[libav-bugs] [Bug 1135] New: multiple heap buffer overflow vulnerabilities in libavcodec/vc1_block.c

bugzilla at libav.org bugzilla at libav.org
Mon Oct 29 02:06:11 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1135

            Bug ID: 1135
           Summary: multiple heap buffer overflow vulnerabilities in
                    libavcodec/vc1_block.c
           Product: Libav
           Version: 12
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 720
  --> https://bugzilla.libav.org/attachment.cgi?id=720&action=edit
poc to reproduce the crash

There exist multiple heap buffer overflow vulnerabilities in vc1_block.c in
libav-12.3 (https://www.libav.org), which allow an attacker to cause a
denial of service.

$uname -a
Linux VM-0-9-ubuntu 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux

1)$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i poc1 -f
null -

==8471==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fe6a
at pc 0x0000016ec4f1 bp 0x7ffcc19cd150 sp 0x7ffcc19cd148
WRITE of size 2 at 0x61500000fe6a thread T0
    #0 0x16ec4f0 in vc1_decode_i_block_adv
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:799
    #1 0x16ec4f0 in vc1_decode_i_blocks_adv
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:2814
    #2 0x16e21f4 in ff_vc1_decode_blocks
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:3041
    #3 0x17816bb in vc1_decode_frame
/home/ubuntu/asan/libav-12.3/libavcodec/vc1dec.c:890
    #4 0x16950f7 in avcodec_decode_video2
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1588
    #5 0x1697c5b in do_decode
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1727
    #6 0x16978b6 in avcodec_send_packet
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1804
    #7 0x532ad1 in decode /home/ubuntu/asan/libav-12.3/avconv.c:1295
    #8 0x532ad1 in decode_video /home/ubuntu/asan/libav-12.3/avconv.c:1395
    #9 0x532ad1 in process_input_packet
/home/ubuntu/asan/libav-12.3/avconv.c:1514
    #10 0x52848d in process_input /home/ubuntu/asan/libav-12.3/avconv.c:2690
    #11 0x52848d in transcode /home/ubuntu/asan/libav-12.3/avconv.c:2732
    #12 0x52848d in main /home/ubuntu/asan/libav-12.3/avconv.c:2905
    #13 0x7f1ff83fe82f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41a888 in _start (/home/ubuntu/asan/libav-12.3/avconv+0x41a888)

0x61500000fe6a is located 0 bytes to the right of 426-byte region
[0x61500000fcc0,0x61500000fe6a)
allocated by thread T0 here:
    #0 0x4bb290 in __interceptor_posix_memalign
(/home/ubuntu/asan/libav-12.3/avconv+0x4bb290)
    #1 0x23fe720 in av_malloc /home/ubuntu/asan/libav-12.3/libavutil/mem.c:81
    #2 0x23fe720 in av_mallocz /home/ubuntu/asan/libav-12.3/libavutil/mem.c:213
    #3 0x123ca72 in init_context_frame
/home/ubuntu/asan/libav-12.3/libavcodec/mpegvideo.c:737

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:799 in
vc1_decode_i_block_adv
Shadow bytes around the buggy address:
  0x0c2a7fff9f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9f80: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00[02]fa fa
  0x0c2a7fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8471==ABORTING

2)$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i poc2 -f
null -

==19995==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60a00000d26e at pc 0x00000172c26c bp 0x7ffe1466c2d0 sp 0x7ffe1466c2c8
READ of size 2 at 0x60a00000d26e thread T0
    #0 0x172c26b in ff_vc1_pred_dc
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:429
    #1 0x16e56fb in vc1_decode_i_block_adv
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:798
    #2 0x16e56fb in vc1_decode_i_blocks_adv
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:2814
    #3 0x16e21f4 in ff_vc1_decode_blocks
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:3041
    #4 0x17816bb in vc1_decode_frame
/home/ubuntu/asan/libav-12.3/libavcodec/vc1dec.c:890
    #5 0x16950f7 in avcodec_decode_video2
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1588
    #6 0x1697c5b in do_decode
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1727
    #7 0x16978b6 in avcodec_send_packet
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1804
    #8 0x532ad1 in decode /home/ubuntu/asan/libav-12.3/avconv.c:1295
    #9 0x532ad1 in decode_video /home/ubuntu/asan/libav-12.3/avconv.c:1395
    #10 0x532ad1 in process_input_packet
/home/ubuntu/asan/libav-12.3/avconv.c:1514
    #11 0x52848d in process_input /home/ubuntu/asan/libav-12.3/avconv.c:2690
    #12 0x52848d in transcode /home/ubuntu/asan/libav-12.3/avconv.c:2732
    #13 0x52848d in main /home/ubuntu/asan/libav-12.3/avconv.c:2905
    #14 0x7fc151e2482f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x41a888 in _start (/home/ubuntu/asan/libav-12.3/avconv+0x41a888)

0x60a00000d26e is located 4 bytes to the right of 74-byte region
[0x60a00000d220,0x60a00000d26a)
allocated by thread T0 here:
    #0 0x4bb290 in __interceptor_posix_memalign
(/home/ubuntu/asan/libav-12.3/avconv+0x4bb290)
    #1 0x23fe720 in av_malloc /home/ubuntu/asan/libav-12.3/libavutil/mem.c:81
    #2 0x23fe720 in av_mallocz /home/ubuntu/asan/libav-12.3/libavutil/mem.c:213
    #3 0x123ca72 in init_context_frame
/home/ubuntu/asan/libav-12.3/libavcodec/mpegvideo.c:737

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:429 in ff_vc1_pred_dc
Shadow bytes around the buggy address:
  0x0c147fff99f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c147fff9a00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c147fff9a10: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c147fff9a20: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff9a30: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c147fff9a40: fa fa fa fa 00 00 00 00 00 00 00 00 00[02]fa fa
  0x0c147fff9a50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c147fff9a60: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c147fff9a70: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c147fff9a80: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c147fff9a90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19995==ABORTING

3)$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i poc3 -f
null -

==3534==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000a224
at pc 0x000001713972 bp 0x7ffc6cbb0b50 sp 0x7ffc6cbb0b48
WRITE of size 2 at 0x62400000a224 thread T0
    #0 0x1713971 in vc1_decode_p_mb_intfi
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:1898
    #1 0x1713971 in vc1_decode_p_blocks
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:2899
    #2 0x16e223b in ff_vc1_decode_blocks
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:3049
    #3 0x17816bb in vc1_decode_frame
/home/ubuntu/asan/libav-12.3/libavcodec/vc1dec.c:890
    #4 0x16950f7 in avcodec_decode_video2
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1588
    #5 0x1697c5b in do_decode
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1727
    #6 0x16978b6 in avcodec_send_packet
/home/ubuntu/asan/libav-12.3/libavcodec/utils.c:1804
    #7 0x532ad1 in decode /home/ubuntu/asan/libav-12.3/avconv.c:1295
    #8 0x532ad1 in decode_video /home/ubuntu/asan/libav-12.3/avconv.c:1395
    #9 0x532ad1 in process_input_packet
/home/ubuntu/asan/libav-12.3/avconv.c:1514
    #10 0x52848d in process_input /home/ubuntu/asan/libav-12.3/avconv.c:2690
    #11 0x52848d in transcode /home/ubuntu/asan/libav-12.3/avconv.c:2732
    #12 0x52848d in main /home/ubuntu/asan/libav-12.3/avconv.c:2905
    #13 0x7f320744882f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41a888 in _start (/home/ubuntu/asan/libav-12.3/avconv+0x41a888)

AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:1898 in
vc1_decode_p_mb_intfi
Shadow bytes around the buggy address:
  0x0c487fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c487fff9440: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3534==ABORTING
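The three reports above differ in access type (two writes, one read), in how far the faulting address lies outside a live region, and in whether ASan could attribute the address at all. The following triage helper is an added example, not part of the bug report or of libav: it parses ASan heap-buffer-overflow reports into a small record, buckets crashes by their faulting frame, and flags writes and wild accesses for priority. The sample inputs are abbreviated copies of the three reports, constructed here from the text above; the regexes tolerate the line wrapping that pipermail introduced.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example, not part of the original bug report or of libav. It parses
ASan output into a structured record so that several crashes can be
bucketed by faulting frame and ranked (write > wild > read) before fixing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address\s+(?P<addr>0x[0-9a-f]+)"
)
ACCESS_RE = re.compile(r"\b(?P<op>READ|WRITE) of size (?P<size>\d+)")
# func and loc may be split across a wrapped line, hence \s+ not a single space
FRAME_RE = re.compile(r"#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+)\s+(?P<loc>\S+)")
REGION_RE = re.compile(
    r"located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<rsize>\d+)-byte region"
)


@dataclass
class AsanRecord:
    kind: str
    op: str
    size: int
    top_func: str
    top_loc: str
    region_size: Optional[int]   # None when ASan could not attribute the address
    distance: Optional[int]      # bytes past the region; None when wild
    wild: bool

    def signature(self) -> str:
        """Dedup key: bug kind, access type and faulting file:line."""
        file_line = self.top_loc.rsplit("/", 1)[-1]
        return f"{self.kind}:{self.op}:{self.top_func}:{file_line}"


def parse_report(text: str) -> AsanRecord:
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    frames = FRAME_RE.findall(text)
    if not (header and access and frames):
        raise ValueError("not a recognisable ASan report")
    # The access stack precedes the allocation stack, so the first #0 is the fault.
    _, func, loc = frames[0]
    region = REGION_RE.search(text)
    wild = "wild memory access" in text
    return AsanRecord(
        kind=header.group("kind"),
        op=access.group("op"),
        size=int(access.group("size")),
        top_func=func,
        top_loc=loc,
        region_size=int(region.group("rsize")) if region else None,
        distance=int(region.group("dist")) if region else None,
        wild=wild,
    )


def triage_note(rec: AsanRecord) -> str:
    if rec.wild:
        return "wild access: address not attributable to a live allocation; locate the missing bounds check"
    if rec.op == "WRITE":
        return f"out-of-bounds write of {rec.size} bytes: memory-corruption primitive, prioritise"
    return f"out-of-bounds read of {rec.size} bytes: crash or information disclosure"


def bucket(reports: List[str]) -> Dict[str, List[int]]:
    """Group report indices (1-based) by faulting-frame signature."""
    buckets: Dict[str, List[int]] = {}
    for i, text in enumerate(reports, 1):
        buckets.setdefault(parse_report(text).signature(), []).append(i)
    return buckets


# Constructed, abbreviated copies of the three reports in the bug above.
SAMPLES = [
    """==8471==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fe6a
at pc 0x0000016ec4f1 bp 0x7ffcc19cd150 sp 0x7ffcc19cd148
WRITE of size 2 at 0x61500000fe6a thread T0
    #0 0x16ec4f0 in vc1_decode_i_block_adv
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:799
    #1 0x16ec4f0 in vc1_decode_i_blocks_adv
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:2814
0x61500000fe6a is located 0 bytes to the right of 426-byte region
allocated by thread T0 here:
    #0 0x4bb290 in __interceptor_posix_memalign
""",
    """==19995==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60a00000d26e at pc 0x00000172c26c bp 0x7ffe1466c2d0 sp 0x7ffe1466c2c8
READ of size 2 at 0x60a00000d26e thread T0
    #0 0x172c26b in ff_vc1_pred_dc
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:429
0x60a00000d26e is located 4 bytes to the right of 74-byte region
""",
    """==3534==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000a224
WRITE of size 2 at 0x62400000a224 thread T0
    #0 0x1713971 in vc1_decode_p_mb_intfi
/home/ubuntu/asan/libav-12.3/libavcodec/vc1_block.c:1898
AddressSanitizer can not describe address in more detail (wild memory access
suspected).
""",
]

if __name__ == "__main__":
    for sig, idx in bucket(SAMPLES).items():
        rec = parse_report(SAMPLES[idx[0] - 1])
        print(f"{sig}  reports={idx}  {triage_note(rec)}")
```

Bucketing by faulting frame rather than by PoC file matters when a fuzzer produces dozens of inputs: the first and second reports here share a caller (vc1_decode_i_block_adv at vc1_block.c:798/799) but fault in different frames, and the third lands in the P-frame path, so all three are distinct bugs rather than one bug hit three ways.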
