[libav-bugs] [Bug 1149] New: An out-of-bounds read in libavcodec/h264_ps.c

bugzilla at libav.org bugzilla at libav.org
Wed Mar 20 17:07:11 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1149

            Bug ID: 1149
           Summary: An out-of-bounds read in libavcodec/h264_ps.c
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 734
  --> https://bugzilla.libav.org/attachment.cgi?id=734&action=edit
PoC to trigger the bug

Triggered by "./avconv -i $POC -f null -"

An out-of-bounds read in libavcodec/h264_ps.c: AddressSanitizer reports a 1-byte global-buffer-overflow read in build_qp_table (h264_ps.c:663), reached from ff_h264_decode_picture_parameter_set while avformat_find_stream_info probes the input.


ASAN output:

avconv version v13_dev0-1642-gf8abf7d, Copyright (c) 2000-2018 the Libav developers
  built on Mar 20 2019 02:13:39 with clang version 5.0.0-3~16.04.1 (tags/RELEASE_500/final)
  configuration: --prefix=/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5-asan --disable-yasm --enable-cross-compile --cc=clang --target-os=linux --arch=i386 --host-cflags=-m32 --toolchain=clang-asan --host-ldflags=-m32 --extra-cflags=-m32 --extra-ldflags=-m32
  libavutil     56.  8. 0 / 56.  8. 0
  libavcodec    58. 12. 1 / 58. 12. 1
  libavformat   58.  2. 0 / 58.  2. 0
  libavdevice   57.  0. 2 / 57.  0. 2
  libavfilter    7.  1. 0 /  7.  1. 0
  libavresample  4.  0. 0 /  4.  0. 0
  libswscale     5.  0. 1 /  5.  0. 1
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument '/home/seclab/Downloads/build_qp_table_crash'.
Reading option '-f' ... matched as option 'f' (force format) with argument 'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file /home/seclab/Downloads/build_qp_table_crash.
Successfully parsed a group of options.
Opening an input file: /home/seclab/Downloads/build_qp_table_crash.
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 2048
[pmp @ 0xf3203680] Probed with size=2048 and score=100
Ignoring attempt to set invalid timebase for st:0
[pmp @ 0xf3203680] Unsupported audio format
[NULL @ 0xf2e03880] [IMGUTILS @ 0xffd04830] Picture size 0x0 is invalid
[NULL @ 0xf2e03880] ignoring invalid width/height values
[NULL @ 0xf2e03880] [IMGUTILS @ 0xffd04830] Picture size 0x0 is invalid
IN delayed:0 pts:-9223372036854775808, dts:0 cur_dts:1 st:0 pc:(nil)
OUTdelayed:0/0 pts:-9223372036854775808, dts:0 cur_dts:1
[AVBSFContext @ 0xf52016e0] nal_unit_type: 8, nal_ref_idc: 2
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] nal_unit_type: 7, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
    Last message repeated 3 times
[AVBSFContext @ 0xf52016e0] nal_unit_type: 8, nal_ref_idc: 2
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] nal_unit_type: 8, nal_ref_idc: 2
[AVBSFContext @ 0xf52016e0] nal_unit_type: 7, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] Invalid NAL unit 0, skipping.
    Last message repeated 1 times
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] Invalid NAL unit 0, skipping.
[AVBSFContext @ 0xf52016e0] nal_unit_type: 7, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] nal_unit_type: 8, nal_ref_idc: 2
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
    Last message repeated 3 times
[AVBSFContext @ 0xf52016e0] nal_unit_type: 8, nal_ref_idc: 2
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] nal_unit_type: 8, nal_ref_idc: 2
[AVBSFContext @ 0xf52016e0] nal_unit_type: 7, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] Invalid NAL unit 0, skipping.
    Last message repeated 1 times
[AVBSFContext @ 0xf52016e0] nal_unit_type: 0, nal_ref_idc: 0
[AVBSFContext @ 0xf52016e0] Invalid NAL unit 0, skipping.
[AVBSFContext @ 0xf52016e0] nal_unit_type: 7, nal_ref_idc: 0
    Last message repeated 2 times
[h264 @ 0xf2e03880] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
[h264 @ 0xf2e03880] nal_unit_type: 7, nal_ref_idc: 0
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
    Last message repeated 3 times
[h264 @ 0xf2e03880] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
[h264 @ 0xf2e03880] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xf2e03880] nal_unit_type: 7, nal_ref_idc: 0
[h264 @ 0xf2e03880] Invalid NAL unit 0, skipping.
    Last message repeated 1 times
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
[h264 @ 0xf2e03880] Invalid NAL unit 0, skipping.
[h264 @ 0xf2e03880] nal_unit_type: 7, nal_ref_idc: 0
[h264 @ 0xf2e03880] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
    Last message repeated 3 times
[h264 @ 0xf2e03880] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
[h264 @ 0xf2e03880] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xf2e03880] nal_unit_type: 7, nal_ref_idc: 0
[h264 @ 0xf2e03880] Invalid NAL unit 0, skipping.
    Last message repeated 1 times
[h264 @ 0xf2e03880] nal_unit_type: 0, nal_ref_idc: 0
[h264 @ 0xf2e03880] Invalid NAL unit 0, skipping.
[h264 @ 0xf2e03880] nal_unit_type: 7, nal_ref_idc: 0
    Last message repeated 2 times
[h264 @ 0xf2e03880] sps_id 0 out of range
[h264 @ 0xf2e03880] Unknown NAL code: 0 (79 bits)
[h264 @ 0xf2e03880] log2_max_frame_num_minus4 out of range (0-12): 14
[h264 @ 0xf2e03880] Unknown NAL code: 0 (206 bits)
[h264 @ 0xf2e03880] Unknown NAL code: 0 (8 bits)
[h264 @ 0xf2e03880] Unknown NAL code: 0 (0 bits)
[h264 @ 0xf2e03880] Unknown NAL code: 0 (11 bits)
[h264 @ 0xf2e03880] sps_id 0 out of range
[h264 @ 0xf2e03880] Unknown NAL code: 0 (55 bits)
[h264 @ 0xf2e03880] sps_id 0 out of range
[h264 @ 0xf2e03880] log2_max_frame_num_minus4 out of range (0-12): -1
[h264 @ 0xf2e03880] Unknown NAL code: 0 (0 bits)
[h264 @ 0xf2e03880] FMO not supported
=================================================================
==164734==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a279860 at pc 0x0895f193 bp 0xffd04458 sp 0xffd0444c
READ of size 1 at 0x0a279860 thread T0
    #0 0x895f192 in build_qp_table /home/seclab/libav/libavcodec/h264_ps.c:663:13
    #1 0x895f192 in ff_h264_decode_picture_parameter_set /home/seclab/libav/libavcodec/h264_ps.c:747
    #2 0x89696fc in decode_nal_units /home/seclab/libav/libavcodec/h264dec.c:617:19
    #3 0x89696fc in h264_decode_frame /home/seclab/libav/libavcodec/h264dec.c:728
    #4 0x874924b in decode_simple_internal /home/seclab/libav/libavcodec/decode.c:336:15
    #5 0x874924b in decode_simple_receive_frame /home/seclab/libav/libavcodec/decode.c:387
    #6 0x874924b in decode_receive_frame_internal /home/seclab/libav/libavcodec/decode.c:405
    #7 0x8748d12 in avcodec_send_packet /home/seclab/libav/libavcodec/decode.c:466:15
    #8 0x85247ab in try_decode_frame /home/seclab/libav/libavformat/utils.c:1950:19
    #9 0x851cafa in avformat_find_stream_info /home/seclab/libav/libavformat/utils.c:2459:9
    #10 0x818b68a in open_input_file /home/seclab/libav/avtools/avconv_opt.c:821:11
    #11 0x818a393 in open_files /home/seclab/libav/avtools/avconv_opt.c:2467:15
    #12 0x8189d4f in avconv_parse_options /home/seclab/libav/avtools/avconv_opt.c:2504:11
    #13 0x81baf9d in main /home/seclab/libav/avtools/avconv.c:2953:11
    #14 0xf7540636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x808b647 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/libav-master/clang5-asan/bin/avconv+0x808b647)
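A small triage helper for sanitizer reports like the one above, added here as an illustration; it is not part of the bug report and not Libav code. It parses the AddressSanitizer error line, the access line and the stack frames into a record, derives a de-duplication key from the top frames that carry source locations, and buckets the crash by sanitizer kind and access direction (writes ahead of reads when ordering fixes). The embedded sample is a constructed excerpt of the report above with intermediate frames omitted; the project root path passed to the signature function is an assumption taken from the trace.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an excerpt of the ASAN report from this bug, with frames
# #4 to #12 left out. The parser accepts any number of frames.
SAMPLE_REPORT = """\
[h264 @ 0xf2e03880] FMO not supported
=================================================================
==164734==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a279860 at pc 0x0895f193 bp 0xffd04458 sp 0xffd0444c
READ of size 1 at 0x0a279860 thread T0
    #0 0x895f192 in build_qp_table /home/seclab/libav/libavcodec/h264_ps.c:663:13
    #1 0x895f192 in ff_h264_decode_picture_parameter_set /home/seclab/libav/libavcodec/h264_ps.c:747
    #2 0x89696fc in decode_nal_units /home/seclab/libav/libavcodec/h264dec.c:617:19
    #3 0x89696fc in h264_decode_frame /home/seclab/libav/libavcodec/h264dec.c:728
    #13 0x81baf9d in main /home/seclab/libav/avtools/avconv.c:2953:11
    #14 0xf7540636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x808b647 in _start (/home/seclab/bin/avconv+0x808b647)
"""


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]   # None when the frame only has module+offset (no debug info)
    line: Optional[int]


@dataclass
class AsanCrash:
    kind: str             # e.g. "global-buffer-overflow"
    access: str           # "READ" or "WRITE"
    size: int             # access size in bytes
    address: str
    frames: List[Frame]


ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread T\d+")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.+)$")
LOCATION_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")   # path:line[:column]


def parse_asan_report(text: str) -> Optional[AsanCrash]:
    """Extract kind, access, address and stack frames from ASAN output.
    Frames before the ERROR line (decoder log noise) are ignored."""
    kind = address = access = None
    size = 0
    frames: List[Frame] = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            kind, address = m.group(1), m.group(2)
            continue
        m = ACCESS_RE.match(line.strip())
        if m:
            access, size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and kind is not None:
            lm = LOCATION_RE.match(m.group(3))
            if lm:
                frames.append(Frame(int(m.group(1)), m.group(2), lm.group(1), int(lm.group(2))))
            else:
                frames.append(Frame(int(m.group(1)), m.group(2), None, None))
    if kind is None or access is None:
        return None
    return AsanCrash(kind, access, size, address, frames)


def crash_signature(crash: AsanCrash, project_root: str, depth: int = 3) -> str:
    """Stable de-duplication key: kind, access and the top `depth` frames that
    have source locations under project_root (libc/_start frames are skipped)."""
    located = [f for f in crash.frames if f.file and f.file.startswith(project_root)]
    parts = [f"{f.function}@{f.file[len(project_root):].lstrip('/')}:{f.line}"
             for f in located[:depth]]
    return f"{crash.kind}/{crash.access}/" + "|".join(parts)


def triage_label(crash: AsanCrash) -> str:
    """Coarse bucket for ordering fixes: out-of-bounds writes before reads."""
    if crash.kind.endswith("buffer-overflow"):
        base = "out-of-bounds-"
    elif crash.kind == "heap-use-after-free":
        base = "use-after-free-"
    else:
        return "other"
    return base + crash.access.lower()


if __name__ == "__main__":
    c = parse_asan_report(SAMPLE_REPORT)
    print(triage_label(c))
    print(crash_signature(c, "/home/seclab/libav"))   # assumed project root
```

Running the block on the sample classifies this report as an out-of-bounds read and keys it on build_qp_table at h264_ps.c:663, which is the unit a fixer or a fuzzing dashboard would group further crashes under; the label only encodes what the sanitizer line states, so the severity call still belongs to whoever reads the code at that line.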


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.
