[libav-bugs] [Bug 1018] New: Global buff overflow (read) at libavcodec/ivi.c ivi_decode_coded_blocks()

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 21:56:08 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1018

            Bug ID: 1018
           Summary: Global buff overflow (read) at libavcodec/ivi.c
                    ivi_decode_coded_blocks()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 645
  --> https://bugzilla.libav.org/attachment.cgi?id=645&action=edit
Sample file triggering a global buff overflow

By fuzzing I found a global buffer overflow (READ) in libavcodec/ivi.c:563,
ivi_decode_coded_blocks(). A file triggering the bug was attached to the bug
report.
Libav was compiled with "clang -fsanitize=address -fsanitize-coverage=bb"
git HEAD ee164727dd64c199b87118917e674b17c25e0da3


gdb-peda$ r crash-global-0x13005fd.avi  > /dev/null
Starting program: /home/hammel/libav/libav/avplay crash-global-0x13005fd.avi  > /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avplay version v13_dev0-685-gee16472, Copyright (c) 2003-2016 the Libav developers
  built on Jan  2 2017 00:21:26 with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
[New Thread 0x7ffe66eff700 (LWP 30953)]
[New Thread 0x7ffe66220700 (LWP 30954)]
[New process 30955]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 2 (process 30955) exited with code 01]
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_card_driver
returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_concat returned
error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_refer returned
error: No such file or directory
ALSA lib conf.c:4771:(snd_config_expand) Evaluate error: No such file or
directory
ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
Warning: not running or target is remote
Input #0, avi, from 'crash-global-0x13005fd.avi':
  Metadata:
    encoder         : Lavf57.10.2
  Duration: 00:00:01.00, start: 0.000000, bitrate: 1354 kb/s
    Stream #0:0: Video: indeo4 [IV41 / 0x31345649]
      yuv410p, 360x288
      24 fps, 24 tbn
gdb-peda$ [indeo4 @ 0x61900000c880] MB sizes mismatch: 4 vs. 8
[indeo4 @ 0x61900000c880] Error while decoding band: 2, plane: 0
[indeo4 @ 0x61900000c880] The band block size does not match the configuration
inherited
[indeo4 @ 0x61900000c880] Error while decoding band header: -1052488119
[indeo4 @ 0x61900000c880] Error while decoding band: 2, plane: 0
=================================================================
==30918==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000002a3fabd at pc 0x0000011871b1 bp 0x7ffe65a1dff0 sp 0x7ffe65a1dfe8
READ of size 1 at 0x000002a3fabd thread T3
    #0 0x11871b0  (/home/hammel/libav/libav/avplay+0x11871b0) 
libavcodec/ivi.c, line 563 ivi_decode_coded_blocks()
    #1 0xb428b7  (/home/hammel/libav/libav/avplay+0xb428b7) 
libavcodec/decode.c, line 334
    #2 0xb40a97  (/home/hammel/libav/libav/avplay+0xb40a97) 
libavcodec/decode.c, line 445
    #3 0xb43793  (/home/hammel/libav/libav/avplay+0xb43793) 
libavcodec/decode.c, line 500
    #4 0x50ed1a  (/home/hammel/libav/libav/avplay+0x50ed1a)
    #5 0x7ffff7b520b7  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x140b7)
    #6 0x7ffff7b91f58  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53f58)
    #7 0x7ffff67976b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7ffff5eab82c  (/lib/x86_64-linux-gnu/libc.so.6+0x10682c)

0x000002a3fabd is located 35 bytes to the left of global variable 'ff_ivi_rvmap_tabs' defined in 'libavcodec/ivi.c:1206:17' (0x2a3fae0) of size 4626
0x000002a3fabd is located 13 bytes to the right of global variable 'ff_ivi_direct_scan_4x4' defined in 'libavcodec/ivi.c:1198:15' (0x2a3faa0) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/hammel/libav/libav/avplay+0x11871b0)
Shadow bytes around the buggy address:
  0x00008053ff00: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
  0x00008053ff10: 00 00 00 00 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
  0x00008053ff20: 00 00 00 06 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
  0x00008053ff30: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008053ff40: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x00008053ff50: f9 f9 f9 f9 00 00 f9[f9]f9 f9 f9 f9 00 00 00 00
  0x00008053ff60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008053ff70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008053ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008053ff90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008053ffa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T3 created by T0 here:
    #0 0x42e949  (/home/hammel/libav/libav/avplay+0x42e949)
    #1 0x7ffff7b91fa9  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53fa9)

==30918==ABORTING

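As an added triage aid (not part of the bug report or of Libav), the script below parses the "located N bytes to the left/right of global variable" lines of an AddressSanitizer global-buffer-overflow report, cross-checks the two neighbour descriptions against the faulting address, and expresses the access as a byte offset from each global's start. The sample input is constructed from the report above; the observation that a byte offset equals an element index assumes a one-byte element table.

```python
import re

# Constructed sample: the relevant lines of the ASan report from this bug,
# joined onto single lines as ASan prints them.
SAMPLE_REPORT = """\
==30918==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002a3fabd at pc 0x0000011871b1 bp 0x7ffe65a1dff0 sp 0x7ffe65a1dfe8
READ of size 1 at 0x000002a3fabd thread T3
0x000002a3fabd is located 35 bytes to the left of global variable 'ff_ivi_rvmap_tabs' defined in 'libavcodec/ivi.c:1206:17' (0x2a3fae0) of size 4626
0x000002a3fabd is located 13 bytes to the right of global variable 'ff_ivi_direct_scan_4x4' defined in 'libavcodec/ivi.c:1198:15' (0x2a3faa0) of size 16
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
GLOBAL_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '([^']+)' \(0x([0-9a-f]+)\) of size (\d+)"
)


def parse_asan_global_overflow(report):
    """Return (access, neighbours): the faulting access and, for each global
    ASan names as a neighbour, its byte offset from the global's start and
    whether the reported distance agrees with the faulting address."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no READ/WRITE line found in report")
    access = {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16)}
    neighbours = []
    for dist, side, name, where, base, size in GLOBAL_RE.findall(report):
        base, size, dist = int(base, 16), int(size), int(dist)
        # "right" distances are measured from the end of the global, "left"
        # distances from its start; recompute the address both ways.
        expected = base + size + dist if side == "right" else base - dist
        neighbours.append({
            "name": name, "defined_at": where, "size": size,
            # Byte offset from the global's start; for a table of one-byte
            # elements (assumption) this is the out-of-range element index.
            "offset": access["addr"] - base,
            "consistent": expected == access["addr"],
        })
    return access, neighbours


if __name__ == "__main__":
    access, neighbours = parse_asan_global_overflow(SAMPLE_REPORT)
    print(f"{access['kind']} of {access['size']} byte(s) at {access['addr']:#x}")
    for n in neighbours:
        print(f"  {n['name']} ({n['defined_at']}, {n['size']} bytes): "
              f"offset {n['offset']:+d} from start, consistent={n['consistent']}")
```

For this report both neighbour lines agree on the address, and the read lands 29 bytes into the 16-byte ff_ivi_direct_scan_4x4, which is the number to compare against the index computed at ivi.c:563 when bisecting the cause.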