#10677: Use of uninitialised variables when parsing invalid pan filters
--------------------------------------+----------------------------------
             Reporter:  alexet        |                     Type:  defect
               Status:  new           |                 Priority:  minor
            Component:  undetermined  |                  Version:  5.1.2
             Keywords:                |               Blocked By:
             Blocking:                |  Reproduced by developer:  0
Analyzed by developer:  0             |
--------------------------------------+----------------------------------
 Summary of the bug:

 In af_pan.c there are quite a few uses of sscanf where the return value is
 only checked against zero which doesn't account for the possibility of -1
 when the end of the string is reached.

 Creating truncated pan filters triggers this code and therefore the output
 arguments to sscanf are left uninitialized. In the examples I can create
 the stack happens to be zero so nothing bad can happen.

 How to reproduce:

 In this one we skip an uninitialised number of bytes into a string (it
 happens to be zero, so no actual issues)

 {{{
 valgrind ffmpeg -i video.mp4 -af "pan=mono|c0=" -c:v copy output.mp4

 ==148740== Use of uninitialised value of size 8
 ==148740==    at 0x484E399: rawmemchr (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==148740==    by 0x6FE2555: _IO_str_init_static_internal (strops.c:41)
 ==148740==    by 0x6FADC21: _IO_strfile_read (strfile.h:92)
 ==148740==    by 0x6FADC21: __isoc99_sscanf (isoc99_sscanf.c:28)
 ==148740==    by 0x498D5C3: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
 ==148740==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
 ==148740==    by 0x139875: ??? (in /usr/bin/ffmpeg)
 ==148740==
 ==148740== Conditional jump or move depends on uninitialised value(s)
 ==148740==    at 0x6FB92D8: __vfscanf_internal (vfscanf-internal.c:628)
 ==148740==    by 0x6FADC60: __isoc99_sscanf (isoc99_sscanf.c:31)
 ==148740==    by 0x498D5C3: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==148740==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
 ==148740==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
 ==148740==    by 0x139875: ??? (in /usr/bin/ffmpeg)
 ==148740==    by 0x13C563: ??? (in /usr/bin/ffmpeg)
 }}}

 In this second case we end up with strncmp on an uninitialised char array
 (again the char array is zero)

 {{{
 valgrind ffmpeg -i video.mp4 -af "pan=mono|c0=1*" -c:v copy output.mp4

 ==151668== Conditional jump or move depends on uninitialised value(s)
 ==151668==    at 0x484A40C: strncmp (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==151668==    by 0x6CA4103: av_channel_from_string (in /usr/lib/x86_64-linux-gnu/libavutil.so.57.28.100)
 ==151668==    by 0x498D5EE: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
 ==151668==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
 ==151668==    by 0x139875: ??? (in /usr/bin/ffmpeg)
 ==151668==    by 0x13C563: ??? (in /usr/bin/ffmpeg)
 ==151668==
 ==151668== Conditional jump or move depends on uninitialised value(s)
 ==151668==    at 0x484ACAC: strcmp (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==151668==    by 0x6CA413C: av_channel_from_string (in /usr/lib/x86_64-linux-gnu/libavutil.so.57.28.100)
 ==151668==    by 0x498D5EE: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
 ==151668==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
 ==151668==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
 ==151668==    by 0x139875: ??? (in /usr/bin/ffmpeg)
 ==151668==    by 0x13C563: ??? (in /usr/bin/ffmpeg)

 }}}


 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10677>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
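Added example, not code from FFmpeg's af_pan.c or from the ticket: a constructed parser for a "<gain>*<channel>" term, loosely modelled on pan's channel-gain arguments, showing the sscanf check pattern the ticket describes (return value compared with zero only) next to a corrected one. The term syntax, NAME_LEN, struct term, parse_term_buggy and parse_term_fixed are all assumptions made for the demonstration; the stale 'X' fill in the buggy variant stands in for whatever the stack happened to hold, so the effect is visible deterministically without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not FFmpeg's af_pan.c. The "<gain>*<channel>" term
 * syntax, NAME_LEN, struct term and both parse_term_* functions are
 * hypothetical names chosen for this demonstration. */

#define NAME_LEN 16

struct term {
    double gain;
    char   name[NAME_LEN];
};

/* Buggy pattern from the report: the sscanf result is compared with zero only.
 * sscanf returns -1 (EOF) when the input ends before the first conversion, and
 * a count below the number requested when it ends part-way; neither is 0, so
 * truncated input is accepted although some outputs were never written. */
int parse_term_buggy(const char *s, struct term *t)
{
    /* Stand-in for stale stack contents so the result is deterministic here;
     * in the real bug the variables simply hold whatever was there before. */
    t->gain = -99.0;
    memset(t->name, 'X', NAME_LEN - 1);
    t->name[NAME_LEN - 1] = '\0';

    if (sscanf(s, "%lf*%15[A-Za-z0-9]", &t->gain, t->name) == 0)
        return -1;
    return 0;
}

/* Corrected pattern: initialise the outputs, demand exactly the number of
 * conversions the format requests, and reject trailing input via %n. */
int parse_term_fixed(const char *s, struct term *t)
{
    int consumed = 0;
    int n;

    t->gain    = 0.0;
    t->name[0] = '\0';

    n = sscanf(s, "%lf*%15[A-Za-z0-9]%n", &t->gain, t->name, &consumed);
    if (n != 2)                /* -1 (EOF), 0 or 1: the term is incomplete */
        return -1;
    if (s[consumed] != '\0')   /* something follows the channel name */
        return -1;
    return 0;
}

/* Stand-alone demo over constructed inputs, including the truncated forms
 * "1*" and "" that correspond to the two valgrind reports above. */
int main(void)
{
    const char *inputs[] = { "0.5*FL", "1*", "", "1*FL!" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct term b, f;
        int rb = parse_term_buggy(inputs[i], &b);
        int rf = parse_term_fixed(inputs[i], &f);
        printf("%-8s buggy: rc=%2d gain=%g name=\"%s\"   fixed: rc=%2d gain=%g name=\"%s\"\n",
               inputs[i], rb, b.gain, b.name, rf, f.gain, f.name);
    }
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`; the buggy variant reports success for "1*" and "" while handing back the pre-filled name and gain, which is exactly the situation valgrind flags in af_pan.c when the later strncmp reads that buffer. Running the same binary under valgrind shows no uninitialised-value reports for the fixed variant because every output is written before sscanf is called and partial parses are rejected.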