[libav-bugs] [Bug 1089] New: Null pointer dereference in audio_fifo.c

bugzilla at libav.org bugzilla at libav.org
Tue Oct 10 10:22:29 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1089

            Bug ID: 1089
           Summary: Null pointer dereference in audio_fifo.c
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavresample
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 689
  --> https://bugzilla.libav.org/attachment.cgi?id=689&action=edit
audio_fifo crash poc

Triggered by "./avconv -i $POC -f null". The fault is a read of the field at offset 8 of a NULL `af` argument (gdb shows `af=0x0`; the faulting instruction is `mov (%eax),%eax` with eax=8, matching the ASAN address 0x8), so the crash is a NULL-pointer read rather than a memory-corrupting write.

Configuration Information:

avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/
--toolchain=clang-asan



ASAN output:

$ ./avconv -i POC -f null -

==16435==ERROR: AddressSanitizer: SEGV on unknown address 0x00000008 (pc
0x09bf5fe9 bp 0xbf9dbaa8 sp 0xbf9db970 T0)
    #0 0x9bf5fe8 in av_audio_fifo_size
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/audio_fifo.c:188:16
    #1 0x9adfd34 in avresample_available
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavresample/utils.c:750:12
    #2 0x9adfd34 in avresample_get_out_samples
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavresample/utils.c:764
    #3 0x8232e8b in filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/af_resample.c:233:22
    #4 0x81bf013 in ff_filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:804:12
    #5 0x81bf7cf in default_filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:744:12
    #6 0x81bf013 in ff_filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:804:12
    #7 0x81c9a8f in request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/buffersrc.c:407:11
    #8 0x81bc55b in ff_request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:269:16
    #9 0x8234397 in request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/af_resample.c:191:15
    #10 0x81bc55b in ff_request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:269:16
    #11 0x81ca68b in request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/fifo.c:234:20
    #12 0x81bc55b in ff_request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:269:16
    #13 0x81c63fe in av_buffersink_get_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/buffersink.c:69:16
    #14 0x8198c8a in poll_filter
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:699:15
    #15 0x8198c8a in poll_filters
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:793
    #16 0x81945eb in transcode
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2720:15
    #17 0x81945eb in main
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2888
    #18 0xb74eb636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x8089f47 in _start
(/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/audio_fifo.c:188:16 in
av_audio_fifo_size



The GDB debugging information is as follows:

(gdb) bt
#0  0x09bf5fe9 in av_audio_fifo_size (af=0x0) at libavutil/audio_fifo.c:188
#1  0x09adfd35 in avresample_available (avr=<optimized out>) at
libavresample/utils.c:750
#2  avresample_get_out_samples (avr=<optimized out>, in_nb_samples=<optimized
out>) at libavresample/utils.c:764
#3  0x08232e8c in filter_frame (inlink=0x9c1ff10 <av_log>, in=<optimized out>)
at libavfilter/af_resample.c:233
#4  0x081bf014 in ff_filter_frame (link=<optimized out>, frame=<optimized out>)
at libavfilter/avfilter.c:804
#5  0x081bf7d0 in default_filter_frame (link=0xb6006b00, frame=0x0) at
libavfilter/avfilter.c:744
#6  0x081bf014 in ff_filter_frame (link=<optimized out>, frame=<optimized out>)
at libavfilter/avfilter.c:804
#7  0x081c9a90 in request_frame (link=<optimized out>) at
libavfilter/buffersrc.c:407
#8  0x081bc55c in ff_request_frame (link=0xb6006b00) at
libavfilter/avfilter.c:269
#9  0x08234398 in request_frame (outlink=<optimized out>) at
libavfilter/af_resample.c:191
#10 0x081bc55c in ff_request_frame (link=0xb60065c0) at
libavfilter/avfilter.c:269
#11 0x081ca68c in request_frame (outlink=0xb60066a0) at libavfilter/fifo.c:234
#12 0x081bc55c in ff_request_frame (link=0xb60066a0) at
libavfilter/avfilter.c:269
#13 0x081c63ff in av_buffersink_get_frame (ctx=<optimized out>, frame=0x8) at
libavfilter/buffersink.c:69
#14 0x08198c8b in poll_filter (ost=0xb5e097c0) at avconv.c:699
#15 poll_filters () at avconv.c:793
#16 0x081945ec in transcode () at avconv.c:2720
#17 main (argc=<optimized out>, argv=<optimized out>) at avconv.c:2888






(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x9bf5fc9 to 0x9bf6009:
   0x09bf5fc9:    pop    %ds
   0x09bf5fca:    test   %al,(%eax)
   0x09bf5fcc:    add    %al,(%eax)
   0x09bf5fce:    add    %al,(%eax)
   0x09bf5fd0 <av_audio_fifo_size+0>:    sub    $0xc,%esp
   0x09bf5fd3 <av_audio_fifo_size+3>:    mov    0x10(%esp),%eax
   0x09bf5fd7 <av_audio_fifo_size+7>:    add    $0x8,%eax
   0x09bf5fda <av_audio_fifo_size+10>:    mov    %eax,%ecx
   0x09bf5fdc <av_audio_fifo_size+12>:    shr    $0x3,%ecx
   0x09bf5fdf <av_audio_fifo_size+15>:    mov    0x20000000(%ecx),%cl
   0x09bf5fe5 <av_audio_fifo_size+21>:    test   %cl,%cl
   0x09bf5fe7 <av_audio_fifo_size+23>:    jne    0x9bf5fef
<av_audio_fifo_size+31>
=> 0x09bf5fe9 <av_audio_fifo_size+25>:    mov    (%eax),%eax
   0x09bf5feb <av_audio_fifo_size+27>:    add    $0xc,%esp
   0x09bf5fee <av_audio_fifo_size+30>:    ret    
   0x09bf5fef <av_audio_fifo_size+31>:    mov    %eax,%edx
   0x09bf5ff1 <av_audio_fifo_size+33>:    and    $0x7,%edx
   0x09bf5ff4 <av_audio_fifo_size+36>:    add    $0x3,%edx
   0x09bf5ff7 <av_audio_fifo_size+39>:    movsbl %cl,%ecx
   0x09bf5ffa <av_audio_fifo_size+42>:    cmp    %ecx,%edx
   0x09bf5ffc <av_audio_fifo_size+44>:    jl     0x9bf5fe9
<av_audio_fifo_size+25>
   0x09bf5ffe <av_audio_fifo_size+46>:    mov    %eax,(%esp)
   0x09bf6001 <av_audio_fifo_size+49>:    call   0x81386b0
<__asan_report_load4>
   0x09bf6006:    nopw   %cs:0x0(%eax,%eax,1)
End of assembler dump.



(gdb) info all-registers 
eax            0x8    8
ecx            0x0    0
edx            0xb5606304    -1251974396
ebx            0xb5606320    -1251974368
esp            0xbfffda70    0xbfffda70
ebp            0xbfffdba8    0xbfffdba8
esi            0x400    1024
edi            0x0    0
eip            0x9bf5fe9    0x9bf5fe9 <av_audio_fifo_size+25>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
st0            -inf    (raw 0xffff0000000000000000)
st1            -nan(0xffffffffffffffff)    (raw 0xffffffffffffffffffff)
st2            -nan(0xfff53251fff6c499)    (raw 0xfffffff53251fff6c499)
st3            -nan(0xfffc34e8fffcc228)    (raw 0xfffffffc34e8fffcc228)
st4            -nan(0x1000100010001)    (raw 0xffff0001000100010001)
st5            0    (raw 0x00000000000000000000)
st6            9.9999999999999994515327145420957165e-21    (raw
0x3fbcbce5086492111800)
st7            51199    (raw 0x400ec7ff000000000000)
fctrl          0x37f    895
fstat          0x420    1056
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x8193e7b    135872123
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0xff <repeats 16 times>, 0x0
<repeats 16 times>}, v16_int16 = {
---Type <return> to continue, or q <return> to quit---
    0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0xffffffffffffffff, 
    0xffffffffffffffff, 0x0, 0x0}, v2_int128 =
{0xffffffffffffffffffffffffffffffff, 
    0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0, 0x0, 0x0, 0x80, 0x80, 0xbb, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0xf, 0x0
<repeats 19 times>}, v16_int16 = {
    0x0, 0x8000, 0xbb80, 0x0, 0xffff, 0xffff, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int32 = {
    0x80000000, 0xbb80, 0xffffffff, 0xf, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xbb8080000000, 0xfffffffff, 0x0, 0x0}, 
  v2_int128 = {0x0000000fffffffff0000bb8080000000,
0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x40, 0x63, 0xa9, 0xb5, 0xa0, 0x62, 0xa9, 0xb5, 0x0, 0x62, 0xa9, 0xb5,
0x60, 0x61, 0xa9, 0xb5, 
    0x0 <repeats 16 times>}, v16_int16 = {0x6340, 0xb5a9, 0x62a0, 0xb5a9,
0x6200, 0xb5a9, 0x6160, 0xb5a9, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xb5a96340, 0xb5a962a0,
0xb5a96200, 0xb5a96160, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0xb5a962a0b5a96340, 0xb5a96160b5a96200, 0x0, 0x0},
v2_int128 = {
    0xb5a96160b5a96200b5a962a0b5a96340, 0x00000000000000000000000000000000}}
---Type <return> to continue, or q <return> to quit---
mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0xffffffffffffffff, v2_int32 = {0xffffffff,
0xffffffff}, v4_int16 = {0xffff, 0xffff, 
    0xffff, 0xffff}, v8_int8 = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff}}
mm2            {uint64 = 0xfff53251fff6c499, v2_int32 = {0xfff6c499,
0xfff53251}, v4_int16 = {0xc499, 0xfff6, 
    0x3251, 0xfff5}, v8_int8 = {0x99, 0xc4, 0xf6, 0xff, 0x51, 0x32, 0xf5,
0xff}}
mm3            {uint64 = 0xfffc34e8fffcc228, v2_int32 = {0xfffcc228,
0xfffc34e8}, v4_int16 = {0xc228, 0xfffc, 
    0x34e8, 0xfffc}, v8_int8 = {0x28, 0xc2, 0xfc, 0xff, 0xe8, 0x34, 0xfc,
0xff}}
mm4            {uint64 = 0x1000100010001, v2_int32 = {0x10001, 0x10001},
v4_int16 = {0x1, 0x1, 0x1, 0x1}, 
  v8_int8 = {0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0xbce5086492111800, v2_int32 = {0x92111800,
0xbce50864}, v4_int16 = {0x1800, 0x9211, 
    0x864, 0xbce5}, v8_int8 = {0x0, 0x18, 0x11, 0x92, 0x64, 0x8, 0xe5, 0xbc}}
mm7            {uint64 = 0xc7ff000000000000, v2_int32 = {0x0, 0xc7ff0000},
v4_int16 = {0x0, 0x0, 0x0, 0xc7ff}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xc7}}



Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.minic at gmail.com and taekyoung at yonsei.ac.kr if you need more information
about the vulnerability and the lab.
