#11691: [Security] heap-buffer-overflow on yuv2rgb.c:558
------------------------------------+--------------------------------------
Reporter: flyfish101 | Type: defect
Status: new | Priority: important
Component: swscale | Version: git-master
Keywords: fuzz | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+--------------------------------------
Summary of the bug:
{{{
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1143 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000495,sig:06,src:015818_time:53332181_execs:35594827_op:havoc_rep:2
Reading 132 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000495,sig:06,src:015818_time:53332181_execs:35594827_op:havoc_rep:2
2 x 2 yuv422p -> 2 x 2 rgb4
[swscaler @ 0x62f000000400] No accelerated colorspace conversion found from yuv422p to rgb4.
libswscale/swscale.c:1127:17: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1127:17 in
libswscale/swscale.c:1129:17: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1129:17 in
libswscale/swscale.c:1130:17: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1130:17 in
libswscale/swscale.c:1131:17: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/swscale.c:1131:17 in
=================================================================
==2095131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000e0 at pc 0x555555b15e9a bp 0x7fffffffc790 sp 0x7fffffffc788
READ of size 1 at 0x60e0000000e0 thread T0
    #0 0x555555b15e99 in yuv422p_bgr4 /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/yuv2rgb.c:558:1
    #1 0x55555599ce4c in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1160:15
    #2 0x5555559a94ca in sws_scale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
    #3 0x555555968c32 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
    #4 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #5 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #6 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #7 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)

0x60e0000000e0 is located 32 bytes to the left of 96-byte region [0x60e000000100,0x60e000000160)
allocated by thread T0 here:
    #0 0x55555591951c in posix_memalign /home/fuzz/Desktop/fuzz-introspector/build/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x555556375474 in av_malloc /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/mem.c:107:9
    #2 0x55555637691b in av_mallocz /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/mem.c:258:17
    #3 0x55555596a96e in alloc_plane /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:65:23
    #4 0x5555559672e6 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:156:11
    #5 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/yuv2rgb.c:558:1 in yuv422p_bgr4
Shadow bytes around the buggy address:
0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c1c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c1c7fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8060: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2095131==ABORTING
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11691>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
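Added worked example (not part of the ticket, the reporter's fuzzing harness, or FFmpeg): a small Python triage script that parses the decisive lines of the AddressSanitizer report above and cross-checks them, the way a triager does before trusting the one-line summary. The SAMPLE_REPORT string is constructed from the report's own lines with the mail-client wrapping undone and uninteresting frames dropped; the shadow-mapping constants are ASan's documented default for x86_64 Linux (shadow = (addr >> 3) + 0x7fff8000). Nothing about the root cause inside yuv2rgb.c is inferred; the script only checks that the numbers in the report agree with each other.

```python
import re

# ASan's default shadow mapping on x86_64 Linux: shadow = (addr >> 3) + 0x7fff8000.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

# Subset of the shadow-byte legend ASan prints at the end of every report.
SHADOW_LEGEND = {
    "00": "Addressable",
    "fa": "Heap left redzone",
    "fd": "Freed heap region",
    "f1": "Stack left redzone",
    "f2": "Stack mid redzone",
    "f3": "Stack right redzone",
    "f5": "Stack after return",
    "f8": "Stack use after scope",
    "f9": "Global redzone",
}

HEX = r"0x[0-9a-fA-F]+"

# Constructed sample input: the decisive lines of the ticket's report, with the
# mail-client line wrapping undone and frames that add nothing dropped.
SAMPLE_REPORT = """\
==2095131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000e0 at pc 0x555555b15e9a bp 0x7fffffffc790 sp 0x7fffffffc788
READ of size 1 at 0x60e0000000e0 thread T0
    #0 0x555555b15e99 in yuv422p_bgr4 /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/yuv2rgb.c:558:1
    #1 0x55555599ce4c in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1160:15
    #2 0x5555559a94ca in sws_scale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
0x60e0000000e0 is located 32 bytes to the left of 96-byte region [0x60e000000100,0x60e000000160)
allocated by thread T0 here:
    #0 0x55555591951c in posix_memalign /home/fuzz/Desktop/fuzz-introspector/build/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x555556375474 in av_malloc /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/mem.c:107:9
    #3 0x55555596a96e in alloc_plane /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:65:23
Shadow bytes around the buggy address:
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c1c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
"""


def shadow_address(addr):
    """Shadow byte covering application address `addr` under the default mapping."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def _frames(stack_text):
    """(function, file:line:col) pairs from a block of '#N 0x... in func path' lines."""
    return re.findall(r"#\d+ " + HEX + r" in (\S+) (\S+)", stack_text)


def triage(report):
    """Pull the facts a triager needs out of one ASan heap report and cross-check them."""
    err = re.search(r"ERROR: AddressSanitizer: (\S+) on address (" + HEX + ")", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at (" + HEX + ")", report, re.M)
    reg = re.search(r"(" + HEX + r") is located (\d+) bytes to the (left|right) of "
                    r"(\d+)-byte region \[(" + HEX + r"),(" + HEX + r")\)", report)
    if not (err and acc and reg):
        raise ValueError("not a heap-buffer-overflow style report")

    bad = int(err.group(2), 16)
    distance, side, size = int(reg.group(2)), reg.group(3), int(reg.group(4))
    lo, hi = int(reg.group(5), 16), int(reg.group(6), 16)

    # Access stack precedes the 'is located' line; allocation stack follows 'allocated by'.
    access_frames = _frames(report[:reg.start()])
    _, _, alloc_text = report.partition("allocated by")
    alloc_frames = _frames(alloc_text.split("Shadow bytes", 1)[0])

    # Signed offset of the faulting byte from the region start: negative means the
    # access ran off the front of the buffer (an underread), not past its end.
    offset = bad - lo
    distance_ok = (hi - lo == size) and \
        (distance == (lo - bad if side == "left" else bad - hi))

    # Cross-check the bracketed shadow byte against the computed shadow address.
    shadow_ok = shadow_byte = None
    row = re.search(r"^=>(" + HEX + r"):(.*)$", report, re.M)
    if row:
        cells = re.findall(r"\[?[0-9a-f]{2}\]?", row.group(2))
        marked = next(i for i, c in enumerate(cells) if c.startswith("["))
        shadow_byte = cells[marked].strip("[]")
        shadow_ok = int(row.group(1), 16) + marked == shadow_address(bad)

    return {
        "kind": err.group(1),
        "access": (acc.group(1), int(acc.group(2))),
        "bad_addr": bad,
        "crash_frame": access_frames[0] if access_frames else None,
        "region": (lo, hi, size),
        "offset_from_region_start": offset,
        "distance_consistent": distance_ok,
        "alloc_frames": alloc_frames,
        "shadow_byte": shadow_byte,
        "shadow_meaning": SHADOW_LEGEND.get(shadow_byte, "unknown"),
        "shadow_consistent": shadow_ok,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:26} {value}")
```

Run stand-alone, the script confirms what the report says: the 1-byte read lands 32 bytes before the start of the 96-byte plane allocated through the harness's alloc_plane, so the conversion reads off the front of a buffer rather than past its end, and the bracketed shadow byte is fa (heap left redzone) at exactly the shadow address the default mapping predicts for 0x60e0000000e0. The cross-check matters because ASan describes the nearest heap chunk, which need not be the buffer the code intended to index; when the arithmetic does not line up, the "to the left of" line is the wrong place to start reading the source.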