[libav-bugs] [Bug 1139] New: one segmentation fault in vc1_decode_frame in vc1dec.c

bugzilla at libav.org bugzilla at libav.org
Thu Nov 8 14:55:10 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1139

            Bug ID: 1139
           Summary: one segmentation fault in vc1_decode_frame in vc1dec.c
           Product: Libav
           Version: 12
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 724
  --> https://bugzilla.libav.org/attachment.cgi?id=724&action=edit
poc to reproduce the crash

There exists one invalid memory access in vc1_decode_frame in vc1dec.c in
libav-12.3, which allows attackers to cause a denial of service via a crafted
aac file.

$uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016
x86_64 x86_64 x86_64 GNU/Linux

$./avconv -i poc -f null -


Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x9981 
RBX: 0xfffffffffffffffc 
RCX: 0x0 
RDX: 0x1d0ec50 --> 0x0 
RSI: 0x1d791e0 --> 0x0 
RDI: 0x1d791e0 --> 0x0 
RBP: 0x0 
RSP: 0x7fffffffdba0 --> 0x0 
RIP: 0xc21987 (<vc1_decode_frame+21319>:    mov    eax,DWORD PTR [r13+0x30])
R8 : 0x1 
R9 : 0x1d31840 --> 0x0 
R10: 0x7ffff7691b78 --> 0x1e2ec80 --> 0x0 
R11: 0x7ffff7691b78 --> 0x1e2ec80 --> 0x0 
R12: 0x1d360e0 --> 0x1372790 --> 0x13709ab ("AVCodecContext")
R13: 0xfffffffffffffff8 
R14: 0x1d33708 --> 0x1d2f8c0 --> 0x6050f9ff871f84c3 
R15: 0x80
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0xc21977 <vc1_decode_frame+21303>:    xor    rax,0xbfe3
   0xc2197d <vc1_decode_frame+21309>:    inc    BYTE PTR [rdx+rax*1]
   0xc21980 <vc1_decode_frame+21312>:    mov    DWORD PTR fs:[rbx],0x5ff1
=> 0xc21987 <vc1_decode_frame+21319>:    mov    eax,DWORD PTR [r13+0x30]
   0xc2198b <vc1_decode_frame+21323>:    cdq    
   0xc2198c <vc1_decode_frame+21324>:    idiv   r15d
   0xc2198f <vc1_decode_frame+21327>:    movsxd rax,DWORD PTR fs:[rbx]
   0xc21993 <vc1_decode_frame+21331>:    mov    rsi,QWORD PTR [rip+0xafbbd6]   
    # 0x171d570 <__afl_area_ptr>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdba0 --> 0x0 
0008| 0x7fffffffdba8 --> 0x7c00000077 ('w')
0016| 0x7fffffffdbb0 --> 0xffff800000002401 
0024| 0x7fffffffdbb8 --> 0x7fffffffdbff --> 0xfffffffffffffc00 
0032| 0x7fffffffdbc0 --> 0x100000002 
0040| 0x7fffffffdbc8 --> 0x7fffffffdde4 --> 0x1d360e000000000 
0048| 0x7fffffffdbd0 --> 0x1d20020 --> 0x0 
0056| 0x7fffffffdbd8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000c21987 in vc1_decode_frame (avctx=<optimized out>, data=<optimized
out>, got_frame=<optimized out>, avpkt=<optimized out>) at
libavcodec/vc1dec.c:884
884                    s->end_mb_y = (i <= n_slices1 + 1) ? mb_height :
FFMIN(mb_height, slices[i].mby_start % mb_height);
gdb-peda$ bt
#0  0x0000000000c21987 in vc1_decode_frame (avctx=<optimized out>,
data=<optimized out>, got_frame=<optimized out>, avpkt=<optimized out>) at
libavcodec/vc1dec.c:884
#1  0x00000000006e9b16 in decode_simple_internal (avctx=<optimized out>,
frame=<optimized out>) at libavcodec/decode.c:336
#2  decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized out>)
at libavcodec/decode.c:387
#3  decode_receive_frame_internal (avctx=<optimized out>, frame=<optimized
out>) at libavcodec/decode.c:405
#4  0x00000000006e97de in avcodec_send_packet (avctx=0x1d360e0,
avpkt=0x7fffffffdeb0) at libavcodec/decode.c:466
#5  0x000000000042b769 in decode (avctx=0x1d360e0, pkt=0x7fffffffdeb0,
frame=<optimized out>, got_frame=<optimized out>) at avtools/avconv.c:1312
#6  decode_video (ist=<optimized out>, pkt=0x7fffffffdeb0,
got_output=<optimized out>, decode_failed=<optimized out>) at
avtools/avconv.c:1412
#7  process_input_packet (ist=<optimized out>, pkt=<optimized out>,
no_eof=<optimized out>) at avtools/avconv.c:1531
#8  0x0000000000426292 in process_input () at avtools/avconv.c:2759
#9  transcode () at avtools/avconv.c:2801
#10 main (argc=<optimized out>, argv=<optimized out>,
argv@entry=0x7fffffffe5a8) at avtools/avconv.c:2975
#11 0x00007ffff72ed830 in __libc_start_main (main=0x423230 <main>, argc=0x6,
argv=0x7fffffffe5a8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe598) at ../csu/libc-start.c:291
#12 0x0000000000403b69 in _start ()
