[libav-bugs] [Bug 1039] New: Null pointer dereference in nsvdec.c

bugzilla at libav.org bugzilla at libav.org
Tue Mar 21 07:14:03 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1039

            Bug ID: 1039
           Summary: Null pointer dereference in nsvdec.c
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: boehme.marcel at gmail.com

Created attachment 657
  --> https://bugzilla.libav.org/attachment.cgi?id=657&action=edit
Crash-inducing sample file

Dear all,

The following bug was found with AFLGo, a directed version of the fuzzer AFL /
AFLFast. Thanks also to Van-Thuan Pham.

The attached file crashes avconv (libavformat) with a segmentation fault caused by a
null pointer dereference in nsv_read_chunk() at libavformat/nsvdec.c:579. It was
reproduced on Ubuntu 14.04 x86_64 for Libav git revision 824d4062 (HEAD). Both the
Valgrind report ("Address 0x0") and the gdb register dump below (the faulting
instruction is `movzbl (%r9),%r8d` with %r9 == 0) show a one-byte read through a
NULL pointer, so the observed impact is a crash of the process that opens the file.
Note that the input format was auto-detected by probing (gdb prints "Format detected
only with low score of 20"), so the NSV demuxer is reached without the caller
selecting it explicitly.

Below is the GDB INFORMATION containing the stack trace, assembler code, and
register information from gdb for the crash-inducing sample input. The call path
into the demuxer may vary, but every crash is at the same location,
nsv_read_chunk (nsvdec.c:579). Here are the Valgrind stack traces for two different
files: one reaches it through nsv_read_packet() during avformat_find_stream_info(),
the other through nsv_read_header() during avformat_open_input():

==47558== Invalid read of size 1
==47558==    at 0x8A5FB2: nsv_read_chunk (nsvdec.c:579)
==47558==    by 0x8A6C82: nsv_read_packet (nsvdec.c:644)
==47558==    by 0xA2AB00: ff_read_packet (utils.c:447)
==47558==    by 0xA32FC8: read_frame_internal (utils.c:932)
==47558==    by 0xA403A6: avformat_find_stream_info (utils.c:2336)
==47558==    by 0x541459: open_input_file (avconv_opt.c:771)
==47558==    by 0x5454FE: open_files (avconv_opt.c:2417)
==47558==    by 0x5454FE: avconv_parse_options (avconv_opt.c:2454)
==47558==    by 0x518B8E: main (avconv.c:2881)
==47558==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

==52462== Invalid read of size 1
==52462==    at 0x8A5FB2: nsv_read_chunk (nsvdec.c:579)
==52462==    by 0x8A9754: nsv_read_header (nsvdec.c:505)
==52462==    by 0xA50C61: avformat_open_input (utils.c:336)
==52462==    by 0x541049: open_input_file (avconv_opt.c:754)
==52462==    by 0x5454FE: open_files (avconv_opt.c:2417)
==52462==    by 0x5454FE: avconv_parse_options (avconv_opt.c:2454)
==52462==    by 0x518B8E: main (avconv.c:2881)


GDB INFORMATION
$ gdb ./avconv

(gdb) r -i crash -f null - > /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v13_dev0-948-g7995ebf, Copyright (c) 2000-2017 the Libav
developers
  built on Mar 17 2017 05:01:44 with gcc 4.8 (Ubuntu 4.8.5-2ubuntu1~14.04.1)
[nsv @ 0x2c12060] Format detected only with low score of 20, misdetection
possible!

Program received signal SIGSEGV, Segmentation fault.
nsv_read_chunk (s=s at entry=0x2c12060, fill_header=fill_header at entry=1) at
libavformat/nsvdec.c:579
579                 av_log(s, AV_LOG_TRACE, "NSV video: [%d] = %02"PRIx8"\n",

(gdb) bt
#0  nsv_read_chunk (s=s at entry=0x2c12060, fill_header=fill_header at entry=1) at
libavformat/nsvdec.c:579
#1  0x00000000008a9755 in nsv_read_header (s=s at entry=0x2c12060) at
libavformat/nsvdec.c:505
#2  0x0000000000a50c62 in avformat_open_input (ps=ps at entry=0x7fffffffd950, 
    filename=filename at entry=0x7fffffffe7e3
"/dev/shm/run-libav/avconv/fuzzer9/crashes/id:000179,sig:11,src:007241+003000,op:splice,rep:16", 
    fmt=fmt at entry=0x0, options=0x2c17ff8) at libavformat/utils.c:336
#3  0x000000000054104a in open_input_file (o=o at entry=0x7fffffffdad0,
filename=<optimized out>) at avtools/avconv_opt.c:754
#4  0x00000000005454ff in open_files (inout=0x212e5fc "input",
open_file=0x540a00 <open_input_file>, l=<optimized out>, l=<optimized out>)
    at avtools/avconv_opt.c:2417
#5  avconv_parse_options (argc=argc at entry=6, argv=argv at entry=0x7fffffffe578) at
avtools/avconv_opt.c:2454
#6  0x0000000000518b8f in main (argc=6, argv=0x7fffffffe578) at
avtools/avconv.c:2881

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x8a5f92 to 0x8a5fd2:
   0x00000000008a5f92 <nsv_read_chunk+4834>:    mov    $0x212230c,%edx
   0x00000000008a5f97 <nsv_read_chunk+4839>:    mov    (%rax),%ecx
   0x00000000008a5f99 <nsv_read_chunk+4841>:    sete   %r8b
   0x00000000008a5f9d <nsv_read_chunk+4845>:    or     %r8d,0x40(%r15)
   0x00000000008a5fa1 <nsv_read_chunk+4849>:    cmp    $0x8,%ebp
   0x00000000008a5fa4 <nsv_read_chunk+4852>:    cmovbe %ebp,%r12d
   0x00000000008a5fa8 <nsv_read_chunk+4856>:    mov    %rdi,0x28(%r15)
   0x00000000008a5fac <nsv_read_chunk+4860>:    xor    %eax,%eax
   0x00000000008a5fae <nsv_read_chunk+4862>:    mov    %ecx,0x3c(%r15)
=> 0x00000000008a5fb2 <nsv_read_chunk+4866>:    movzbl (%r9),%r8d
   0x00000000008a5fb6 <nsv_read_chunk+4870>:    lea    -0x1(%r12),%ebp
   0x00000000008a5fbb <nsv_read_chunk+4875>:    xor    %ecx,%ecx
   0x00000000008a5fbd <nsv_read_chunk+4877>:    mov    %r13,%rdi
   0x00000000008a5fc0 <nsv_read_chunk+4880>:    and    $0x3,%ebp
   0x00000000008a5fc3 <nsv_read_chunk+4883>:    mov    %ebp,0x14(%rsp)
   0x00000000008a5fc7 <nsv_read_chunk+4887>:    mov    $0x1,%ebp
   0x00000000008a5fcc <nsv_read_chunk+4892>:    callq  0x20bc3b0 <av_log>
   0x00000000008a5fd1 <nsv_read_chunk+4897>:    cmp    $0x1,%r12d
End of assembler dump.

(gdb) info all-registers
rax            0x0      0                                                       
rbx            0x2c2b140        46313792
rcx            0x0      0
rdx            0x212230c        34743052
rsi            0x38     56
rdi            0x0      0
rbp            0x50f65  0x50f65
rsp            0x7fffffffd750   0x7fffffffd750
r8             0x1      1
r9             0x0      0
r10            0x8000000000000000       -9223372036854775808
r11            0x247    583
r12            0x8      8
r13            0x2c12060        46211168
r14            0x0      0
r15            0x2c23020        46280736
rip            0x8a5fb2 0x8a5fb2 <nsv_read_chunk+4866>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0 <repeats
12 times>}, v8_int32 = {0x0, 0x3ff00000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0 <repeats
12 times>}, v8_int32 = {0x0, 0x3ff00000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0 <repeats
12 times>}, v8_int32 = {0x0, 0x3ff00000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0 <repeats
12 times>}, v8_int32 = {0x0, 0x3ff00000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {
    0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x70, 0x70, 0x69, 0x6e, 0x67, 
    0x0 <repeats 27 times>}, v16_int16 = {0x7070, 0x6e69, 0x67, 0x0 <repeats 13
times>}, v8_int32 = {0x6e697070, 0x67, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x676e697070, 0x0, 0x0, 0x0}, v2_int128 =
{0x0000000000000000000000676e697070, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x61, 0x63, 0x6b, 0x65, 
    0x74, 0x73, 0x0, 0x61, 0x0 <repeats 24 times>}, v16_int16 = {0x6361,
0x656b, 0x7374, 0x6100, 0x0 <repeats 12 times>}, v8_int32 = {0x656b6361,
0x61007374, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x61007374656b6361, 0x0, 0x0,
0x0}, v2_int128 = {0x000000000000000061007374656b6361, 
    0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {
    0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {
    0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0 <repeats
12 times>}, v8_int32 = {0x0, 0x3ff00000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_int64 = {0x3ff0000000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003ff0000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 
    0x3e, 0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x8446, 0x5924, 0x3ed6,
0x0 <repeats 12 times>}, v8_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0, 0x0,
0x0, 
    0x0, 0x0}, v4_int64 = {0x3ed6592484460000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003ed6592484460000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x9689a800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2,
0xea, 
    0x8f, 0xbd, 0x0 <repeats 24 times>}, v16_int16 = {0xa26a, 0x5065, 0xeaf2,
0xbd8f, 0x0 <repeats 12 times>}, v8_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xbd8feaf25065a26a, 0x0, 0x0, 0x0},
v2_int128 = {0x0000000000000000bd8feaf25065a26a,
0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0 <repeats
12 times>}, v8_int32 = {0x0, 0x3cc40000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3cc4000000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003cc4000000000000, 0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 
    0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0
<repeats 12 times>}, v8_int32 = {0x0, 0xbc598000, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0xbc59800000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x0000000000000000bc59800000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 
    0x3c, 0x0 <repeats 24 times>}, v16_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53,
0x0 <repeats 12 times>}, v8_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int64 = {0x3c5324f0e883858e, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003c5324f0e883858e, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x2d, 0x0, 0x0, 0x0}, v32_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 
    0x40, 0x0 <repeats 24 times>}, v16_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046,
0x0 <repeats 12 times>}, v8_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int64 = {0x4046dfb516f209c0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000004046dfb516f209c0, 0x00000000000000000000000000000000}}

Best regards,
- Marcel

---
Marcel Boehme
Senior Research Fellow
TSUNAMi Research Centre
National University of Singapore

-- 
You are receiving this mail because:
You are watching all bug changes.