[libav-bugs] [Bug 1110] New: Invalid memcpy in ff_mov_read_stsd_entries (libavformat/mov.c)

bugzilla at libav.org
Fri Jan 12 23:55:16 CET 2018


            Bug ID: 1110
           Summary: Invalid memcpy in ff_mov_read_stsd_entries
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: probefuzzer at gmail.com

Created attachment 703
  --> https://bugzilla.libav.org/attachment.cgi?id=703&action=edit
poc for libav

On the latest version of libav, 12.1:
There is an invalid memcpy (with a null pointer parameter) in the
ff_mov_read_stsd_entries function of libavformat/mov.c, which can cause denial
of service (program failure) or possibly other unspecified impacts via the POC
in the attachment.

The code snippet is posted below. The second and third parameters of memcpy can
be manipulated by remote attackers via a crafted .avi file. When the second
parameter is set to NULL but the third is non-zero, there would be a
segmentation fault and program failure. When they are both zero, the program
behavior is unpredictable.

   1843         if (sc->extradata) {
   1844             int extra_size = st->codecpar->extradata_size;
   1851             memcpy(sc->extradata[pseudo_stream_id], st->codecpar->extradata, extra_size);
   1854         }

To reproduce the problem, run avconv with UBSAN:
avconv -y -i $POC -b 64k OUTPUT

libav/master/src/libavformat/mov.c:1851:13: runtime error: null pointer passed
as argument 2, which is declared to never be null
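Added example, not libav's code: a hardened version of the copy the report points at, with the table type, copy_extradata and free_extradata being hypothetical stand-ins for sc->extradata[pseudo_stream_id]. It rejects the NULL-source/non-zero-size pair that UBSAN flagged and never calls memcpy for the size-zero case the report says is unpredictable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the per-pseudo-stream extradata table the report
 * refers to as sc->extradata[pseudo_stream_id]; not libav's own structure. */
#define MAX_PSEUDO_STREAMS 4

typedef struct {
    uint8_t *extradata[MAX_PSEUDO_STREAMS];
    int      extradata_size[MAX_PSEUDO_STREAMS];
} StreamExtradata;

/* Copy one stsd entry's codec extradata into slot `idx`.
 * Returns 0 on success and -1 when the (src, size) pair is inconsistent.
 * A NULL source with a non-zero size is exactly the state the UBSAN report
 * shows reaching memcpy; here it is rejected before memcpy is called. */
int copy_extradata(StreamExtradata *sc, int idx, const uint8_t *src, int size)
{
    if (!sc || idx < 0 || idx >= MAX_PSEUDO_STREAMS || size < 0)
        return -1;
    if (!src && size != 0)             /* NULL source but bytes claimed: reject */
        return -1;
    if (size == 0) {                   /* nothing to copy: record empty, skip memcpy */
        free(sc->extradata[idx]);
        sc->extradata[idx]      = NULL;
        sc->extradata_size[idx] = 0;
        return 0;
    }
    uint8_t *dst = malloc((size_t)size);
    if (!dst)
        return -1;
    memcpy(dst, src, (size_t)size);    /* both pointers valid and size > 0 here */
    free(sc->extradata[idx]);          /* replace any earlier copy in this slot */
    sc->extradata[idx]      = dst;
    sc->extradata_size[idx] = size;
    return 0;
}

/* Release every slot; safe to call on a zero-initialised table. */
void free_extradata(StreamExtradata *sc)
{
    for (int i = 0; i < MAX_PSEUDO_STREAMS; i++) {
        free(sc->extradata[i]);
        sc->extradata[i]      = NULL;
        sc->extradata_size[i] = 0;
    }
}
```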

