[libav-bugs] [Bug 1073] New: There is an illegal address access in bitstream.c of the libav library.

bugzilla at libav.org bugzilla at libav.org
Wed Jul 26 08:44:43 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1073

            Bug ID: 1073
           Summary: There is an illegal address access in bitstream.c of
                    the libav library.
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: v.owl337 at gmail.com

Created attachment 673
  --> https://bugzilla.libav.org/attachment.cgi?id=673&action=edit
Triggered by "./avconv -i $POC -f null"

$ ./avconv -i POC -f null
avconv version 13_dev0, Copyright (c) 2000-2017 the Libav developers
  built on Jul 23 2017 22:21:15 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
Trailing options were found on the commandline.
[NULL @ 0x2f30560] [IMGUTILS @ 0x7ffdd5a2f1a0] Picture size 0x0 is invalid
[NULL @ 0x2f30560] ignoring invalid width/height values
[NULL @ 0x2f30560] [IMGUTILS @ 0x7ffdd5a2f1a0] Picture size 0x0 is invalid
Tree size exceeded!
Segmentation fault (core dumped)


ASAN output:

$ ./avconv -i POC -f null

avconv version 12.1, Copyright (c) 2000-2017 the Libav developers
  built on Jun 22 2017 03:56:34 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
Trailing options were found on the commandline.
[NULL @ 0x619000000a80] [IMGUTILS @ 0x7ffca3c20540] Picture size 0x0 is invalid
[NULL @ 0x619000000a80] ignoring invalid width/height values
[NULL @ 0x619000000a80] [IMGUTILS @ 0x7ffca3c20540] Picture size 0x0 is invalid
Tree size exceeded!
ASAN:DEADLYSIGNAL
=================================================================
==31159==ERROR: AddressSanitizer: SEGV on unknown address 0x62f001487cc2 (pc
0x000000a27a3d bp 0x61d000014168 sp 0x7ffca3c1ffb0 T0)
    #0 0xa27a3c  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa27a3c)
    #1 0xa27c75  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa27c75)
    #2 0xa26e30  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa26e30)
    #3 0x15492ea  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x15492ea)
    #4 0x153ee1c  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x153ee1c)
    #5 0x1635af8  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x1635af8)
    #6 0x8eeab4  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x8eeab4)
    #7 0x8e8988  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x8e8988)
    #8 0x4fda46  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x4fda46)
    #9 0x4fc626  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x4fc626)
    #10 0x4fbe7c  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x4fbe7c)
    #11 0x5226f2  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x5226f2)
    #12 0x7fe02c41782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41a318  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x41a318)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
(/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa27a3c) 
==31159==ABORTING


The GDB debugging information is as follows:

$ gdb ./avconv

(gdb) set args -i POC -f null
(gdb) r 
...

Breakpoint 1, build_table (vlc=vlc at entry=0x1086440 <spectral_coeff_tab>,
table_nb_bits=table_nb_bits at entry=9, 
    nb_codes=nb_codes at entry=9, codes=codes at entry=0x1677040,
flags=flags at entry=4) at libavcodec/bitstream.c:197
197                    if (table[j][1] /*bits*/ != 0) {
(gdb) c 9903
Will ignore next 9902 crossings of breakpoint 1.  Continuing.
avconv version 13_dev0, Copyright (c) 2000-2017 the Libav developers
  built on Jul 23 2017 22:21:15 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
Trailing options were found on the commandline.
[NULL @ 0x1683560] [IMGUTILS @ 0x7fffffffd3b0] Picture size 0x0 is invalid
[NULL @ 0x1683560] ignoring invalid width/height values
[NULL @ 0x1683560] [IMGUTILS @ 0x7fffffffd3b0] Picture size 0x0 is invalid
Tree size exceeded!

Breakpoint 1, build_table (vlc=vlc at entry=0x7fffffffd2d8, table_nb_bits=9,
nb_codes=150, codes=<optimized out>, 
    flags=flags at entry=2) at libavcodec/bitstream.c:197
197                    if (table[j][1] /*bits*/ != 0) {
(gdb) i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x000000000059847d in build_table at
libavcodec/bitstream.c:197
    breakpoint already hit 9904 times
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0000000000598484 in build_table (vlc=vlc at entry=0x7fffffffd2d8,
table_nb_bits=9, nb_codes=150, 
    codes=<optimized out>, flags=flags at entry=2) at libavcodec/bitstream.c:197
197                    if (table[j][1] /*bits*/ != 0) {
(gdb) bt
#0  0x0000000000598484 in build_table (vlc=vlc at entry=0x7fffffffd2d8,
table_nb_bits=9, nb_codes=150, 
    codes=<optimized out>, flags=flags at entry=2) at libavcodec/bitstream.c:197
#1  0x000000000059861f in build_table (vlc=vlc at entry=0x7fffffffd2d8,
table_nb_bits=table_nb_bits at entry=9, 
    nb_codes=nb_codes at entry=255, codes=codes at entry=0x169cdc0,
flags=flags at entry=2)
    at libavcodec/bitstream.c:228
#2  0x0000000000598e24 in ff_init_vlc_sparse (vlc=vlc at entry=0x7fffffffd2d8,
nb_bits=nb_bits at entry=9, 
    nb_codes=255, bits=<optimized out>, bits_wrap=bits_wrap at entry=4,
bits_size=bits_size at entry=4, 
    codes=0x169c0a0, codes_wrap=4, codes_size=4, symbols=0x0, symbols_wrap=0,
symbols_size=0, flags=2)
    at libavcodec/bitstream.c:319
#3  0x00000000004232e5 in smacker_decode_header_tree
(bc=bc at entry=0x7fffffffd380, 
    recodes=recodes at entry=0x169b0b0, last=last at entry=0x169b0d0, size=25776,
smk=0x169b0a0)
    at libavcodec/smacker.c:228
#4  0x0000000000423718 in decode_header_trees (smk=0x169b0a0) at
libavcodec/smacker.c:316
#5  decode_init (avctx=0x1683560) at libavcodec/smacker.c:574
#6  0x0000000000835782 in avcodec_open2 (avctx=avctx at entry=0x1683560, 
    codec=codec at entry=0x107c180 <ff_smacker_decoder>,
options=options at entry=0x1686ac0)
    at libavcodec/utils.c:643
#7  0x000000000054b7ed in try_decode_frame (st=st at entry=0x1682d60,
avpkt=avpkt at entry=0x7fffffffd550, 
    options=0x1686ac0, s=0x1677060) at libavformat/utils.c:1926
#8  0x000000000054fc31 in avformat_find_stream_info (ic=0x1677060,
options=0x1686ac0)
---Type <return> to continue, or q <return> to quit---
    at libavformat/utils.c:2459
#9  0x000000000044f526 in open_input_file (o=o at entry=0x7fffffffd9b0,
filename=<optimized out>)
    at avtools/avconv_opt.c:822
#10 0x000000000045153a in open_files (l=0x1677898, l=0x1677898,
open_file=0x44f240 <open_input_file>, 
    inout=0xb9d43c "input") at avtools/avconv_opt.c:2468
#11 avconv_parse_options (argc=argc at entry=5, argv=argv at entry=0x7fffffffe4d8) at
avtools/avconv_opt.c:2505
#12 0x0000000000449774 in main (argc=5, argv=0x7fffffffe4d8) at
avtools/avconv.c:2916

The vulnerability was triggered in function build_table() at
libavcodec/bitstream.c:197

160 static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
161                        VLCcode *codes, int flags)
162 {
...
179 
180     /* first pass: map codes and compute auxiliary table sizes */
181     for (i = 0; i < nb_codes; i++) {
182         n      = codes[i].bits;
183         code   = codes[i].code;
184         symbol = codes[i].symbol;
185         ff_dlog(NULL, "i=%d n=%d code=0x%"PRIx32"\n", i, n, code);
186         if (n <= table_nb_bits) {
187             /* no need to add another table */
188             j = code >> (32 - table_nb_bits);
189             nb = 1 << (table_nb_bits - n);
190             inc = 1;
191             if (flags & INIT_VLC_LE) {
192                 j = bitswap_32(code);
193                 inc = 1 << n;
194             }
195             for (k = 0; k < nb; k++) {
196                 ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
197                 if (table[j][1] /*bits*/ != 0) {
198                     av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
199                     return AVERROR_INVALIDDATA;
200                 }
201                 table[j][1] = n; //bits
202                 table[j][0] = symbol;
203                 j += inc;
204             }
...
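
The crash is at the table[j][1] read on line 197: the index j computed from codes[i].code has left the root table. The report does not say why j goes out of range, so what follows is an added, simplified model of the first pass shown above, written for this write-up and not libav's code, that shows the two checks a defender would want here: a well-formedness check on each code word (the bits below the n-bit prefix must be zero, otherwise the j/nb/inc arithmetic overruns the table) and a range check on j before every table access, so a malformed code yields an error return instead of a wild read. The VLCcode layout, the bitswap_32 reimplementation, the INIT_VLC_LE value, the limit on table_nb_bits and the sample code sets are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INIT_VLC_LE     2     /* assumed to match flags=2 in the backtrace */
#define ERR_INVALIDDATA (-1)  /* stands in for AVERROR_INVALIDDATA */
#define ERR_RANGE       (-2)  /* added: index would leave the table */

/* Simplified VLCcode (assumption): 'code' is the code word left-aligned in 32 bits. */
typedef struct { int bits; uint16_t symbol; uint32_t code; } VLCcode;

typedef int16_t VLC_TYPE;     /* table[j][0] = symbol, table[j][1] = bits */

/* Reimplementation of the bit-reversal helper named in the excerpt (assumption). */
static uint32_t bitswap_32(uint32_t x)
{
    uint32_t r = 0;
    for (int i = 0; i < 32; i++) { r = (r << 1) | (x & 1u); x >>= 1u; }
    return r;
}

/* Returns 1 if the code word has no stray bits below its n-bit prefix.
 * The index arithmetic (j, nb, inc) of the first pass only stays inside a
 * table of 1 << table_nb_bits entries when this holds. */
static int vlc_code_is_wellformed(const VLCcode *c)
{
    if (c->bits < 1 || c->bits > 32) return 0;
    if (c->bits == 32) return 1;
    return (c->code & ((1u << (32 - c->bits)) - 1u)) == 0;
}

/* First pass of build_table() for codes that fit in the root table, with a
 * range check on j before every access. Codes longer than table_nb_bits
 * (which would need a sub-table) are skipped here. table must hold
 * 1 << table_nb_bits entries; table_nb_bits is capped at 16 (assumption). */
static int build_table_checked(VLC_TYPE (*table)[2], int table_nb_bits,
                               const VLCcode *codes, int nb_codes, int flags)
{
    if (table_nb_bits < 1 || table_nb_bits > 16) return ERR_INVALIDDATA;
    uint32_t table_size = 1u << table_nb_bits;
    memset(table, 0, table_size * sizeof(*table));
    for (int i = 0; i < nb_codes; i++) {
        int n = codes[i].bits;
        uint32_t code = codes[i].code;
        if (n < 1 || n > 32) return ERR_INVALIDDATA;
        if (n > table_nb_bits) continue;
        uint32_t j   = code >> (32 - table_nb_bits);
        uint32_t nb  = 1u << (table_nb_bits - n);
        uint32_t inc = 1;
        if (flags & INIT_VLC_LE) { j = bitswap_32(code); inc = 1u << n; }
        for (uint32_t k = 0; k < nb; k++) {
            if (j >= table_size) return ERR_RANGE;        /* added guard: the read at line 197 would be past the table */
            if (table[j][1] != 0) return ERR_INVALIDDATA; /* "incorrect codes" */
            table[j][1] = (VLC_TYPE)n;
            table[j][0] = (VLC_TYPE)codes[i].symbol;
            j += inc;
        }
    }
    return 0;
}

/* Constructed sample: a complete 3-bit prefix code (A=0, B=10, C=110, D=111). */
static const VLCcode good_codes[4] = {
    { 1, 'A', 0x00000000u },
    { 2, 'B', 0x80000000u },
    { 3, 'C', 0xC0000000u },
    { 3, 'D', 0xE0000000u },
};

/* Constructed malformed entry: a 1-bit code with all 32 bits set. */
static const VLCcode bad_code[1] = { { 1, 'X', 0xFFFFFFFFu } };

static VLC_TYPE demo_table[8][2];

int main(void)
{
    int r = build_table_checked(demo_table, 3, good_codes, 4, 0);
    printf("big-endian build: %d\n", r);
    for (int j = 0; j < 8; j++)
        printf("  table[%d] = symbol %c, bits %d\n", j, demo_table[j][0], demo_table[j][1]);
    printf("wellformed(bad) = %d\n", vlc_code_is_wellformed(&bad_code[0]));
    printf("build(bad, LE) = %d (ERR_RANGE is %d)\n",
           build_table_checked(demo_table, 3, bad_code, 1, INIT_VLC_LE), ERR_RANGE);
    return 0;
}
```

With the well-formed set, both the big-endian and the INIT_VLC_LE path fill all eight entries without collision. For the malformed entry the range guard fires on the first access in LE mode (bitswap_32 of the all-ones word is far beyond the table) and on the second access in big-endian mode, whereas the excerpt above would perform the read unconditionally.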


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
