#11680: Double-free memory corruption in DSS (Digital Speech Standard) format demuxer during cleanup phase, leading to program abort.
-------------------------------+---------------------------------------
             Reporter:  xdc    |                     Type:  defect
               Status:  new    |                 Priority:  normal
            Component:  tools  |                  Version:  unspecified
             Keywords:  libav  |               Blocked By:
             Blocking:         |  Reproduced by developer:  0
Analyzed by developer:  0      |
-------------------------------+---------------------------------------
 ## How to reproduce:
 ```
 % avconv -ss 0.1 -i /workspace/POC/POC_libav_avconv_abort_dss_doublefree -f null -
 avconv version 13_dev0, Copyright (c) 2000-2018 the Libav developers
   built on Jul 19 2025 14:57:50 with Ubuntu clang version 16.0.6
 (++20231112100510+7cbf1a259152-1~exp1~20231112100554.106)
   configuration: --cc=/Fuzzer/OPA++/afl-clang-lto --extra-cflags=
 --prefix=/workspace/benchmark/program/libav-c464278-Apr16-2019/install
 --disable-shared --enable-static --disable-x86asm --disable-inline-asm
   libavutil     56.  8. 0 / 56.  8. 0
   libavcodec    58. 12. 1 / 58. 12. 1
   libavformat   58.  2. 0 / 58.  2. 0
   libavdevice   57.  0. 2 / 57.  0. 2
   libavfilter    7.  1. 0 /  7.  1. 0
   libavresample  4.  0. 0 /  4.  0. 0
   libswscale     5.  0. 1 /  5.  0. 1
 [dss @ 0x555557165800] Estimating duration from bitrate, this may be
 inaccurate
 /workspace/POC/POC_libav_avconv_abort_dss_doublefree: could not seek to
 position 0.100
 Input #0, dss, from
 '/workspace/POC/POC_libav_avconv_abort_dss_doublefree':
   Metadata:
     author          : �0
     date            : 2000-32-00T32768:-341855643:-352951808
     comment         :
   Duration: N/A, start: 0.000000, bitrate: N/A
     Stream #0:0: Audio: dss_sp
       11025 Hz, mono, s16
 Stream mapping:
   Stream #0:0 -> #0:0 (dss_sp (native) -> pcm_s16le (native))
 Press ctrl-c to stop encoding
 Nothing was written into output file 0 (pipe:), because at least one of
 its streams received no packets.
 size=       0kB time=10000000000.00 bitrate=   0.0kbits/s
 video:0kB audio:0kB other streams:0kB global headers:0kB muxing overhead:
 unknown
 free(): invalid pointer
 Aborted (core dumped)
 ```

 ## GDB Analysis:
 ```
 Program received signal SIGABRT, Aborted.
 __pthread_kill_implementation (no_tid=0, signo=6,
 threadid=140737349322624) at ./nptl/pthread_kill.c:44
 #0  __pthread_kill_implementation (no_tid=0, signo=6,
 threadid=140737349322624) at ./nptl/pthread_kill.c:44
 #1  __pthread_kill_internal (signo=6, threadid=140737349322624) at
 ./nptl/pthread_kill.c:78
 #2  __GI___pthread_kill (threadid=140737349322624, signo=signo@entry=6) at
 ./nptl/pthread_kill.c:89
 #3  0x00007ffff7baf476 in __GI_raise (sig=sig@entry=6) at
 ../sysdeps/posix/raise.c:26
 #4  0x00007ffff7b957f3 in __GI_abort () at ./stdlib/abort.c:79
 #5  0x00007ffff7bf6677 in __libc_message (action=action@entry=do_abort,
 fmt=fmt@entry=0x7ffff7d48b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
 #6  0x00007ffff7c0dcfc in malloc_printerr (str=str@entry=0x7ffff7d46744
 "free(): invalid pointer") at ./malloc/malloc.c:5664
 #7  0x00007ffff7c0fa44 in _int_free (av=<optimized out>, p=<optimized
 out>, have_lock=0) at ./malloc/malloc.c:4439
 #8  0x00007ffff7c12453 in __GI___libc_free (mem=<optimized out>) at
 ./malloc/malloc.c:3391
 #9  0x000055555596822b in av_free (ptr=0x3dc3de) at libavutil/mem.c:189
 #10 dss_read_close (s=<optimized out>) at libavformat/dss.c:328
 #11 0x000055555589cb30 in avformat_close_input (ps=<optimized out>) at
 libavformat/utils.c:2751
 #12 avconv_cleanup (ret=<optimized out>) at avtools/avconv.c:217
 #13 0x0000555555887543 in exit_program (ret=0) at avtools/cmdutils.c:98
 #14 0x0000555555896962 in main (argc=<optimized out>, argv=<optimized
 out>) at avtools/avconv.c:2983
 ```

 ## Root Cause:
 The crash occurs in the DSS demuxer's cleanup function `dss_read_close()`
 at line 328 in `libavformat/dss.c`. The function attempts to free a
 pointer (0x3dc3de) that has either:
 1. already been freed (double-free),
 2. never been properly allocated, or
 3. been corrupted.

 The malformed DSS file triggers incorrect memory management in the DSS
 format handler, leading to heap corruption.
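 The pattern behind a cleanup-time double free, as an added illustration that is not libav's code (the real `dss.c` source is not part of this report): a hypothetical demuxer context `DemuxCtx` whose error path releases a buffer without clearing the pointer, so the close callback frees it a second time. `counted_free`/`counted_freep` are instrumented stand-ins for `av_free`/`av_freep` that record the second free instead of aborting, and `simulate()` returns how many double frees a malformed-input run produced with and without the `av_freep`-style fix.

```c
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical demuxer private context (not libav's DSS context): the close
 * callback is the owner responsible for releasing buf. */
typedef struct DemuxCtx {
    uint8_t *buf;
} DemuxCtx;

/* Instrumented allocator front-end: a second free of the same pointer is
 * counted rather than passed to free(), so the hazard is observable. */
static void *g_last_freed;
static int   g_double_frees;

static void counted_free(void *p) {
    if (!p) return;                        /* free(NULL) is a no-op, like av_free */
    if (p == g_last_freed) { g_double_frees++; return; }
    free(p);
    g_last_freed = p;
}

/* av_freep()-style helper: free *ptr and clear it, making later frees no-ops. */
static void counted_freep(void *arg) {
    void **ptr = (void **)arg;
    counted_free(*ptr);
    *ptr = NULL;
}

/* Error path of a read_packet() that rejects a malformed frame. The buggy
 * variant releases the buffer but leaves the dangling pointer in the context. */
static int read_packet_error(DemuxCtx *c, int fixed) {
    if (fixed) counted_freep(&c->buf);
    else       counted_free(c->buf);       /* c->buf still points at freed memory */
    return -1;
}

/* Close callback: frees whatever the context still claims to own. */
static void read_close(DemuxCtx *c) {
    counted_freep(&c->buf);                /* second free if c->buf was left dangling */
}

/* Run one malformed-input scenario; returns the number of double frees seen. */
int simulate(int fixed) {
    DemuxCtx c = { .buf = malloc(64) };    /* constructed sample allocation */
    g_last_freed = NULL;
    g_double_frees = 0;
    read_packet_error(&c, fixed);
    read_close(&c);
    return g_double_frees;                 /* 1 when buggy, 0 when fixed */
}
```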


 ## POC File:
 The malformed DSS file is available at:
 `/workspace/POC/POC_libav_avconv_abort_dss_doublefree` <https://drive.google.com/file/d/1I4VVXGys156UdeSTgya_GGxLZxwuxUPw/view?usp=sharing>
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11680>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac
