[libav-bugs] [Bug 1118] New: Heap overflow in avi file

bugzilla at libav.org bugzilla at libav.org
Thu Mar 8 22:36:08 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1118

            Bug ID: 1118
           Summary: Heap overflow in avi file
           Product: Libav
           Version: git HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: jplopezy at gmail.com

Dear,

I found this vulnerability a few months ago in Windows, and today I validated
it in Windows with ASan (thanks to the support of the Libav IRC for clearing up
my doubts).

Basically, run a manipulated AVI file with avplay.

On Windows and Linux (Ubuntu) it generates a heap overflow.

WINDOWS

 Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xaf
Major+Minor : ntdll!RtlpNtSetValueKey+0x42a
Major+Minor : ntdll!wcstok_s+0x34d2
Major+Minor : ntdll!RtlGetCurrentServiceSessionId+0x312f
Excluded    : ntdll!RtlFreeHeap+0x41d
Excluded    : msvcrt!free+0x1c
Major+Minor : msvcrt!aligned_free+0x16
Minor       : avutil_56!av_buffer_unref+0x1e
Minor       : avutil_56!av_frame_unref+0x8d
Minor       : avutil_56!av_frame_free+0x1a
Minor       : avfilter_7!avfilter_graph_parse+0xd901
Minor       : avfilter_7!avfilter_pad_get_type+0xfa
Minor       : avfilter_7!av_buffersink_get_samples+0x428
Minor       : avfilter_7!avfilter_config_links+0x619
Minor       : avfilter_7!av_buffersrc_write_frame+0xa0c
Minor       : avfilter_7!avfilter_config_links+0x619
Minor       : avfilter_7!av_buffersink_get_frame+0x19
Minor       : avplay+0xbb40
Minor       : avplay!SDL_EventState+0x354
Minor       : avplay!SDL_SetTimer+0x231
Minor       : msvcrt!beginthreadex+0x126
Minor       : msvcrt!endthreadex+0xac
Minor       : KERNEL32!BaseThreadInitThunk+0x14
Minor       : ntdll!RtlUserThreadStart+0x21
Instruction Address: 0x00007fff396e775f

Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at
ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0x00000000000000af
(Hash=0x69eb8d65.0xf3b57e8d)


Linux

root at test-P55M-UD2:/home/test/samples2# avplay
sf_208f7a3555a71313f076dee343b066cf-228104-0x7fff396e775f-minimized.avi
avplay version v13_dev0-1499-gdd7e63a, Copyright (c) 2003-2018 the Libav
developers
  built on Mar  8 2018 18:19:00 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
20160609
Input #0, avi, from
'sf_208f7a3555a71313f076dee343b066cf-228104-0x7fff396e775f-minimized.avi':
  Duration: 00:00:00.24, start: 0.000000, bitrate: 15777 kb/s
    Stream #0:0: Video: mszh [MSZH / 0x485A534D]
      bgr24, 320x7
      12.04 tbn
    Stream #0:1: Audio: wmav2 [a[1][0][0] / 0x0161]
      16000 Hz, 1 channels, fltp, 16 kb/s
=================================================================   
==22959==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d00002ed40 at pc 0x000001625a04 bp 0x7f676216b1b0 sp 0x7f676216b1a0
WRITE of size 1 at 0x61d00002ed40 thread T5
    #0 0x1625a03  (/usr/local/bin/avplay+0x1625a03)
    #1 0x15bde6c  (/usr/local/bin/avplay+0x15bde6c)
    #2 0x15d5547  (/usr/local/bin/avplay+0x15d5547)
    #3 0x52d424  (/usr/local/bin/avplay+0x52d424)
    #4 0x504750  (/usr/local/bin/avplay+0x504750)
    #5 0x50aa9a  (/usr/local/bin/avplay+0x50aa9a)
    #6 0x501644  (/usr/local/bin/avplay+0x501644)
    #7 0x50d07f  (/usr/local/bin/avplay+0x50d07f)
    #8 0x501644  (/usr/local/bin/avplay+0x501644)
    #9 0x509974  (/usr/local/bin/avplay+0x509974)
    #10 0x4eebe5  (/usr/local/bin/avplay+0x4eebe5)
    #11 0x7f676b82f0b7  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x140b7)
    #12 0x7f676b86ef58  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53f58)
    #13 0x7f676b6056b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #14 0x7f676b33b41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x61d00002ed40 is located 0 bytes to the right of 2240-byte region
[0x61d00002e480,0x61d00002ed40)
allocated by thread T5 here:
    #0 0x7f676c580076  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x1689525  (/usr/local/bin/avplay+0x1689525)

Thread T5 created by T0 here:
    #0 0x7f676c51d253  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x7f676b86efa9  (/usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0+0x53fa9)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c3a7fffdd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffdd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffdd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffdd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffdd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffdda0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c3a7fffddb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffddc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffddd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffdde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffddf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==22959==ABORTING


Nothing more to add; I may update with more info.

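A triage check for the ASan report above, added here as an example and not part of the bug report or of Libav: it parses the key lines, recomputes the distance past the 2240-byte allocation, derives the shadow address of the faulting pointer and confirms it lands on the bracketed `[fa]` byte in the shadow dump. The shadow mapping constants and the REDZONE table are assumptions (the default Linux x86-64 ASan layout).

```python
import re

# Constructed input: the key lines copied from the AddressSanitizer report in
# this bug, joined into one string so the parser runs offline.
ASAN_REPORT = """\
==22959==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00002ed40 at pc 0x000001625a04
WRITE of size 1 at 0x61d00002ed40 thread T5
0x61d00002ed40 is located 0 bytes to the right of 2240-byte region [0x61d00002e480,0x61d00002ed40)
=>0x0c3a7fffdda0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
"""

# Assumed default Linux x86-64 mapping: shadow = (addr >> 3) + 0x7fff8000.
SHADOW_SCALE, SHADOW_OFFSET = 3, 0x7FFF8000
# ASan poisons the gap between chunks as the next chunk's left redzone, so an off-the-end write shows 0xfa.
REDZONE = {0xFA: "heap left redzone", 0xFB: "heap right redzone", 0xFD: "freed heap region"}

def shadow_address(addr):
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def parse_asan_report(text):
    """Extract the access, the overflowed region and the bracketed shadow byte."""
    m = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    kind, addr = m.group(1), int(m.group(2), 16)
    m = re.search(r"\b(READ|WRITE) of size (\d+)", text)
    access, size = m.group(1), int(m.group(2))
    m = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                  r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    dist, side, region_size = int(m.group(1)), m.group(2), int(m.group(3))
    lo, hi = int(m.group(4), 16), int(m.group(5), 16)
    # "=>" marks the dump row holding the fault; bytes before "[" give its column
    m = re.search(r"=>(0x[0-9a-f]+):((?: [0-9a-f]{2})*)\[([0-9a-f]{2})\]", text)
    marked_shadow = int(m.group(1), 16) + len(m.group(2).split())
    marked_byte = int(m.group(3), 16)
    return {
        "kind": kind, "access": access, "size": size, "addr": addr,
        "region_size": region_size, "region": (lo, hi),
        "overflow_offset": addr - hi if side == "right" else lo - addr,  # from addresses, not text
        "reported_distance": dist,
        "shadow_of_addr": shadow_address(addr), "marked_shadow": marked_shadow,
        "marked_byte": marked_byte, "marked_meaning": REDZONE.get(marked_byte, "other"),
    }

def triage(r):
    return {  # consistency checks to run before trusting the report's story
        "region_size_matches": r["region"][1] - r["region"][0] == r["region_size"],
        "distance_matches": r["overflow_offset"] == r["reported_distance"],
        "shadow_matches": r["shadow_of_addr"] == r["marked_shadow"],
        "is_redzone_hit": r["marked_byte"] in REDZONE,
        # a write past a heap chunk can corrupt allocator metadata or a neighbour,
        # which is why the Windows triage above rates it exploitable
        "memory_corruption": r["access"] == "WRITE" and r["overflow_offset"] >= 0,
    }
```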