[libav-bugs] [Bug 1067] New: There is a heap based buffer overflow in the avconv && avprobe tools of the libav library. A crafted input can lead to a heap buffer overflow resulting in multiple damages.

bugzilla at libav.org bugzilla at libav.org
Fri Jun 23 06:17:56 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1067

            Bug ID: 1067
           Summary: There is a heap based buffer overflow in the avconv &&
                    avprobe tools of the libav library. A crafted input
                    can lead to a heap buffer overflow resulting in
                    multiple damages.
           Product: Libav
           Version: 12
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: ---
         Component: release
          Assignee: bugzilla at libav.org
          Reporter: v.owl337 at gmail.com

Created attachment 669
  --> https://bugzilla.libav.org/attachment.cgi?id=669&action=edit
Description contains the trigger method

The debugging information is as follows:

$ ./avconv -i POC1 -f null 
avconv version 12.1, Copyright (c) 2000-2017 the Libav developers
  built on May 20 2017 04:46:17 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
[h263 @ 0x21ec040] Format detected only with low score of 25, misdetection
possible!
[h263 @ 0x21f8080] warning: first frame is no keyframe
[h263 @ 0x21f8080] Error at MB: 1
[h263 @ 0x21f8080] I cbpy damaged at 13 0
[h263 @ 0x21f8080] Error at MB: 13
[h263 @ 0x21f8080] illegal ac vlc code at 0x0
[h263 @ 0x21f8080] Error at MB: 0
[h263 @ 0x21f8080] Error at MB: 4989
[h263 @ 0x21f8080] illegal ac vlc code at 0x0
[h263 @ 0x21f8080] Error at MB: 0
Segmentation fault

The vulnerability was triggered in function hpel_motion() at
mpegvideo_motion.c:192. With a special input, the pointer 'src' will point to
an illegal address that causes a segmentation fault of the program. This bug
does not crash until the function hpel_motion() has been called multiple times.

192 static inline int hpel_motion(MpegEncContext *s,
193                               uint8_t *dest, uint8_t *src,
194                               int src_x, int src_y,
195                               op_pixels_func *pix_op,
196                               int motion_x, int motion_y)
197 {
198     int dxy = 0;
199     int emu = 0;
200 
201     src_x += motion_x >> 1;
202     src_y += motion_y >> 1;
203 
204     /* WARNING: do no forget half pels */
205     src_x = av_clip(src_x, -16, s->width); // FIXME unneeded for emu?
206     if (src_x != s->width)
207         dxy |= motion_x & 1;
208     src_y = av_clip(src_y, -16, s->height);
209     if (src_y != s->height)
210         dxy |= (motion_y & 1) << 1;
211     src += src_y * s->linesize + src_x;

The bug results in multiple crashes in different functions; all the crashes are
caused by calling the same function hpel_motion(). gdb debug information is
below; we just list 5 PoCs and each brings a different effect.

$ gdb ./avconv

(gdb) set args -i POC1 -f null
(gdb) r
...

Trailing options were found on the commandline.
[h263 @ 0x1bd0060] Format detected only with low score of 25, misdetection
possible!
[h263 @ 0x1bdc080] warning: first frame is no keyframe
[h263 @ 0x1bdc080] Error at MB: 1
[h263 @ 0x1bdc080] I cbpy damaged at 13 0
[h263 @ 0x1bdc080] Error at MB: 13
[h263 @ 0x1bdc080] illegal ac vlc code at 0x0
[h263 @ 0x1bdc080] Error at MB: 0
[h263 @ 0x1bdc080] Error at MB: 4989
[h263 @ 0x1bdc080] illegal ac vlc code at 0x0
[h263 @ 0x1bdc080] Error at MB: 0

Program received signal SIGSEGV, Segmentation fault.
0x0000000000f5f7d0 in ff_put_pixels8_mmx (block=0x7ffff7e4f078 "", 
    pixels=0x7ffff7359afa <error: Cannot access memory at address
0x7ffff7359afa>, line_size=1408, h=8)
    at libavcodec/x86/fpel_mmx.c:81
81        __asm__ volatile (

(gdb) set args -i  POC2  -f null
(gdb) r
...

Trailing options were found on the commandline.
[h263 @ 0x1bd0060] Format detected only with low score of 25, misdetection
possible!
[h263 @ 0x1bdc080] warning: first frame is no keyframe

Program received signal SIGSEGV, Segmentation fault.
0x0000000000f8bf94 in ff_put_pixels8_y2_mmxext ()

(gdb) set args -i  POC3  -f null
(gdb) r
...
Trailing options were found on the commandline.
[h263 @ 0x1bdc080] run overflow at 0x0 i:0
[h263 @ 0x1bdc080] Error at MB: 0
[h263 @ 0x1bdc080] run overflow at 6x0 i:0
[h263 @ 0x1bdc080] Error at MB: 6
...

Program received signal SIGSEGV, Segmentation fault.
ff_put_pixels8_xy2_mmx (block=0x7ffff7e4f098 "", 
    pixels=0x7ffff7359b1e <error: Cannot access memory at address
0x7ffff7359b1e>, line_size=1408, h=8)
    at libavcodec/x86/rnd_template.c:38
38        __asm__ volatile(

(gdb) set args -i  POC4  -f null
(gdb) r
...
Trailing options were found on the commandline.
[h263 @ 0x1bd0060] Format detected only with low score of 25, misdetection
possible!
[h263 @ 0x1bdc080] warning: first frame is no keyframe
[h263 @ 0x1bdc080] illegal ac vlc code at 2x0
...

Program received signal SIGSEGV, Segmentation fault.
0x0000000000f8bd04 in ff_put_pixels8_x2_mmxext.loop ()

(gdb) set args -i  POC5  -f null 
(gdb) r
...
Trailing options were found on the commandline.
[h263 @ 0x1bd0060] Format detected only with low score of 25, misdetection
possible!
[h263 @ 0x1bdc080] Syntax-based Arithmetic Coding (SAC) not supported
[h263 @ 0x1bdc080] header damaged
...

Program received signal SIGSEGV, Segmentation fault.
put_no_rnd_pixels8_xy2_mmx (block=0x7ffff7e4f040 "", 
    pixels=0x7ffff7357f40 <error: Cannot access memory at address
0x7ffff7357f40>, line_size=1408, h=8)
    at libavcodec/x86/rnd_template.c:38
38        __asm__ volatile(
...

Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
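The following is an added illustration, not libav code and not part of the report above. It models the source-index arithmetic of the quoted hpel_motion() snippet (integer part of the motion vector, clip to [-16, width] and [-16, height], half-pel bits only when not clipped to the far edge, then offset = src_y * linesize + src_x) and pairs it with a bounds check against a constructed reference plane with a configurable amount of edge padding. It shows how many pixels of padding that -16 clip and the extra half-pel row/column assume to exist around the visible area, and that with less padding the computed read starts before the allocation. The 64x48 plane, the padding values, and the helper names (hpel_src, RefPlane, corner_read_ok) are assumptions for the example; libav's real frame layout and the root cause of the crashes above are not asserted here.

```c
#include <stddef.h>
#include <stdio.h>

/* Result of the source-pointer arithmetic: byte offset from the first
 * visible pixel of the plane, and the half-pel flags (bit 0 = x, bit 1 = y). */
typedef struct {
    ptrdiff_t offset;
    int dxy;
} HpelSrc;

static int clip_int(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Mirrors the arithmetic of the quoted hpel_motion() snippet: add the integer
 * part of the motion vector (motion_x >> 1 assumes an arithmetic right shift
 * for negative values, as the original does), clip to [-16, width] and
 * [-16, height], set the half-pel bits only when not clipped to the far edge,
 * then form the byte offset. This is a model, not libav's code. */
static HpelSrc hpel_src(int width, int height, int linesize,
                        int src_x, int src_y, int motion_x, int motion_y)
{
    HpelSrc r = { 0, 0 };
    src_x += motion_x >> 1;
    src_y += motion_y >> 1;
    src_x = clip_int(src_x, -16, width);
    if (src_x != width)
        r.dxy |= motion_x & 1;
    src_y = clip_int(src_y, -16, height);
    if (src_y != height)
        r.dxy |= (motion_y & 1) << 1;
    r.offset = (ptrdiff_t)src_y * linesize + src_x;
    return r;
}

/* Constructed model of a reference plane: 'pad' pixels of edge padding on
 * every side, so the first visible pixel sits pad rows and pad columns into
 * the allocation. (Assumption for the example; libav's frame layout differs.) */
typedef struct {
    int width, height, pad, linesize;
    size_t buf_size;        /* bytes in the whole allocation */
    ptrdiff_t plane_start;  /* byte index of the first visible pixel */
} RefPlane;

static RefPlane ref_plane(int width, int height, int pad)
{
    RefPlane p;
    p.width = width;
    p.height = height;
    p.pad = pad;
    p.linesize = width + 2 * pad;
    p.buf_size = (size_t)(height + 2 * pad) * p.linesize;
    p.plane_start = (ptrdiff_t)pad * p.linesize + pad;
    return p;
}

/* Does a w x h block read at 'src', plus the extra column/row that a half-pel
 * interpolation touches, stay inside the allocation? 1 = yes, 0 = no. */
static int block_read_in_bounds(const RefPlane *p, HpelSrc src, int w, int h)
{
    int extra_x = src.dxy & 1;
    int extra_y = (src.dxy >> 1) & 1;
    ptrdiff_t first = p->plane_start + src.offset;
    ptrdiff_t last = first + (ptrdiff_t)(h - 1 + extra_y) * p->linesize
                           + (w - 1 + extra_x);
    return first >= 0 && (size_t)last < p->buf_size;
}

/* 8x8 block predicted from macroblock position (0,0) of a constructed 64x48
 * plane with the given padding and motion vector (half-pel units). */
static int corner_read_ok(int pad, int motion_x, int motion_y)
{
    RefPlane p = ref_plane(64, 48, pad);
    HpelSrc s = hpel_src(p.width, p.height, p.linesize, 0, 0, motion_x, motion_y);
    return block_read_in_bounds(&p, s, 8, 8);
}

int main(void)
{
    int pads[] = { 0, 8, 16 };
    for (size_t i = 0; i < sizeof pads / sizeof pads[0]; i++)
        printf("pad=%2d  mv=(-33,-33): %s\n", pads[i],
               corner_read_ok(pads[i], -33, -33) ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

With a motion vector of (-33,-33) the clipped source lands at (-16,-16) with both half-pel bits set; only a plane padded by at least 16 pixels keeps that read inside the allocation, while 0 or 8 pixels of padding put the first byte before the buffer start. At the far edge the snippet's `src_x != s->width` test drops the half-pel bit, which is what keeps the 16x16 case from reading one column past a 16-pixel border.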
