+267>:    mov    eax,DWORD PTR [rbx+0x514]
   0x00000000004c64d1 <+273>:    test   eax,eax
   0x00000000004c64d3 <+275>:    jle    0x4c64f7 <mov_read_close+311>
   0x00000000004c64d5 <+277>:    nop    DWORD PTR [rax]
   0x00000000004c64d8 <+280>:    mov    rdx,QWORD PTR [rbx+0x500]
   0x00000000004c64df <+287>:    add    ebp,0x1
=> 0x00000000004c64e2 <+290>:    mov    rdi,QWORD PTR [rdx+r15*1]
   0x00000000004c64e6 <+294>:    add    r15,0x8
   0x00000000004c64ea <+298>:    call   0xb3f2a0 <av_free>
   0x00000000004c64ef <+303>:    cmp    DWORD PTR [rbx+0x514],ebp
   0x00000000004c64f5 <+309>:    jg     0x4c64d8 <mov_read_close+280>
   0x00000000004c64f7 <+311>:    lea    rdi,[rbx+0x500]
   0x00000000004c64fe <+318>:    add    r13d,0x1
   0x00000000004c6502 <+322>:    add    r14,0x8
   0x00000000004c6506 <+326>:    call   0xb3f2b0 <av_freep>
   0x00000000004c650b <+331>:    lea    rdi,[rbx+0x508]
...
gdb-peda$ info all
rax            0x1    0x1
rbx            0x18880c0    0x18880c0
rcx            0x1    0x1
rdx            0x0    0x0
rsi            0x0    0x0
rdi            0x0    0x0
rbp            0x1    0x1
rsp            0x7fffffffe160    0x7fffffffe160
r8             0x7ffff7f46880    0x7ffff7f46880
r9             0x1    0x1
r10            0xda5547    0xda5547
r11            0x0    0x0
r12            0x1872f00    0x1872f00
r13            0x0    0x0
r14            0x0    0x0
r15            0x0    0x0
rip            0x4c64e2    0x4c64e2 <mov_read_close+290>
eflags         0x10202    [ IF RF ]
cs             0x33    0x33
ss             0x2b    0x2b
ds             0x0    0x0
es             0x0    0x0
fs             0x0    0x0
gs             0x0    0x0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    0x37f
fstat          0x0    0x0
ftag           0xffff    0xffff
fiseg          0x0    0x0
fioff          0x0    0x0
foseg          0x0    0x0
fooff          0x0    0x0
fop            0x0    0x0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm1           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm2           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm3           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm4           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0xff, 0xff, 0xff, 0xff, 0x0, 0xff <repeats 11 times>, 0x0
<repeats 16 times>}, 
  v16_int16 = {0xffff, 0xffff, 0xff00, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0xffffffff, 0xffffff00, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0xffffff00ffffffff, 0xffffffffffffffff, 0x0, 0x0}, 
  v2_int128 = {0xffffffffffffffffffffff00ffffffff,
0x00000000000000000000000000000000}
}
ymm5           {
  v8_float = {0x0, 0xd6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x590481e5c1bd8c, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x63, 0x6f, 0x70, 0x79, 0x20, 0x41, 0x56, 0x43, 0x6f, 0x64, 0x65,
0x63, 0x43, 0x6f, 0x6e, 0x74, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x6f63, 0x7970, 0x4120, 0x4356, 0x646f, 0x6365, 0x6f43, 0x746e,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x79706f63, 0x43564120, 0x6365646f, 0x746e6f43, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0x4356412079706f63, 0x746e6f436365646f, 0x0, 0x0}, 
  v2_int128 = {0x746e6f436365646f4356412079706f63,
0x00000000000000000000000000000000}
}
ymm6           {
  v8_float = {0x0, 0xcdd00000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x61, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x0, 0x54, 0x72, 0x69, 0x65,
0x64, 0x20, 0x74, 0x6f, 0x20, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x6361, 0x656b, 0x7374, 0x5400, 0x6972, 0x6465, 0x7420, 0x206f,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x656b6361, 0x54007374, 0x64656972, 0x206f7420, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0x54007374656b6361, 0x206f742064656972, 0x0, 0x0}, 
  v2_int128 = {0x206f74206465697254007374656b6361,
0x00000000000000000000000000000000}
}
ymm7           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm8           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x2d, 0x31, 0x31, 0x2d, 0x31, 0x31, 0x20, 0x31, 0x39, 0x3a, 0x35,
0x34, 0x3a, 0x35, 0x30, 0x0 <repeats 17 times>}, 
  v16_int16 = {0x312d, 0x2d31, 0x3131, 0x3120, 0x3a39, 0x3435, 0x353a, 0x30,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x2d31312d, 0x31203131, 0x34353a39, 0x30353a, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0x312031312d31312d, 0x30353a34353a39, 0x0, 0x0}, 
  v2_int128 = {0x0030353a34353a39312031312d31312d,
0x00000000000000000000000000000000}
}
ymm9           {
  v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xf6, 0x8f, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x8ff6, 0x21ee, 0x74a8, 0x3fd3, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x21ee8ff6, 0x3fd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3fd374a821ee8ff6, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003fd374a821ee8ff6,
0x00000000000000000000000000000000}
}
ymm10          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x54, 0xec, 0x35, 0x16, 0xb3, 0xe9, 0x8f, 0xbd, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xec54, 0x1635, 0xe9b3, 0xbd8f, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x1635ec54, 0xbd8fe9b3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xbd8fe9b31635ec54, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000bd8fe9b31635ec54,
0x00000000000000000000000000000000}
}
ymm11          {
  v8_float = {0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0xffffffffffffffd2, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xc047069e6735e6e0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000c047069e6735e6e0,
0x00000000000000000000000000000000}
}
ymm12          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x0, 0x3cc40000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3cc4000000000000, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003cc4000000000000,
0x00000000000000000000000000000000}
}
ymm13          {
  v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x90, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x9000, 0x21ee, 0x74a8, 0x3fd3, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x21ee9000, 0x3fd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3fd374a821ee9000, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003fd374a821ee9000,
0x00000000000000000000000000000000}
}
ymm14          {
  v8_float = {0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x2d, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x4046dfb516f209c0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000004046dfb516f209c0,
0x00000000000000000000000000000000}
}
ymm15          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xb3, 0x35, 0xb2, 0xb0, 0x7d, 0x51, 0x53, 0x3c, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x35b3, 0xb0b2, 0x517d, 0x3c53, 0x0 <repeats 12 times>}, 
  v8_int32 = {0xb0b235b3, 0x3c53517d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3c53517db0b235b3, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003c53517db0b235b3,
0x00000000000000000000000000000000}
}
