[libav-bugs] [Bug 1151] New: one heap-use-after-free in h264_slice_init in h264_slice.c

bugzilla at libav.org
Mon Mar 25 15:30:07 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1151

            Bug ID: 1151
           Summary: one heap-use-after-free in h264_slice_init in h264_slice.c
           Product: Libav
           Version: 12
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 736
  --> https://bugzilla.libav.org/attachment.cgi?id=736&action=edit
poc to trigger the bug

There exists one heap-use-after-free in h264_slice_init in h264_slice.c in
libav 12.3, which could cause a denial-of-service via a crafted file.

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i $poc -f null -

==67675==ERROR: AddressSanitizer: heap-use-after-free on address 0x6340001a0820 at pc 0x000001d35b41 bp 0x7f1bf3cc2810 sp 0x7f1bf3cc2808
READ of size 4 at 0x6340001a0820 thread T1
Error while decoding stream #0:0
    Last message repeated 3 times
Video encoding failed
    #0 0x1d35b40 in h264_slice_init /home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:1758
    #1 0x1d35b40 in ff_h264_queue_decode_slice /home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:1912
    #2 0xc9f2ab in decode_nal_units /home/s2e/Desktop/libav-12.3/libavcodec/h264dec.c:575
    #3 0xc9f2ab in h264_decode_frame /home/s2e/Desktop/libav-12.3/libavcodec/h264dec.c:744
    #4 0x13e64e3 in frame_worker_thread /home/s2e/Desktop/libav-12.3/libavcodec/pthread_frame.c:145
    #5 0x7f1bf6d6c6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #6 0x7f1bf648041c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6340001a0820 is located 32 bytes inside of 123656-byte region [0x6340001a0800,0x6340001beb08)
freed by thread T0 here:
    #0 0x4bb310 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o
    #1 0x23cf4ad in av_buffer_unref /home/s2e/Desktop/libav-12.3/libavutil/buffer.c:116
    #2 0x1d23519 in ff_h264_update_thread_context /home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:349

previously allocated by thread T1 here:
    #0 0x4bbd70 in __interceptor_posix_memalign (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bbd70)
    #1 0x2404635 in av_malloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:81
    #2 0x23cedb6 in av_buffer_alloc /home/s2e/Desktop/libav-12.3/libavutil/buffer.c:71
    #3 0x23cf14d in av_buffer_allocz /home/s2e/Desktop/libav-12.3/libavutil/buffer.c:84

Thread T1 created by T0 here:
    #0 0x42d8a9 in __interceptor_pthread_create (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x42d8a9)
    #1 0x13e5677 in ff_frame_thread_init /home/s2e/Desktop/libav-12.3/libavcodec/pthread_frame.c:651
    #2 0x20de571 in ff_thread_init /home/s2e/Desktop/libav-12.3/libavcodec/pthread.c:77
    #3 0x524004 in init_input_stream /home/s2e/Desktop/libav-12.3/avconv.c:1706
    #4 0x524004 in transcode_init /home/s2e/Desktop/libav-12.3/avconv.c:2146
    #5 0x524004 in transcode /home/s2e/Desktop/libav-12.3/avconv.c:2709
    #6 0x524004 in main /home/s2e/Desktop/libav-12.3/avconv.c:2905
    #7 0x7f1bf639982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:1758 in h264_slice_init
Shadow bytes around the buggy address:
==67675==ABORTING
