<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - There is an illegal address access in bitstream.c of the libav library."
   href="https://bugzilla.libav.org/show_bug.cgi?id=1073">1073</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>There is an illegal address access in bitstream.c of the libav library.
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>X86
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>v.owl337@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=673" name="attach_673" title="Triggered by  "./avconv -i $POC -f null"">attachment 673</a> <a href="attachment.cgi?id=673&action=edit" title="Triggered by  "./avconv -i $POC -f null"">[details]</a></span>
Triggered by "./avconv -i $POC -f null"

$ ./avconv -i POC -f null
avconv version 13_dev0, Copyright (c) 2000-2017 the Libav developers
  built on Jul 23 2017 22:21:15 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
Trailing options were found on the commandline.
[NULL @ 0x2f30560] [IMGUTILS @ 0x7ffdd5a2f1a0] Picture size 0x0 is invalid
[NULL @ 0x2f30560] ignoring invalid width/height values
[NULL @ 0x2f30560] [IMGUTILS @ 0x7ffdd5a2f1a0] Picture size 0x0 is invalid
Tree size exceeded!
Segmentation fault (core dumped)


ASAN output:

$ ./avconv -i POC -f null

avconv version 12.1, Copyright (c) 2000-2017 the Libav developers
  built on Jun 22 2017 03:56:34 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
Trailing options were found on the commandline.
[NULL @ 0x619000000a80] [IMGUTILS @ 0x7ffca3c20540] Picture size 0x0 is invalid
[NULL @ 0x619000000a80] ignoring invalid width/height values
[NULL @ 0x619000000a80] [IMGUTILS @ 0x7ffca3c20540] Picture size 0x0 is invalid
Tree size exceeded!
ASAN:DEADLYSIGNAL
=================================================================
==31159==ERROR: AddressSanitizer: SEGV on unknown address 0x62f001487cc2 (pc
0x000000a27a3d bp 0x61d000014168 sp 0x7ffca3c1ffb0 T0)
    #0 0xa27a3c  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa27a3c)
    #1 0xa27c75  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa27c75)
    #2 0xa26e30  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa26e30)
    #3 0x15492ea  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x15492ea)
    #4 0x153ee1c  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x153ee1c)
    #5 0x1635af8  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x1635af8)
    #6 0x8eeab4  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x8eeab4)
    #7 0x8e8988  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x8e8988)
    #8 0x4fda46  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x4fda46)
    #9 0x4fc626  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x4fc626)
    #10 0x4fbe7c  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x4fbe7c)
    #11 0x5226f2  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x5226f2)
    #12 0x7fe02c41782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41a318  (/home/icy/real/libav-12.1-asan/install/bin/avconv+0x41a318)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
(/home/icy/real/libav-12.1-asan/install/bin/avconv+0xa27a3c) 
==31159==ABORTING


The GDB debugging information is as follows:

$ gdb ./avconv

(gdb) set args -i POC -f null
(gdb) r 
...

Breakpoint 1, build_table (vlc=vlc@entry=0x1086440 <spectral_coeff_tab>,
table_nb_bits=table_nb_bits@entry=9, 
    nb_codes=nb_codes@entry=9, codes=codes@entry=0x1677040,
flags=flags@entry=4) at libavcodec/bitstream.c:197
197                    if (table[j][1] /*bits*/ != 0) {
(gdb) c 9903
Will ignore next 9902 crossings of breakpoint 1.  Continuing.
avconv version 13_dev0, Copyright (c) 2000-2017 the Libav developers
  built on Jul 23 2017 22:21:15 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
Trailing options were found on the commandline.
[NULL @ 0x1683560] [IMGUTILS @ 0x7fffffffd3b0] Picture size 0x0 is invalid
[NULL @ 0x1683560] ignoring invalid width/height values
[NULL @ 0x1683560] [IMGUTILS @ 0x7fffffffd3b0] Picture size 0x0 is invalid
Tree size exceeded!

Breakpoint 1, build_table (vlc=vlc@entry=0x7fffffffd2d8, table_nb_bits=9,
nb_codes=150, codes=<optimized out>, 
    flags=flags@entry=2) at libavcodec/bitstream.c:197
197                    if (table[j][1] /*bits*/ != 0) {
(gdb) i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x000000000059847d in build_table at
libavcodec/bitstream.c:197
    breakpoint already hit 9904 times
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0000000000598484 in build_table (vlc=vlc@entry=0x7fffffffd2d8,
table_nb_bits=9, nb_codes=150, 
    codes=<optimized out>, flags=flags@entry=2) at libavcodec/bitstream.c:197
197                    if (table[j][1] /*bits*/ != 0) {
(gdb) bt
#0  0x0000000000598484 in build_table (vlc=vlc@entry=0x7fffffffd2d8,
table_nb_bits=9, nb_codes=150, 
    codes=<optimized out>, flags=flags@entry=2) at libavcodec/bitstream.c:197
#1  0x000000000059861f in build_table (vlc=vlc@entry=0x7fffffffd2d8,
table_nb_bits=table_nb_bits@entry=9, 
    nb_codes=nb_codes@entry=255, codes=codes@entry=0x169cdc0,
flags=flags@entry=2)
    at libavcodec/bitstream.c:228
#2  0x0000000000598e24 in ff_init_vlc_sparse (vlc=vlc@entry=0x7fffffffd2d8,
nb_bits=nb_bits@entry=9, 
    nb_codes=255, bits=<optimized out>, bits_wrap=bits_wrap@entry=4,
bits_size=bits_size@entry=4, 
    codes=0x169c0a0, codes_wrap=4, codes_size=4, symbols=0x0, symbols_wrap=0,
symbols_size=0, flags=2)
    at libavcodec/bitstream.c:319
#3  0x00000000004232e5 in smacker_decode_header_tree
(bc=bc@entry=0x7fffffffd380, 
    recodes=recodes@entry=0x169b0b0, last=last@entry=0x169b0d0, size=25776,
smk=0x169b0a0)
    at libavcodec/smacker.c:228
#4  0x0000000000423718 in decode_header_trees (smk=0x169b0a0) at
libavcodec/smacker.c:316
#5  decode_init (avctx=0x1683560) at libavcodec/smacker.c:574
#6  0x0000000000835782 in avcodec_open2 (avctx=avctx@entry=0x1683560, 
    codec=codec@entry=0x107c180 <ff_smacker_decoder>,
options=options@entry=0x1686ac0)
    at libavcodec/utils.c:643
#7  0x000000000054b7ed in try_decode_frame (st=st@entry=0x1682d60,
avpkt=avpkt@entry=0x7fffffffd550, 
    options=0x1686ac0, s=0x1677060) at libavformat/utils.c:1926
#8  0x000000000054fc31 in avformat_find_stream_info (ic=0x1677060,
options=0x1686ac0)
---Type <return> to continue, or q <return> to quit---
    at libavformat/utils.c:2459
#9  0x000000000044f526 in open_input_file (o=o@entry=0x7fffffffd9b0,
filename=<optimized out>)
    at avtools/avconv_opt.c:822
#10 0x000000000045153a in open_files (l=0x1677898, l=0x1677898,
open_file=0x44f240 <open_input_file>, 
    inout=0xb9d43c "input") at avtools/avconv_opt.c:2468
#11 avconv_parse_options (argc=argc@entry=5, argv=argv@entry=0x7fffffffe4d8) at
avtools/avconv_opt.c:2505
#12 0x0000000000449774 in main (argc=5, argv=0x7fffffffe4d8) at
avtools/avconv.c:2916

The vulnerability was triggered in function build_table() at
libavcodec/bitstream.c:197

160 static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
161                        VLCcode *codes, int flags)
162 {
...
179 
180     /* first pass: map codes and compute auxiliary table sizes */
181     for (i = 0; i < nb_codes; i++) {
182         n      = codes[i].bits;
183         code   = codes[i].code;
184         symbol = codes[i].symbol;
185         ff_dlog(NULL, "i=%d n=%d code=0x%"PRIx32"\n", i, n, code);
186         if (n <= table_nb_bits) {
187             /* no need to add another table */
188             j = code >> (32 - table_nb_bits);
189             nb = 1 << (table_nb_bits - n);
190             inc = 1;
191             if (flags & INIT_VLC_LE) {
192                 j = bitswap_32(code);
193                 inc = 1 << n;
194             }
195             for (k = 0; k < nb; k++) {
196                 ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
197                 if (table[j][1] /*bits*/ != 0) {
198                     av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
199                     return AVERROR_INVALIDDATA;
200                 }
201                 table[j][1] = n; //bits
202                 table[j][0] = symbol;
203                 j += inc;
204             }
...


Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact <a href="mailto:ganshuitao@gmail.com">ganshuitao@gmail.com</a> and <a href="mailto:chaoz@tsinghua.edu.cn">chaoz@tsinghua.edu.cn</a> if you need
more info about the team, the tool or the vulnerability.</pre>
        </div>
      </p>
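The first-pass loop in build_table() quoted in the report computes the table index j from each code and reads table[j][1] without checking that j lies inside the 1 &lt;&lt; table_nb_bits entries, and the SIGSEGV in the backtrace is at exactly that read. The C below is an added example, not libav code: it reimplements that loop stand-alone with a bound on j, assuming the report's layout (INIT_VLC_LE codes stored bit-reversed as libav's bitswap_32() does, codes longer than the table skipped, and TABLE_BITS fixed at 9, the table_nb_bits value in the backtrace), and feeds it a constructed 3-bit code whose value does not fit in 3 bits to show the out-of-range walk being rejected instead of read.

```c
#include <stdint.h>
#include <string.h>
#define INIT_VLC_LE 2
#define TABLE_BITS  9
#define TABLE_SIZE  (1u << TABLE_BITS)
typedef struct { uint32_t code; int bits; int symbol; } VLCcode;

/* Bit-reverse a 32-bit word, as libav's bitswap_32() does for LE codes. */
static uint32_t bitswap_32(uint32_t x)
{
    uint32_t r = 0;
    for (int i = 0; i < 32; i++, x >>= 1)
        r = (r << 1) | (x & 1);
    return r;
}

/* First-pass mapping from the report (codes of at most TABLE_BITS bits) with
 * one added check on j. Returns 0, or -1 on a bad index or duplicate code. */
static int map_codes(int16_t table[][2], int nb_codes, const VLCcode *codes,
                     int flags)
{
    memset(table, 0, sizeof(int16_t) * 2 * TABLE_SIZE);
    for (int i = 0; i < nb_codes; i++) {
        int n = codes[i].bits;
        if (n <= 0 || n > TABLE_BITS)
            continue;                         /* subtable case not modelled */
        uint32_t j   = codes[i].code >> (32 - TABLE_BITS);
        uint32_t nb  = 1u << (TABLE_BITS - n);
        uint32_t inc = 1;
        if (flags & INIT_VLC_LE) {
            j   = bitswap_32(codes[i].code);  /* back to the original code */
            inc = 1u << n;
        }
        for (uint32_t k = 0; k < nb; k++, j += inc) {
            if (j >= TABLE_SIZE)              /* added: index left the table */
                return -1;
            if (table[j][1] != 0)             /* "incorrect codes" in the report */
                return -1;
            table[j][1] = (int16_t)n;
            table[j][0] = (int16_t)codes[i].symbol;
        }
    }
    return 0;
}

/* Constructed LE input, one 3-bit code: 5 fits and walks 5, 13, ..., 509;
 * 11 does not fit in 3 bits, so its walk (11, 19, ..., 515) leaves the table. */
static int demo_le_code(uint32_t code)
{
    int16_t table[TABLE_SIZE][2];
    VLCcode c = { bitswap_32(code), 3, 1 };
    return map_codes(table, 1, &c, INIT_VLC_LE);
}
```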
    </body>
</html>