[libav-bugs] [Bug 1137] New: one heap buffer overflow in decode_frame in lcldec.c

bugzilla at libav.org bugzilla at libav.org
Thu Nov 8 10:39:39 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1137

            Bug ID: 1137
           Summary: one heap buffer overflow in decode_frame in lcldec.c
           Product: Libav
           Version: 12
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 722
  --> https://bugzilla.libav.org/attachment.cgi?id=722&action=edit
poc to reproduce the crash

There exists a heap buffer overflow vulnerability in decode_frame in lcldec.c
in libav-12.3 (https://www.libav.org/) which allows an attacker to cause a
denial of service via a crafted avi file.

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i ~/poc1.avi -f null -

==21920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6100000075c8 at pc 0x0000004a46ed bp 0x7fffffffd2a0 sp 0x7fffffffca50
READ of size 1056 at 0x6100000075c8 thread T0
    #0 0x4a46ec in __asan_memcpy
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x4a46ec)
    #1 0x107a51c in decode_frame
/home/huawei/test/libav-12.3/libavcodec/lcldec.c:395
    #2 0x16951c7 in avcodec_decode_video2
/home/huawei/test/libav-12.3/libavcodec/utils.c:1588
    #3 0x1697d2b in do_decode
/home/huawei/test/libav-12.3/libavcodec/utils.c:1727
    #4 0x1697986 in avcodec_send_packet
/home/huawei/test/libav-12.3/libavcodec/utils.c:1804
    #5 0x532af1 in decode /home/huawei/test/libav-12.3/avconv.c:1295
    #6 0x532af1 in decode_video /home/huawei/test/libav-12.3/avconv.c:1395
    #7 0x532af1 in process_input_packet
/home/huawei/test/libav-12.3/avconv.c:1514
    #8 0x5284ad in process_input /home/huawei/test/libav-12.3/avconv.c:2690
    #9 0x5284ad in transcode /home/huawei/test/libav-12.3/avconv.c:2732
    #10 0x5284ad in main /home/huawei/test/libav-12.3/avconv.c:2905
    #11 0x7ffff6ccb82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41a888 in _start
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x41a888)

0x6100000075c8 is located 0 bytes to the right of 136-byte region
[0x610000007540,0x6100000075c8)
allocated by thread T0 here:
    #0 0x4bb290 in __interceptor_posix_memalign
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x4bb290)
    #1 0x23fe7b0 in av_malloc /home/huawei/test/libav-12.3/libavutil/mem.c:81
    #2 0x23fe7b0 in av_mallocz /home/huawei/test/libav-12.3/libavutil/mem.c:213
    #3 0x1369e78 in init_context_defaults
/home/huawei/test/libav-12.3/libavcodec/options.c:107
    #4 0x4fcb86 in open_files /home/huawei/test/libav-12.3/avconv_opt.c:2380
    #5 0x4fc3dc in avconv_parse_options
/home/huawei/test/libav-12.3/avconv_opt.c:2417
    #6 0x522c62 in main /home/huawei/test/libav-12.3/avconv.c:2883
    #7 0x7ffff6ccb82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x4a46ec) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c207fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8ea0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c207fff8eb0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0c207fff8ec0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8ed0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c207fff8ee0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8ef0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c207fff8f00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
ASAN:DEADLYSIGNAL
=================================================================
==21920==ERROR: AddressSanitizer: SEGV on unknown address 0x610000010100 (pc
0x7ffff6df8ba6 bp 0x7fffffffd2a0 sp 0x7fffffffca38 T0)
    #0 0x7ffff6df8ba5 in __nss_passwd_lookup
(/lib/x86_64-linux-gnu/libc.so.6+0x14dba5)
    #1 0x4a46a4 in __asan_memcpy
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x4a46a4)
    #2 0x107a51c in decode_frame
/home/huawei/test/libav-12.3/libavcodec/lcldec.c:395
    #3 0x16951c7 in avcodec_decode_video2
/home/huawei/test/libav-12.3/libavcodec/utils.c:1588
    #4 0x1697d2b in do_decode
/home/huawei/test/libav-12.3/libavcodec/utils.c:1727
    #5 0x1697986 in avcodec_send_packet
/home/huawei/test/libav-12.3/libavcodec/utils.c:1804
    #6 0x532af1 in decode /home/huawei/test/libav-12.3/avconv.c:1295
    #7 0x532af1 in decode_video /home/huawei/test/libav-12.3/avconv.c:1395
    #8 0x532af1 in process_input_packet
/home/huawei/test/libav-12.3/avconv.c:1514
    #9 0x5284ad in process_input /home/huawei/test/libav-12.3/avconv.c:2690
    #10 0x5284ad in transcode /home/huawei/test/libav-12.3/avconv.c:2732
    #11 0x5284ad in main /home/huawei/test/libav-12.3/avconv.c:2905
    #12 0x7ffff6ccb82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41a888 in _start
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x41a888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14dba5) in
__nss_passwd_lookup
==21920==ABORTING

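As an added triage helper (not part of the bug report or of Libav), this script parses the ASan output quoted above to pull out the bug class, the faulting access, the overrun allocation and the first non-sanitizer frame, which is what a maintainer needs to map the crash to the missing length check. Only lines copied from the report are used as input; the helper names are this example's own.

```python
import re
from dataclasses import dataclass

# The relevant ASan lines copied from the report above; mail wrapping split
# several logical lines, so the parser matches across newlines with \s+.
ASAN_REPORT = """\
==21920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6100000075c8 at pc 0x0000004a46ed bp 0x7fffffffd2a0 sp 0x7fffffffca50
READ of size 1056 at 0x6100000075c8 thread T0
    #0 0x4a46ec in __asan_memcpy
(/home/huawei/test/libav-12.3/tmp/bin/avconv+0x4a46ec)
    #1 0x107a51c in decode_frame
/home/huawei/test/libav-12.3/libavcodec/lcldec.c:395
0x6100000075c8 is located 0 bytes to the right of 136-byte region
[0x610000007540,0x6100000075c8)
"""

SANITIZER_FRAMES = ("__asan", "__interceptor", "__sanitizer")

@dataclass
class Triage:
    kind: str               # e.g. heap-buffer-overflow
    access: str             # READ or WRITE
    size: int               # bytes touched by the faulting memcpy
    region_size: int        # size of the heap allocation that was overrun
    bytes_past_region: int  # how far the access runs beyond the region end
    culprit: tuple          # (function, file, line) of first codec frame

def triage(text: str) -> Triage:
    kind, addr = re.search(
        r"AddressSanitizer: (\S+) on address\s+(0x[0-9a-f]+)", text).groups()
    access, size, _ = re.search(
        r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text).groups()
    _, _, reg_size, reg_lo, reg_hi = re.search(
        r"located (\d+) bytes to the (left|right) of (\d+)-byte region"
        r"\s+\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text).groups()
    addr, size, reg_lo, reg_hi = int(addr, 16), int(size), int(reg_lo, 16), int(reg_hi, 16)
    assert reg_hi - reg_lo == int(reg_size)  # sanity check on the region line
    # First frame that is application code, not the sanitizer's interceptor.
    culprit = None
    for _, func, loc in re.findall(r"#(\d+) 0x[0-9a-f]+ in (\S+)\s+(\S+)", text):
        if func.startswith(SANITIZER_FRAMES):
            continue
        m = re.match(r"(.+):(\d+)$", loc)
        culprit = (func, m.group(1), int(m.group(2))) if m else (func, loc, 0)
        break
    return Triage(kind, access, size, int(reg_size),
                  max(0, addr + size - reg_hi), culprit)

if __name__ == "__main__":
    print(triage(ASAN_REPORT))
```

For this report the whole 1056-byte read lies past the end of the 136-byte region, so the copy length at lcldec.c:395 is not bounded by the size of the buffer it reads from.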