[libav-bugs] [Bug 1138] New: one segment fault in ff_mpa_synth_filter_float in libavcodec/mpegaudiodsp_template.c:189

bugzilla at libav.org bugzilla at libav.org
Thu Nov 8 14:17:25 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1138

            Bug ID: 1138
           Summary: one segment fault in ff_mpa_synth_filter_float in
                    libavcodec/mpegaudiodsp_template.c:189
           Product: Libav
           Version: 12
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 723
  --> https://bugzilla.libav.org/attachment.cgi?id=723&action=edit
poc to reproduce the crash

Null pointer dereference (RIP ends up pointing to zero) in ff_mpa_synth_filter_float in
mpegaudiodsp_template.c in libav 12.3 can cause a segmentation fault (application
crash) via a crafted MOV file.

$ uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016
x86_64 x86_64 x86_64 GNU/Linux


$ gdb --args ./avconv -i poc -f null -
RAX: 0x1d7eba0 --> 0x8000000080000000 
RBX: 0x1d7cb50 --> 0x0 
RCX: 0x1d86ba0 --> 0x0 
RDX: 0x7fffffffdd30 --> 0x0 
RSI: 0x1c970f0 --> 0xac00000000000000 
RDI: 0x1d7cb80 --> 0x3e9c5c10bfaa83a4 
RBP: 0x1d7cb80 --> 0x3e9c5c10bfaa83a4 
RSP: 0x7fffffffd980 --> 0x1d86ba0 --> 0x0 
RIP: 0xa045a5 (<ff_mpa_synth_filter_float+101>:    call   QWORD PTR [rbx])
R8 : 0x2 
R9 : 0x1d86ba0 --> 0x0 
R10: 0x1d7ec98 --> 0x0 
R11: 0xfffffffffffffffc 
R12: 0x1c970f0 --> 0xac00000000000000 
R13: 0x1d7eb80 --> 0x0 
R14: 0x0 
R15: 0x7fffffffdd30 --> 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa04599 <ff_mpa_synth_filter_float+89>:    mov    rdx,r15
   0xa0459c <ff_mpa_synth_filter_float+92>:    mov    rcx,QWORD PTR [rsp]
   0xa045a0 <ff_mpa_synth_filter_float+96>:    mov    r8,QWORD PTR [rsp+0x40]
=> 0xa045a5 <ff_mpa_synth_filter_float+101>:    call   QWORD PTR [rbx]
   0xa045a7 <ff_mpa_synth_filter_float+103>:    lea    eax,[r14+0x1e0]
   0xa045ae <ff_mpa_synth_filter_float+110>:    and    eax,0x1ff
   0xa045b3 <ff_mpa_synth_filter_float+115>:    mov    DWORD PTR [r13+0x0],eax
   0xa045b7 <ff_mpa_synth_filter_float+119>:    add    rsp,0x8
Guessed arguments:
arg[0]: 0x1d7cb80 --> 0x3e9c5c10bfaa83a4 
arg[1]: 0x1c970f0 --> 0xac00000000000000 
arg[2]: 0x7fffffffdd30 --> 0x0 
arg[3]: 0x1d86ba0 --> 0x0 
arg[4]: 0x2 
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd980 --> 0x1d86ba0 --> 0x0 
0008| 0x7fffffffd988 --> 0x1d7eb80 --> 0x0 
0016| 0x7fffffffd990 --> 0x1d6e1c0 --> 0x200000002 
0024| 0x7fffffffd998 --> 0x1d6e1c0 --> 0x200000002 
0032| 0x7fffffffd9a0 --> 0x0 
0040| 0x7fffffffd9a8 --> 0x1d7cb80 --> 0x3e9c5c10bfaa83a4 
0048| 0x7fffffffd9b0 --> 0x7fffffffdd30 --> 0x0 
0056| 0x7fffffffd9b8 --> 0xad2943 (<qdm2_decode_frame+52179>:    movsxd
rax,DWORD PTR [r13+0x0])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 6, 0x0000000000a045a5 in ff_mpa_synth_filter_float (s=0x1d7cb50,
synth_buf_ptr=<optimized out>, synth_buf_offset=0x1d7eb80, window=0x1c970f0
<ff_mpa_synth_window_float>, dither_state=0x7fffffffdd30, samples=0x1d86ba0,
incr=<optimized out>, 
    sb_samples=<optimized out>) at libavcodec/mpegaudiodsp_template.c:189
189        s->RENAME(apply_window)(synth_buf, window, dither_state, samples,
incr);
gdb-peda$ bt
#0  0x0000000000a045a5 in ff_mpa_synth_filter_float (s=0x1d7cb50,
synth_buf_ptr=<optimized out>, synth_buf_offset=0x1d7eb80, window=0x1c970f0
<ff_mpa_synth_window_float>, dither_state=0x7fffffffdd30, samples=0x1d86ba0,
incr=<optimized out>, sb_samples=<optimized out>)
    at libavcodec/mpegaudiodsp_template.c:189
#1  0x0000000000ad2943 in qdm2_synthesis_filter (q=<optimized out>,
index=<optimized out>) at libavcodec/qdm2.c:1688
#2  qdm2_decode (q=<optimized out>, in=<optimized out>, out=<optimized out>) at
libavcodec/qdm2.c:1949
#3  qdm2_decode_frame (avctx=<optimized out>, data=<optimized out>,
got_frame_ptr=<optimized out>, avpkt=<optimized out>) at libavcodec/qdm2.c:1992
#4  0x00000000006e9b16 in decode_simple_internal (avctx=<optimized out>,
frame=<optimized out>) at libavcodec/decode.c:336
#5  decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized out>)
at libavcodec/decode.c:387
#6  decode_receive_frame_internal (avctx=<optimized out>, frame=<optimized
out>) at libavcodec/decode.c:405
#7  0x00000000006e97de in avcodec_send_packet (avctx=0x1d40ba0,
avpkt=0x7fffffffde90) at libavcodec/decode.c:466
#8  0x000000000042b928 in decode (avctx=0x1d40ba0, pkt=0x7fffffffde90,
frame=<optimized out>, got_frame=<optimized out>) at avtools/avconv.c:1312
#9  decode_audio (ist=<optimized out>, pkt=0x7fffffffde90,
got_output=<optimized out>, decode_failed=<optimized out>) at
avtools/avconv.c:1359
#10 process_input_packet (ist=<optimized out>, pkt=<optimized out>,
no_eof=<optimized out>) at avtools/avconv.c:1527
#11 0x0000000000426292 in process_input () at avtools/avconv.c:2759
#12 transcode () at avtools/avconv.c:2801
#13 main (argc=<optimized out>, argv=<optimized out>,
argv at entry=0x7fffffffe588) at avtools/avconv.c:2975
#14 0x00007ffff72ed830 in __libc_start_main (main=0x423230 <main>, argc=0x6,
argv=0x7fffffffe588, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe578) at ../csu/libc-start.c:291
#15 0x0000000000403b69 in _start ()

-- 
You are receiving this mail because:
You are watching all bug changes.