#11693: [Security] heap-buffer-overflow on output.c:1740
-------------------------------------+-------------------------------------
             Reporter:  flyfish101  |                     Type:  defect
               Status:  new         |                 Priority:  important
            Component:  swscale     |                  Version:  git-master
             Keywords:  fuzz        |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
-------------------------------------+-------------------------------------
Summary of the bug:

{{{
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1072 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1072/default/crashes/id:000005,sig:06,src:000722_time:492556_execs:367251_op:havoc_rep:4
Reading 145 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1072/default/crashes/id:000005,sig:06,src:000722_time:492556_execs:367251_op:havoc_rep:4
[swscaler @ 0x62f000000400] full chroma interpolation for destination format 'rgb555le' not yet implemented
[swscaler @ 0x62f000000400] full chroma interpolation for destination format 'rgb555le' not yet implemented
=================================================================
==3988335==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6090000016e6 at pc 0x555555fa84d6 bp 0x7fffffffc220 sp 0x7fffffffc218
WRITE of size 2 at 0x6090000016e6 thread T0
    #0 0x555555fa84d5 in yuv2rgb_write /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/output.c:1740:25
    #1 0x555555fa84d5 in yuv2rgb_X_c_template /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/output.c:1830:9
    #2 0x555555fa84d5 in yuv2rgb15_X_c /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/output.c:1983:1
    #3 0x5555559e892d in packed_vscale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:166:9
    #4 0x555555970cf7 in ff_swscale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:531:13
    #5 0x555555997df4 in scale_internal /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
    #6 0x5555559a536a in sws_scale /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
    #7 0x55555596705d in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1072.c:76:5
    #8 0x55555595e37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #9 0x55555595e188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #10 0x55555595dd48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #11 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x555555868fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1072+0x314fdd)

0x6090000016e7 is located 0 bytes to the right of 39-byte region [0x6090000016c0,0x6090000016e7)
allocated by thread T0 here:
    #0 0x55555591851c in posix_memalign /home/fuzz/Desktop/fuzz-introspector/build/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x555556371314 in av_malloc /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/mem.c:107:9
    #2 0x555556358a16 in av_image_alloc /home/fuzz/Desktop/projects_oss/FFmpeg/libavutil/imgutils.c:248:11
    #3 0x55555596633c in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1072.c:65:9
    #4 0x55555595e37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/output.c:1740:25 in yuv2rgb_write
Shadow bytes around the buggy address:
  0x0c127fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8290: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff82a0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff82b0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff82c0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c127fff82d0: fa fa fa fa fa fa fa fa 00 00 00 00[07]fa fa fa
  0x0c127fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3988335==ABORTING
}}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11693>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac