#11690: [Security] Null pointer dereference on libswscale/swscale.c:1125
------------------------------------+-----------------------------------
             Reporter:  flyfish101  |                    Owner:  (none)
                 Type:  defect      |                   Status:  new
             Priority:  important   |                Component:  swscale
              Version:  git-master  |               Resolution:
             Keywords:  fuzz        |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+-----------------------------------
Changes (by flyfish101):
* summary: [Security] Null pointer deference on libswscale/swscale.c:1125
=> [Security] Null pointer dereference on libswscale/swscale.c:1125
Old description:
> Summary of the bug:
>
> {{{
> fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$
> ./target_sws_fuzzer1143
> /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000444,sig:11,src:014509+008528_time:21110904_execs:14763970_op:splice_rep:16
> Reading 134 bytes from
> /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000444,sig:11,src:014509+008528_time:21110904_execs:14763970_op:splice_rep:16
> 6171 x 2 bgr444be -> 142 x 2 yuv420p
> libswscale/swscale.c:1125:21: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1125:21 in
> libswscale/swscale.c:1126:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1126:17 in
> libswscale/swscale.c:1127:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1127:17 in
> libswscale/swscale.c:1131:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1131:17 in
> libswscale/swscale.c:302:28: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:302:28 in
> libswscale/swscale.c:303:29: runtime error: applying non-zero offset
> 18446744073709551312 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:303:29 in
> libswscale/swscale.c:304:29: runtime error: applying non-zero offset
> 18446744073709551464 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:304:29 in
> libswscale/vscale.c:273:22: runtime error: applying non-zero offset
> 18446744073709551576 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/vscale.c:273:22 in
> libswscale/vscale.c:273:22: runtime error: member access within address
> 0xffffffffffffffd8 with insufficient space for an object of type 'struct
> SwsFilterDescriptor'
> 0xffffffffffffffd8: note: pointer points here
> <memory cannot be printed>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/vscale.c:273:22 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==115787==ERROR: AddressSanitizer: SEGV on unknown address (pc
> 0x5555559f7a9f bp 0x7fffffffc410 sp 0x7fffffffc380 T0)
> ==115787==The signal is caused by a READ memory access.
> ==115787==Hint: this fault was caused by a dereference of a high value
> address (see register values below). Disassemble the provided pc to
> learn which register was used.
> #0 0x5555559f7a9f in ff_init_vscale_pfn
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:273:35
> #1 0x55555596ec87 in ff_swscale
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:387:5
> #2 0x55555599bf54 in scale_internal
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
> #3 0x5555559a94ca in sws_scale
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
> #4 0x555555968c32 in LLVMFuzzerTestOneInput
> /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
> #5 0x55555595f37d in ExecuteFilesOnyByOne
> /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
> #6 0x55555595f188 in LLVMFuzzerRunDriver
> /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
> #7 0x55555595ed48 in main
> /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
> #8 0x7ffff7c3b082 in __libc_start_main /build/glibc-
> B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
> #9 0x555555869fdd in _start
> (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:273:35 in
> ff_init_vscale_pfn
> ==115787==ABORTING
>
>
> -------------------------------------------------------------------
> fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$
> ./target_sws_fuzzer1143
> /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000454,sig:11,src:010843_time:25643361_execs:18002259_op:havoc_rep:4
> Reading 151 bytes from
> /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000454,sig:11,src:010843_time:25643361_execs:18002259_op:havoc_rep:4
> 5011 x 2 rgb444be -> 1 x 3 xv36le
> libswscale/swscale.c:1125:21: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1125:21 in
> libswscale/swscale.c:1126:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1126:17 in
> libswscale/swscale.c:1127:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1127:17 in
> libswscale/swscale.c:1129:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1129:17 in
> libswscale/swscale.c:1130:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1130:17 in
> libswscale/swscale.c:1131:17: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:1131:17 in
> libswscale/swscale.c:302:28: runtime error: applying zero offset to null
> pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:302:28 in
> libswscale/swscale.c:303:29: runtime error: applying non-zero offset
> 18446744073709551312 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:303:29 in
> libswscale/swscale.c:304:29: runtime error: applying non-zero offset
> 18446744073709551464 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/swscale.c:304:29 in
> libswscale/vscale.c:298:18: runtime error: applying non-zero offset
> 18446744073709551576 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/vscale.c:298:18 in
> libswscale/vscale.c:298:18: runtime error: member access within address
> 0xffffffffffffffd8 with insufficient space for an object of type 'struct
> SwsFilterDescriptor'
> 0xffffffffffffffd8: note: pointer points here
> <memory cannot be printed>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libswscale/vscale.c:298:18 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==199274==ERROR: AddressSanitizer: SEGV on unknown address (pc
> 0x5555559f6b92 bp 0x7fffffffc410 sp 0x7fffffffc380 T0)
> ==199274==The signal is caused by a READ memory access.
> ==199274==Hint: this fault was caused by a dereference of a high value
> address (see register values below). Disassemble the provided pc to
> learn which register was used.
> #0 0x5555559f6b92 in ff_init_vscale_pfn
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:298:31
> #1 0x55555596ec87 in ff_swscale
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:387:5
> #2 0x55555599bf54 in scale_internal
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
> #3 0x5555559a94ca in sws_scale
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
> #4 0x555555968c32 in LLVMFuzzerTestOneInput
> /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
> #5 0x55555595f37d in ExecuteFilesOnyByOne
> /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
> #6 0x55555595f188 in LLVMFuzzerRunDriver
> /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
> #7 0x55555595ed48 in main
> /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
> #8 0x7ffff7c3b082 in __libc_start_main /build/glibc-
> B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
> #9 0x555555869fdd in _start
> (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV
> /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:298:31 in
> ff_init_vscale_pfn
> ==199274==ABORTING
> }}}
>
> How to reproduce:
> {{{
> % ffmpeg -i input ... output
> ffmpeg version
> built on ...
> }}}
> Patches should be submitted to the ffmpeg-devel mailing list and not this
> bug tracker.
New description:
Summary of the bug:
{{{
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$
./target_sws_fuzzer1143
/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000444,sig:11,src:014509+008528_time:21110904_execs:14763970_op:splice_rep:16
Reading 134 bytes from
/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000444,sig:11,src:014509+008528_time:21110904_execs:14763970_op:splice_rep:16
6171 x 2 bgr444be -> 142 x 2 yuv420p
libswscale/swscale.c:1125:21: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1125:21 in
libswscale/swscale.c:1126:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1126:17 in
libswscale/swscale.c:1127:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1127:17 in
libswscale/swscale.c:1131:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1131:17 in
libswscale/swscale.c:302:28: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:302:28 in
libswscale/swscale.c:303:29: runtime error: applying non-zero offset
18446744073709551312 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:303:29 in
libswscale/swscale.c:304:29: runtime error: applying non-zero offset
18446744073709551464 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:304:29 in
libswscale/vscale.c:273:22: runtime error: applying non-zero offset
18446744073709551576 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/vscale.c:273:22 in
libswscale/vscale.c:273:22: runtime error: member access within address
0xffffffffffffffd8 with insufficient space for an object of type 'struct
SwsFilterDescriptor'
0xffffffffffffffd8: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/vscale.c:273:22 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115787==ERROR: AddressSanitizer: SEGV on unknown address (pc
0x5555559f7a9f bp 0x7fffffffc410 sp 0x7fffffffc380 T0)
==115787==The signal is caused by a READ memory access.
==115787==Hint: this fault was caused by a dereference of a high value
address (see register values below). Disassemble the provided pc to learn
which register was used.
#0 0x5555559f7a9f in ff_init_vscale_pfn
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:273:35
#1 0x55555596ec87 in ff_swscale
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:387:5
#2 0x55555599bf54 in scale_internal
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
#3 0x5555559a94ca in sws_scale
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
#4 0x555555968c32 in LLVMFuzzerTestOneInput
/home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
#5 0x55555595f37d in ExecuteFilesOnyByOne
/home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#6 0x55555595f188 in LLVMFuzzerRunDriver
/home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#7 0x55555595ed48 in main
/home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
#8 0x7ffff7c3b082 in __libc_start_main /build/glibc-
B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x555555869fdd in _start
(/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:273:35 in
ff_init_vscale_pfn
==115787==ABORTING
-------------------------------------------------------------------
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$
./target_sws_fuzzer1143
/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000454,sig:11,src:010843_time:25643361_execs:18002259_op:havoc_rep:4
Reading 151 bytes from
/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1143/default/crashes/id:000454,sig:11,src:010843_time:25643361_execs:18002259_op:havoc_rep:4
5011 x 2 rgb444be -> 1 x 3 xv36le
libswscale/swscale.c:1125:21: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1125:21 in
libswscale/swscale.c:1126:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1126:17 in
libswscale/swscale.c:1127:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1127:17 in
libswscale/swscale.c:1129:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1129:17 in
libswscale/swscale.c:1130:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1130:17 in
libswscale/swscale.c:1131:17: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:1131:17 in
libswscale/swscale.c:302:28: runtime error: applying zero offset to null
pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:302:28 in
libswscale/swscale.c:303:29: runtime error: applying non-zero offset
18446744073709551312 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:303:29 in
libswscale/swscale.c:304:29: runtime error: applying non-zero offset
18446744073709551464 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/swscale.c:304:29 in
libswscale/vscale.c:298:18: runtime error: applying non-zero offset
18446744073709551576 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/vscale.c:298:18 in
libswscale/vscale.c:298:18: runtime error: member access within address
0xffffffffffffffd8 with insufficient space for an object of type 'struct
SwsFilterDescriptor'
0xffffffffffffffd8: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
libswscale/vscale.c:298:18 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==199274==ERROR: AddressSanitizer: SEGV on unknown address (pc
0x5555559f6b92 bp 0x7fffffffc410 sp 0x7fffffffc380 T0)
==199274==The signal is caused by a READ memory access.
==199274==Hint: this fault was caused by a dereference of a high value
address (see register values below). Disassemble the provided pc to learn
which register was used.
#0 0x5555559f6b92 in ff_init_vscale_pfn
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:298:31
#1 0x55555596ec87 in ff_swscale
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:387:5
#2 0x55555599bf54 in scale_internal
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1165:15
#3 0x5555559a94ca in sws_scale
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/swscale.c:1514:12
#4 0x555555968c32 in LLVMFuzzerTestOneInput
/home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1143.c:197:9
#5 0x55555595f37d in ExecuteFilesOnyByOne
/home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#6 0x55555595f188 in LLVMFuzzerRunDriver
/home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#7 0x55555595ed48 in main
/home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
#8 0x7ffff7c3b082 in __libc_start_main /build/glibc-
B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x555555869fdd in _start
(/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1143+0x315fdd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/vscale.c:298:31 in
ff_init_vscale_pfn
==199274==ABORTING
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11690#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker