[libav-bugs] [Bug 1098] New: Out of bounds access in build_table

bugzilla at libav.org bugzilla at libav.org
Fri Nov 3 09:16:47 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1098

            Bug ID: 1098
           Summary: Out of bounds access in build_table
           Product: Libav
           Version: git HEAD
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: zhihua.yao at dbappsecurity.com.cn

Created attachment 694
  --> https://bugzilla.libav.org/attachment.cgi?id=694&action=edit
avconv -i poc -f null

Reproduce with the attached sample (attachment 694): `avconv -i poc -f null`. The crash is hit while avformat_find_stream_info() probes the input (see the backtrace below: try_decode_frame -> avcodec_open2 -> Smacker decode_init), so simply opening the crafted file is enough; no explicit decode or transcode is needed.

[----------------------------------registers-----------------------------------]
RAX: 0x51f200 (<udp_read_packet+816>:    jmp    0x51f15f <udp_read_packet+655>)
RBX: 0x200 
RCX: 0x9 ('\t')
RDX: 0x292aec0 
RSI: 0x14ae6c0 --> 0xffff0000ffff 
RDI: 0x9 ('\t')
RBP: 0x9 ('\t')
RSP: 0x7fffffffcd90 --> 0x2000007b0 
RIP: 0x57241c (<build_table+316>:    cmp    WORD PTR [rdx+0x2],0x0)
R8 : 0x1 
R9 : 0x1e 
R10: 0x200 
R11: 0x14a26a8 --> 0x4f8a00001e0009 
R12: 0x17 
R13: 0x96 
R14: 0x14a26a8 --> 0x4f8a00001e0009 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x572413 <build_table+307>:    jle    0x572473 <build_table+403>
   0x572415 <build_table+309>:    movsxd rax,edx
   0x572418 <build_table+312>:    lea    rdx,[rsi+rax*4]
=> 0x57241c <build_table+316>:    cmp    WORD PTR [rdx+0x2],0x0
   0x572421 <build_table+321>:    jne    0x572648 <build_table+872>
   0x572427 <build_table+327>:    movsxd r10,r10d
   0x57242a <build_table+330>:    movzx  ecx,dil
   0x57242e <build_table+334>:    xor    edi,edi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd90 --> 0x2000007b0 
0008| 0x7fffffffcd98 --> 0x14a26a8 --> 0x4f8a00001e0009 
0016| 0x7fffffffcda0 --> 0x14a3e00 --> 0xfffffff70400 
0024| 0x7fffffffcda8 --> 0x7fffffffcfc8 --> 0x9 ('\t')
0032| 0x7fffffffcdb0 --> 0xb0c0 
0040| 0x7fffffffcdb8 --> 0x2c3000000002 
0048| 0x7fffffffcdc0 --> 0x0 
0056| 0x7fffffffcdc8 --> 0xb3 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000057241c in build_table (vlc=vlc at entry=0x7fffffffcfc8,
table_nb_bits=0x9, nb_codes=0x96, codes=<optimized out>, flags=flags at entry=0x2)
at libavcodec/bitstream.c:196
196                    if (table[j][1] /*bits*/ != 0) {
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[──────────────────────────────────REGISTERS───────────────────────────────────]
 RAX  0x51f200 (udp_read_packet.constprop+816) ◂— jmp    0x51f15f
 RBX  0x200
 RCX  0x9
 RDX  0x292aec0
 RDI  0x9
 RSI  0x14ae6c0 ◂— 0xffff0000ffff
 R8   0x1
 R9   0x1e
 R10  0x200
 R11  0x14a26a8 ◂— 0x4f8a00001e0009 /* '\t' */
 R12  0x17
 R13  0x96
 R14  0x14a26a8 ◂— 0x4f8a00001e0009 /* '\t' */
 R15  0x0
 RBP  0x9
 RSP  0x7fffffffcd90 ◂— 0x2000007b0
 RIP  0x57241c (build_table+316) ◂— cmp    word ptr [rdx + 2], 0
[────────────────────────────────────DISASM────────────────────────────────────]
 ► 0x57241c <build_table+316>    cmp    word ptr [rdx + 2], 0
   0x572421 <build_table+321>    jne    build_table+872              
<0x572648>
    ↓
   0x572648 <build_table+872>    xor    eax, eax
   0x57264a <build_table+874>    mov    edx, 0xa3e134
   0x57264f <build_table+879>    mov    esi, 0x10
   0x572654 <build_table+884>    xor    edi, edi
   0x572656 <build_table+886>    call   av_log                       
<0x9e2020>

   0x57265b <build_table+891>    add    rsp, 0x38
   0x57265f <build_table+895>    mov    eax, 0xc1444e49
   0x572664 <build_table+900>    pop    rbx
   0x572665 <build_table+901>    pop    rbp
[────────────────────────────────────SOURCE────────────────────────────────────]
191                    j = bitswap_32(code);
192                    inc = 1 << n;
193                }
194                for (k = 0; k < nb; k++) {
195                    av_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
196                    if (table[j][1] /*bits*/ != 0) {
197                        av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
198                        return AVERROR_INVALIDDATA;
199                    }
200                    table[j][1] = n; //bits
[────────────────────────────────────STACK─────────────────────────────────────]
00:0000│ rsp  0x7fffffffcd90 ◂— 0x2000007b0
01:0008│      0x7fffffffcd98 —▸ 0x14a26a8 ◂— 0x4f8a00001e0009 /* '\t' */
02:0010│      0x7fffffffcda0 —▸ 0x14a3e00 ◂— 0xfffffff70400
03:0018│      0x7fffffffcda8 —▸ 0x7fffffffcfc8 ◂— 9 /* '\t' */
04:0020│      0x7fffffffcdb0 ◂— 0xb0c0
05:0028│      0x7fffffffcdb8 ◂— 0x2c3000000002
06:0030│      0x7fffffffcdc0 ◂— 0x0
07:0038│      0x7fffffffcdc8 ◂— 0xb3
[──────────────────────────────────BACKTRACE───────────────────────────────────]
 ► f 0           57241c build_table+316
   f 1           5725c0 build_table+736
   f 2           572dac ff_init_vlc_sparse+1004
   f 3           428150 smacker_decode_header_tree.isra+720
   f 4           428586 decode_init+282
   f 5           428586 decode_init+282
   f 6           806c7c avcodec_open2+2140
   f 7           53605e try_decode_frame+462
   f 8           53a241 avformat_find_stream_info+1169
   f 9           451b69 open_input_file+633
   f 10           452caf avconv_parse_options+175
Program received signal SIGSEGV (fault address 0x292aec2)
pwndbg> p j
$1 = 0x51f200

Analysis: the faulting read is `table[j][1]` at libavcodec/bitstream.c:196 with j = 0x51f200. With table_nb_bits = 9 the table has only 1 << 9 = 0x200 entries (the 0x200 held in RBX/R10 matches), so j is more than 5 million entries past the end. The address arithmetic confirms it: RSI = 0x14ae6c0 is the table base, 0x14ae6c0 + 0x51f200 * 4 = 0x292aec0 = RDX (`lea rdx,[rsi+rax*4]`, 4 bytes per entry), and the fault address 0x292aec2 is the `[rdx+2]` load of the bits field, roughly 21 MB beyond a 2 KB table. The index j comes from the code value (`j = bitswap_32(code)` on the INIT_VLC_LE path, flags = 2) and the codes are produced by smacker_decode_header_tree(), i.e. they are read straight from the input file, so the index is attacker-controlled. Note that if the out-of-bounds slot happens to land on mapped memory that reads as 0, the check on line 196 passes and line 200 then performs a heap out-of-bounds write (`table[j][1] = n`), so this should be treated as potentially more than a plain crash. The fix I would expect is a bounds check of j (and j + inc * nb) against the table size in build_table before the access, and presumably also rejecting codes in the caller whose value does not fit in their declared bit length so they never reach this path.
