FFmpeg - heap-buffer-overflow
Reported by
gy741....@gmail.com,
Dec 21 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393

Steps to reproduce the problem:

chrome
1. Download the .POC files.
2. google-chrome poc.mp4

FFmpeg
1. Download the .POC files.
2. Compile the source code with ASan.
3. ./ffmpeg -i PoC.mp4 -f null /dev/null

What is the expected behavior?

What went wrong?

=================== chrome log ===================
```
karas~$ google-chrome poc.mp4
tcmalloc: large alloc 1433264128 bytes == 0x2d5ad0bc3000 @
[1:6:1221/125147.328304:FATAL:memory_linux.cc(35)] Out of memory.
--2017-12-21 12:51:47--  https://clients2.google.com/cr/report
Resolving clients2.google.com (clients2.google.com)... 172.217.31.142, 2404:6800:4004:808::200e
Connecting to clients2.google.com (clients2.google.com)|172.217.31.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘/dev/fd/4’

Crash dump id: f6f872f9a71bf3c7
--2017-12-21 12:51:48--  https://clients2.google.com/cr/report
Resolving clients2.google.com (clients2.google.com)... 172.217.31.142, 2404:6800:4004:808::200e
Connecting to clients2.google.com (clients2.google.com)|172.217.31.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘/dev/fd/4’

Crash dump id: b38587b5753e6ffc
```

=================== FFmpeg log ===================
```
=================================================================
18692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000014480 at pc 0x000000867366 bp 0x7fffffffa840 sp 0x7fffffffa838
WRITE of size 1 at 0x619000014480 thread T0
    #0 0x867365 in transpose_block_8_c /home/karas/FFmpeg/libavfilter/vf_transpose.c:95:20
    #1 0x8661a9 in filter_slice /home/karas/FFmpeg/libavfilter/vf_transpose.c:318:13
    #2 0x5eda09 in default_execute /home/karas/FFmpeg/libavfilter/avfilter.c:689:17
    #3 0x8657a4 in filter_frame /home/karas/FFmpeg/libavfilter/vf_transpose.c:353:5
    #4 0x5f19fa in ff_filter_frame_framed /home/karas/FFmpeg/libavfilter/avfilter.c:1104:11
    #5 0x5f19fa in ff_filter_frame_to_filter /home/karas/FFmpeg/libavfilter/avfilter.c:1252
    #6 0x5f19fa in ff_filter_activate_default /home/karas/FFmpeg/libavfilter/avfilter.c:1301
    #7 0x5f19fa in ff_filter_activate /home/karas/FFmpeg/libavfilter/avfilter.c:1463
    #8 0x6076a6 in push_frame /home/karas/FFmpeg/libavfilter/buffersrc.c:181:15
    #9 0x6076a6 in av_buffersrc_add_frame_internal /home/karas/FFmpeg/libavfilter/buffersrc.c:255
    #10 0x606cf8 in av_buffersrc_add_frame_flags /home/karas/FFmpeg/libavfilter/buffersrc.c:164:16
    #11 0x57f583 in ifilter_send_frame /home/karas/FFmpeg/fftools/ffmpeg.c:2192:11
    #12 0x57f583 in send_frame_to_filters /home/karas/FFmpeg/fftools/ffmpeg.c:2271
    #13 0x569f59 in decode_video /home/karas/FFmpeg/fftools/ffmpeg.c:2472:11
    #14 0x569f59 in process_input_packet /home/karas/FFmpeg/fftools/ffmpeg.c:2626
    #15 0x55ed80 in process_input /home/karas/FFmpeg/fftools/ffmpeg.c:4463:5
    #16 0x55ed80 in transcode_step /home/karas/FFmpeg/fftools/ffmpeg.c:4583
    #17 0x55ed80 in transcode /home/karas/FFmpeg/fftools/ffmpeg.c:4637
    #18 0x5529b8 in main /home/karas/FFmpeg/fftools/ffmpeg.c:4843:9
    #19 0x7ffff667e3f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
    #20 0x41caf9 in _start (/home/karas/FFmpeg/ffmpeg+0x41caf9)

0x619000014480 is located 0 bytes to the right of 1024-byte region [0x619000014080,0x619000014480)
allocated by thread T0 here:
    #0 0x4db8c0 in __interceptor_posix_memalign (/home/karas/FFmpeg/ffmpeg+0x4db8c0)
    #1 0x355ad3a in av_malloc /home/karas/FFmpeg/libavutil/mem.c:87:9
    #2 0x351326a in av_buffer_alloc /home/karas/FFmpeg/libavutil/buffer.c:72:12
    #3 0x351326a in av_buffer_allocz /home/karas/FFmpeg/libavutil/buffer.c:85
    #4 0x35154da in pool_alloc_buffer /home/karas/FFmpeg/libavutil/buffer.c:313:26
    #5 0x35154da in av_buffer_pool_get /home/karas/FFmpeg/libavutil/buffer.c:349
    #6 0x63756a in ff_frame_pool_get /home/karas/FFmpeg/libavfilter/framepool.c:222:29
    #7 0x8cdb69 in ff_default_get_video_buffer /home/karas/FFmpeg/libavfilter/video.c:89:12
    #8 0x865597 in filter_frame /home/karas/FFmpeg/libavfilter/vf_transpose.c:338:11
    #9 0x5f19fa in ff_filter_frame_framed /home/karas/FFmpeg/libavfilter/avfilter.c:1104:11
    #10 0x5f19fa in ff_filter_frame_to_filter /home/karas/FFmpeg/libavfilter/avfilter.c:1252
    #11 0x5f19fa in ff_filter_activate_default /home/karas/FFmpeg/libavfilter/avfilter.c:1301
    #12 0x5f19fa in ff_filter_activate /home/karas/FFmpeg/libavfilter/avfilter.c:1463
    #13 0x6076a6 in push_frame /home/karas/FFmpeg/libavfilter/buffersrc.c:181:15
    #14 0x6076a6 in av_buffersrc_add_frame_internal /home/karas/FFmpeg/libavfilter/buffersrc.c:255
    #15 0x606cf8 in av_buffersrc_add_frame_flags /home/karas/FFmpeg/libavfilter/buffersrc.c:164:16
    #16 0x57f583 in ifilter_send_frame /home/karas/FFmpeg/fftools/ffmpeg.c:2192:11
    #17 0x57f583 in send_frame_to_filters /home/karas/FFmpeg/fftools/ffmpeg.c:2271
    #18 0x569f59 in decode_video /home/karas/FFmpeg/fftools/ffmpeg.c:2472:11
    #19 0x569f59 in process_input_packet /home/karas/FFmpeg/fftools/ffmpeg.c:2626
    #20 0x55ed80 in process_input /home/karas/FFmpeg/fftools/ffmpeg.c:4463:5
    #21 0x55ed80 in transcode_step /home/karas/FFmpeg/fftools/ffmpeg.c:4583
    #22 0x55ed80 in transcode /home/karas/FFmpeg/fftools/ffmpeg.c:4637
    #23 0x5529b8 in main /home/karas/FFmpeg/fftools/ffmpeg.c:4843:9
    #24 0x7ffff667e3f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/FFmpeg/libavfilter/vf_transpose.c:95:20 in transpose_block_8_c
Shadow bytes around the buggy address:
  0x0c327fffa840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fffa890:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18692==ABORTING
```

Did this work before? N/A

Chrome version: 51.0.2704.79 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 28.0 r0

Chrome Version: 63.0.3239.108 (Official Build) (64-bit)

Hello, I found a bug in FFmpeg. This has not yet been reported to FFmpeg. I ran PoC.mp4 in Chrome and saw a crash message. Is the FFmpeg bug within the scope of impact? Chromium's third_party includes FFmpeg.

Thanks.
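The two AddressSanitizer reports in this thread differ only in addresses, frame numbers and source line offsets, which is what makes de-duplicating such reports by hand tedious. The following is an added example, not code from the reporter, from FFmpeg or from Chromium: a small parser for the ASan report format that pulls out the fields a triager actually keys on (error kind, access type and size, faulting frame, allocation site, and the offset relative to the region ASan found next to the address) and derives a build-independent bucket key from the top symbolised frame. The sample input is an excerpt of the first FFmpeg report above with most frames trimmed and the leading `==` on the ERROR line restored; the class and function names are my own.

```python
# Parse AddressSanitizer reports into the fields used for crash triage (added example).
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: excerpt of the FFmpeg ASan report from the issue description
# (frames trimmed, leading "==" on the ERROR line restored).
SAMPLE_REPORT = """\
==18692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000014480 at pc 0x000000867366 bp 0x7fffffffa840 sp 0x7fffffffa838
WRITE of size 1 at 0x619000014480 thread T0
    #0 0x867365 in transpose_block_8_c /home/karas/FFmpeg/libavfilter/vf_transpose.c:95:20
    #1 0x8661a9 in filter_slice /home/karas/FFmpeg/libavfilter/vf_transpose.c:318:13
0x619000014480 is located 0 bytes to the right of 1024-byte region [0x619000014080,0x619000014480)
allocated by thread T0 here:
    #0 0x4db8c0 in __interceptor_posix_memalign (/home/karas/FFmpeg/ffmpeg+0x4db8c0)
    #1 0x355ad3a in av_malloc /home/karas/FFmpeg/libavutil/mem.c:87:9
    #8 0x865597 in filter_frame /home/karas/FFmpeg/libavfilter/vf_transpose.c:338:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/FFmpeg/libavfilter/vf_transpose.c:95:20 in transpose_block_8_c
"""

ERROR_RE = re.compile(r"^=*(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (.+)$")
LOCATED_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of "
                        r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
SRCLOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")  # path:line[:col]


@dataclass
class Frame:
    function: str
    location: str  # "path:line:col" or "(binary+offset)", exactly as ASan printed it

    def source(self) -> Optional[Tuple[str, int]]:
        """(file basename, line) when the frame was symbolised to source, else None."""
        m = SRCLOC_RE.match(self.location)
        return (m.group(1).rsplit("/", 1)[-1], int(m.group(2))) if m else None


@dataclass
class AsanReport:
    pid: int
    kind: str                       # e.g. "heap-buffer-overflow"
    address: int
    access: Optional[str] = None    # "READ" or "WRITE"
    size: Optional[int] = None
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region: Optional[Tuple[int, int]] = None  # [start, end) ASan related the address to
    region_size: Optional[int] = None
    offset: Optional[int] = None    # bytes outside the region, as reported
    side: Optional[str] = None      # "left" or "right"

    def consistent(self) -> bool:
        """Cross-check 'located N bytes to the left/right of [start,end)' against the bounds."""
        if self.region is None:
            return False
        start, end = self.region
        expected = end + self.offset if self.side == "right" else start - self.offset
        return end - start == self.region_size and self.address == expected

    def overrun_bytes(self) -> Optional[int]:
        """How far past the end of the region the access reaches (right-side overflows only)."""
        if self.side != "right" or self.size is None:
            return None
        return self.offset + self.size

    def bucket_key(self) -> str:
        """Build-independent key for de-duplicating reports: addresses change, frames do not."""
        top = self.crash_stack[0]
        src = top.source()
        loc = f"{src[0]}:{src[1]}" if src else top.location
        return f"{self.kind}:{self.access}:{top.function}:{loc}"


def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    target: Optional[List[Frame]] = None  # stack that the following "#N" lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            if m := ERROR_RE.match(line):
                report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
            continue
        if m := ACCESS_RE.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
            target = report.crash_stack
        elif (m := FRAME_RE.match(line)) and target is not None:
            target.append(Frame(m.group(1), m.group(2)))
        elif m := LOCATED_RE.match(line):
            report.offset, report.side = int(m.group(1)), m.group(2)
            report.region_size = int(m.group(3))
            report.region = (int(m.group(4), 16), int(m.group(5), 16))
            target = None
        elif line.startswith("allocated by thread"):
            target = report.alloc_stack
        elif line.startswith("SUMMARY:"):
            break  # shadow-byte dump follows; nothing more to extract
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report
```

Run over the sample, `bucket_key()` yields `heap-buffer-overflow:WRITE:transpose_block_8_c:vf_transpose.c:95`, which is identical for both reports in this thread even though their addresses and frame counts differ, and `overrun_bytes()` is 1 (a one-byte write exactly at the end of the 1024-byte pool buffer), which is the detail a triager would use to distinguish an off-by-one from a wild write. `consistent()` guards against reports that were truncated or hand-edited in transit, as the first one here was.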
Dec 21 2017

Dec 22 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5883127183704064.

Dec 28 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6357794352791552.

Dec 28 2017
hubbe: Can you take a look at this? Dale is OOO until the 7th. Note that the reporter says this isn't reported to upstream FFMpeg yet.

Reporter: Yes, third-party libraries that Chrome ships are in scope for the VRP.

Dec 28 2017
It does not reproduce with Chrome; will let hubbe@ and dalecurtis@ triage.

Dec 28 2017
FWIW, the repro version in #3 crashed my Windows 10 Canary instance with an OOM error.

Dec 29 2017

Jan 4 2018
hubbe: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time!

To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Jan 8 2018

Jan 16 2018
Chrome does not use avfilter, so this does not affect us.

Jan 16 2018
(The crash IDs are just OOM crashes, which should be alleviated by http://git.videolan.org/?p=ffmpeg.git;a=commit;h=2d015d3bf9fed59c65a3819a35fedbb8b7dde623 from upstream)
Jan 21 2018
Hello. So, is it okay to report problems to the ffmpeg upstream administrator? The problem is reproduced in the latest version of ffmpeg (commit 78e884f3fb1d0471dbe2c89fec0d0f274f7c8350).

Thanks.

```
=================================================================
==8129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000014480 at pc 0x000000bfdc50 bp 0x7fffd1725a80 sp 0x7fffd1725a78
WRITE of size 1 at 0x619000014480 thread T0
    #0 0xbfdc4f in transpose_block_8_c /home/karas/ffmpeg/libavfilter/vf_transpose.c:95:20
    #1 0xbf9eb2 in filter_slice /home/karas/ffmpeg/libavfilter/vf_transpose.c:318:13
    #2 0x6d6fe4 in default_execute /home/karas/ffmpeg/libavfilter/avfilter.c:698:17
    #3 0xbf8f16 in filter_frame /home/karas/ffmpeg/libavfilter/vf_transpose.c:353:5
    #4 0x6ddd5f in ff_filter_activate /home/karas/ffmpeg/libavfilter/avfilter.c:1113:11
    #5 0x70b8a6 in push_frame /home/karas/ffmpeg/libavfilter/buffersrc.c:181:15
    #6 0x70b8a6 in av_buffersrc_add_frame_internal /home/karas/ffmpeg/libavfilter/buffersrc.c:255
    #7 0x70a387 in av_buffersrc_add_frame_flags /home/karas/ffmpeg/libavfilter/buffersrc.c:164:16
    #8 0x5e869b in ifilter_send_frame /home/karas/ffmpeg/fftools/ffmpeg.c:2189:11
    #9 0x5e869b in send_frame_to_filters /home/karas/ffmpeg/fftools/ffmpeg.c:2268
    #10 0x5bde72 in process_input_packet /home/karas/ffmpeg/fftools/ffmpeg.c:2469:11
    #11 0x5a7984 in process_input /home/karas/ffmpeg/fftools/ffmpeg.c:4460:5
    #12 0x5a7984 in transcode_step /home/karas/ffmpeg/fftools/ffmpeg.c:4580
    #13 0x5a7984 in transcode /home/karas/ffmpeg/fftools/ffmpeg.c:4634
    #14 0x592986 in main /home/karas/ffmpeg/fftools/ffmpeg.c:4840:9
    #15 0x7fd6e22cd1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #16 0x41c819 in _start (/home/karas/ffmpeg/ffmpeg+0x41c819)

0x619000014480 is located 0 bytes to the right of 1024-byte region [0x619000014080,0x619000014480)
allocated by thread T0 here:
    #0 0x4dd2f8 in __interceptor_posix_memalign (/home/karas/ffmpeg/ffmpeg+0x4dd2f8)
    #1 0x6b626e8 in av_malloc /home/karas/ffmpeg/libavutil/mem.c:87:9
    #2 0x6ac2cf8 in av_buffer_alloc /home/karas/ffmpeg/libavutil/buffer.c:72:12
    #3 0x6ac2cf8 in av_buffer_allocz /home/karas/ffmpeg/libavutil/buffer.c:85
    #4 0x6ac6db7 in pool_alloc_buffer /home/karas/ffmpeg/libavutil/buffer.c:313:26
    #5 0x6ac6db7 in av_buffer_pool_get /home/karas/ffmpeg/libavutil/buffer.c:349
    #6 0x76fed1 in ff_frame_pool_get /home/karas/ffmpeg/libavfilter/framepool.c:222:29
    #7 0xccc4cb in ff_default_get_video_buffer /home/karas/ffmpeg/libavfilter/video.c:90:13
    #8 0xbf8bbf in filter_frame /home/karas/ffmpeg/libavfilter/vf_transpose.c:338:11
    #9 0x6ddd5f in ff_filter_activate /home/karas/ffmpeg/libavfilter/avfilter.c:1113:11
    #10 0x70b8a6 in push_frame /home/karas/ffmpeg/libavfilter/buffersrc.c:181:15
    #11 0x70b8a6 in av_buffersrc_add_frame_internal /home/karas/ffmpeg/libavfilter/buffersrc.c:255
    #12 0x70a387 in av_buffersrc_add_frame_flags /home/karas/ffmpeg/libavfilter/buffersrc.c:164:16
    #13 0x5e869b in ifilter_send_frame /home/karas/ffmpeg/fftools/ffmpeg.c:2189:11
    #14 0x5e869b in send_frame_to_filters /home/karas/ffmpeg/fftools/ffmpeg.c:2268
    #15 0x5bde72 in process_input_packet /home/karas/ffmpeg/fftools/ffmpeg.c:2469:11
    #16 0x5a7984 in process_input /home/karas/ffmpeg/fftools/ffmpeg.c:4460:5
    #17 0x5a7984 in transcode_step /home/karas/ffmpeg/fftools/ffmpeg.c:4580
    #18 0x5a7984 in transcode /home/karas/ffmpeg/fftools/ffmpeg.c:4634
    #19 0x592986 in main /home/karas/ffmpeg/fftools/ffmpeg.c:4840:9
    #20 0x7fd6e22cd1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/ffmpeg/libavfilter/vf_transpose.c:95:20 in transpose_block_8_c
Shadow bytes around the buggy address:
  0x0c327fffa840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fffa890:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8129==ABORTING
```
Jan 22 2018
Yes, I recommend you contact the ffmpeg folks: https://www.ffmpeg.org/security.html

Jan 27 2018
Hello, I reported the problem, and the ffmpeg team solved the problem.

Fix: commit c6939f65a116b1ffed345d29d8621ee4ffb32235
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c6939f65a116b1ffed345d29d8621ee4ffb32235

Thanks.

Mar 1 2018

Apr 25 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Attachment (Comment 1 by gy741....@gmail.com, Dec 21 2017): 5.4 KB