[libav-bugs] [Bug 1144] New: avconv crashes in avio_read()

bugzilla at libav.org bugzilla at libav.org
Wed Mar 20 11:43:19 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1144

            Bug ID: 1144
           Summary: avconv crashes in avio_read()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 729
  --> https://bugzilla.libav.org/attachment.cgi?id=729&action=edit
PoC to trigger the bug

Triggered by "./avconv -i $POC"

Segmentation fault in avio_read(). The backtrace below shows avio_read() entered from sox_read_header() (libavformat/soxdec.c:100) with buf=0x0 and size=2147483647; the faulting instruction is a 16-byte store through %edx, which holds 0, i.e. a write to a NULL destination pointer inside libc.


The GDB debugging information is as follows:

(gdb) r -v 9 -loglevel 99 -i ~/Downloads/avio_read_crash 
Starting program:
/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5/bin/avconv
-v 9 -loglevel 99 -i ~/Downloads/avio_read_crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v13_dev0-1642-gf8abf7d, Copyright (c) 2000-2018 the Libav
developers
  built on Mar 19 2019 11:21:48 with clang version 5.0.0-3~16.04.1
(tags/RELEASE_500/final)
  configuration:
--prefix=/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5
--disable-yasm --enable-cross-compile --cc=clang --target-os=linux --arch=i386
--host-cflags=-m32 --host-ldflags=-m32 --extra-cflags=-m32 --extra-ldflags=-m32
  libavutil     56.  8. 0 / 56.  8. 0
  libavcodec    58. 12. 1 / 58. 12. 1
  libavformat   58.  2. 0 / 58.  2. 0
  libavdevice   57.  0. 2 / 57.  0. 2
  libavfilter    7.  1. 0 /  7.  1. 0
  libavresample  4.  0. 0 /  4.  0. 0
  libswscale     5.  0. 1 /  5.  0. 1
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'/home/seclab/Downloads/avio_read_crash'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file /home/seclab/Downloads/avio_read_crash.
Successfully parsed a group of options.
Opening an input file: /home/seclab/Downloads/avio_read_crash.
nsv_probe(), buf_size 67
[sox @ 0x91535c0] Probed with size=2048 and score=100
[sox @ 0x91535c0] truncating fractional part of sample rate (0.000000)


Program received signal SIGSEGV, Segmentation fault.
0xf7ea8dbc in ?? () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xf7ea8dbc in ?? () from /lib/i386-linux-gnu/libc.so.6
#1  0x0808f3bb in avio_read (s=0x915bda0, buf=0x0, size=2147483647) at
libavformat/aviobuf.c:591
#2  0x0813a6c4 in sox_read_header (s=0x91535c0) at libavformat/soxdec.c:100
#3  0x08143468 in avformat_open_input (ps=0xffffcc30, filename=<optimized out>,
fmt=<optimized out>, options=<optimized out>) at libavformat/utils.c:336
#4  0x0804b8b9 in open_input_file (o=<optimized out>, filename=<optimized out>)
at avtools/avconv_opt.c:804
#5  0x0804b480 in open_files (l=<optimized out>, inout=<optimized out>,
open_file=<optimized out>) at avtools/avconv_opt.c:2467
#6  0x0804b286 in avconv_parse_options (argc=<optimized out>, argv=<optimized
out>) at avtools/avconv_opt.c:2504
#7  0x08058b4f in main (argc=<optimized out>, argv=<optimized out>) at
avtools/avconv.c:2953

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xf7ea8d9c to 0xf7ea8ddc:
   0xf7ea8d9c:    incl   0x8b263c3(%ecx)
   0xf7ea8da2:    add    %bh,(%ebx)
   0xf7ea8da4:    mov    0x0(%ecx,%eax,1),%esp
   0xf7ea8da8:    add    %cl,(%edi)
   0xf7ea8daa:    adcl   $0x0,0x1(%edi)
   0xf7ea8dae:    add    %dh,%bl
   0xf7ea8db0:    movq   (%eax),%mm0
   0xf7ea8db3:    movdqu -0x10(%eax,%ecx,1),%xmm1
   0xf7ea8db9:    cmp    $0x20,%ecx
=> 0xf7ea8dbc:    movdqu %xmm0,(%edx)
   0xf7ea8dc0:    movdqu %xmm1,-0x10(%edx,%ecx,1)
   0xf7ea8dc6:    jbe    0xf7ea907e
   0xf7ea8dcc:    movdqu 0x10(%eax),%xmm0
   0xf7ea8dd1:    movdqu -0x20(%eax,%ecx,1),%xmm1
   0xf7ea8dd7:    cmp    $0x40,%ecx
   0xf7ea8dda:    movdqu %xmm0,0x10(%edx)
End of assembler dump.

(gdb) info all-registers
eax            0x915be38    152419896
ecx            0x23    35
edx            0x0    0
ebx            0xf7f34000    -135053312
esp            0xffffcb38    0xffffcb38
ebp            0x7fffffff    0x7fffffff
esi            0x915bda0    152419744
edi            0x23    35
eip            0xf7ea8dbc    0xf7ea8dbc
eflags         0x210206    [ PF IF RF ID ]
cs             0x23    35
ss             0x2b    43
ds             0x2b    43
es             0x2b    43
fs             0x0    0
gs             0x63    99
st0            9.957466722920461539027801867174361e-06    (raw
0x3feea70efe71ee611800)
st1            -0.16666658368778738963378316384478239    (raw
0xbffcaaaaa51919b23800)
st2            -5.2368704321306240943608958015795252e-09    (raw
0xbfe3b3efffdd0585e000)
st3            0.49999999985513093880840074234583881    (raw
0x3ffdfffffffec16df800)
st4            1.7384289452803415575633558961773407e-09    (raw
0x3fe1eeed87e67d4a0800)
st5            0    (raw 0x00000000000000000000)
st6            5.2918203504235082049120317528188199e-246    (raw
0x3cd093fffbcffd0d0000)
st7            5.2918203504235082049120317528188199e-246    (raw
0x3cd093fffbcffd0d0000)
fctrl          0x37f    895
fstat          0x420    1056
ftag           0xffff    65535
fiseg          0x0    0
fioff          0xf7dc6db6    -136548938
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
bndcfgu        {raw = 0x0, config = {base = 0x0, reserved = 0x0, preserved =
0x0, enabled = 0x0}}    {raw = 0x0, config = {base = 0, reserved = 0, preserved
= 0, enabled = 0}}
bndstatus      {raw = 0x0, status = {bde = 0x0, error = 0x0}}    {raw = 0x0,
status = {bde = 0, error = 0}}
k0             0x0    0
k1             0x0    0
k2             0x0    0
k3             0x0    0
k4             0x0    0
k5             0x0    0
k6             0x0    0
k7             0x0    0
zmm0           {v16_float = {0x0, 0x0, 0x0, 0xfff7f9bd, 0x0 <repeats 12
times>}, v8_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v64_int8 = {0x20, 0x0, 0x0, 0x0, 
    0xec, 0x95, 0xf, 0x60, 0x60, 0x60, 0x5b, 0xf4, 0x32, 0x64, 0x0, 0xc9, 0x0
<repeats 48 times>}, v32_int16 = {0x20, 0x0, 0x95ec, 0x600f, 0x6060, 0xf45b,
0x6432, 0xc900, 0x0 <repeats 24 times>}, 
  v16_int32 = {0x20, 0x600f95ec, 0xf45b6060, 0xc9006432, 0x0 <repeats 12
times>}, v8_int64 = {0x600f95ec00000020, 0xc9006432f45b6060, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int128 = {
    0xc9006432f45b6060600f95ec00000020, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
zmm1           {v16_float = {0x0, 0x0, 0x0, 0x0, 0x0 <repeats 12 times>},
v8_double = {0x0, 0x8000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 =
{0x60, 0x42, 0x60, 0x60, 0x60, 0x0, 0x3a, 0x0, 
    0x18, 0x60, 0x60, 0x60, 0x80, 0x1, 0x0, 0x7f, 0x0 <repeats 48 times>},
v32_int16 = {0x4260, 0x6060, 0x60, 0x3a, 0x6018, 0x6060, 0x180, 0x7f00, 0x0
<repeats 24 times>}, v16_int32 = {0x60604260, 
    0x3a0060, 0x60606018, 0x7f000180, 0x0 <repeats 12 times>}, v8_int64 =
{0x3a006060604260, 0x7f00018060606018, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int128
= {0x7f00018060606018003a006060604260, 
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
zmm2           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
zmm3           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
zmm4           {v16_float = {0x0, 0x0 <repeats 15 times>}, v8_double = {0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0xff, 0xff, 0xff, 0xff, 0x0
<repeats 60 times>}, v32_int16 = {0xffff, 0xffff, 
    0x0 <repeats 30 times>}, v16_int32 = {0xffffffff, 0x0 <repeats 15 times>},
v8_int64 = {0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int128 =
{0x000000000000000000000000ffffffff, 
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
zmm5           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
---Type <return> to continue, or q <return> to quit---
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
zmm6           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
zmm7           {v16_float = {0x0 <repeats 16 times>}, v8_double = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0x0 <repeats 64 times>}, v32_int16 =
{0x0 <repeats 32 times>}, v16_int32 = {
    0x0 <repeats 16 times>}, v8_int64 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
mm0            {uint64 = 0xa70efe71ee611800, v2_int32 = {0xee611800,
0xa70efe71}, v4_int16 = {0x1800, 0xee61, 0xfe71, 0xa70e}, v8_int8 = {0x0, 0x18,
0x61, 0xee, 0x71, 0xfe, 0xe, 0xa7}}
mm1            {uint64 = 0xaaaaa51919b23800, v2_int32 = {0x19b23800,
0xaaaaa519}, v4_int16 = {0x3800, 0x19b2, 0xa519, 0xaaaa}, v8_int8 = {0x0, 0x38,
0xb2, 0x19, 0x19, 0xa5, 0xaa, 0xaa}}
mm2            {uint64 = 0xb3efffdd0585e000, v2_int32 = {0x585e000,
0xb3efffdd}, v4_int16 = {0xe000, 0x585, 0xffdd, 0xb3ef}, v8_int8 = {0x0, 0xe0,
0x85, 0x5, 0xdd, 0xff, 0xef, 0xb3}}
mm3            {uint64 = 0xfffffffec16df800, v2_int32 = {0xc16df800,
0xfffffffe}, v4_int16 = {0xf800, 0xc16d, 0xfffe, 0xffff}, v8_int8 = {0x0, 0xf8,
0x6d, 0xc1, 0xfe, 0xff, 0xff, 0xff}}
mm4            {uint64 = 0xeeed87e67d4a0800, v2_int32 = {0x7d4a0800,
0xeeed87e6}, v4_int16 = {0x800, 0x7d4a, 0x87e6, 0xeeed}, v8_int8 = {0x0, 0x8,
0x4a, 0x7d, 0xe6, 0x87, 0xed, 0xee}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0x93fffbcffd0d0000, v2_int32 = {0xfd0d0000,
0x93fffbcf}, v4_int16 = {0x0, 0xfd0d, 0xfbcf, 0x93ff}, v8_int8 = {0x0, 0x0,
0xd, 0xfd, 0xcf, 0xfb, 0xff, 0x93}}
mm7            {uint64 = 0x93fffbcffd0d0000, v2_int32 = {0xfd0d0000,
0x93fffbcf}, v4_int16 = {0x0, 0xfd0d, 0xfbcf, 0x93ff}, v8_int8 = {0x0, 0x0,
0xd, 0xfd, 0xcf, 0xfb, 0xff, 0x93}}


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.

-- 
You are receiving this mail because:
You are watching all bug changes.

