<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - one heap-use-after-free in h264_slice_init in h264_slice.c"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1151">1151</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>one heap-use-after-free in h264_slice_init in h264_slice.c
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>12
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>libavcodec
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>92wyunchao@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=736" name="attach_736" title="poc to trigger the bug">attachment 736</a> <a href="attachment.cgi?id=736&action=edit" title="poc to trigger the bug">[details]</a></span>
poc to trigger the bug

There exists one heap-use-after-free in h264_slice_init in h264_slice.c in
libav 12.3, which could cause a denial-of-service via a crafted file.

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i $poc -f null -

==67675==ERROR: AddressSanitizer: heap-use-after-free on address 0x6340001a0820
at pc 0x000001d35b41 bp 0x7f1bf3cc2810 sp 0x7f1bf3cc2808
READ of size 4 at 0x6340001a0820 thread T1
Error while decoding stream #0:0
    Last message repeated 3 times
Video encoding failed
    #0 0x1d35b40 in h264_slice_init
/home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:1758
    #1 0x1d35b40 in ff_h264_queue_decode_slice
/home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:1912
    #2 0xc9f2ab in decode_nal_units
/home/s2e/Desktop/libav-12.3/libavcodec/h264dec.c:575
    #3 0xc9f2ab in h264_decode_frame
/home/s2e/Desktop/libav-12.3/libavcodec/h264dec.c:744
    #4 0x13e64e3 in frame_worker_thread
/home/s2e/Desktop/libav-12.3/libavcodec/pthread_frame.c:145
    #5 0x7f1bf6d6c6b9 in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #6 0x7f1bf648041c in clone
/build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6340001a0820 is located 32 bytes inside of 123656-byte region
[0x6340001a0800,0x6340001beb08)
freed by thread T0 here:
    #0 0x4bb310 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o
    #1 0x23cf4ad in av_buffer_unref
/home/s2e/Desktop/libav-12.3/libavutil/buffer.c:116
    #2 0x1d23519 in ff_h264_update_thread_context
/home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:349

previously allocated by thread T1 here:
    #0 0x4bbd70 in __interceptor_posix_memalign
(/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bbd70)
    #1 0x2404635 in av_malloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:81
    #2 0x23cedb6 in av_buffer_alloc
/home/s2e/Desktop/libav-12.3/libavutil/buffer.c:71
    #3 0x23cf14d in av_buffer_allocz
/home/s2e/Desktop/libav-12.3/libavutil/buffer.c:84

Thread T1 created by T0 here:
    #0 0x42d8a9 in __interceptor_pthread_create
(/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x42d8a9)
    #1 0x13e5677 in ff_frame_thread_init
/home/s2e/Desktop/libav-12.3/libavcodec/pthread_frame.c:651
    #2 0x20de571 in ff_thread_init
/home/s2e/Desktop/libav-12.3/libavcodec/pthread.c:77
    #3 0x524004 in init_input_stream /home/s2e/Desktop/libav-12.3/avconv.c:1706
    #4 0x524004 in transcode_init /home/s2e/Desktop/libav-12.3/avconv.c:2146
    #5 0x524004 in transcode /home/s2e/Desktop/libav-12.3/avconv.c:2709
    #6 0x524004 in main /home/s2e/Desktop/libav-12.3/avconv.c:2905
    #7 0x7f1bf639982f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free
/home/s2e/Desktop/libav-12.3/libavcodec/h264_slice.c:1758 in h264_slice_init
==67675==ABORTING</pre>
        </div>
      </p>
    </body>
</html>