subject:"\[FFmpeg\-trac\] #10688\(avfilter\:new\)\: heap\-buffer\-overflow at libavfilter\/bwdifdsp.c\:125\:5 in ff_bwdif_filter_intra

Re: [FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

2023-12-24 Thread FFmpeg

#10688: heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in
ff_bwdif_filter_intra_c in FFmpeg
--+
 Reporter:  ZengYunxiang  |Owner:  (none)
 Type:  defect|   Status:  new
 Priority:  critical  |Component:  avfilter
  Version:  unspecified   |   Resolution:
 Keywords:  bugs  |   Blocked By:
 Blocking:|  Reproduced by developer:  0
Analyzed by developer:  0 |
--+
Comment (by Cosmin Stejerean):

 Fixed by 737ede405b11a37fdd61d19cf25df296a0cb0b75
-- 
Ticket URL: 
FFmpeg 
FFmpeg issue tracker___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac

To unsubscribe, visit link above, or email
ffmpeg-trac-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

2023-11-25 Thread FFmpeg

#10688: heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in
ff_bwdif_filter_intra_c in FFmpeg
--+
 Reporter:  ZengYunxiang  |Owner:  (none)
 Type:  defect|   Status:  new
 Priority:  critical  |Component:  avfilter
  Version:  unspecified   |   Resolution:
 Keywords:  bugs  |   Blocked By:
 Blocking:|  Reproduced by developer:  0
Analyzed by developer:  0 |
--+
Comment (by Cosmin Stejerean):

 This can be reproduced with a simple YUV420p input with a height of 6 or
 lower, where after chroma subsampling the height of the chroma planes will
 be < 4. For example

 {{{
 ffmpeg -f lavfi -i testsrc=duration=1:size=16x6:rate=30 -vf format=yuv420p
 -y out.mp4
 }}}
-- 
Ticket URL: 
FFmpeg 
FFmpeg issue tracker___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac

To unsubscribe, visit link above, or email
ffmpeg-trac-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

2023-11-23 Thread FFmpeg

#10688: heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in
ff_bwdif_filter_intra_c in FFmpeg
--+
 Reporter:  ZengYunxiang  |Owner:  (none)
 Type:  defect|   Status:  new
 Priority:  critical  |Component:  avfilter
  Version:  unspecified   |   Resolution:
 Keywords:  bugs  |   Blocked By:
 Blocking:|  Reproduced by developer:  0
Analyzed by developer:  0 |
--+
Changes (by ZengYunxiang):

 * Attachment "poc3ffmpeg" added.

-- 
Ticket URL: 
FFmpeg 
FFmpeg issue tracker___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac

To unsubscribe, visit link above, or email
ffmpeg-trac-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

2023-11-23 Thread FFmpeg

#10688: heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in
ff_bwdif_filter_intra_c in FFmpeg
-+-
 Reporter:   | Type:  defect
  ZengYunxiang   |
   Status:  new  | Priority:  critical
Component:  avfilter |  Version:
 |  unspecified
 Keywords:  bugs |   Blocked By:
 Blocking:   |  Reproduced by developer:  0
Analyzed by developer:  0|
-+-
 Summary of the bug:

 Dear developers, hello!
 I recently proposed a new fuzzing method named fuzzyx, and found the
 following heap-buffer-overflow bug on FFmpeg6.1 when using bwdif filter,
 please confirm.

 POC file link:
 poc3ffmpeg:
 [https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc3ffmpeg]

 How to reproduce:
 {{{
 git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1
 cd ffmpeg6-1
 git checkout 466799d
 ./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain
 =clang-asan
 make -j30

 ./ffmpeg_g -y -i poc3ffmpeg -filter_complex bwdif tmp.mkv
 }}}

 ASAN Log:
 {{{
 =
 ==716046==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x61aafe40 at pc 0x55871b706904 bp 0x7ffd0ee6d2a0 sp 0x7ffd0ee6d298
 READ of size 8 at 0x61aafe40 thread T0
 #0 0x55871b706903 in ff_bwdif_filter_intra_c
 /ffmpeg/libavfilter/bwdifdsp.c:125:5
 #1 0x55871ae6ba71 in filter_slice /ffmpeg/libavfilter/vf_bwdif.c:80:17
 #2 0x55871ad49638 in worker_func /ffmpeg/libavfilter/pthread.c:49:15
 #3 0x55871eddd45e in run_jobs /ffmpeg/libavutil/slicethread.c:65:9
 #4 0x55871eddd45e in avpriv_slicethread_execute
 /ffmpeg/libavutil/slicethread.c:192:19
 #5 0x55871ad494a6 in thread_execute /ffmpeg/libavfilter/pthread.c:71:5
 #6 0x55871ae6b021 in ff_filter_execute
 /ffmpeg/libavfilter/internal.h:147:12
 #7 0x55871ae6b021 in filter /ffmpeg/libavfilter/vf_bwdif.c:132:9
 #8 0x55871b4b2867 in return_frame
 /ffmpeg/libavfilter/yadif_common.c:57:5
 #9 0x55871b4b2fdf in ff_yadif_request_frame
 /ffmpeg/libavfilter/yadif_common.c:185:9
 #10 0x55871acdabfb in ff_request_frame_to_filter
 /ffmpeg/libavfilter/avfilter.c:482:15
 #11 0x55871acd5e21 in ff_filter_activate_default
 /ffmpeg/libavfilter/avfilter.c:1184:20
 #12 0x55871acd5e21 in ff_filter_activate
 /ffmpeg/libavfilter/avfilter.c:1331:11
 #13 0x55871acea5cc in get_frame_internal
 /ffmpeg/libavfilter/buffersink.c:139:19
 #14 0x55871ace7030 in avfilter_graph_request_oldest
 /afltest/ffmpegasan/libavfilter/avfiltergraph.c:1306:17
 #15 0x55871abac97f in fg_transcode_step
 /ffmpeg/fftools/ffmpeg_filter.c:2485:11
 #16 0x55871ac08326 in transcode_step /ffmpeg/fftools/ffmpeg.c:1134:20
 #17 0x55871ac08326 in transcode /ffmpeg/fftools/ffmpeg.c:1205:15
 #18 0x55871ac08326 in main /ffmpeg/fftools/ffmpeg.c:1331:11
 #19 0x7fe4a2370d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
 (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
 #20 0x7fe4a2370e3f in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
 #21 0x55871aab6824 in _start (/ffmpeg/ffmpeg_g+0x90e824) (BuildId:
 9832a23ddc031de766b82a345766231d990b42d2)

 0x61aafe40 is located 64 bytes to the left of 1167-byte region
 [0x61aafe80,0x61ab030f)
 allocated by thread T11 (av:h264:df10) here:
 #0 0x55871ab3a1e7 in __interceptor_posix_memalign
 (/ffmpeg/ffmpeg_g+0x9921e7) (BuildId:
 9832a23ddc031de766b82a345766231d990b42d2)
 #1 0x55871ed98c21 in av_malloc /ffmpeg/libavutil/mem.c:105:9
 #2 0x55871ed376ec in av_buffer_alloc /ffmpeg/libavutil/buffer.c:82:12
 #3 0x55871ed376ec in av_buffer_allocz /ffmpeg/libavutil/buffer.c:95:24
 #4 0x55871ed3a156 in pool_alloc_buffer
 /ffmpeg/libavutil/buffer.c:363:26
 #5 0x55871ed3a156 in av_buffer_pool_get
 /ffmpeg/libavutil/buffer.c:401:15
 #6 0x55871c548777 in video_get_buffer
 /ffmpeg/libavcodec/get_buffer.c:240:23
 #7 0x55871c548777 in avcodec_default_get_buffer2
 /ffmpeg/libavcodec/get_buffer.c:276:16
 #8 0x55871c1c2d6f in ff_get_buffer /ffmpeg/libavcodec/decode.c:1672:11
 #9 0x55871cf4a87f in thread_get_buffer_internal
 /ffmpeg/libavcodec/pthread_frame.c:969:11
 #10 0x55871cf4a87f in ff_thread_get_buffer
 /ffmpeg/libavcodec/pthread_frame.c:978:15

 Thread T11 (av:h264:df10) created by T0 here:
 #0 0x55871ab22aec in __interceptor_pthread_create
 (/ffmpeg/ffmpeg_g+0x97aaec) (BuildId:
 9832a23ddc031de766b82a345766231d990b42d2)
 #1 0x55871a9b0d4b in init_thread
 /ffmpeg/libavcodec/pthread_frame.c:844:11

 SUMMARY: AddressSanitizer: heap-buffer-overflow
 /ffmpeg/libavfilter/bwdifdsp.c:125:5 in

Re: [FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

Re: [FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

Re: [FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

[FFmpeg-trac] #10688(avfilter:new): heap-buffer-overflow at libavfilter/bwdifdsp.c:125:5 in ff_bwdif_filter_intra_c in FFmpeg

4 matches

Site Navigation

Mail list logo

Footer information