[libav-bugs] [Bug 1102] New: avprobe: Input file causing Denial Of Service via Out of memory exception

bugzilla at libav.org bugzilla at libav.org
Sat Nov 18 09:33:03 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1102

            Bug ID: 1102
           Summary: avprobe: Input file causing Denial Of Service via Out
                    of memory exception
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: lewweihao93 at hotmail.com

Created attachment 698
  --> https://bugzilla.libav.org/attachment.cgi?id=698&action=edit
input file that triggers the crash

avprobe aborts when fed the attached malicious input file. The command that
triggers it is "avprobe -v 9 -loglevel 99 <input file>". The dump below is the
output when libav is compiled with AddressSanitizer. Note what the trace shows:
the 'stts' atom is only 24 bytes (sz: 24), yet its entry count field is read as
134217729, and the demuxer then tries to allocate about 1 GiB (0x40003000 bytes)
for the time-to-sample table before the allocation fails with ENOMEM (error code
12). The abort itself is ASan's allocator CHECK (by default it does not return
NULL on failure), so this is not an "exception"; a non-instrumented build would
instead attempt the same ~1 GiB allocation, which may succeed, or be rejected by
libav's own allocation size limit. Either way the root cause is an untrusted
entry count taken from the file without being bounded by the remaining atom
size: with an 8-byte atom header and 8 bytes of version/flags plus count, a
24-byte stts atom has room for at most one 8-byte entry, so a count of
134217729 should be rejected before any allocation. The stack trace below is
unsymbolized (ASan was run without a symbolizer); rerunning with
ASAN_SYMBOLIZER_PATH pointing at llvm-symbolizer would make the frames
actionable.

avprobe version 12.2, Copyright (c) 2007-2017 the Libav developers
  built on Nov 18 2017 06:57:51 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
  configuration: --cc=/home/ubuntu/afl-2.52b/afl-clang-fast
  libavutil     55. 20. 0 / 55. 20. 0
  libavcodec    57. 25. 0 / 57. 25. 0
  libavformat   57.  7. 2 / 57.  7. 2
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  7. 0 /  6.  7. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
nsv_probe(), buf_size 1497
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] Probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 70797466 'ftyp' parent:'root'
sz: 32 0 1497
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] ISO: File Type Major Brand: isom
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 65657266 'free' parent:'root'
sz: 8 32 1497
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 7461646d 'mdat' parent:'root'
sz: 751 40 1497
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 766f6f6d 'moov' parent:'root'
sz: 706 791 1497
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6468766d 'mvhd' parent:'moov'
sz: 108 0 698
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] time scale = 1000
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6b617274 'trak' parent:'moov'
sz: 492 108 698
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 64686b74 'tkhd' parent:'trak'
sz: 92 0 484
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 73746465 'edts' parent:'trak'
sz: 36 92 484
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 74736c65 'elst' parent:'edts'
sz: 28 0 28
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] track[0].edit_count = 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6169646d 'mdia' parent:'trak'
sz: 356 128 484
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6468646d 'mdhd' parent:'mdia'
sz: 32 0 348
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 726c6468 'hdlr' parent:'mdia'
sz: 45 32 348
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] ctype=  (0x00000000)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] stype= soun
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 666e696d 'minf' parent:'mdia'
sz: 271 77 348
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 64686d73 'smhd' parent:'minf'
sz: 16 0 263
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 666e6964 'dinf' parent:'minf'
sz: 36 16 263
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 66657264 'dref' parent:'dinf'
sz: 28 0 28
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type url  size 12
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] Unknown dref type 0x08206c7275 size
12
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 6c627473 'stbl' parent:'minf'
sz: 211 52 263
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 64737473 'stsd' parent:'stbl'
sz: 103 0 203
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] size=87 format=0x6134706d
codec_type=1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] audio channels 2
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] version =0, isom =1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 73647365 'esds' parent:'stsd'
sz: 51 0 51
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] MPEG-4 description: tag=0x03 len=34
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] MPEG-4 description: tag=0x04 len=20
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] esds object type id 0x40
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] MPEG-4 description: tag=0x05 len=2
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] Specific MPEG-4 header len=2
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] mp4a config channels 2 obj 2 ext obj
0 sample rate 44100 ext sample rate 0
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] type: 73747473 'stts' parent:'stbl'
sz: 24 103 203
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] track[0].stts.entries = 134217729
==1737==ERROR: AddressSanitizer failed to allocate 0x40003000 (1073754112)
bytes of LargeMmapAllocator (error code: 12)
==1737==Process memory map follows:
        0x000000400000-0x00000279d000   /home/ubuntu/libav-12.2/avprobe
        0x00000299c000-0x0000029a0000   /home/ubuntu/libav-12.2/avprobe
        0x0000029a0000-0x000002ace000   /home/ubuntu/libav-12.2/avprobe
        0x000002ace000-0x000003e91000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x602000000000
        0x602000000000-0x602000010000
        0x602000010000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x604000000000
        0x604000000000-0x604000010000
        0x604000010000-0x605000000000
        0x605000000000-0x605000010000
        0x605000010000-0x607000000000
        0x607000000000-0x607000010000
        0x607000010000-0x608000000000
        0x608000000000-0x608000010000
        0x608000010000-0x60a000000000
        0x60a000000000-0x60a000010000
        0x60a000010000-0x60e000000000
        0x60e000000000-0x60e000010000
        0x60e000010000-0x610000000000
        0x610000000000-0x610000010000
        0x610000010000-0x611000000000
        0x611000000000-0x611000010000
        0x611000010000-0x612000000000
        0x612000000000-0x612000010000
        0x612000010000-0x613000000000
        0x613000000000-0x613000010000
        0x613000010000-0x614000000000
        0x614000000000-0x614000020000
        0x614000020000-0x616000000000
        0x616000000000-0x616000020000
        0x616000020000-0x617000000000
        0x617000000000-0x617000020000
        0x617000020000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x61a000000000
        0x61a000000000-0x61a000020000
        0x61a000020000-0x61c000000000
        0x61c000000000-0x61c000020000
        0x61c000020000-0x61d000000000
        0x61d000000000-0x61d000020000
        0x61d000020000-0x621000000000
        0x621000000000-0x621000020000
        0x621000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x62a000000000
        0x62a000000000-0x62a000010000
        0x62a000010000-0x62d000000000
        0x62d000000000-0x62d000020000
        0x62d000020000-0x640000000000
        0x640000000000-0x640000003000
        0x7f5509400000-0x7f5509500000
        0x7f5509600000-0x7f5509700000
        0x7f55097f4000-0x7f550bb46000
        0x7f550bb46000-0x7f550bd06000   /lib/x86_64-linux-gnu/libc-2.23.so
        0x7f550bd06000-0x7f550bf06000   /lib/x86_64-linux-gnu/libc-2.23.so
        0x7f550bf06000-0x7f550bf0a000   /lib/x86_64-linux-gnu/libc-2.23.so
        0x7f550bf0a000-0x7f550bf0c000   /lib/x86_64-linux-gnu/libc-2.23.so
        0x7f550bf0c000-0x7f550bf10000
        0x7f550bf10000-0x7f550bf26000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f550bf26000-0x7f550c125000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f550c125000-0x7f550c126000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f550c126000-0x7f550c129000   /lib/x86_64-linux-gnu/libdl-2.23.so
        0x7f550c129000-0x7f550c328000   /lib/x86_64-linux-gnu/libdl-2.23.so
        0x7f550c328000-0x7f550c329000   /lib/x86_64-linux-gnu/libdl-2.23.so
        0x7f550c329000-0x7f550c32a000   /lib/x86_64-linux-gnu/libdl-2.23.so
        0x7f550c32a000-0x7f550c331000   /lib/x86_64-linux-gnu/librt-2.23.so
        0x7f550c331000-0x7f550c530000   /lib/x86_64-linux-gnu/librt-2.23.so
        0x7f550c530000-0x7f550c531000   /lib/x86_64-linux-gnu/librt-2.23.so
        0x7f550c531000-0x7f550c532000   /lib/x86_64-linux-gnu/librt-2.23.so
        0x7f550c532000-0x7f550c54a000  
/lib/x86_64-linux-gnu/libpthread-2.23.so
        0x7f550c54a000-0x7f550c749000  
/lib/x86_64-linux-gnu/libpthread-2.23.so
        0x7f550c749000-0x7f550c74a000  
/lib/x86_64-linux-gnu/libpthread-2.23.so
        0x7f550c74a000-0x7f550c74b000  
/lib/x86_64-linux-gnu/libpthread-2.23.so
        0x7f550c74b000-0x7f550c74f000
        0x7f550c74f000-0x7f550c857000   /lib/x86_64-linux-gnu/libm-2.23.so
        0x7f550c857000-0x7f550ca56000   /lib/x86_64-linux-gnu/libm-2.23.so
        0x7f550ca56000-0x7f550ca57000   /lib/x86_64-linux-gnu/libm-2.23.so
        0x7f550ca57000-0x7f550ca58000   /lib/x86_64-linux-gnu/libm-2.23.so
        0x7f550ca58000-0x7f550ca7e000   /lib/x86_64-linux-gnu/ld-2.23.so
        0x7f550cbce000-0x7f550cc73000
        0x7f550cc73000-0x7f550cc7d000
        0x7f550cc7d000-0x7f550cc7e000   /lib/x86_64-linux-gnu/ld-2.23.so
        0x7f550cc7e000-0x7f550cc7f000   /lib/x86_64-linux-gnu/ld-2.23.so
        0x7f550cc7f000-0x7f550cc80000
        0x7ffeb913d000-0x7ffeb915e000   [stack]
        0x7ffeb91f9000-0x7ffeb91fb000   [vvar]
        0x7ffeb91fb000-0x7ffeb91fd000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==1737==End of process memory map.
==1737==AddressSanitizer CHECK failed:
/build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
"((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c637d  (/home/ubuntu/libav-12.2/avprobe+0x4c637d)
    #1 0x4ccfa3  (/home/ubuntu/libav-12.2/avprobe+0x4ccfa3)
    #2 0x4cd191  (/home/ubuntu/libav-12.2/avprobe+0x4cd191)
    #3 0x4d6102  (/home/ubuntu/libav-12.2/avprobe+0x4d6102)
    #4 0x4287df  (/home/ubuntu/libav-12.2/avprobe+0x4287df)
    #5 0x42176d  (/home/ubuntu/libav-12.2/avprobe+0x42176d)
    #6 0x4bd62d  (/home/ubuntu/libav-12.2/avprobe+0x4bd62d)
    #7 0x22eef05  (/home/ubuntu/libav-12.2/avprobe+0x22eef05)
    #8 0x646b6c  (/home/ubuntu/libav-12.2/avprobe+0x646b6c)
    #9 0x6347a3  (/home/ubuntu/libav-12.2/avprobe+0x6347a3)
    #10 0x6347a3  (/home/ubuntu/libav-12.2/avprobe+0x6347a3)
    #11 0x6347a3  (/home/ubuntu/libav-12.2/avprobe+0x6347a3)
    #12 0x6347a3  (/home/ubuntu/libav-12.2/avprobe+0x6347a3)
    #13 0x648e2a  (/home/ubuntu/libav-12.2/avprobe+0x648e2a)
    #14 0x6347a3  (/home/ubuntu/libav-12.2/avprobe+0x6347a3)
    #15 0x642f21  (/home/ubuntu/libav-12.2/avprobe+0x642f21)
    #16 0x6347a3  (/home/ubuntu/libav-12.2/avprobe+0x6347a3)
    #17 0x63553d  (/home/ubuntu/libav-12.2/avprobe+0x63553d)
    #18 0x829f91  (/home/ubuntu/libav-12.2/avprobe+0x829f91)
    #19 0x4fe59b  (/home/ubuntu/libav-12.2/avprobe+0x4fe59b)
    #20 0x7f550bb6682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41cc48  (/home/ubuntu/libav-12.2/avprobe+0x41cc48)
