[libav-bugs] [Bug 1100] New: Heap buffer overflow on vc1_decode_i_blocks_adv.

bugzilla at libav.org bugzilla at libav.org
Fri Nov 17 06:32:42 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1100

            Bug ID: 1100
           Summary: Heap buffer overflow on vc1_decode_i_blocks_adv.
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Triggered by `./avconv -i $POC -f null -`, where $POC is the crafted input file (presumably fuzzer-generated — the build paths below are under a fuzzing tree; the file itself is not included in this message). Decoding alone reaches the bug: `-f null -` discards the output, so no encoder or muxer is involved.

Heap buffer overflow — a 4-byte out-of-bounds WRITE, per the ASAN report below — in vc1_decode_i_blocks_adv (libavcodec/vc1_block.c:2778), reached from vc1_decode_frame while decoding the crafted VC-1 stream. The write lands 0 bytes past the end of a 564-byte picture-table buffer allocated through ff_alloc_picture -> make_tables_writable -> av_buffer_alloc, i.e. an out-of-bounds heap write on attacker-supplied media input, not merely a crash. The reports here do not show the index or table-size values involved, so how far the write can be pushed beyond the allocation, and hence its exploitability, is not established by this trace alone and needs to be determined from the code at that line.


Test environment:

avconv version v13_dev0-1400-gb72ac6d, Copyright (c) 2000-2017 the Libav
developers
  built on Nov 14 2017 01:13:43 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
20160609


The GDB session below is from a non-instrumented build, so it does not stop at the overflow itself: the process aborts later, in av_buffer_unref -> free() during avcodec_close at teardown, when glibc's heap-consistency check ("free(): invalid next size (normal)") notices the corrupted chunk metadata adjacent to the overflowed buffer. Treat this backtrace as a symptom of the heap corruption, not its location; the ASAN report further down pinpoints the faulting write.

Thread 1 "avconv" received signal SIGABRT, Aborted.
0xb7fd9ce5 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7da2ea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7da4407 in __GI_abort () at abort.c:89
#3  0xb7dde37c in __libc_message (do_abort=2, fmt=0xb7ed6df4 "*** Error in
`%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7de42f7 in malloc_printerr (action=<optimized out>, str=0xb7ed6e88
"free(): invalid next size (normal)", 
    ptr=<optimized out>, ar_ptr=0xb7f29780 <main_arena>) at malloc.c:5006
#5  0xb7de4c31 in _int_free (av=0xb7f29780 <main_arena>, p=<optimized out>,
have_lock=0) at malloc.c:3867
#6  0x087ee377 in av_buffer_unref (buf=0x91c6610) at libavutil/buffer.c:117
#7  0x083b5cd8 in ff_free_picture_tables (pic=0x91c65e8) at
libavcodec/mpegpicture.c:421
#8  0x083b72fd in ff_mpv_common_end (s=0x91c61e0) at
libavcodec/mpegvideo.c:1031
#9  0x0806f727 in ff_vc1_decode_end (avctx=0x91cace0) at
libavcodec/vc1dec.c:564
#10 0x0806e265 in avcodec_close (avctx=0x91cace0) at libavcodec/utils.c:745
#11 0x080956d1 in transcode () at avtools/avconv.c:2827
#12 main (argc=6, argv=0xbffff084) at avtools/avconv.c:2940
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xb7fd9cc5 to 0xb7fd9d05:
   0xb7fd9cc5 <__vdso_time+21>: inc    DWORD PTR [ebp-0x76fd8b2e]
   0xb7fd9ccb <__vdso_time+27>: add    bl,BYTE PTR [ebp-0x3d]
   0xb7fd9cce:  mov    eax,DWORD PTR [esp]
   0xb7fd9cd1:  ret    
   0xb7fd9cd2:  mov    ebx,DWORD PTR [esp]
   0xb7fd9cd5:  ret    
   0xb7fd9cd6:  mov    edi,DWORD PTR [esp]
   0xb7fd9cd9:  ret    
   0xb7fd9cda:  nop
   0xb7fd9cdb:  nop
   0xb7fd9cdc <__kernel_vsyscall+0>:    push   ecx
   0xb7fd9cdd <__kernel_vsyscall+1>:    push   edx
   0xb7fd9cde <__kernel_vsyscall+2>:    push   ebp
   0xb7fd9cdf <__kernel_vsyscall+3>:    mov    ebp,esp
   0xb7fd9ce1 <__kernel_vsyscall+5>:    sysenter 
   0xb7fd9ce3 <__kernel_vsyscall+7>:    int    0x80
=> 0xb7fd9ce5 <__kernel_vsyscall+9>:    pop    ebp
   0xb7fd9ce6 <__kernel_vsyscall+10>:   pop    edx
   0xb7fd9ce7 <__kernel_vsyscall+11>:   pop    ecx
   0xb7fd9ce8 <__kernel_vsyscall+12>:   ret    
   0xb7fd9ce9:  nop
   0xb7fd9cea:  nop
   0xb7fd9ceb:  nop
   0xb7fd9cec:  nop
   0xb7fd9ced:  lea    esi,[esi+0x0]
   0xb7fd9cf0 <__kernel_sigreturn+0>:   pop    eax
   0xb7fd9cf1 <__kernel_sigreturn+1>:   mov    eax,0x77
   0xb7fd9cf6 <__kernel_sigreturn+6>:   int    0x80
   0xb7fd9cf8 <__kernel_sigreturn+8>:   nop
   0xb7fd9cf9:  lea    esi,[esi+0x0]
   0xb7fd9cfc <__kernel_rt_sigreturn+0>:    mov    eax,0xad
   0xb7fd9d01 <__kernel_rt_sigreturn+5>:    int    0x80
   0xb7fd9d03 <__kernel_rt_sigreturn+7>:    nop
   0xb7fd9d04:  sti    
End of assembler dump.
(gdb) info all-registers 
eax            0x0  0
ecx            0x3e03   15875
edx            0x6  6
ebx            0x3e03   15875
esp            0xbfffe5a8   0xbfffe5a8
ebp            0xbfffe868   0xbfffe868
esi            0xb7f29000   -1208840192
edi            0xbfffe664   -1073748380
eip            0xb7fd9ce5   0xb7fd9ce5 <__kernel_vsyscall+9>
eflags         0x206    [ PF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
st0            -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st1            -nan(0x6f6f6f6f6f6f6f6f) (raw 0xffff6f6f6f6f6f6f6f6f)
st2            -nan(0x6f6f6f6f6f6f6f6f) (raw 0xffff6f6f6f6f6f6f6f6f)
st3            -nan(0x6f6f6f6f6f6f6f6f) (raw 0xffff6f6f6f6f6f6f6f6f)
st4            0.0049580000340938568115234375   (raw 0x3ff7a276b80000000000)
st5            46.042888888888889198369724908843637 (raw
0x4004b82beb109c8ee800)
st6            -1   (raw 0xbfff8000000000000000)
st7            -1   (raw 0xbfff8000000000000000)
fctrl          0x37f    895
fstat          0x4020   16416
ftag           0xffff   65535
fiseg          0x0  0
fioff          0x8095d7a    134831482
foseg          0x0  0
fooff          0x0  0
fop            0x0  0
mxcsr          0x1f80   [ IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 
    0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff,
0x0 <repeats 17 times>}, v16_int16 = {0x0, 
    0xff, 0x0, 0x0, 0x0, 0x0, 0xff00, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v8_int32 = {0xff0000, 0x0, 0x0, 
    0xffff00, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff0000, 0xffff0000000000, 0x0,
0x0}, v2_int128 = {
    0x00ffff00000000000000000000ff0000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x7a, 0x52, 0x0, 0x1, 0x7c, 0x8, 0x1, 0x1b, 0xc, 0x4, 0x4, 0x88, 0x1, 0x0,
0x0, 0x20, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x527a, 0x100, 0x87c, 0x1b01, 0x40c, 0x8804, 0x1, 0x2000, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x100527a, 0x1b01087c, 0x8804040c, 0x20000001, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x1b01087c0100527a, 
    0x200000018804040c, 0x0, 0x0}, v2_int128 =
{0x200000018804040c1b01087c0100527a, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0xa, 0x0, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x0, 0x6f, 0x62, 0x61,
0x6c, 0x20, 0x68, 0x65, 0x61, 
    0x0 <repeats 16 times>}, v16_int16 = {0xa, 0x6e6b, 0x776f, 0x6e, 0x626f,
0x6c61, 0x6820, 0x6165, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x6e6b000a, 0x6e776f, 0x6c61626f,
0x61656820, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x6e776f6e6b000a, 0x616568206c61626f, 0x0, 0x0}, v2_int128 =
{0x616568206c61626f006e776f6e6b000a, 
    0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
mm0            {uint64 = 0x8080808080808080, v2_int32 = {0x80808080,
0x80808080}, v4_int16 = {0x8080, 0x8080, 0x8080, 
    0x8080}, v8_int8 = {0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}}
mm1            {uint64 = 0x6f6f6f6f6f6f6f6f, v2_int32 = {0x6f6f6f6f,
0x6f6f6f6f}, v4_int16 = {0x6f6f, 0x6f6f, 0x6f6f, 
    0x6f6f}, v8_int8 = {0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f}}
mm2            {uint64 = 0x6f6f6f6f6f6f6f6f, v2_int32 = {0x6f6f6f6f,
0x6f6f6f6f}, v4_int16 = {0x6f6f, 0x6f6f, 0x6f6f, 
    0x6f6f}, v8_int8 = {0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f}}
mm3            {uint64 = 0x6f6f6f6f6f6f6f6f, v2_int32 = {0x6f6f6f6f,
0x6f6f6f6f}, v4_int16 = {0x6f6f, 0x6f6f, 0x6f6f, 
    0x6f6f}, v8_int8 = {0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f, 0x6f}}
mm4            {uint64 = 0xa276b80000000000, v2_int32 = {0x0, 0xa276b800},
v4_int16 = {0x0, 0x0, 0xb800, 0xa276}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xb8, 0x76, 0xa2}}
mm5            {uint64 = 0xb82beb109c8ee800, v2_int32 = {0x9c8ee800,
0xb82beb10}, v4_int16 = {0xe800, 0x9c8e, 0xeb10, 
    0xb82b}, v8_int8 = {0x0, 0xe8, 0x8e, 0x9c, 0x10, 0xeb, 0x2b, 0xb8}}
mm6            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm7            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}


ASAN output (AddressSanitizer-instrumented build run on the same input). Note that, judging by the source paths, this build was compiled from a libav-12 tree, whereas the GDB trace above is from git HEAD (v13_dev0-1400-gb72ac6d); the reported line vc1_block.c:2778 therefore refers to the libav-12 sources and should be re-mapped when triaging against HEAD:

==15994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53089b4 at
pc 0x0913af33 bp 0xbf893358 sp 0xbf89334c
WRITE of size 4 at 0xb53089b4 thread T0
    #0 0x913af32 in vc1_decode_i_blocks_adv
/home/min/fuzzing/src/libav-12/libavcodec/vc1_block.c:2778:84
    #1 0x91c8be2 in vc1_decode_frame
/home/min/fuzzing/src/libav-12/libavcodec/vc1dec.c:890:13
    #2 0x90eaefd in avcodec_decode_video2
/home/min/fuzzing/src/libav-12/libavcodec/utils.c:1588:19
    #3 0x90edc31 in do_decode
/home/min/fuzzing/src/libav-12/libavcodec/utils.c:1727:15
    #4 0x90ed7f2 in avcodec_send_packet
/home/min/fuzzing/src/libav-12/libavcodec/utils.c:1804:12
    #5 0x81a6d10 in decode /home/min/fuzzing/src/libav-12/avconv.c:1295:15
    #6 0x81a6d10 in decode_video /home/min/fuzzing/src/libav-12/avconv.c:1391
    #7 0x81a6d10 in process_input_packet
/home/min/fuzzing/src/libav-12/avconv.c:1503
    #8 0x8199ea6 in process_input
/home/min/fuzzing/src/libav-12/avconv.c:2673:5
    #9 0x8199ea6 in transcode /home/min/fuzzing/src/libav-12/avconv.c:2715
    #10 0x8199ea6 in main /home/min/fuzzing/src/libav-12/avconv.c:2888
    #11 0xb749e636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x8089b17 in _start
(/home/min/fuzzing/program/libav-fast/bin/avconv+0x8089b17)

0xb53089b4 is located 0 bytes to the right of 564-byte region
[0xb5308780,0xb53089b4)
allocated by thread T0 here:
    #0 0x812e704 in __interceptor_posix_memalign
(/home/min/fuzzing/program/libav-fast/bin/avconv+0x812e704)
    #1 0x9ba1c0d in av_malloc
/home/min/fuzzing/src/libav-12/libavutil/mem.c:81:9
    #2 0x9b75240 in av_buffer_alloc
/home/min/fuzzing/src/libav-12/libavutil/buffer.c:71:12
    #3 0x9b75c16 in av_buffer_make_writable
/home/min/fuzzing/src/libav-12/libavutil/buffer.c:136:14
    #4 0x8cf3c35 in make_tables_writable
/home/min/fuzzing/src/libav-12/libavcodec/mpegpicture.c:46:5
    #5 0x8cf3c35 in ff_alloc_picture
/home/min/fuzzing/src/libav-12/libavcodec/mpegpicture.c:237

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/min/fuzzing/src/libav-12/libavcodec/vc1_block.c:2778:84 in
vc1_decode_i_blocks_adv


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
