[libav-bugs] [Bug 1121] New: avconv crashes -- several invalid writes

bugzilla at libav.org bugzilla at libav.org
Sun Apr 22 16:43:00 CEST 2018


https://bugzilla.libav.org/show_bug.cgi?id=1121

            Bug ID: 1121
           Summary: avconv crashes -- several invalid writes
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: thuanpv at comp.nus.edu.sg

Created attachment 711
  --> https://bugzilla.libav.org/attachment.cgi?id=711&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit & libav revision 39f3b6 (HEAD).

To reproduce:
Download the attached file - libav_crash1.wav
avconv -i libav_crash1.wav -f null -

Error message:

[mm @ 0x3e4b060] unknown chunk type 0x111f
[mm @ 0x3e4b060] unknown chunk type 0xa72
[mm @ 0x3e4b060] unknown chunk type 0xbfe
[mm @ 0x3e4b060] unknown chunk type 0x6900
[mm @ 0x3e4b060] unknown chunk type 0xdf00
[mm @ 0x3e4b060] unknown chunk type 0xb
[mm @ 0x3e4b060] Estimating duration from bitrate, this may be inaccurate
Input #0, mm, from 'libav_crash_1.wav':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: mmvideo
      pal8, 366x4
      1 tbn
    Stream #0:1: Audio: pcm_u8
      8000 Hz, mono, u8, 64 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (mmvideo (native) -> wrapped_avframe (native))
  Stream #0:1 -> #0:1 (pcm_u8 (native) -> pcm_s16le (native))
Press ctrl-c to stop encoding
Error while decoding stream #0:0
libav_crash_1.wav: Input/output error
Video encoding failed
*** Error in `../libav/avconv': corrupted size vs. prev_size:
0x0000000003e4c1b0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fae8bcda7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80dfb)[0x7fae8bce3dfb]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fae8bce753c]
../libav/avconv[0x2085f47]
../libav/avconv[0x480545]
../libav/avconv[0x13a0e2b]
../libav/avconv[0x54baaa]
../libav/avconv[0x534702]
../libav/avconv[0x4f9456]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae8bc83830]
../libav/avconv[0x5059d9]
======= Memory map: ========
00400000-02411000 r-xp 00000000 08:07 5646055                           
/home/thuan/experiments/libav/avconv
02610000-02611000 r--p 02010000 08:07 5646055                           
/home/thuan/experiments/libav/avconv
02611000-0263d000 rw-p 02011000 08:07 5646055                           
/home/thuan/experiments/libav/avconv
0263d000-02c37000 rw-p 00000000 00:00 0 
03e4b000-03e85000 rw-p 00000000 00:00 0                                  [heap]
7fae84000000-7fae84021000 rw-p 00000000 00:00 0 
7fae84021000-7fae88000000 ---p 00000000 00:00 0 
7fae8ba4c000-7fae8ba62000 r-xp 00000000 08:07 1970553                   
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fae8ba62000-7fae8bc61000 ---p 00016000 08:07 1970553                   
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fae8bc61000-7fae8bc62000 r--p 00015000 08:07 1970553                   
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fae8bc62000-7fae8bc63000 rw-p 00016000 08:07 1970553                   
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fae8bc63000-7fae8be23000 r-xp 00000000 08:07 1971528                   
/lib/x86_64-linux-gnu/libc-2.23.so
7fae8be23000-7fae8c023000 ---p 001c0000 08:07 1971528                   
/lib/x86_64-linux-gnu/libc-2.23.so
7fae8c023000-7fae8c027000 r--p 001c0000 08:07 1971528                   
/lib/x86_64-linux-gnu/libc-2.23.so
7fae8c027000-7fae8c029000 rw-p 001c4000 08:07 1971528                   
/lib/x86_64-linux-gnu/libc-2.23.so
7fae8c029000-7fae8c02d000 rw-p 00000000 00:00 0 
7fae8c02d000-7fae8c045000 r-xp 00000000 08:07 1971527                   
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fae8c045000-7fae8c244000 ---p 00018000 08:07 1971527                   
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fae8c244000-7fae8c245000 r--p 00017000 08:07 1971527                   
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fae8c245000-7fae8c246000 rw-p 00018000 08:07 1971527                   
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fae8c246000-7fae8c24a000 rw-p 00000000 00:00 0 
7fae8c24a000-7fae8c263000 r-xp 00000000 08:07 1970845                   
/lib/x86_64-linux-gnu/libz.so.1.2.8
7fae8c263000-7fae8c462000 ---p 00019000 08:07 1970845                   
/lib/x86_64-linux-gnu/libz.so.1.2.8
7fae8c462000-7fae8c463000 r--p 00018000 08:07 1970845                   
/lib/x86_64-linux-gnu/libz.so.1.2.8
7fae8c463000-7fae8c464000 rw-p 00019000 08:07 1970845                   
/lib/x86_64-linux-gnu/libz.so.1.2.8
7fae8c464000-7fae8c56c000 r-xp 00000000 08:07 1966085                   
/lib/x86_64-linux-gnu/libm-2.23.so
7fae8c56c000-7fae8c76b000 ---p 00108000 08:07 1966085                   
/lib/x86_64-linux-gnu/libm-2.23.so
7fae8c76b000-7fae8c76c000 r--p 00107000 08:07 1966085                   
/lib/x86_64-linux-gnu/libm-2.23.so
7fae8c76c000-7fae8c76d000 rw-p 00108000 08:07 1966085                   
/lib/x86_64-linux-gnu/libm-2.23.so
7fae8c76d000-7fae8c793000 r-xp 00000000 08:07 1971526                   
/lib/x86_64-linux-gnu/ld-2.23.so
7fae8c974000-7fae8c979000 rw-p 00000000 00:00 0 
7fae8c991000-7fae8c992000 rw-p 00000000 00:00 0 
7fae8c992000-7fae8c993000 r--p 00025000 08:07 1971526                   
/lib/x86_64-linux-gnu/ld-2.23.so
7fae8c993000-7fae8c994000 rw-p 00026000 08:07 1971526                   
/lib/x86_64-linux-gnu/ld-2.23.so
7fae8c994000-7fae8c995000 rw-p 00000000 00:00 0 
7fffc7fad000-7fffc7fce000 rw-p 00000000 00:00 0                         
[stack]
7fffc7fda000-7fffc7fdd000 r--p 00000000 00:00 0                          [vvar]
7fffc7fdd000-7fffc7fdf000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                 
[vsyscall]
Aborted (core dumped)


Valgrind says:

==15678== Invalid write of size 1
==15678==    at 0x4C344E5: memset (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x119A6D9: mm_decode_intra (string3.h:90)
==15678==    by 0x119B959: mm_decode_frame (mmvideo.c:216)
==15678==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==15678==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==15678==    by 0x55A167: decode (avconv.c:1309)
==15678==    by 0x55A167: decode_video (avconv.c:1409)
==15678==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==15678==    by 0x4FCD89: process_input (avconv.c:2756)
==15678==    by 0x4FCD89: transcode (avconv.c:2798)
==15678==    by 0x4FCD89: main (avconv.c:2972)
==15678==  Address 0x599d836 is 6 bytes after a block of size 1,552 alloc'd
==15678==    at 0x4C2FFC6: memalign (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x4C300D1: posix_memalign (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x20D4B1B: av_malloc (mem.c:71)
==15678==    by 0x2084241: av_buffer_alloc (buffer.c:72)
==15678==    by 0x2086515: av_buffer_pool_get (buffer.c:289)
==15678==    by 0xBD28D2: avcodec_default_get_buffer2 (decode.c:1143)
==15678==    by 0xBD4B9E: ff_get_buffer (decode.c:1345)
==15678==    by 0xBD5C11: ff_reget_buffer (decode.c:1374)
==15678==    by 0x119A953: mm_decode_frame (mmvideo.c:207)
==15678==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==15678==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==15678==    by 0x55A167: decode (avconv.c:1309)
==15678==    by 0x55A167: decode_video (avconv.c:1409)
==15678== 
==15678== Invalid write of size 1
==15678==    at 0x4C34558: memset (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x119A6D9: mm_decode_intra (string3.h:90)
==15678==    by 0x119B959: mm_decode_frame (mmvideo.c:216)
==15678==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==15678==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==15678==    by 0x55A167: decode (avconv.c:1309)
==15678==    by 0x55A167: decode_video (avconv.c:1409)
==15678==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==15678==    by 0x4FCD89: process_input (avconv.c:2756)
==15678==    by 0x4FCD89: transcode (avconv.c:2798)
==15678==    by 0x4FCD89: main (avconv.c:2972)
==15678==  Address 0x599d838 is 8 bytes after a block of size 1,552 alloc'd
==15678==    at 0x4C2FFC6: memalign (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x4C300D1: posix_memalign (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x20D4B1B: av_malloc (mem.c:71)
==15678==    by 0x2084241: av_buffer_alloc (buffer.c:72)
==15678==    by 0x2086515: av_buffer_pool_get (buffer.c:289)
==15678==    by 0xBD28D2: avcodec_default_get_buffer2 (decode.c:1143)
==15678==    by 0xBD4B9E: ff_get_buffer (decode.c:1345)
==15678==    by 0xBD5C11: ff_reget_buffer (decode.c:1374)
==15678==    by 0x119A953: mm_decode_frame (mmvideo.c:207)
==15678==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==15678==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==15678==    by 0x55A167: decode (avconv.c:1309)
==15678==    by 0x55A167: decode_video (avconv.c:1409)
==15678== 
...
Error while decoding stream #0:0
libav_crash_1.wav: Input/output error
Video encoding failed
==15678== 
==15678== Process terminating with default action of signal 11 (SIGSEGV)
==15678==  General Protection Fault
==15678==    at 0x2084CB4: av_buffer_unref (buffer.c:116)
==15678==    by 0x20AC8B3: av_frame_unref (frame.c:313)
==15678==    by 0x20ACBE7: av_frame_free (frame.c:86)
==15678==    by 0x449091: mm_decode_end (mmvideo.c:241)
==15678==    by 0x4804B0: avcodec_close (utils.c:746)
==15678==    by 0x13A0E2A: avcodec_free_context (options.c:158)
==15678==    by 0x54BAA9: avconv_cleanup (avconv.c:229)
==15678==    by 0x534701: exit_program (cmdutils.c:98)
==15678==    by 0x4F9455: main (avconv.c:2957)

ASAN says:

==10062==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61b00001f900 at pc 0x7f6d3661ceb4 bp 0x7ffe204e13d0 sp 0x7ffe204e0b78
WRITE of size 2 at 0x61b00001f900 thread T0
    #0 0x7f6d3661ceb3  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47eb3)
    #1 0xc018a5  (/home/thuan/experiments/libav-asan/avconv+0xc018a5)
    #2 0xc03061  (/home/thuan/experiments/libav-asan/avconv+0xc03061)
    #3 0x8a32ef  (/home/thuan/experiments/libav-asan/avconv+0x8a32ef)
    #4 0x8a3f47  (/home/thuan/experiments/libav-asan/avconv+0x8a3f47)
    #5 0x5117dd  (/home/thuan/experiments/libav-asan/avconv+0x5117dd)
    #6 0x4d2b0a  (/home/thuan/experiments/libav-asan/avconv+0x4d2b0a)
    #7 0x7f6d35aeb82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x4e22c8  (/home/thuan/experiments/libav-asan/avconv+0x4e22c8)

AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47eb3) 
Shadow bytes around the buggy address:
  0x0c367fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffbef0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fffbf20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffbf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10062==ABORTING


Regards,

Thuan
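The Valgrind and ASan output above is the kind of material a fuzzing campaign produces by the hundred, and the useful first step is to reduce it to a signature (access type, faulting function, source site) plus the overflow geometry (how many bytes past which block) so duplicates collapse into one bucket. The script below is an added example, not part of this bug report or of the Libav tree: it parses Valgrind memcheck "Invalid read/write" records and the AddressSanitizer header, and buckets them by signature. The sample input is constructed from the report above with mail-wrapped lines rejoined; the regex for symbolized ASan frames (`#N 0x... in func file:line`) assumes the standard llvm-symbolizer frame layout, which the unsymbolized report above does not contain.

```python
"""Triage helper for fuzzer-found memory errors (added example, not Libav code).
Parses Valgrind memcheck "Invalid read/write" records and AddressSanitizer
reports into a common record and collapses repeated hits of one site."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Valgrind output from the report, wrapped lines rejoined.
SAMPLE_VALGRIND = """\
==15678== Invalid write of size 1
==15678==    at 0x4C344E5: memset (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x119A6D9: mm_decode_intra (string3.h:90)
==15678==    by 0x119B959: mm_decode_frame (mmvideo.c:216)
==15678==  Address 0x599d836 is 6 bytes after a block of size 1,552 alloc'd
==15678==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x20D4B1B: av_malloc (mem.c:71)
==15678==
==15678== Invalid write of size 1
==15678==    at 0x4C34558: memset (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==    by 0x119A6D9: mm_decode_intra (string3.h:90)
==15678==    by 0x119B959: mm_decode_frame (mmvideo.c:216)
==15678==  Address 0x599d838 is 8 bytes after a block of size 1,552 alloc'd
==15678==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15678==
==15678== Process terminating with default action of signal 11 (SIGSEGV)
==15678==    at 0x2084CB4: av_buffer_unref (buffer.c:116)
"""

# Constructed sample: the (unsymbolized) ASan header from the report.
SAMPLE_ASAN = """\
==10062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001f900 at pc 0x7f6d3661ceb4 bp 0x7ffe204e13d0 sp 0x7ffe204e0b78
WRITE of size 2 at 0x61b00001f900 thread T0
    #0 0x7f6d3661ceb3  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47eb3)
    #1 0xc018a5  (/home/thuan/experiments/libav-asan/avconv+0xc018a5)
"""

VG_ERR = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
VG_ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d[\d,]*) bytes "
                     r"(after|before) a block of size (\d[\d,]*)")
ASAN_ERR = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ASAN_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# Symbolized ASan frame layout (assumption: standard llvm-symbolizer output).
ASAN_FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)


@dataclass
class MemError:
    tool: str
    kind: str                         # "Invalid write", "heap-buffer-overflow", ...
    access: str                       # "read" or "write"
    size: int                         # bytes touched by the faulting access
    function: Optional[str] = None    # first frame that carries source info
    site: Optional[str] = None        # file:line of that frame
    offset: Optional[int] = None      # bytes past block end (negative = before it)
    block_size: Optional[int] = None

    def signature(self) -> str:
        """Dedup key: same access type at the same source site is one bug."""
        return f"{self.access}@{self.function or '?'}:{self.site or '?'}"

    def reach(self) -> Optional[int]:
        """How far beyond the block's end the access extends, in bytes."""
        return None if self.offset is None else self.offset + self.size


def parse_valgrind(text: str) -> list[MemError]:
    errors: list[MemError] = []
    cur: Optional[MemError] = None
    in_access_stack = False           # frames after the Address line are the alloc stack
    for line in text.splitlines():
        m = VG_ERR.match(line)
        if m:
            cur = MemError("valgrind", f"Invalid {m.group(1)}", m.group(1), int(m.group(2)))
            errors.append(cur)
            in_access_stack = True
            continue
        if cur is None:
            continue
        m = VG_ADDR.match(line)
        if m:
            n = int(m.group(1).replace(",", ""))
            cur.offset = n if m.group(2) == "after" else -n
            cur.block_size = int(m.group(3).replace(",", ""))
            in_access_stack = False
            continue
        m = VG_FRAME.match(line)
        # Skip preload/library frames ("in /usr/lib/..."): they carry no source site.
        if m and in_access_stack and cur.function is None and not m.group(2).startswith("in "):
            cur.function, cur.site = m.group(1), m.group(2)
    return errors


def parse_asan(text: str) -> Optional[MemError]:
    m = ASAN_ERR.search(text)
    if not m:
        return None
    acc = ASAN_ACCESS.search(text)
    err = MemError("asan", m.group(1),
                   acc.group(1).lower() if acc else "?",
                   int(acc.group(2)) if acc else 0)
    f = ASAN_FRAME.search(text)       # stays None for unsymbolized output
    if f:
        err.function, err.site = f.group(1), f.group(2)
    return err


def bucket(errors: list[MemError]) -> Counter:
    """Collapse repeated hits of one site so a fuzzing run yields unique bugs."""
    return Counter(e.signature() for e in errors)


if __name__ == "__main__":
    errs = parse_valgrind(SAMPLE_VALGRIND)
    for e in errs:
        print(f"{e.signature()}: {e.offset}+{e.size} bytes past a {e.block_size}-byte block")
    print(bucket(errs))
    print(parse_asan(SAMPLE_ASAN))
```

On the report's own output this yields one bucket, `write@mm_decode_intra:string3.h:90`, hit twice (6 and 8 bytes past the 1,552-byte frame buffer), while the ASan record has no function at all: ASan frames resolve to names only when `llvm-symbolizer` is on the path or `ASAN_SYMBOLIZER_PATH` points at it, so a bucketing step needs the symbolized build or the Valgrind run, not the raw ASan offsets.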
