[libav-bugs] [Bug 1123] New: avconv crashes because of an AVI file -- many buffer overwrites

bugzilla at libav.org bugzilla at libav.org
Mon Apr 23 14:41:17 CEST 2018


https://bugzilla.libav.org/show_bug.cgi?id=1123

            Bug ID: 1123
           Summary: avconv crashes because of an AVI file -- many buffer
                    overwrites
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: thuanpv at comp.nus.edu.sg

Created attachment 713
  --> https://bugzilla.libav.org/attachment.cgi?id=713&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit and libav revision 39f3b6 (HEAD).

To reproduce:
Download the attached file - libav_crash_1.avi
avconv -i libav_crash_1.avi -f null -

Valgrind says:

==166146== Invalid write of size 8
==166146==    at 0x1091160: ff_ivi_put_dc_pixel_8x8 (string3.h:90)
==166146==    by 0x108239F: ff_ivi_decode_frame (ivi.c:497)
==166146==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==166146==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==166146==    by 0x55A167: decode (avconv.c:1309)
==166146==    by 0x55A167: decode_video (avconv.c:1409)
==166146==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==166146==    by 0x4FCD89: process_input (avconv.c:2756)
==166146==    by 0x4FCD89: transcode (avconv.c:2798)
==166146==    by 0x4FCD89: main (avconv.c:2972)
==166146==  Address 0x59cf2a0 is 0 bytes after a block of size 2,560 alloc'd
==166146==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==166146==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==166146==    by 0x20D5832: av_mallocz (mem.c:71)
==166146==    by 0x442C07: ff_ivi_init_planes (ivi.c:370)
==166146==    by 0x104E42E: decode_pic_hdr (indeo4.c:190)
==166146==    by 0x107EFAC: ff_ivi_decode_frame (ivi.c:1036)
==166146==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==166146==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==166146==    by 0x55A167: decode (avconv.c:1309)
==166146==    by 0x55A167: decode_video (avconv.c:1409)
==166146==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==166146==    by 0x4FCD89: process_input (avconv.c:2756)
==166146==    by 0x4FCD89: transcode (avconv.c:2798)
==166146==    by 0x4FCD89: main (avconv.c:2972)
==166146== 
==166146== Invalid write of size 8
==166146==    at 0x1091167: ff_ivi_put_dc_pixel_8x8 (string3.h:90)
==166146==    by 0x108239F: ff_ivi_decode_frame (ivi.c:497)
==166146==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==166146==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==166146==    by 0x55A167: decode (avconv.c:1309)
==166146==    by 0x55A167: decode_video (avconv.c:1409)
==166146==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==166146==    by 0x4FCD89: process_input (avconv.c:2756)
==166146==    by 0x4FCD89: transcode (avconv.c:2798)
==166146==    by 0x4FCD89: main (avconv.c:2972)
==166146==  Address 0x59cf2a8 is 8 bytes after a block of size 2,560 alloc'd
==166146==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==166146==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==166146==    by 0x20D5832: av_mallocz (mem.c:71)
==166146==    by 0x442C07: ff_ivi_init_planes (ivi.c:370)
==166146==    by 0x104E42E: decode_pic_hdr (indeo4.c:190)
==166146==    by 0x107EFAC: ff_ivi_decode_frame (ivi.c:1036)
==166146==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==166146==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==166146==    by 0x55A167: decode (avconv.c:1309)
==166146==    by 0x55A167: decode_video (avconv.c:1409)
==166146==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==166146==    by 0x4FCD89: process_input (avconv.c:2756)
==166146==    by 0x4FCD89: transcode (avconv.c:2798)
==166146==    by 0x4FCD89: main (avconv.c:2972)

==166146== Invalid write of size 8
==166146==    at 0x1091175: ff_ivi_put_dc_pixel_8x8 (ivi_dsp.c:760)
==166146==    by 0x108239F: ff_ivi_decode_frame (ivi.c:497)
==166146==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==166146==    by 0xBCD2DF: avcodec_send_packet (decode.c:470)
==166146==    by 0x55A167: decode (avconv.c:1309)
==166146==    by 0x55A167: decode_video (avconv.c:1409)
==166146==    by 0x4FCD89: process_input_packet (avconv.c:1528)
==166146==    by 0x4FCD89: process_input (avconv.c:2756)
==166146==    by 0x4FCD89: transcode (avconv.c:2798)
==166146==    by 0x4FCD89: main (avconv.c:2972)
==166146==  Address 0x59cf2f0 is 0 bytes inside an unallocated block of size 16 in arena "client"
==166146== 

ASAN says:

==179022==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000e280 at pc 0x7fbb33844eb4 bp 0x7ffc76b08260 sp 0x7ffc76b07a08
WRITE of size 16 at 0x61e00000e280 thread T0
    #0 0x7fbb33844eb3  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47eb3)
    #1 0xb7e4de  (/home/thuan/subjects/libav-asan/avconv+0xb7e4de)
    #2 0xb6f97e  (/home/thuan/subjects/libav-asan/avconv+0xb6f97e)
    #3 0x8a32ef  (/home/thuan/subjects/libav-asan/avconv+0x8a32ef)
    #4 0x8a3f47  (/home/thuan/subjects/libav-asan/avconv+0x8a3f47)
    #5 0x5117dd  (/home/thuan/subjects/libav-asan/avconv+0x5117dd)
    #6 0x4d2b0a  (/home/thuan/subjects/libav-asan/avconv+0x4d2b0a)
    #7 0x7fbb32d1382f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x4e22c8  (/home/thuan/subjects/libav-asan/avconv+0x4e22c8)

0x61e00000e280 is located 0 bytes to the right of 2560-byte region [0x61e00000d880,0x61e00000e280)
allocated by thread T0 here:
    #0 0x7fbb338c4a90  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7a90)
    #1 0x16b9b5e  (/home/thuan/subjects/libav-asan/avconv+0x16b9b5e)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47eb3)
Shadow bytes around the buggy address:
  0x0c3c7fff9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff9c50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Regards,

Thuan

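The Valgrind and ASAN excerpts in this report carry what a fuzzing campaign needs for triage: the access kind and width, the distance from the neighbouring allocation (0 and 8 bytes past a 2560-byte block here, then a write into freed heap), and the top frames. The Python script below is an added example, not part of this report and not libav code; it parses constructed, abridged copies of the two traces above into triage records and a stack signature for de-duplicating crashes. Names such as Finding, parse_valgrind and parse_asan are this example's own.

```python
"""Triage records from the Valgrind and AddressSanitizer output quoted in this report.
Added example, not libav code and not part of the bug report; the sample strings at
the bottom are constructed, abridged copies of the traces above."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    tool: str
    kind: str                  # "read" or "write"
    width: int                 # bytes accessed
    relation: str              # "after", "before", "inside" or "unallocated"
    block_size: Optional[int]  # size of the neighbouring allocation, if any
    offset: Optional[int]      # distance from that block's edge (0 = adjacent)
    signature: str             # top frames joined with "|", for de-duplication


VG_HDR = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")
VG_ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside) "
                     r"(?:a|an) (unallocated )?block of size ([\d,]+)")


def parse_valgrind(text: str, depth: int = 3) -> List[Finding]:
    findings, cur, frames = [], None, []
    for line in text.splitlines():
        if (m := VG_HDR.match(line)):
            cur, frames = (m.group(1), int(m.group(2))), []
        elif cur is None:
            continue                      # allocation stacks and separators
        elif (m := VG_FRAME.match(line)):
            frames.append(m.group(1))
        elif (m := VG_ADDR.match(line)):
            off, rel, unalloc, size = m.groups()
            if unalloc:                   # free heap: no owning allocation to measure from
                rel, size, off = "unallocated", None, None
            else:
                size, off = int(size.replace(",", "")), int(off)
            findings.append(Finding("valgrind", cur[0], cur[1], rel, size, off,
                                    "|".join(frames[:depth])))
            cur = None
    return findings


ASAN_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
ASAN_FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+(.*)$")
ASAN_ADDR = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes "
                       r"(?:to the (right|left) of|inside of) (\d+)-byte region")


def _asan_frame_name(rest: str) -> Optional[str]:
    """Symbol if symbolised, else module+offset; None for sanitizer-runtime frames."""
    if (m := re.match(r"in (\S+)", rest)):
        name = m.group(1)
        return None if name.startswith(("__asan", "__interceptor")) else name
    if (m := re.search(r"\(([^)]*)\)", rest)):
        module = m.group(1).rsplit("/", 1)[-1]
        return None if module.startswith("libasan") else module
    return None


def parse_asan(text: str, depth: int = 3) -> List[Finding]:
    findings, cur, frames = [], None, []
    for line in text.splitlines():
        if (m := ASAN_ACCESS.match(line)):
            cur, frames = (m.group(1).lower(), int(m.group(2))), []
        elif cur is None:
            continue
        elif (m := ASAN_FRAME.match(line)):
            if (name := _asan_frame_name(m.group(1))):
                frames.append(name)       # the memset interceptor frame (#0) is dropped
        elif (m := ASAN_ADDR.match(line)):
            off, side, size = m.groups()
            rel = {"right": "after", "left": "before", None: "inside"}[side]
            findings.append(Finding("asan", cur[0], cur[1], rel, int(size), int(off),
                                    "|".join(frames[:depth])))
            cur = None
    return findings


VALGRIND_SAMPLE = """\
==166146== Invalid write of size 8
==166146==    at 0x1091160: ff_ivi_put_dc_pixel_8x8 (string3.h:90)
==166146==    by 0x108239F: ff_ivi_decode_frame (ivi.c:497)
==166146==    by 0xBCC2C3: decode_receive_frame_internal (decode.c:336)
==166146==  Address 0x59cf2a0 is 0 bytes after a block of size 2,560 alloc'd
==166146== Invalid write of size 8
==166146==    at 0x1091175: ff_ivi_put_dc_pixel_8x8 (ivi_dsp.c:760)
==166146==  Address 0x59cf2f0 is 0 bytes inside an unallocated block of size 16 in arena "client"
"""
ASAN_SAMPLE = """\
WRITE of size 16 at 0x61e00000e280 thread T0
    #0 0x7fbb33844eb3  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47eb3)
    #1 0xb7e4de  (/home/thuan/subjects/libav-asan/avconv+0xb7e4de)
    #2 0xb6f97e  (/home/thuan/subjects/libav-asan/avconv+0xb6f97e)
    #3 0x8a32ef  (/home/thuan/subjects/libav-asan/avconv+0x8a32ef)
0x61e00000e280 is located 0 bytes to the right of 2560-byte region [0x61e00000d880,0x61e00000e280)
"""

if __name__ == "__main__":
    for f in parse_valgrind(VALGRIND_SAMPLE) + parse_asan(ASAN_SAMPLE):
        print(f)
```

The ASAN trace in the report is unsymbolised, so its signature is module+offset and only matches other crashes from the same avconv build; re-running with a symbolizer available (ASAN_SYMBOLIZER_PATH pointing at llvm-symbolizer) yields function-name signatures comparable with the Valgrind ones, which is also what makes the report actionable for the decoder maintainers.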