[libav-bugs] [Bug 1088] New: Read invalid address caused SEGV in dirac_parser.c

bugzilla at libav.org bugzilla at libav.org
Tue Oct 10 10:11:50 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1088

            Bug ID: 1088
           Summary: Read invalid address caused SEGV in dirac_parser.c
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 688
  --> https://bugzilla.libav.org/attachment.cgi?id=688&action=edit
dirac crash sample file

Triggered by "./avconv -i $POC -f null"

Configuration Information:

avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/
--toolchain=clang-asan



ASAN output:

$ ./avconv -i POC -f null -

==16222==ERROR: AddressSanitizer: SEGV on unknown address 0x2526016e (pc
0x0869bfec bp 0xbf924768 sp 0xbf9245b0 T0)
    #0 0x869bfeb in unpack_parse_unit
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/dirac_parser.c:107:19
    #1 0x869bfeb in dirac_combine_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/dirac_parser.c:163
    #2 0x869bfeb in dirac_parse
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/dirac_parser.c:234
    #3 0x8e37b74 in av_parser_parse2
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/parser.c:165:13
    #4 0x851ca4c in parse_packet
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:834:15
    #5 0x850480b in read_frame_internal
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:988:24
    #6 0x850df92 in avformat_find_stream_info
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:2226:15
    #7 0x816afb4 in open_input_file
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:771:11
    #8 0x8169cdc in open_files
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:2380:15
    #9 0x8169730 in avconv_parse_options
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:2417:11
    #10 0x818f46e in main
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2866:11
    #11 0xb746f636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x8089f47 in _start
(/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/dirac_parser.c:107:19 in
unpack_parse_unit




The GDB debugging information is as follows:

(gdb) r -i ./dirac_crash.mp3  -f null -


(gdb) bt
#0  0x0869bfec in unpack_parse_unit (pc=<optimized out>, offset=<optimized
out>, pu=<optimized out>)
    at libavcodec/dirac_parser.c:107
#1  dirac_combine_frame (s=<optimized out>, avctx=<optimized out>,
next=<optimized out>, buf=<optimized out>, 
    buf_size=<optimized out>) at libavcodec/dirac_parser.c:163
#2  dirac_parse (s=<optimized out>, avctx=0x29c00b76, poutbuf=<optimized out>,
poutbuf_size=<optimized out>, 
    buf=<optimized out>, buf_size=<optimized out>) at
libavcodec/dirac_parser.c:234
#3  0x08e37b75 in av_parser_parse2 (s=<optimized out>, avctx=<optimized out>,
poutbuf=<optimized out>, 
    poutbuf_size=0xbfffd728, buf=<optimized out>, buf_size=-1262470640,
pts=-5422269850229655024, 
    dts=-5404319000056284600, pos=1628059275408441344) at
libavcodec/parser.c:165
#4  0x0851ca4d in parse_packet (s=0xb4403680, pkt=0xbfffd780,
stream_index=<optimized out>)
    at libavformat/utils.c:834
#5  0x0850480c in read_frame_internal (s=<optimized out>, pkt=<optimized out>)
at libavformat/utils.c:988
#6  0x0850df93 in avformat_find_stream_info (ic=<optimized out>,
options=0x17fffbb4) at libavformat/utils.c:2226
#7  0x0816afb5 in open_input_file (o=<optimized out>, filename=<optimized out>)
at avconv_opt.c:771
#8  0x08169cdd in open_files (l=<optimized out>, inout=0x9c54460 <.str.19>
"input", open_file=<optimized out>)
    at avconv_opt.c:2380
#9  0x08169731 in avconv_parse_options (argc=<optimized out>, argv=<optimized
out>) at avconv_opt.c:2417
#10 0x0818f46f in main (argc=<optimized out>, argv=<optimized out>) at
avconv.c:2866


(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x869bfcc to 0x869c00c:
   0x0869bfcc <dirac_parse+1548>:   add    %ecx,%edi
   0x0869bfce <dirac_parse+1550>:   js     0x869c0d4 <dirac_parse+1812>
   0x0869bfd4 <dirac_parse+1556>:   lea    0xd(%eax,%edi,1),%ecx
   0x0869bfd8 <dirac_parse+1560>:   cmp    0x38(%esp),%ecx
   0x0869bfdc <dirac_parse+1564>:   ja     0x869c0d4 <dirac_parse+1812>
   0x0869bfe2 <dirac_parse+1570>:   add    %edi,%eax
   0x0869bfe4 <dirac_parse+1572>:   lea    0x4(%eax),%ecx
   0x0869bfe7 <dirac_parse+1575>:   mov    %ecx,%edi
   0x0869bfe9 <dirac_parse+1577>:   shr    $0x3,%edi
=> 0x0869bfec <dirac_parse+1580>:   mov    0x20000000(%edi),%bl
   0x0869bff2 <dirac_parse+1586>:   test   %bl,%bl
   0x0869bff4 <dirac_parse+1588>:   jne    0x869caf7 <dirac_parse+4407>
   0x0869bffa <dirac_parse+1594>:   mov    0x4(%eax),%cl
   0x0869bffd <dirac_parse+1597>:   lea    0x5(%eax),%edi
   0x0869c000 <dirac_parse+1600>:   mov    %edi,%ebx
   0x0869c002 <dirac_parse+1602>:   shr    $0x3,%ebx
   0x0869c005 <dirac_parse+1605>:   mov    0x20000000(%ebx),%ch
   0x0869c00b <dirac_parse+1611>:   test   %ch,%ch
End of assembler dump.




(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x869bfcc to 0x869c00c:
   0x0869bfcc <dirac_parse+1548>:   add    %ecx,%edi
   0x0869bfce <dirac_parse+1550>:   js     0x869c0d4 <dirac_parse+1812>
   0x0869bfd4 <dirac_parse+1556>:   lea    0xd(%eax,%edi,1),%ecx
   0x0869bfd8 <dirac_parse+1560>:   cmp    0x38(%esp),%ecx
   0x0869bfdc <dirac_parse+1564>:   ja     0x869c0d4 <dirac_parse+1812>
   0x0869bfe2 <dirac_parse+1570>:   add    %edi,%eax
   0x0869bfe4 <dirac_parse+1572>:   lea    0x4(%eax),%ecx
   0x0869bfe7 <dirac_parse+1575>:   mov    %ecx,%edi
   0x0869bfe9 <dirac_parse+1577>:   shr    $0x3,%edi
=> 0x0869bfec <dirac_parse+1580>:   mov    0x20000000(%edi),%bl
   0x0869bff2 <dirac_parse+1586>:   test   %bl,%bl
   0x0869bff4 <dirac_parse+1588>:   jne    0x869caf7 <dirac_parse+4407>
   0x0869bffa <dirac_parse+1594>:   mov    0x4(%eax),%cl
   0x0869bffd <dirac_parse+1597>:   lea    0x5(%eax),%edi
   0x0869c000 <dirac_parse+1600>:   mov    %edi,%ebx
   0x0869c002 <dirac_parse+1602>:   shr    $0x3,%ebx
   0x0869c005 <dirac_parse+1605>:   mov    0x20000000(%ebx),%ch
   0x0869c00b <dirac_parse+1611>:   test   %ch,%ch
End of assembler dump.





(gdb) info all-registers
eax            0x29c00b72   700451698
ecx            0x29c00b76   700451702
edx            0x8c000000   -1946157056
ebx            0x16b80100   381157632
esp            0xbfffd570   0xbfffd570
ebp            0xbfffd728   0xbfffd728
esi            0x1ff    511
edi            0x538016e    87556462
eip            0x869bfec    0x869bfec <dirac_parse+1580>
eflags         0x10203  [ CF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
st0            9.957466722920461539027801867174361e-06  (raw
0x3feea70efe71ee611800)
st1            -0.16666658368778738963378316384478239   (raw
0xbffcaaaaa51919b23800)
st2            -5.2368704321306240943608958015795252e-09    (raw
0xbfe3b3efffdd0585e000)
st3            0.49999999985513093880840074234583881    (raw
0x3ffdfffffffec16df800)
st4            1.7384289452803415575633558961773407e-09 (raw
0x3fe1eeed87e67d4a0800)
st5            0    (raw 0x00000000000000000000)
st6            25   (raw 0x4003c800000000000000)
st7            3602879701896396800  (raw 0x403cc800000000000000)
fctrl          0x37f    895
fstat          0x20 32
ftag           0xffff   65535
fiseg          0x0  0
fioff          0x9c32642    163784258
foseg          0x0  0
fooff          0x0  0
fop            0x0  0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x68, 0xfc, 0xd6, 0x41, 0x47, 0x6f, 0x20, 0xa7, 0x19, 0x1a, 0x21,
0xf9, 0xb7, 0xd5, 0x49, 0xaa, 
---Type <return> to continue, or q <return> to quit---
    0x0 <repeats 16 times>}, v16_int16 = {0xfc68, 0x41d6, 0x6f47, 0xa720,
0x1a19, 0xf921, 0xd5b7, 0xaa49, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x41d6fc68, 0xa7206f47,
0xf9211a19, 0xaa49d5b7, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0xa7206f4741d6fc68, 0xaa49d5b7f9211a19, 0x0, 0x0},
v2_int128 = {
    0xaa49d5b7f9211a19a7206f4741d6fc68, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 0x0, 0x0, 
    0x0}, v32_int8 = {0x46, 0x90, 0xee, 0xb8, 0xc, 0xc4, 0xbf, 0x73, 0xb3, 0x9,
0x18, 0x8e, 0xd, 0x6e, 0x3e, 0x9a, 
    0x0 <repeats 16 times>}, v16_int16 = {0x9046, 0xb8ee, 0xc40c, 0x73bf,
0x9b3, 0x8e18, 0x6e0d, 0x9a3e, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xb8ee9046, 0x73bfc40c,
0x8e1809b3, 0x9a3e6e0d, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x73bfc40cb8ee9046, 0x9a3e6e0d8e1809b3, 0x0, 0x0},
v2_int128 = {
    0x9a3e6e0d8e1809b373bfc40cb8ee9046, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0xefe80000, 0x0, 0x0, 0x58da2d8, 0x0, 0x0, 0x0,
0x0}, v4_double = {0x0, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x6, 0x44, 0x35, 0xd4, 0x7c,
0xac, 0xe2, 0x33, 0x39, 0x14, 0x2e, 
    0x32, 0x5b, 0xb4, 0xb1, 0x4c, 0x0 <repeats 16 times>}, v16_int16 = {0x4406,
0xd435, 0xac7c, 0x33e2, 0x1439, 
    0x322e, 0xb45b, 0x4cb1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 =
{0xd4354406, 0x33e2ac7c, 
    0x322e1439, 0x4cb1b45b, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0x33e2ac7cd4354406, 0x4cb1b45b322e1439, 0x0, 0x0}, 
  v2_int128 = {0x4cb1b45b322e143933e2ac7cd4354406,
0x00000000000000000000000000000000}}
ymm3           {v8_float = {0xfd021824, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x8000000000000000, 0x0, 
    0x0, 0x0}, v32_int8 = {0xf7, 0x79, 0x3f, 0xcc, 0xe3, 0x4, 0x85, 0x5f, 0x30,
0xa3, 0x53, 0x84, 0x98, 0x3d, 0xd, 
    0x82, 0x0 <repeats 16 times>}, v16_int16 = {0x79f7, 0xcc3f, 0x4e3, 0x5f85,
0xa330, 0x8453, 0x3d98, 0x820d, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xcc3f79f7,
0x5f8504e3, 0x8453a330, 0x820d3d98, 0x0, 0x0, 
    0x0, 0x0}, v4_int64 = {0x5f8504e3cc3f79f7, 0x820d3d988453a330, 0x0, 0x0},
v2_int128 = {
    0x820d3d988453a3305f8504e3cc3f79f7, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x11, 0x13, 0x0, 0x228051, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x69ce410, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x78, 0x6a, 0x88, 0x41, 0x90,
0x73, 0x9a, 0x41, 0xc8, 0x53, 0xbf, 
    0x3b, 0x46, 0x1, 0xa, 0x4a, 0x0 <repeats 16 times>}, v16_int16 = {0x6a78,
0x4188, 0x7390, 0x419a, 0x53c8, 
    0x3bbf, 0x146, 0x4a0a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 =
{0x41886a78, 0x419a7390, 
    0x3bbf53c8, 0x4a0a0146, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0x419a739041886a78, 0x4a0a01463bbf53c8, 0x0, 0x0}, 
  v2_int128 = {0x4a0a01463bbf53c8419a739041886a78,
0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x11, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x3c1e2e0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xab, 0x4c, 0x2, 0x6, 0x17, 0xf, 0x8e, 0x41, 0x64, 0x11, 0x85,
0x5b, 0xa, 0x38, 0x92, 0x1c, 
    0x0 <repeats 16 times>}, v16_int16 = {0x4cab, 0x602, 0xf17, 0x418e, 0x1164,
0x5b85, 0x380a, 0x1c92, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x6024cab, 0x418e0f17,
0x5b851164, 0x1c92380a, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x418e0f1706024cab, 0x1c92380a5b851164, 0x0, 0x0}, v2_int128 =
{0x1c92380a5b851164418e0f1706024cab, 
    0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 0x0, 0x0, 
---Type <return> to continue, or q <return> to quit---
    0x0}, v32_int8 = {0xe, 0x93, 0x43, 0xbe, 0x3b, 0x81, 0xd6, 0xff, 0x6a,
0x42, 0x70, 0x41, 0x19, 0x64, 0x64, 
    0x82, 0x0 <repeats 16 times>}, v16_int16 = {0x930e, 0xbe43, 0x813b, 0xffd6,
0x426a, 0x4170, 0x6419, 0x8264, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xbe43930e,
0xffd6813b, 0x4170426a, 0x82646419, 0x0, 0x0, 
    0x0, 0x0}, v4_int64 = {0xffd6813bbe43930e, 0x826464194170426a, 0x0, 0x0},
v2_int128 = {
    0x826464194170426affd6813bbe43930e, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x5c, 0x26, 0xff, 0xff, 0xff, 0xe2, 0xe1, 0xf, 0xfc, 0x78, 0x2b, 0xbf,
0xff, 0xff, 0xea, 0x2f, 
    0x0 <repeats 16 times>}, v16_int16 = {0x265c, 0xffff, 0xe2ff, 0xfe1,
0x78fc, 0xbf2b, 0xffff, 0x2fea, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xffff265c, 0xfe1e2ff,
0xbf2b78fc, 0x2feaffff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xfe1e2ffffff265c, 0x2feaffffbf2b78fc, 0x0, 0x0}, v2_int128 =
{0x2feaffffbf2b78fc0fe1e2ffffff265c, 
    0x00000000000000000000000000000000}}
mm0            {uint64 = 0xa70efe71ee611800, v2_int32 = {0xee611800,
0xa70efe71}, v4_int16 = {0x1800, 0xee61, 
    0xfe71, 0xa70e}, v8_int8 = {0x0, 0x18, 0x61, 0xee, 0x71, 0xfe, 0xe, 0xa7}}
mm1            {uint64 = 0xaaaaa51919b23800, v2_int32 = {0x19b23800,
0xaaaaa519}, v4_int16 = {0x3800, 0x19b2, 
    0xa519, 0xaaaa}, v8_int8 = {0x0, 0x38, 0xb2, 0x19, 0x19, 0xa5, 0xaa, 0xaa}}
mm2            {uint64 = 0xb3efffdd0585e000, v2_int32 = {0x585e000,
0xb3efffdd}, v4_int16 = {0xe000, 0x585, 
    0xffdd, 0xb3ef}, v8_int8 = {0x0, 0xe0, 0x85, 0x5, 0xdd, 0xff, 0xef, 0xb3}}
mm3            {uint64 = 0xfffffffec16df800, v2_int32 = {0xc16df800,
0xfffffffe}, v4_int16 = {0xf800, 0xc16d, 
    0xfffe, 0xffff}, v8_int8 = {0x0, 0xf8, 0x6d, 0xc1, 0xfe, 0xff, 0xff, 0xff}}
mm4            {uint64 = 0xeeed87e67d4a0800, v2_int32 = {0x7d4a0800,
0xeeed87e6}, v4_int16 = {0x800, 0x7d4a, 
    0x87e6, 0xeeed}, v8_int8 = {0x0, 0x8, 0x4a, 0x7d, 0xe6, 0x87, 0xed, 0xee}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0xc800000000000000, v2_int32 = {0x0, 0xc8000000},
v4_int16 = {0x0, 0x0, 0x0, 0xc800}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc8}}
mm7            {uint64 = 0xc800000000000000, v2_int32 = {0x0, 0xc8000000},
v4_int16 = {0x0, 0x0, 0x0, 0xc800}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc8}}





Crash Information:

(gdb) finish
Run till exit from #0  unpack_parse_unit (pu=0x42424344, pc=0x92323a0,
offset=153296864)
    at libavcodec/dirac_parser.c:102
0x08253d01 in dirac_combine_frame (s=0x92323a0, avctx=0x9231fe0, next=17,
buf=0xbfffe2d4, buf_size=0xbfffe2d0)
    at libavcodec/dirac_parser.c:162
162         if (!unpack_parse_unit(&pu1, pc, pc->index - 13)                   
 ||
Value returned is $2 = 1

(gdb) p pu1
$3 = {next_pu_offset = 1633771873, prev_pu_offset = 2147483644, pu_type = 0
'\000'}


dirac_combine_frame:

        if (!unpack_parse_unit(&pu1, pc, pc->index - 13)                     ||
            !unpack_parse_unit(&pu, pc, pc->index - 13 - pu1.prev_pu_offset) ||
            pu.next_pu_offset != pu1.prev_pu_offset) {
            pc->index              -= 9;
            *buf_size               = next - 9;
            pc->header_bytes_needed = 9;
            return -1;
        }


# dirac_combine_frame() does not validate pu1.prev_pu_offset (a value unpack_parse_unit() reads out of the parsed data) before subtracting it from pc->index - 13 to form the offset for the second unpack_parse_unit() call.


static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
                             int offset)
{
    uint8_t *start = pc->buffer + offset;
    uint8_t *end   = pc->buffer + pc->index;
    if (start < pc->buffer || (start + 13 > end))
        return 0;
    pu->pu_type = start[4];


# Potential pointer-arithmetic overflow in (start + 13 > end): when offset is derived from an unchecked prev_pu_offset, start = pc->buffer + offset already points outside the buffer, so both start < pc->buffer and start + 13 > end compare out-of-bounds pointers and cannot be relied on to reject the unit.


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.minic at gmail.com and taekyoung at yonsei.ac.kr if you need more information
about the vulnerability and the lab.
