[libav-bugs] [Bug 1148] New: Heap out-of-bounds read in libavformat/mov.c

bugzilla at libav.org bugzilla at libav.org
Wed Mar 20 16:53:28 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1148

            Bug ID: 1148
           Summary: Heap out-of-bounds read in libavformat/mov.c
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 733
  --> https://bugzilla.libav.org/attachment.cgi?id=733&action=edit
PoC to trigger bug

Triggered by "./avconv -i $POC"

Heap out-of-bounds read in libavformat/mov.c.


ASAN output:

avconv version v13_dev0-1642-gf8abf7d, Copyright (c) 2000-2018 the Libav developers
  built on Mar 20 2019 02:13:39 with clang version 5.0.0-3~16.04.1 (tags/RELEASE_500/final)
  configuration: --prefix=/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5-asan --disable-yasm --enable-cross-compile --cc=clang --target-os=linux --arch=i386 --host-cflags=-m32 --toolchain=clang-asan --host-ldflags=-m32 --extra-cflags=-m32 --extra-ldflags=-m32
  libavutil     56.  8. 0 / 56.  8. 0
  libavcodec    58. 12. 1 / 58. 12. 1
  libavformat   58.  2. 0 / 58.  2. 0
  libavdevice   57.  0. 2 / 57.  0. 2
  libavfilter    7.  1. 0 /  7.  1. 0
  libavresample  4.  0. 0 /  4.  0. 0
  libswscale     5.  0. 1 /  5.  0. 1
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument '/home/seclab/Downloads/mov_probe_crash'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file /home/seclab/Downloads/mov_probe_crash.
Successfully parsed a group of options.
Opening an input file: /home/seclab/Downloads/mov_probe_crash.
=================================================================
==179996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3d0a07f at pc 0x08352e2c bp 0xfff72d38 sp 0xfff72d2c
READ of size 4 at 0xf3d0a07f thread T0
    #0 0x8352e2b in mov_probe /home/seclab/libav/libavformat/mov.c:3613:15
    #1 0x82e2516 in av_probe_input_format2 /home/seclab/libav/libavformat/format.c:193:21
    #2 0x82e328a in av_probe_input_buffer /home/seclab/libav/libavformat/format.c:286:16
    #3 0x850e871 in init_input /home/seclab/libav/libavformat/utils.c
    #4 0x850e871 in avformat_open_input /home/seclab/libav/libavformat/utils.c:303
    #5 0x818b19d in open_input_file /home/seclab/libav/avtools/avconv_opt.c:804:11
    #6 0x818a393 in open_files /home/seclab/libav/avtools/avconv_opt.c:2467:15
    #7 0x8189d4f in avconv_parse_options /home/seclab/libav/avtools/avconv_opt.c:2504:11
    #8 0x81baf9d in main /home/seclab/libav/avtools/avconv.c:2953:11
    #9 0xf74a3636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #10 0x808b647 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5-asan/bin/avconv+0x808b647)


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.
