[libav-bugs] [Bug 1093] New: Global Out of bounds read in apply_dependent_coupling()

bugzilla at libav.org bugzilla at libav.org
Tue Oct 17 07:31:46 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1093

            Bug ID: 1093
           Summary: Global Out of bounds read in
                    apply_dependent_coupling()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 691
  --> https://bugzilla.libav.org/attachment.cgi?id=691&action=edit
POC to trigger global out of bounds read

Triggered by "./avconv -i $POC -f null"


Configuration Information:

avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/ --toolchain=clang-asan


ASAN output:
$ ./avconv -i POC -f null -

==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x09fc32fe at pc 0x094e64ee bp 0xbfcea268 sp 0xbfcea25c
READ of size 2 at 0x09fc32fe thread T0
    #0 0x94e64ed in apply_dependent_coupling /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/aacdec.c:2579:46
    #1 0x94ddd1e in apply_channel_coupling /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/aacdec.c:2632:25
    #2 0x94ddd1e in spectral_to_sample /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/aacdec.c:2667
    #3 0x94d3163 in aac_decode_frame_int /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/aacdec.c:2945:5
    #4 0x94c0cd7 in aac_decode_frame /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/aacdec.c:3011:15
    #5 0x90f21c9 in avcodec_decode_audio4 /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1653:15
    #6 0x90f31e4 in do_decode /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1732:15
    #7 0x90f2dbf in avcodec_send_packet /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1804:12
    #8 0x81a03cf in decode /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:1295:15
    #9 0x81a03cf in decode_audio /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:1341
    #10 0x81a03cf in process_input_packet /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:1500
    #11 0x81945bb in process_input /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2673:5
    #12 0x81945bb in transcode /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2715
    #13 0x81945bb in main /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2888
    #14 0xb74f0636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x8089f47 in _start (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

0x09fc32fe is located 34 bytes to the left of global variable 'swb_offset_128_24' defined in 'libavcodec/aactab.c:1195:23' (0x9fc3320) of size 32
0x09fc32fe is located 0 bytes to the right of global variable 'swb_offset_128_48' defined in 'libavcodec/aactab.c:1141:23' (0x9fc32e0) of size 30
SUMMARY: AddressSanitizer: global-buffer-overflow /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/aacdec.c:2579:46 in apply_dependent_coupling
Shadow bytes around the buggy address:
  0x213f8600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x213f8610: 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
  0x213f8620: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x213f8630: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x213f8640: 00 00 00 06 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
=>0x213f8650: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00[06]
  0x213f8660: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x213f8670: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x213f8680: 00 00 04 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
  0x213f8690: 00 05 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
  0x213f86a0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4180==ABORTING


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.minic at gmail.com and taekyoung at yonsei.ac.kr if you need more information
about the vulnerability and the lab.
