<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Null pointer dereference in audio_fifo.c"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1089">1089</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Null pointer dereference in audio_fifo.c
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>X86
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>libavresample
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mgcho.minic@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=689" name="attach_689" title="audio_fifo crash poc">attachment 689</a> <a href="attachment.cgi?id=689&action=edit" title="audio_fifo crash poc">[details]</a></span>
audio_fifo crash poc

Triggered by "./avconv -i $POC -f null -", where $POC is the attached crash input. The GDB backtrace below shows av_audio_fifo_size() being entered with af=0x0, called from avresample_available() (libavresample/utils.c:750) via avresample_get_out_samples(); the faulting instruction at av_audio_fifo_size+25 loads from offset 8 of that NULL pointer, which matches the ASAN report of a SEGV on address 0x00000008. Because the fault is a read through a near-NULL pointer, the observable impact from this trace is a crash (denial of service) when avconv processes a crafted input; the output shown here gives no indication of memory corruption beyond that.

Configuration Information:

avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/
--toolchain=clang-asan



ASAN output:

$ ./avconv -i POC -f null -

==16435==ERROR: AddressSanitizer: SEGV on unknown address 0x00000008 (pc
0x09bf5fe9 bp 0xbf9dbaa8 sp 0xbf9db970 T0)
    #0 0x9bf5fe8 in av_audio_fifo_size
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/audio_fifo.c:188:16
    #1 0x9adfd34 in avresample_available
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavresample/utils.c:750:12
    #2 0x9adfd34 in avresample_get_out_samples
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavresample/utils.c:764
    #3 0x8232e8b in filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/af_resample.c:233:22
    #4 0x81bf013 in ff_filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:804:12
    #5 0x81bf7cf in default_filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:744:12
    #6 0x81bf013 in ff_filter_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:804:12
    #7 0x81c9a8f in request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/buffersrc.c:407:11
    #8 0x81bc55b in ff_request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:269:16
    #9 0x8234397 in request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/af_resample.c:191:15
    #10 0x81bc55b in ff_request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:269:16
    #11 0x81ca68b in request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/fifo.c:234:20
    #12 0x81bc55b in ff_request_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/avfilter.c:269:16
    #13 0x81c63fe in av_buffersink_get_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavfilter/buffersink.c:69:16
    #14 0x8198c8a in poll_filter
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:699:15
    #15 0x8198c8a in poll_filters
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:793
    #16 0x81945eb in transcode
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2720:15
    #17 0x81945eb in main
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2888
    #18 0xb74eb636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x8089f47 in _start
(/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavutil/audio_fifo.c:188:16 in
av_audio_fifo_size



The GDB debugging information is as follows:

(gdb) bt
#0  0x09bf5fe9 in av_audio_fifo_size (af=0x0) at libavutil/audio_fifo.c:188
#1  0x09adfd35 in avresample_available (avr=<optimized out>) at
libavresample/utils.c:750
#2  avresample_get_out_samples (avr=<optimized out>, in_nb_samples=<optimized
out>) at libavresample/utils.c:764
#3  0x08232e8c in filter_frame (inlink=0x9c1ff10 <av_log>, in=<optimized out>)
at libavfilter/af_resample.c:233
#4  0x081bf014 in ff_filter_frame (link=<optimized out>, frame=<optimized out>)
at libavfilter/avfilter.c:804
#5  0x081bf7d0 in default_filter_frame (link=0xb6006b00, frame=0x0) at
libavfilter/avfilter.c:744
#6  0x081bf014 in ff_filter_frame (link=<optimized out>, frame=<optimized out>)
at libavfilter/avfilter.c:804
#7  0x081c9a90 in request_frame (link=<optimized out>) at
libavfilter/buffersrc.c:407
#8  0x081bc55c in ff_request_frame (link=0xb6006b00) at
libavfilter/avfilter.c:269
#9  0x08234398 in request_frame (outlink=<optimized out>) at
libavfilter/af_resample.c:191
#10 0x081bc55c in ff_request_frame (link=0xb60065c0) at
libavfilter/avfilter.c:269
#11 0x081ca68c in request_frame (outlink=0xb60066a0) at libavfilter/fifo.c:234
#12 0x081bc55c in ff_request_frame (link=0xb60066a0) at
libavfilter/avfilter.c:269
#13 0x081c63ff in av_buffersink_get_frame (ctx=<optimized out>, frame=0x8) at
libavfilter/buffersink.c:69
#14 0x08198c8b in poll_filter (ost=0xb5e097c0) at avconv.c:699
#15 poll_filters () at avconv.c:793
#16 0x081945ec in transcode () at avconv.c:2720
#17 main (argc=<optimized out>, argv=<optimized out>) at avconv.c:2888






(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x9bf5fc9 to 0x9bf6009:
   0x09bf5fc9:    pop    %ds
   0x09bf5fca:    test   %al,(%eax)
   0x09bf5fcc:    add    %al,(%eax)
   0x09bf5fce:    add    %al,(%eax)
   0x09bf5fd0 <av_audio_fifo_size+0>:    sub    $0xc,%esp
   0x09bf5fd3 <av_audio_fifo_size+3>:    mov    0x10(%esp),%eax
   0x09bf5fd7 <av_audio_fifo_size+7>:    add    $0x8,%eax
   0x09bf5fda <av_audio_fifo_size+10>:    mov    %eax,%ecx
   0x09bf5fdc <av_audio_fifo_size+12>:    shr    $0x3,%ecx
   0x09bf5fdf <av_audio_fifo_size+15>:    mov    0x20000000(%ecx),%cl
   0x09bf5fe5 <av_audio_fifo_size+21>:    test   %cl,%cl
   0x09bf5fe7 <av_audio_fifo_size+23>:    jne    0x9bf5fef
<av_audio_fifo_size+31>
=> 0x09bf5fe9 <av_audio_fifo_size+25>:    mov    (%eax),%eax
   0x09bf5feb <av_audio_fifo_size+27>:    add    $0xc,%esp
   0x09bf5fee <av_audio_fifo_size+30>:    ret    
   0x09bf5fef <av_audio_fifo_size+31>:    mov    %eax,%edx
   0x09bf5ff1 <av_audio_fifo_size+33>:    and    $0x7,%edx
   0x09bf5ff4 <av_audio_fifo_size+36>:    add    $0x3,%edx
   0x09bf5ff7 <av_audio_fifo_size+39>:    movsbl %cl,%ecx
   0x09bf5ffa <av_audio_fifo_size+42>:    cmp    %ecx,%edx
   0x09bf5ffc <av_audio_fifo_size+44>:    jl     0x9bf5fe9
<av_audio_fifo_size+25>
   0x09bf5ffe <av_audio_fifo_size+46>:    mov    %eax,(%esp)
   0x09bf6001 <av_audio_fifo_size+49>:    call   0x81386b0
<__asan_report_load4>
   0x09bf6006:    nopw   %cs:0x0(%eax,%eax,1)
End of assembler dump.



(gdb) info all-registers 
eax            0x8    8
ecx            0x0    0
edx            0xb5606304    -1251974396
ebx            0xb5606320    -1251974368
esp            0xbfffda70    0xbfffda70
ebp            0xbfffdba8    0xbfffdba8
esi            0x400    1024
edi            0x0    0
eip            0x9bf5fe9    0x9bf5fe9 <av_audio_fifo_size+25>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
st0            -inf    (raw 0xffff0000000000000000)
st1            -nan(0xffffffffffffffff)    (raw 0xffffffffffffffffffff)
st2            -nan(0xfff53251fff6c499)    (raw 0xfffffff53251fff6c499)
st3            -nan(0xfffc34e8fffcc228)    (raw 0xfffffffc34e8fffcc228)
st4            -nan(0x1000100010001)    (raw 0xffff0001000100010001)
st5            0    (raw 0x00000000000000000000)
st6            9.9999999999999994515327145420957165e-21    (raw
0x3fbcbce5086492111800)
st7            51199    (raw 0x400ec7ff000000000000)
fctrl          0x37f    895
fstat          0x420    1056
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x8193e7b    135872123
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0xff <repeats 16 times>, 0x0
<repeats 16 times>}, v16_int16 = {
---Type <return> to continue, or q <return> to quit---
    0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0xffffffffffffffff, 
    0xffffffffffffffff, 0x0, 0x0}, v2_int128 =
{0xffffffffffffffffffffffffffffffff, 
    0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0, 0x0, 0x0, 0x80, 0x80, 0xbb, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0xf, 0x0
<repeats 19 times>}, v16_int16 = {
    0x0, 0x8000, 0xbb80, 0x0, 0xffff, 0xffff, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int32 = {
    0x80000000, 0xbb80, 0xffffffff, 0xf, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xbb8080000000, 0xfffffffff, 0x0, 0x0}, 
  v2_int128 = {0x0000000fffffffff0000bb8080000000,
0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x40, 0x63, 0xa9, 0xb5, 0xa0, 0x62, 0xa9, 0xb5, 0x0, 0x62, 0xa9, 0xb5,
0x60, 0x61, 0xa9, 0xb5, 
    0x0 <repeats 16 times>}, v16_int16 = {0x6340, 0xb5a9, 0x62a0, 0xb5a9,
0x6200, 0xb5a9, 0x6160, 0xb5a9, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xb5a96340, 0xb5a962a0,
0xb5a96200, 0xb5a96160, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0xb5a962a0b5a96340, 0xb5a96160b5a96200, 0x0, 0x0},
v2_int128 = {
    0xb5a96160b5a96200b5a962a0b5a96340, 0x00000000000000000000000000000000}}
---Type <return> to continue, or q <return> to quit---
mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0xffffffffffffffff, v2_int32 = {0xffffffff,
0xffffffff}, v4_int16 = {0xffff, 0xffff, 
    0xffff, 0xffff}, v8_int8 = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff}}
mm2            {uint64 = 0xfff53251fff6c499, v2_int32 = {0xfff6c499,
0xfff53251}, v4_int16 = {0xc499, 0xfff6, 
    0x3251, 0xfff5}, v8_int8 = {0x99, 0xc4, 0xf6, 0xff, 0x51, 0x32, 0xf5,
0xff}}
mm3            {uint64 = 0xfffc34e8fffcc228, v2_int32 = {0xfffcc228,
0xfffc34e8}, v4_int16 = {0xc228, 0xfffc, 
    0x34e8, 0xfffc}, v8_int8 = {0x28, 0xc2, 0xfc, 0xff, 0xe8, 0x34, 0xfc,
0xff}}
mm4            {uint64 = 0x1000100010001, v2_int32 = {0x10001, 0x10001},
v4_int16 = {0x1, 0x1, 0x1, 0x1}, 
  v8_int8 = {0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0xbce5086492111800, v2_int32 = {0x92111800,
0xbce50864}, v4_int16 = {0x1800, 0x9211, 
    0x864, 0xbce5}, v8_int8 = {0x0, 0x18, 0x11, 0x92, 0x64, 0x8, 0xe5, 0xbc}}
mm7            {uint64 = 0xc7ff000000000000, v2_int32 = {0x0, 0xc7ff0000},
v4_int16 = {0x0, 0x0, 0x0, 0xc7ff}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xc7}}



Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
<a href="mailto:mgcho.minic@gmail.com">mgcho.minic@gmail.com</a> and <a href="mailto:taekyoung@yonsei.ac.kr">taekyoung@yonsei.ac.kr</a> if you need more information
about the vulnerability and the lab.</pre>
        </div>
      </p>
    </body>
</html>