#11652: [security] libavcodec/hevc/hevcdec.c:2147:16 SEGV in hls_prediction_unit
-------------------------------------+-------------------------------------
 Reporter: sigdevel                  | Type: defect
 Status: new                         | Priority: normal
 Component: ffmpeg                   | Version: git-master
 Keywords: libavcodec, SIGSEGV, hevc | Blocked By:
 Blocking:                           | Reproduced by developer: 0
 Analyzed by developer: 0            |
-------------------------------------+-------------------------------------
Summary of the bug:
When processing specially crafted HEVC video streams, the HEVC decoder
fails to validate the decoding context pointer (s->HEVClc) before
accessing its substructures. This leads to a NULL pointer dereference when
accessing s->HEVClc->pu.merge_flag, causing a segmentation fault and
denial of service.
How to reproduce:
{{{
./ffmpeg -i ./3_poc_libavcodec_hevc_hevcdec_c_2147 -f null
}}}
ENV:
{{{
ffmpeg debug version: N-120056-g6e8bd5dd25 (ffmpeg commit hash
6e8bd5dd2588f892cde308022a8a1e6ee82b9fa0) ;
ffmpeg latest autobuild version: ffmpeg version
N-120054-g18c62245d7-20250627 ;
built on: 6.12.25-amd64 ;
build opts debug: --disable-shared --enable-static --disable-doc --enable-gpl
--enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus
--enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree
--toolchain=clang-asan --enable-debug=3 --disable-optimizations
--disable-stripping ;
build opts default: --prefix=/ffbuild/prefix --pkg-config-flags=--static
--pkg-config=pkg-config --cross-prefix=x86_64-ffbuild-linux-gnu-
--arch=x86_64 --target-os=linux --enable-gpl --enable-version3
--disable-debug --enable-iconv --enable-zlib --enable-libfribidi --enable-gmp
--enable-libxml2 --enable-openssl --enable-lzma --enable-fontconfig
--enable-libharfbuzz --enable-libfreetype --enable-libvorbis --enable-opencl
--enable-libpulse --enable-libvmaf --enable-libxcb --enable-xlib
--enable-amf --enable-libaom --enable-libaribb24 --enable-avisynth
--enable-chromaprint --enable-libdav1d --enable-libdavs2 --enable-libdvdread
--enable-libdvdnav --disable-libfdk-aac --enable-ffnvcodec
--enable-cuda-llvm --enable-frei0r --enable-libgme --enable-libkvazaar
--enable-libaribcaption --enable-libass --enable-libbluray --enable-libjxl
--enable-libmp3lame --enable-libopus --enable-librist --enable-libssh
--enable-libtheora --enable-libvpx --enable-libwebp --enable-libzmq
--enable-lv2 --enable-libvpl --enable-openal --enable-liboapv
--enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenh264
--enable-libopenjpeg --enable-libopenmpt --enable-librav1e
--enable-librubberband --disable-schannel --enable-sdl2 --enable-libsnappy
--enable-libsoxr --enable-libsrt --enable-libsvtav1 --enable-libtwolame
--enable-libuavs3d --enable-libdrm --enable-vaapi --enable-libvidstab
--enable-vulkan --enable-libshaderc --enable-libplacebo --enable-libvvenc
--enable-libx264 --enable-libx265 --enable-libxavs2 --enable-libxvid
--enable-libzimg --enable-libzvbi --extra-cflags=-DLIBTWOLAME_STATIC
--extra-cxxflags= --extra-libs='-ldl -lgomp' --extra-ldflags=-pthread
--extra-ldexeflags=-pie --cc=x86_64-ffbuild-linux-gnu-gcc
--cxx=x86_64-ffbuild-linux-gnu-g++ --ar=x86_64-ffbuild-linux-gnu-gcc-ar
--ranlib=x86_64-ffbuild-linux-gnu-gcc-ranlib --nm=x86_64-ffbuild-linux-gnu-gcc-nm
--extra-version=20250627
}}}
Asan output:
{{{
ffmpeg version N-120001-gf789d60e11 Copyright (c) 2000-2025 the FFmpeg developers
built with Debian clang version 19.1.7 (1+b1)
configuration: --disable-shared --enable-static --disable-doc --enable-gpl
--enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus
--enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree
--toolchain=clang-asan --enable-debug=3 --disable-optimizations
--disable-stripping
libavutil 60. 3.100 / 60. 3.100
libavcodec 62. 3.101 / 62. 3.101
libavformat 62. 1.100 / 62. 1.100
libavdevice 62. 0.100 / 62. 0.100
libavfilter 11. 0.100 / 11. 0.100
libswscale 9. 0.100 / 9. 0.100
libswresample 6. 0.100 / 6. 0.100
[kux @ 0x517000000080] Read FLV header error, input file is not a standard flv format, first PreviousTagSize0 always is 0
[kux @ 0x517000000080] Negative cts, previous timestamps might be wrong. Truncating packet of size 6514015 to 571
[kux @ 0x517000000080] Packet corrupt (stream = 0, dts = 6255619).
[kux @ 0x517000000080] Track size mismatch: 6513444!
[extract_extradata @ 0x50e000000100] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[NULL @ 0x519000000f80] VPS 7 does not exist
[NULL @ 0x519000000f80] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[NULL @ 0x519000000f80] VPS 7 does not exist
[NULL @ 0x519000000f80] PPS id out of range: 2
[extract_extradata @ 0x50e000000100] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[hevc @ 0x519000000f80] VPS 7 does not exist
[hevc @ 0x519000000f80] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[hevc @ 0x519000000f80] VPS 7 does not exist
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 33
[hevc @ 0x519000000f80] Unknown profile bitstream
Last message repeated 1 times
[hevc @ 0x519000000f80] sps_max_num_reorder_pics out of range: 2
[hevc @ 0x519000000f80] Overread PPS by 8 bits
[hevc @ 0x519000000f80] Overread slice header by 8 bits
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 0
[hevc @ 0x519000000f80] Unknown profile bitstream
[hevc @ 0x519000000f80] SPS id out of range: 32
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 33
[hevc @ 0x519000000f80] VPS 0 does not exist
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 33
[hevc @ 0x519000000f80] Overread slice header by 8 bits
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 0
[hevc @ 0x519000000f80] Could not find ref with POC -30
[hevc @ 0x519000000f80] Could not find ref with POC 127
[hevc @ 0x519000000f80] Could not find ref with POC 130
[hevc @ 0x519000000f80] Could not find ref with POC 135
[hevc @ 0x519000000f80] Could not find ref with POC 146
[hevc @ 0x519000000f80] Could not find ref with POC 148
[hevc @ 0x519000000f80] Could not find ref with POC 150
[hevc @ 0x519000000f80] Could not find ref with POC 152
[hevc @ 0x519000000f80] Could not find ref with POC 174
[hevc @ 0x519000000f80] Could not find ref with POC 176
[hevc @ 0x519000000f80] Could not find ref with POC 1
[hevc @ 0x519000000f80] Could not find ref with POC 2
[hevc @ 0x519000000f80] Could not find ref with POC 13
[hevc @ 0x519000000f80] PTL information too short
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 32
[hevc @ 0x519000000f80] Two slices reporting being the first in the same frame.
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 0
[hevc @ 0x519000000f80] PTL information too short
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 32
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b9d2cdc5fc bp 0x7ffcb77398e0 sp 0x7ffcb7738f60 T0)
==10759==The signal is caused by a READ memory access.
==10759==Hint: address points to the zero page.
#0 0x55b9d2cdc5fc in hls_prediction_unit /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16
#1 0x55b9d2cd9797 in hls_coding_unit /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2469:9
#2 0x55b9d2cd8a2c in hls_coding_quadtree /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2677:15
#3 0x55b9d2cd8549 in hls_coding_quadtree /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2642:21
#4 0x55b9d2cd2691 in hls_decode_entry /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2782:21
#5 0x55b9d2cc9a33 in decode_slice_data /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3075:12
#6 0x55b9d2cbf0b4 in decode_slice /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3589:11
#7 0x55b9d2cbd916 in decode_nal_unit /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3657:15
#8 0x55b9d2cbca67 in decode_nal_units /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3770:15
#9 0x55b9d2cb69d8 in hevc_receive_frame /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3872:14
#10 0x55b9d2950998 in ff_decode_receive_frame_internal /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/decode.c:618:19
#11 0x55b9d29530b4 in decode_receive_frame_internal /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/decode.c:650:15
#12 0x55b9d2952fad in avcodec_send_packet /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/decode.c:726:15
#13 0x55b9d1ead07b in try_decode_frame /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavformat/demux.c:2146:19
#14 0x55b9d1ea75c5 in avformat_find_stream_info /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavformat/demux.c:2828:9
#15 0x55b9d100f7d0 in ifile_open /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_demux.c:1814:15
#16 0x55b9d1073ee4 in open_files /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1366:15
#17 0x55b9d1073928 in ffmpeg_parse_options /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1415:11
#18 0x55b9d10b6fd9 in main /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg.c:991:11
#19 0x7fb6b3a33ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#20 0x7fb6b3a33d64 in __libc_start_main csu/../csu/libc-start.c:360:3
#21 0x55b9d0f18710 in _start (/media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/ffmpeg+0x521710) (BuildId: 379ac85827c85a62a3da71cc682c7649d933e230)
==10759==Register values:
rax = 0x0000000000000000  rbx = 0x00007ffcb7738f60  rcx = 0x0000000000000000  rdx = 0x0000000000000002
rdi = 0x00007fb6b27c8dec  rsi = 0x0000000000000000  rbp = 0x00007ffcb77398e0  rsp = 0x00007ffcb7738f60
r8  = 0x00000ff6d64f91bd  r9  = 0x00007fb6b27c8df7  r10 = 0x00000ff6d64f91be  r11 = 0x00000ff7564f11b8
r12 = 0x0000000000000000  r13 = 0x00007ffcb773e318  r14 = 0x0000000000000003  r15 = 0x000055b9d5b831b0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16 in hls_prediction_unit
==10759==ABORTING
}}}
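A first-pass triage helper for reports like the one above, added here as an example and not part of the ticket or of FFmpeg: it parses the ASan error line, access type and symbolised frames, and classifies a SEGV whose faulting address falls in the zero page as a NULL dereference (read-only, so a crash/DoS rather than a memory-write primitive). The embedded sample is constructed from this ticket's report with the build paths shortened; the page-size threshold and the severity labels are assumptions of this helper.

```python
import re

# Constructed sample: the key lines of this ticket's AddressSanitizer report,
# with the long build-directory paths shortened for readability.
ASAN_REPORT = """\
==10759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b9d2cdc5fc bp 0x7ffcb77398e0 sp 0x7ffcb7738f60 T0)
==10759==The signal is caused by a READ memory access.
==10759==Hint: address points to the zero page.
    #0 0x55b9d2cdc5fc in hls_prediction_unit /src/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16
    #1 0x55b9d2cd9797 in hls_coding_unit /src/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2469:9
    #2 0x55b9d2cd8a2c in hls_coding_quadtree /src/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2677:15
SUMMARY: AddressSanitizer: SEGV /src/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16 in hls_prediction_unit
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?\s*$", re.M)

def parse_asan(report):
    """Pull the error kind, faulting address, access type and symbolised frames out of an ASan report."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    frames = [{"idx": int(i), "func": f, "file": p, "line": int(n)}
              for i, f, p, n in FRAME_RE.findall(report)]
    return {"kind": err.group(1) if err else None,
            "address": int(err.group(2), 16) if err else None,
            "access": acc.group(1) if acc else None,
            "frames": frames}

def triage(report, page_size=0x1000):
    """Classify a crash the way a first-pass triager would (thresholds are this
    helper's assumptions): a SEGV whose faulting address lies in the zero page is a
    NULL (or NULL-plus-small-offset) dereference; a READ of it is a plain
    crash/denial of service, and anything else is flagged for a human look."""
    r = parse_asan(report)
    top = r["frames"][0] if r["frames"] else None
    if r["kind"] == "SEGV" and r["address"] is not None and r["address"] < page_size:
        bug = "null-deref"
        severity = "dos" if r["access"] == "READ" else "needs-review"
    else:
        bug = (r["kind"] or "unknown").lower()
        severity = "needs-review"
    site = f"{top['func']}@{top['file'].rsplit('/', 1)[-1]}:{top['line']}" if top else None
    # The first three frames make a stable key for deduplicating fuzzer findings.
    return {"bug": bug, "severity": severity, "crash_site": site,
            "dedup_key": tuple(f["func"] for f in r["frames"][:3])}

if __name__ == "__main__":
    print(triage(ASAN_REPORT))
```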
[[Image(https://github.com/sigdevel/pocs/blob/main/res/FFmpeg/ffmpeg/3/3_ffmpeg_clean_2025-06-28_11-13.png)]]
PoC sample was uploaded to https://streams.videolan.org/upload/
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11652>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker