<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - heap buffer overflow in ff_h2645_extract_rbsp" href="https://bugzilla.libav.org/show_bug.cgi?id=971">971</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>heap buffer overflow in ff_h2645_extract_rbsp
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>libavformat
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>marco.gra@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=609" name="attach_609" title="reproducer">attachment 609</a> <a href="attachment.cgi?id=609&action=edit" title="reproducer">[details]</a></span>
reproducer

Hi,

the following sample will trigger a heap overflow in an ASan build using
avprobe; my test build was the current master. You can retrigger with ./avprobe
samplefile

avprobe version e4128c0, Copyright (c) 2007-2016 the Libav developers
  built on Oct  9 2016 20:58:24 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] overread end of atom 'stsd' by
4293525488 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61a00001f280] overread end of atom 'stco' by 5
bytes
[h264 @ 0x61900001ea80] Invalid crop parameters
[h264 @ 0x61900001ea80] QP 4294966899 out of range
[h264 @ 0x61900001ea80] decode_slice_header error
[h264 @ 0x61900001ea80] no frame!
[h264 @ 0x61900001ea80] Missing reference picture
[h264 @ 0x61900001ea80] decode_slice_header error
[h264 @ 0x61900001ea80] illegal modification_of_pic_nums_idc 32
[h264 @ 0x61900001ea80] decode_slice_header error
[h264 @ 0x61900001ea80] no frame!
[h264 @ 0x61900001ea80] illegal modification_of_pic_nums_idc 32
[h264 @ 0x61900001ea80] decode_slice_header error
[h264 @ 0x61900001ea80] no frame!
[h264 @ 0x61900001ea80] Missing reference picture
[h264 @ 0x61900001ea80] Missing reference picture
[h264 @ 0x61900001ea80] illegal short term buffer state detected
=================================================================
==23780==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000def8 at pc 0x000001bec60d bp 0x7fffc0750840 sp 0x7fffc0750838
READ of size 8 at 0x60400000def8 thread T0
    #0 0x1bec60c in ff_h2645_extract_rbsp
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1bec60c)
    #1 0x1bed0e7 in ff_h2645_packet_split
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1bed0e7)
    #2 0xbe9798 in decode_nal_units
/home/bob/VulnResearch/misc/libav_asan/libavcodec/h264dec.c:528:11
    #3 0xbe9798 in h264_decode_frame
/home/bob/VulnResearch/misc/libav_asan/libavcodec/h264dec.c:742
    #4 0x15e6fc7 in avcodec_decode_video2
/home/bob/VulnResearch/misc/libav_asan/libavcodec/utils.c:1588:19
    #5 0x15e9b2b in do_decode
/home/bob/VulnResearch/misc/libav_asan/libavcodec/utils.c:1727:15
    #6 0x15e9786 in avcodec_send_packet
/home/bob/VulnResearch/misc/libav_asan/libavcodec/utils.c:1804:12
    #7 0x83efb9 in try_decode_frame
/home/bob/VulnResearch/misc/libav_asan/libavformat/utils.c:1950:19
    #8 0x838728 in avformat_find_stream_info
/home/bob/VulnResearch/misc/libav_asan/libavformat/utils.c:2356:9
    #9 0x4fc22d in open_input_file
/home/bob/VulnResearch/misc/libav_asan/avprobe.c:808:16
    #10 0x4fc22d in probe_file
/home/bob/VulnResearch/misc/libav_asan/avprobe.c:886
    #11 0x4fc22d in main /home/bob/VulnResearch/misc/libav_asan/avprobe.c:1087
    #12 0x7f4d14aa382f in __libc_start_main
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x41a7a8 in _start
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x41a7a8)

0x60400000deff is located 0 bytes to the right of 47-byte region
[0x60400000ded0,0x60400000deff)
allocated by thread T0 here:
    #0 0x4bac58 in realloc
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x4bac58)
    #1 0x236703d in av_realloc
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x236703d)
    #2 0x94e097 in packet_alloc
/home/bob/VulnResearch/misc/libav_asan/libavcodec/avpacket.c:75:11
    #3 0x94e097 in av_new_packet
/home/bob/VulnResearch/misc/libav_asan/libavcodec/avpacket.c:87
    #4 0x94e097 in av_grow_packet
/home/bob/VulnResearch/misc/libav_asan/libavcodec/avpacket.c:112
    #5 0x826aed in append_packet_chunked
/home/bob/VulnResearch/misc/libav_asan/libavformat/utils.c:98:15

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/bob/VulnResearch/misc/libav_asan/avprobe+0x1bec60c) in
ff_h2645_extract_rbsp
Shadow bytes around the buggy address:
  0x0c087fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00[07]
  0x0c087fff9be0: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 01 fa
  0x0c087fff9bf0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23780==ABORTING</pre>
        </div>
      </p>
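      <p>The trace above shows an 8-byte read that runs one byte past the end of a 47-byte packet buffer inside ff_h2645_extract_rbsp, the routine that strips emulation-prevention bytes from H.264/HEVC NAL units before the slice headers are parsed. The report does not state the root cause. The following is an added illustration written for this page, not Libav's code: a bounds-checked, byte-at-a-time version of that stripping step, together with a self-test showing how it behaves on an escaped sequence that sits at the very end of the buffer, on a truncated NAL and on an undersized output buffer. The function names and the sample NAL bytes are constructed for this example.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked removal of emulation-prevention bytes from one NAL unit.
 * H.264/HEVC encoders insert 0x03 after every 0x00 0x00 inside a NAL unit
 * so the payload never contains a start code; extracting the RBSP means
 * dropping that 0x03 again. Every access to src is guarded by len, so a
 * truncated or hand-crafted NAL cannot drive a read past the end of the
 * packet buffer. Returns the number of bytes written to dst, or (size_t)-1
 * when dst_cap is too small. Illustrative routine written for this page;
 * it is not Libav's ff_h2645_extract_rbsp. */
size_t rbsp_extract(const uint8_t *src, size_t len, uint8_t *dst, size_t dst_cap)
{
    size_t out = 0;
    size_t zeros = 0;   /* consecutive 0x00 bytes written so far */

    for (size_t i = 0; i < len; i++) {
        uint8_t b = src[i];
        if (zeros >= 2 && b == 0x03) {
            /* 00 00 03: this 0x03 is an emulation_prevention_three_byte */
            zeros = 0;
            continue;
        }
        if (out >= dst_cap)
            return (size_t)-1;   /* never write past the destination */
        dst[out++] = b;
        zeros = (b == 0x00) ? zeros + 1 : 0;
    }
    return out;
}

/* Runs the routine over constructed inputs (not bytes from the bug's sample
 * file) and returns 1 when every case behaves as expected, 0 otherwise. */
int rbsp_selftest(void)
{
    /* SPS-like NAL carrying two escaped sequences, the second one at the
     * very end of the buffer, where an unchecked lookahead would read
     * past the allocation */
    static const uint8_t nal[]  = {0x67, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00, 0x03};
    static const uint8_t want[] = {0x67, 0x00, 0x00, 0x01, 0x00, 0x00};
    static const uint8_t trunc[] = {0x00, 0x00};
    uint8_t dst[16];
    size_t n;

    n = rbsp_extract(nal, sizeof nal, dst, sizeof dst);
    if (n != sizeof want || memcmp(dst, want, n) != 0)
        return 0;

    /* truncated NAL: two zeros with nothing after them are copied as-is */
    n = rbsp_extract(trunc, sizeof trunc, dst, sizeof dst);
    if (n != 2 || dst[0] != 0x00 || dst[1] != 0x00)
        return 0;

    /* an undersized destination is reported, not overrun */
    if (rbsp_extract(nal, sizeof nal, dst, 3) != (size_t)-1)
        return 0;

    return 1;
}

int main(void)
{
    int ok = rbsp_selftest();
    printf("rbsp_extract self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

<p>The point of the self-test is the last escaped sequence: a scanner that peeks at the byte after a 00 00 03 without first comparing its index against the buffer length reads past the allocation exactly when the escape ends the NAL, which is the class of off-the-end read ASan flags in the trace. Checking indices against the length on every access, and returning an error instead of writing when the destination is full, keeps the routine inside both buffers whatever the input looks like.</p>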
    </body>
</html>