[libav-bugs] [Bug 1112] New: invalid memcpy in av_packet_ref (libavcodec/avpacket.c)

bugzilla at libav.org bugzilla at libav.org
Thu Jan 18 05:23:26 CET 2018


            Bug ID: 1112
           Summary: invalid memcpy in av_packet_ref
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: probefuzzer at gmail.com

Created attachment 704
  --> https://bugzilla.libav.org/attachment.cgi?id=704&action=edit
poc for libav

On the latest version of libav (12.1):
There is an invalid memcpy (with a null pointer argument) in the av_packet_ref
function of libavcodec/avpacket.c, which can cause a denial of service (program
failure) or possibly other unspecified impacts via the POC in the attachment.

The code snippet is posted below. The second and third parameters of memcpy can
be manipulated by remote attackers via a crafted .avi file. When the second
parameter is NULL but the third is non-zero, there is a segmentation fault and
program failure. When both are zero, the program behavior is unpredictable.

    364     if (!src->buf) {
    365         ret = packet_alloc(&dst->buf, src->size);
    366         if (ret < 0)
    367             goto fail;
    368         memcpy(dst->buf->data, src->data, src->size);
    370         dst->data = dst->buf->data;
    371     }

To reproduce the problem, run avconv with UBSAN:
avplay $POC

libav/master/src/libavcodec/avpacket.c:368:9: runtime error: null pointer
passed as argument 2, which is declared to never be null
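A defensive check for the copy path quoted above, as an added example (not libav's code and not the upstream fix): the simplified Packet/BufRef structs and the packet_alloc stand-in are assumptions; packet_check_src rejects a NULL data pointer with a non-zero size, and packet_ref_copy skips memcpy entirely when size is 0, so the combination UBSAN flags never reaches memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for libav's AVBufferRef and AVPacket (assumption:
 * only the fields used by the quoted av_packet_ref snippet are modelled). */
typedef struct { uint8_t *data; int size; } BufRef;
typedef struct { BufRef *buf; uint8_t *data; int size; } Packet;

/* Returns 0 if the packet's data/size pair is safe for the "src->buf == NULL"
 * copy path, -1 otherwise. This is the check the quoted code lacks: a NULL
 * data pointer is only acceptable together with size 0. */
int packet_check_src(const Packet *src) {
    if (src->size < 0) return -1;
    if (src->size > 0 && !src->data) return -1;
    return 0;
}

/* Hypothetical packet_alloc: one calloc of `size` bytes (size 0 -> 1 byte). */
static int packet_alloc(BufRef **out, int size) {
    BufRef *b = calloc(1, sizeof *b);
    if (!b) return -1;
    b->data = calloc(size > 0 ? (size_t)size : 1, 1);
    if (!b->data) { free(b); return -1; }
    b->size = size;
    *out = b;
    return 0;
}

/* Release what packet_ref_copy allocated and reset the packet. */
void packet_unref(Packet *p) {
    if (p->buf) { free(p->buf->data); free(p->buf); }
    p->buf = NULL; p->data = NULL; p->size = 0;
}

/* Hardened form of the quoted copy path: validate before allocating, and
 * never pass a NULL source to memcpy (size 0 skips the copy altogether). */
int packet_ref_copy(Packet *dst, const Packet *src) {
    if (packet_check_src(src) < 0) return -1;
    if (packet_alloc(&dst->buf, src->size) < 0) return -1;
    if (src->size > 0)
        memcpy(dst->buf->data, src->data, (size_t)src->size);
    dst->data = dst->buf->data;
    dst->size = src->size;
    return 0;
}
```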
