[libav-bugs] [Bug 1154] New: heap-use-after-free in vc1_decode_frame in vc1dec.c

bugzilla at libav.org bugzilla at libav.org
Tue Mar 26 03:25:55 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1154

            Bug ID: 1154
           Summary: heap-use-after-free in vc1_decode_frame in vc1dec.c
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 739
  --> https://bugzilla.libav.org/attachment.cgi?id=739&action=edit
poc to reproduce the bug

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i $poc -f null -

==77305==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000ae28 at pc 0x00000178f21f bp 0x7ffe0d645850 sp 0x7ffe0d645848
READ of size 4 at 0x60800000ae28 thread T0
    #0 0x178f21e in vc1_decode_frame /home/s2e/Desktop/libav-12.3/libavcodec/vc1dec.c:883
    #1 0x169bb87 in avcodec_decode_video2 /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1588
    #2 0x169e6eb in do_decode /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1727
    #3 0x169e346 in avcodec_send_packet /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1804
    #4 0x5335d1 in decode /home/s2e/Desktop/libav-12.3/avconv.c:1295
    #5 0x5335d1 in decode_video /home/s2e/Desktop/libav-12.3/avconv.c:1395
    #6 0x5335d1 in process_input_packet /home/s2e/Desktop/libav-12.3/avconv.c:1514
    #7 0x528f8d in process_input /home/s2e/Desktop/libav-12.3/avconv.c:2690
    #8 0x528f8d in transcode /home/s2e/Desktop/libav-12.3/avconv.c:2732
    #9 0x528f8d in main /home/s2e/Desktop/libav-12.3/avconv.c:2905
    #10 0x7f3c56a8082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x41b368 in _start (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x41b368)

0x60800000ae28 is located 8 bytes inside of 96-byte region [0x60800000ae20,0x60800000ae80)
freed by thread T0 here:
    #0 0x4bb818 in realloc (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bb818)
    #1 0x240476d in av_realloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:136
    #2 0x57172b in ff_default_query_formats /home/s2e/Desktop/libav-12.3/libavfilter/formats.c:401

previously allocated by thread T0 here:
    #0 0x4bb818 in realloc (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bb818)
    #1 0x240476d in av_realloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:136
    #2 0x57172b in ff_default_query_formats /home/s2e/Desktop/libav-12.3/libavfilter/formats.c:401

SUMMARY: AddressSanitizer: heap-use-after-free /home/s2e/Desktop/libav-12.3/libavcodec/vc1dec.c:883 in vc1_decode_frame
==77305==ABORTING
