[libav-bugs] [Bug 1127] New: avconv crashes -- global buffer overflow

bugzilla at libav.org bugzilla at libav.org
Sun May 13 09:46:12 CEST 2018


https://bugzilla.libav.org/show_bug.cgi?id=1127

            Bug ID: 1127
           Summary: avconv crashes -- global buffer overflow
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: thuanpv at comp.nus.edu.sg

Created attachment 716
  --> https://bugzilla.libav.org/attachment.cgi?id=716&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit & libav revision 39f3b6 (HEAD)

To reproduce:
Download the attached file - libav_crash_3.avi
avconv -i libav_crash_3.avi -f null -


ASAN says:

avconv version v13_dev0-1538-g39f3b6f, Copyright (c) 2000-2018 the Libav
developers
  built on Apr 27 2018 08:54:43 with gcc 6.4.0 (Ubuntu 6.4.0-17ubuntu1~16.04)
20180424
Input #0, avi, from 'libav_crash_3.avi':
  Duration: 00:00:13.16, start: 0.000000, bitrate: 164 kb/s
    Stream #0:0: Video: indeo4 [IV41 / 0x31345649]
      yuv410p, 160x120
      12 fps, 12 tbn
Stream mapping:
  Stream #0:0 -> #0:0 (indeo4 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[indeo4 @ 0x61900001ea80] Tile data_size mismatch!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Scan pattern is not set.
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Scan pattern is not set.
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Too many corrections: 89
[indeo4 @ 0x61900001ea80] Error while decoding band header: -1052488119
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] The band block size does not match the configuration
inherited
[indeo4 @ 0x61900001ea80] Error while decoding band header: -1052488119
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
=================================================================
==122389==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001838464 at pc 0x000000b72ac7 bp 0x7ffd42fa8ad0 sp 0x7ffd42fa8ac0
READ of size 2 at 0x000001838464 thread T0
    #0 0xb72ac6  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0xb72ac6)
    #1 0x8a305f  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x8a305f)
    #2 0x8a3cb7  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x8a3cb7)
    #3 0x5117cd  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x5117cd)
    #4 0x4d2b0a  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x4d2b0a)
    #5 0x7f713d8bd82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x4e22c8  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x4e22c8)

0x000001838464 is located 28 bytes to the left of global variable
'ivi4_quant_4x4_intra' defined in 'libavcodec/indeo4data.h:275:23' (0x1838480)
of size 160
0x000001838464 is located 4 bytes to the right of global variable
'ivi4_quant_4x4_inter' defined in 'libavcodec/indeo4data.h:308:23' (0x18383c0)
of size 160
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/thuan/aflsmart-experiments/libav-asan/avconv+0xb72ac6)

Regards,

Thuan
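Added triage helper (not part of the bug report or of Libav): it parses the "is located N bytes to the left/right of global variable" lines of an ASAN global-buffer-overflow report, re-derives the distances from the printed addresses so a mangled report is caught, and works out which global the faulting read lies past and what element index that corresponds to for the access size. SAMPLE_REPORT is a constructed excerpt with the same values as the report above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt carrying the same addresses and sizes as the report above.
SAMPLE_REPORT = """\
==122389==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001838464 at pc 0x000000b72ac7 bp 0x7ffd42fa8ad0 sp 0x7ffd42fa8ac0
READ of size 2 at 0x000001838464 thread T0
0x000001838464 is located 28 bytes to the left of global variable
'ivi4_quant_4x4_intra' defined in 'libavcodec/indeo4data.h:275:23' (0x1838480)
of size 160
0x000001838464 is located 4 bytes to the right of global variable
'ivi4_quant_4x4_inter' defined in 'libavcodec/indeo4data.h:308:23' (0x18383c0)
of size 160
"""

ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at 0x([0-9a-fA-F]+)")
GLOBAL_RE = re.compile(
    r"located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '([^']+)' \(0x([0-9a-fA-F]+)\) of size (\d+)"
)

@dataclass
class Neighbour:
    name: str
    location: str
    start: int
    size: int
    side: str        # "right": access lies past the end; "left": before the start
    distance: int    # bytes between the access and the nearest edge of the global
    elem_index: int  # index the access would have if the global held access-size elements
    elem_count: int  # number of access-size elements the global actually holds

def parse_report(text: str) -> dict:
    flat = " ".join(text.split())  # undo the mail wrapping inside the report
    m = ACCESS_RE.search(flat)
    if not m:
        raise ValueError("no READ/WRITE line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    neighbours = []
    for dist, side, name, loc, start, gsize in GLOBAL_RE.findall(flat):
        start, gsize, dist = int(start, 16), int(gsize), int(dist)
        # Recompute the distance ASAN printed from start/size/address.
        computed = addr - (start + gsize) if side == "right" else start - addr
        if computed != dist:
            raise ValueError(f"distance mismatch for {name}: {computed} != {dist}")
        neighbours.append(Neighbour(name, loc, start, gsize, side, dist,
                                    (addr - start) // size, gsize // size))
    return {"kind": kind, "size": size, "addr": addr, "neighbours": neighbours}

def overrun_candidate(text: str) -> Optional[Neighbour]:
    """Global whose end the access lies past: the usual suspect for an out-of-range table index."""
    past_end = [n for n in parse_report(text)["neighbours"] if n.side == "right"]
    return min(past_end, key=lambda n: n.distance) if past_end else None
```

For this report the candidate is ivi4_quant_4x4_inter: a 2-byte read at element 82 of a 160-byte global that holds 80 such elements, which is the number to compare against the index bounds in the Indeo 4 quant-table lookup when checking the fix.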
