subject:"\[FFmpeg\-trac\] #10686\(avfilter\:new\)\: heap\-buffer\-overflow at libavfilter\/asrc_afirsrc.c\:495\:30 in config_eq

Re: [FFmpeg-trac] #10686(avfilter:new): heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in config_eq_output in FFmpeg

2023-11-23 Thread FFmpeg

#10686: heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in
config_eq_output in FFmpeg
--+
 Reporter:  ZengYunxiang  |Owner:  (none)
 Type:  defect|   Status:  new
 Priority:  critical  |Component:  avfilter
  Version:  git-master|   Resolution:
 Keywords:  bugs  |   Blocked By:
 Blocking:|  Reproduced by developer:  0
Analyzed by developer:  0 |
--+
Changes (by ZengYunxiang):

 * Attachment "poc1ffmpeg" added.

 POC file
-- 
Ticket URL: 
FFmpeg 
FFmpeg issue tracker___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac

To unsubscribe, visit link above, or email
ffmpeg-trac-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-trac] #10686(avfilter:new): heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in config_eq_output in FFmpeg

2023-11-23 Thread FFmpeg

#10686: heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in
config_eq_output in FFmpeg
-+-
 Reporter:   | Type:  defect
  ZengYunxiang   |
   Status:  new  | Priority:  critical
Component:  avfilter |  Version:  git-
 |  master
 Keywords:  bugs |   Blocked By:
 Blocking:   |  Reproduced by developer:  0
Analyzed by developer:  0|
-+-
 Summary of the bug:

 Dear developers, hello!
 I recently proposed a new fuzzing method named fuzzyx, and found the
 following heap-buffer-overflow bug on FFmpeg6.1, please confirm.

 POC file link:

 poc1ffmpeg:
 [https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1ffmpeg]

 How to reproduce:
 {{{
 Reproduction：
 git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1
 cd ffmpeg6-1
 git checkout 466799d
 ./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain
 =clang-asan
 make -j30

 ./ffmpeg_g -y -i poc1ffmpeg -filter_complex afireqsrc tmp.mp4
 }}}

 ASAN Log:
 {{{
 =
 ==444674==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x60a00580 at pc 0x0054dfe7 bp 0x7fff6ad0 sp 0x7fff6ac8
 WRITE of size 4 at 0x60a00580 thread T0
 #0 0x54dfe6 in config_eq_output
 /ffmpeg6-1/libavfilter/asrc_afirsrc.c:495:30
 #1 0x5d5cd9 in avfilter_config_links
 /ffmpeg6-1/libavfilter/avfilter.c:340:31
 #2 0x5d5c91 in avfilter_config_links
 /ffmpeg6-1/libavfilter/avfilter.c:329:24
 #3 0x5d5c91 in avfilter_config_links
 /ffmpeg6-1/libavfilter/avfilter.c:329:24
 #4 0x5e44d6 in graph_config_links
 /ffmpeg6-1/libavfilter/avfiltergraph.c:254:24
 #5 0x5e44d6 in avfilter_graph_config
 /ffmpeg6-1/libavfilter/avfiltergraph.c:1177:16
 #6 0x4ea9bd in configure_filtergraph
 /ffmpeg6-1/fftools/ffmpeg_filter.c:1681:16
 #7 0x4e5e0b in ofilter_bind_ost
 /ffmpeg6-1/fftools/ffmpeg_filter.c:763:15
 #8 0x512b21 in ost_add /ffmpeg6-1/fftools/ffmpeg_mux_init.c:1428:19
 #9 0x4fd744 in create_streams
 /ffmpeg6-1/fftools/ffmpeg_mux_init.c:1809:19
 #10 0x4fd744 in of_open /ffmpeg6-1/fftools/ffmpeg_mux_init.c:2695:11
 #11 0x51828d in open_files /ffmpeg6-1/fftools/ffmpeg_opt.c:1286:15
 #12 0x51828d in ffmpeg_parse_options
 /ffmpeg6-1/fftools/ffmpeg_opt.c:1340:11
 #13 0x533747 in main /ffmpeg6-1/fftools/ffmpeg.c:1312:11
 #14 0x77c0d082 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x24082)
 #15 0x420b4d in _start (/ffmpeg6-1/ffmpeg_g+0x420b4d)

 0x60a00580 is located 0 bytes to the right of 64-byte region
 [0x60a00540,0x60a00580)
 allocated by thread T0 here:
 #0 0x4994e7 in posix_memalign /local/mnt/workspace/bcain_clang_bcain-
 ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-
 rt/lib/asan/asan_malloc_linux.cc:226:3
 #1 0x3c7bdf6 in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9
 #2 0x3c7bdf6 in av_mallocz /ffmpeg6-1/libavutil/mem.c:256:17
 #3 0x3c7bdf6 in av_calloc /ffmpeg6-1/libavutil/mem.c:267:12
 #4 0x54cb75 in config_eq_output
 /ffmpeg6-1/libavfilter/asrc_afirsrc.c:483:24
 #5 0x5d5cd9 in avfilter_config_links
 /ffmpeg6-1/libavfilter/avfilter.c:340:31

 SUMMARY: AddressSanitizer: heap-buffer-overflow
 /ffmpeg6-1/libavfilter/asrc_afirsrc.c:495:30 in config_eq_output
 Shadow bytes around the buggy address:
   0x0c147fff8060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
   0x0c147fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c147fff8080: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
   0x0c147fff8090: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
   0x0c147fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
 =>0x0c147fff80b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c147fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c147fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c147fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c147fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c147fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:   00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:   fa
   Freed heap region:   fd
   Stack left redzone:  f1
   Stack mid redzone:   f2
   Stack right redzone: f3
   Stack after return:  f5
   Stack use after scope:   f8
   Global redzone:  f9
   Global init order:   f6
   Poisoned by user:f7
   Container overflow:  fc
   Array cookie:ac
   Intra object redzone:bb
   ASan internal:   fe

Re: [FFmpeg-trac] #10686(avfilter:new): heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in config_eq_output in FFmpeg

[FFmpeg-trac] #10686(avfilter:new): heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in config_eq_output in FFmpeg

2 matches

Site Navigation

Mail list logo

Footer information