[libav-bugs] [Bug 1155] New: heap-buffer-overflow in vc1_decode_p_mb_intfi in vc1_block.c

bugzilla at libav.org bugzilla at libav.org
Tue Mar 26 03:36:28 CET 2019


https://bugzilla.libav.org/show_bug.cgi?id=1155

            Bug ID: 1155
           Summary: heap-buffer-overflow in vc1_decode_p_mb_intfi in
                    vc1_block.c
           Product: Libav
           Version: 12
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: 92wyunchao at gmail.com

Created attachment 740
  --> https://bugzilla.libav.org/attachment.cgi?id=740&action=edit
poc to reproduce the bug

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i $POC -f null -

==77337==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000041b4 at pc 0x00000171b397 bp 0x7ffca1cf7230 sp 0x7ffca1cf7228
WRITE of size 4 at 0x6160000041b4 thread T0
    #0 0x171b396 in vc1_decode_p_mb_intfi /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:1861
    #1 0x171b396 in vc1_decode_p_blocks /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:2899
    #2 0x16e8cab in ff_vc1_decode_blocks /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:3049
    #3 0x178813b in vc1_decode_frame /home/s2e/Desktop/libav-12.3/libavcodec/vc1dec.c:890
    #4 0x169bb87 in avcodec_decode_video2 /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1588
    #5 0x169e6eb in do_decode /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1727
    #6 0x169e346 in avcodec_send_packet /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1804
    #7 0x5335d1 in decode /home/s2e/Desktop/libav-12.3/avconv.c:1295
    #8 0x5335d1 in decode_video /home/s2e/Desktop/libav-12.3/avconv.c:1395
    #9 0x5335d1 in process_input_packet /home/s2e/Desktop/libav-12.3/avconv.c:1514
    #10 0x528f8d in process_input /home/s2e/Desktop/libav-12.3/avconv.c:2690
    #11 0x528f8d in transcode /home/s2e/Desktop/libav-12.3/avconv.c:2732
    #12 0x528f8d in main /home/s2e/Desktop/libav-12.3/avconv.c:2905
    #13 0x7f44d48d382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41b368 in _start (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x41b368)

0x6160000041b4 is located 0 bytes to the right of 564-byte region [0x616000003f80,0x6160000041b4)
allocated by thread T0 here:
    #0 0x4bbd70 in __interceptor_posix_memalign (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bbd70)
    #1 0x2404635 in av_malloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:81
    #2 0x23cedb6 in av_buffer_alloc /home/s2e/Desktop/libav-12.3/libavutil/buffer.c:71
    #3 0x23cf7dc in av_buffer_make_writable /home/s2e/Desktop/libav-12.3/libavutil/buffer.c:136
    #4 0x12386b1 in make_tables_writable /home/s2e/Desktop/libav-12.3/libavcodec/mpegpicture.c:46
    #5 0x12386b1 in ff_alloc_picture /home/s2e/Desktop/libav-12.3/libavcodec/mpegpicture.c:237

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/s2e/Desktop/libav-12.3/libavcodec/vc1_block.c:1861 in vc1_decode_p_mb_intfi
Shadow bytes around the buggy address:
  0x0c2c7fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff8830: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==77337==ABORTING
