[libav-bugs] [Bug 1095] New: Heap out of bounds read in pcm_encode_frame()

bugzilla at libav.org
Tue Oct 17 07:38:32 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1095

            Bug ID: 1095
           Summary: Heap out of bounds read in pcm_encode_frame()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 693
  --> https://bugzilla.libav.org/attachment.cgi?id=693&action=edit
POC to trigger heap out of bounds read

Triggered by "./avconv -i $POC -f null -"


Configuration Information:

avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/ --toolchain=clang-asan


ASAN output:
$ ./avconv -i POC -f null -

==6039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb030d200 at pc 0x08117295 bp 0xbfdb7de8 sp 0xbfdb79c0
READ of size 96256 at 0xb030d200 thread T0
    #0 0x8117294 in __asan_memcpy (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8117294)
    #1 0x8e3e596 in pcm_encode_frame /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/pcm.c:168:9
    #2 0x90eee48 in avcodec_encode_audio2 /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1339:11
    #3 0x90f44dd in do_encode /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1862:15
    #4 0x90f4149 in avcodec_send_frame /home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1908:12
    #5 0x8199532 in do_audio_out /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:436:11
    #6 0x8199532 in poll_filter /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:724
    #7 0x8199532 in poll_filters /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:793
    #8 0x81945eb in transcode /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2720:15
    #9 0x81945eb in main /home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2888
    #10 0xb7498636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x8089f47 in _start (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

0xb030d200 is located 0 bytes to the right of 24576-byte region [0xb0307200,0xb030d200)
allocated by thread T0 here:
    #0 0x812eb34 in __interceptor_posix_memalign (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x812eb34)
    #1 0x9c232bd in av_malloc /home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/mem.c:81:9
    #2 0x9bf7d65 in av_buffer_alloc /home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/buffer.c:71:12
    #3 0x9c0df00 in get_audio_buffer /home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/frame.c:167:25
    #4 0x9c0df00 in av_frame_get_buffer /home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/frame.c:194

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8117294) in __asan_memcpy
Shadow bytes around the buggy address:
==6039==ABORTING


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.minic at gmail.com and taekyoung at yonsei.ac.kr if you need more information
about the vulnerability and the lab.
