[libav-bugs] [Bug 1094] New: Heap out of bounds read in mpc8_probe()

bugzilla at libav.org bugzilla at libav.org
Tue Oct 17 07:34:36 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1094

            Bug ID: 1094
           Summary: Heap out of bounds read in mpc8_probe()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 692
  --> https://bugzilla.libav.org/attachment.cgi?id=692&action=edit
POC to trigger heap out of bounds read

Triggered by "./avconv -i $POC -f null"


Configuration Information:

avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/ --toolchain=clang-asan


ASAN output:
$ ./avconv -i POC -f null -

==5447==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb450a045 at pc 0x0838d1d7 bp 0xbfec1eb8 sp 0xbfec1eac
READ of size 1 at 0xb450a045 thread T0
    #0 0x838d1d6 in mpc8_probe /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/mpc8.c:87:29
    #1 0x82c731f in av_probe_input_format2 /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/format.c:193:21
    #2 0x82c7fcc in av_probe_input_buffer /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/format.c:286:16
    #3 0x84ff4f5 in init_input /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:198:20
    #4 0x84ff4f5 in avformat_open_input /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:303
    #5 0x816aa12 in open_input_file /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:754:11
    #6 0x8169cdc in open_files /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:2380:15
    #7 0x8169730 in avconv_parse_options /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:2417:11
    #8 0x818f46e in main /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2866:11
    #9 0xb7485636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x8089f47 in _start (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

0xb450a045 is located 59 bytes to the left of 2080-byte region [0xb450a080,0xb450a8a0)
allocated by thread T0 here:
    #0 0x812e5f4 in realloc (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x812e5f4)
    #1 0x9c23405 in av_realloc /home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/mem.c:136:12
    #2 0x9c23405 in av_reallocp /home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/mem.c:150

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/mpc8.c:87:29 in mpc8_probe
==5447==ABORTING


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.minic at gmail.com and taekyoung at yonsei.ac.kr if you need more information
about the vulnerability and the lab.
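As an added triage helper, not part of this report or of Libav, the following parser pulls the facts an analyst needs out of the AddressSanitizer output quoted above: bug class, access kind and size, the faulting frame, and where the bad address sits relative to the heap allocation ASan attributed it to. The embedded sample report is constructed from the lines quoted above.

```python
import re

# Constructed sample: the key lines of the AddressSanitizer report quoted in this bug
SAMPLE_REPORT = """\
==5447==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb450a045 at pc 0x0838d1d7 bp 0xbfec1eb8 sp 0xbfec1eac
READ of size 1 at 0xb450a045 thread T0
    #0 0x838d1d6 in mpc8_probe /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/mpc8.c:87:29
    #1 0x82c731f in av_probe_input_format2 /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/format.c:193:21
0xb450a045 is located 59 bytes to the left of 2080-byte region [0xb450a080,0xb450a8a0)
allocated by thread T0 here:
    #0 0x812e5f4 in realloc (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x812e5f4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/mpc8.c:87:29 in mpc8_probe
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)", re.M)  # first #0 is the fault stack
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def triage_asan(report: str) -> dict:
    """Extract bug class, access, faulting frame and address-vs-allocation position."""
    err, acc = ERROR_RE.search(report), ACCESS_RE.search(report)
    frame, region = FRAME_RE.search(report), REGION_RE.search(report)
    if not (err and acc and frame and region):
        raise ValueError("not a recognisable AddressSanitizer heap report")
    addr = int(err.group(2), 16)
    size, lo, hi = int(region.group(1)), int(region.group(2), 16), int(region.group(3), 16)
    if hi - lo != size:
        raise ValueError("region bounds disagree with stated size")
    # ASan gives the distance from the nearest edge of the region. "to the left"
    # means the access landed before the allocation start (a negative index or a
    # pointer that moved backwards), not a plain over-read past the end.
    if addr < lo:
        side, distance = "left", lo - addr
    elif addr >= hi:
        side, distance = "right", addr - hi
    else:
        side, distance = "inside", addr - lo
    return {
        "bug": err.group(1),            # e.g. heap-buffer-overflow
        "access": acc.group(1),         # READ: crash / info leak; WRITE: memory corruption
        "access_size": int(acc.group(2)),
        "function": frame.group(1),
        "location": frame.group(2),     # file:line:col of the faulting frame
        "side": side,
        "distance": distance,
        "region_size": size,
    }
```

For the report above it yields a 1-byte READ in mpc8_probe at mpc8.c:87:29, 59 bytes to the left of the 2080-byte probe buffer.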
