[libav-bugs] [Bug 1152] New: heap-buffer-overflow in vc1_decode_b_mb_intfi in vc1_block.c

bugzilla at libav.org bugzilla at libav.org
Tue Mar 26 03:06:25 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1152

            Bug ID: 1152
           Summary: heap-buffer-overflow in vc1_decode_b_mb_intfi in vc1_block.c
           Product: Libav
           Version: 12
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 737
  --> https://bugzilla.libav.org/attachment.cgi?id=737&action=edit
poc to trigger the bug

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i $poc -f null -

==77147==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fe6a at pc 0x00000172f868 bp 0x7fff0c87e550 sp 0x7fff0c87e548
WRITE of size 2 at 0x61500000fe6a thread T0
    #0 0x172f867 in vc1_decode_b_mb_intfi /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:2214
    #1 0x172f867 in vc1_decode_b_blocks /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:2971
    #2 0x16e8cd4 in ff_vc1_decode_blocks /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:3058
    #3 0x178813b in vc1_decode_frame /home/s2e/Desktop/libav-12.3/libavcodec/vc1dec.c:890
    #4 0x169bb87 in avcodec_decode_video2 /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1588
    #5 0x169e6eb in do_decode /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1727
    #6 0x169e346 in avcodec_send_packet /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1804
    #7 0x5335d1 in decode /home/s2e/Desktop/libav-12.3/avconv.c:1295
    #8 0x5335d1 in decode_video /home/s2e/Desktop/libav-12.3/avconv.c:1395
    #9 0x5335d1 in process_input_packet /home/s2e/Desktop/libav-12.3/avconv.c:1514
    #10 0x528f8d in process_input /home/s2e/Desktop/libav-12.3/avconv.c:2690
    #11 0x528f8d in transcode /home/s2e/Desktop/libav-12.3/avconv.c:2732
    #12 0x528f8d in main /home/s2e/Desktop/libav-12.3/avconv.c:2905
    #13 0x7f16d94e382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41b368 in _start (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x41b368)

0x61500000fe6a is located 0 bytes to the right of 426-byte region [0x61500000fcc0,0x61500000fe6a)
allocated by thread T0 here:
    #0 0x4bbd70 in __interceptor_posix_memalign (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bbd70)
    #1 0x2405110 in av_malloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:81
    #2 0x2405110 in av_mallocz /home/s2e/Desktop/libav-12.3/libavutil/mem.c:213
    #3 0x1243512 in init_context_frame /home/s2e/Desktop/libav-12.3/libavcodec/mpegvideo.c:737

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:2214 in vc1_decode_b_mb_intfi
==77147==ABORTING
