[libav-bugs] [Bug 1143] New: libav crashes at parse_source_parameters()

bugzilla at libav.org bugzilla at libav.org
Wed Mar 20 09:31:23 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1143

            Bug ID: 1143
           Summary: libav crashes at parse_source_parameters()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 728
  --> https://bugzilla.libav.org/attachment.cgi?id=728&action=edit
PoC input file to trigger the bug (probed as Ogg; the crash is reached through the Ogg demuxer's Dirac header handler)

This bug was found on Ubuntu 16.04 (32-bit i386 build, see the configuration line below) and can be triggered by `avconv -i $POC`. The faulting instruction is a 4-byte load from a static table indexed by edx (`mov eax, DWORD PTR [edx*4+0x8950e88]`, with edx = 0x99999997 in the register dump), so this looks like an out-of-bounds read in the Dirac sequence-header parser while the Ogg demuxer (oggparsedirac.c, dirac_header) feeds it a header packet from the untrusted input file. Only a read is visible in the trace, so the demonstrated impact is a crash (denial of service) on a crafted input; no memory write is shown, and memory corruption is not established by this PoC alone. Note that the `cmp edx,0x2 / jg` just before the faulting load only bounds the upper end and is a signed comparison, so a negative index would pass it; however, the linear disassembly may not reflect the executed path in this optimized build (the `movzx` immediately preceding it could not have produced that edx value), so the responsible check at dirac.c:283 should be confirmed against a non-optimized (-O0 -g) build before deciding on a fix.


GDB output:

(gdb) r -loglevel 99 -i ~/Downloads/parse_source_parameters 
Starting program:
/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5/bin/avconv
-loglevel 99 -i ~/Downloads/parse_source_parameters
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v13_dev0-1642-gf8abf7d, Copyright (c) 2000-2018 the Libav
developers
  built on Mar 19 2019 11:21:48 with clang version 5.0.0-3~16.04.1
(tags/RELEASE_500/final)
  configuration:
--prefix=/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5
--disable-yasm --enable-cross-compile --cc=clang --target-os=linux --arch=i386
--host-cflags=-m32 --host-ldflags=-m32 --extra-cflags=-m32 --extra-ldflags=-m32
  libavutil     56.  8. 0 / 56.  8. 0
  libavcodec    58. 12. 1 / 58. 12. 1
  libavformat   58.  2. 0 / 58.  2. 0
  libavdevice   57.  0. 2 / 57.  0. 2
  libavfilter    7.  1. 0 /  7.  1. 0
  libavresample  4.  0. 0 /  4.  0. 0
  libswscale     5.  0. 1 /  5.  0. 1
Splitting the commandline.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'/home/seclab/Downloads/parse_source_parameters'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option loglevel (set libav* logging level) with argument 99.
Successfully parsed a group of options.
Parsing a group of options: input file
/home/seclab/Downloads/parse_source_parameters.
Successfully parsed a group of options.
Opening an input file: /home/seclab/Downloads/parse_source_parameters.
nsv_probe(), buf_size 1106
[ogg @ 0x91535a0] Probed with size=2048 and score=100
[ogg @ 0x91535a0] ogg_packet: curidx=-1
[ogg @ 0x91535a0] ogg_packet: idx=0 pstart=6 psize=0 segp=1 nsegs=6
[ogg @ 0x91535a0] ogg_packet: idx 0, frame size 2, start 6
[ogg @ 0x91535a0] ogg_packet: curidx=0
[ogg @ 0x91535a0] ogg_packet: idx=0 pstart=8 psize=0 segp=2 nsegs=6
[ogg @ 0x91535a0] ogg_packet: idx 0, frame size 0, start 8
[ogg @ 0x91535a0] ogg_packet: curidx=0
[ogg @ 0x91535a0] ogg_packet: idx=0 pstart=8 psize=0 segp=3 nsegs=6
[ogg @ 0x91535a0] ogg_packet: idx 0, frame size 0, start 8
[ogg @ 0x91535a0] ogg_packet: curidx=0
[ogg @ 0x91535a0] ogg_packet: idx=0 pstart=8 psize=0 segp=4 nsegs=6
[ogg @ 0x91535a0] ogg_packet: idx 0, frame size 0, start 8
[ogg @ 0x91535a0] ogg_packet: curidx=0
[ogg @ 0x91535a0] ogg_packet: idx=0 pstart=8 psize=0 segp=5 nsegs=6
[ogg @ 0x91535a0] ogg_packet: idx=0 pstart=0 psize=255 segp=0 nsegs=6
[ogg @ 0x91535a0] ogg_packet: idx 0, frame size 261, start 0
[ogg @ 0x91535a0] Stream may have unhandled features

Program received signal SIGSEGV, Segmentation fault.
parse_source_parameters (dsh=<optimized out>, log_ctx=<optimized out>,
bc=<optimized out>) at libavcodec/dirac.c:283
283    in libavcodec/dirac.c
(gdb) bt
#0  parse_source_parameters (dsh=<optimized out>, log_ctx=<optimized out>,
bc=<optimized out>) at libavcodec/dirac.c:283
#1  av_dirac_parse_sequence_header (pdsh=<optimized out>, buf=<optimized out>,
buf_size=<optimized out>, log_ctx=<optimized out>) at libavcodec/dirac.c:364
#2  0x08104754 in dirac_header (s=0x1, idx=<optimized out>) at
libavformat/oggparsedirac.c:39
#3  0x08102a0d in ogg_packet (s=<optimized out>, str=<optimized out>,
dstart=<optimized out>, dsize=<optimized out>, fpos=<optimized out>) at
libavformat/oggdec.c:413
#4  0x08101842 in ogg_get_headers (s=<optimized out>) at
libavformat/oggdec.c:480
#5  ogg_read_header (s=<optimized out>) at libavformat/oggdec.c:567
#6  0x08143468 in avformat_open_input (ps=0xffffcc40, filename=<optimized out>,
fmt=<optimized out>, options=<optimized out>) at libavformat/utils.c:336
#7  0x0804b8b9 in open_input_file (o=<optimized out>, filename=<optimized out>)
at avtools/avconv_opt.c:804
#8  0x0804b480 in open_files (l=<optimized out>, inout=<optimized out>,
open_file=<optimized out>) at avtools/avconv_opt.c:2467
#9  0x0804b286 in avconv_parse_options (argc=<optimized out>, argv=<optimized
out>) at avtools/avconv_opt.c:2504
#10 0x08058b4f in main (argc=<optimized out>, argv=<optimized out>) at
avtools/avconv.c:2953

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x81d2b39 to 0x81d2b79:
   0x081d2b39 <av_dirac_parse_sequence_header+19977>:    mov    DWORD PTR
[esp+0x4],esi
   0x081d2b3d <av_dirac_parse_sequence_header+19981>:    mov    ebp,DWORD PTR
[esp+0x18]
   0x081d2b41 <av_dirac_parse_sequence_header+19985>:    mov    ecx,DWORD PTR
[esp+0xc]
   0x081d2b45 <av_dirac_parse_sequence_header+19989>:    mov    ebx,DWORD PTR
[esp+0x4]
   0x081d2b49 <av_dirac_parse_sequence_header+19993>:    mov    esi,edi
   0x081d2b4b <av_dirac_parse_sequence_header+19995>:    mov    edi,eax
   0x081d2b4d <av_dirac_parse_sequence_header+19997>:    movzx  edx,BYTE PTR
[ecx+0x895d6f7]
   0x081d2b54 <av_dirac_parse_sequence_header+20004>:    cmp    edx,0x2
   0x081d2b57 <av_dirac_parse_sequence_header+20007>:    jg     0x81d2b63
<av_dirac_parse_sequence_header+20019>
=> 0x081d2b59 <av_dirac_parse_sequence_header+20009>:    mov    eax,DWORD PTR
[edx*4+0x8950e88]
   0x081d2b60 <av_dirac_parse_sequence_header+20016>:    mov    DWORD PTR
[ebp+0x38],eax
   0x081d2b63 <av_dirac_parse_sequence_header+20019>:    test   esi,esi
   0x081d2b65 <av_dirac_parse_sequence_header+20021>:    jne    0x81d2b88
<av_dirac_parse_sequence_header+20056>
   0x081d2b67 <av_dirac_parse_sequence_header+20023>:    mov    eax,DWORD PTR
[esp+0x8]
   0x081d2b6b <av_dirac_parse_sequence_header+20027>:    xor    esi,esi
   0x081d2b6d <av_dirac_parse_sequence_header+20029>:    cmp    eax,DWORD PTR
[esp+0x14]
   0x081d2b71 <av_dirac_parse_sequence_header+20033>:    jae    0x81d2b88
<av_dirac_parse_sequence_header+20056>
   0x081d2b73 <av_dirac_parse_sequence_header+20035>:    mov    ebx,DWORD PTR
[eax]
   0x081d2b75 <av_dirac_parse_sequence_header+20037>:    mov    edi,DWORD PTR
[eax+0x4]
   0x081d2b78 <av_dirac_parse_sequence_header+20040>:    add    eax,0x8
End of assembler dump.

(gdb) info all-registers
eax            0x0    0
ecx            0x1    1
edx            0x99999997    -1717986921
ebx            0x28282    164482
esp            0xffffca80    0xffffca80
ebp            0x9154800    0x9154800
esi            0x29    41
edi            0x82800000    -2105540608
eip            0x81d2b59    0x81d2b59 <av_dirac_parse_sequence_header+20009>
eflags         0x210286    [ PF SF IF RF ID ]
cs             0x23    35
ss             0x2b    43
ds             0x2b    43
es             0x2b    43
fs             0x0    0
gs             0x63    99


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.
