Opened 20 months ago
Closed 4 months ago
#10242 closed defect (fixed)
heap overflow in ffmpeg (base64.c:133)
| Reported by: | Youngseok Choi | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avutil |
| Version: | git-master | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Hi, while running afl++ on ffmpeg,
I found heap overflow in ffmpeg.
How to reproduce:
% ./ffmpeg -i "data:/;;,doubleweend"
Stack Trace:
==19450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000000407 at pc 0x55838811cade bp 0x7ffd42d3c400 sp 0x7ffd42d3c3f0
WRITE of size 1 at 0x609000000407 thread T0
#0 0x55838811cadd in av_base64_decode libavutil/base64.c:133
#1 0x558385eb5f9e in data_open libavformat/data_uri.c:79
#2 0x5583859af0ef in ffurl_connect libavformat/avio.c:209
#3 0x5583859b015c in ffurl_open_whitelist libavformat/avio.c:347
#4 0x5583859ba239 in ffio_open_whitelist libavformat/aviobuf.c:1230
#5 0x558385d0c9d0 in io_open_default libavformat/options.c:151
#6 0x558385a061c4 in init_input libavformat/demux.c:174
#7 0x558385a06c66 in avformat_open_input libavformat/demux.c:254
#8 0x558384ef1532 in ifile_open fftools/ffmpeg_demux.c:1051
#9 0x558384f372f4 in open_files fftools/ffmpeg_opt.c:1244
#10 0x558384f37669 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
#11 0x558384f750df in main fftools/ffmpeg.c:4160
#12 0x7fcc4980fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#13 0x558384ee0499 in _start (/home/youngseok/latest-subjects/ffmpeg/ffmpeg+0x52f499)
Environment:
- OS: Ubuntu 18.04
- gcc: 7.5.0
- ffmpeg: version N-109968-gcc76e8340d (git-master)
Note that I built ffmpeg with address sanitizer.
./configure --extra-cflags="-fsanitize=address -g -O0" \ --extra-cxxflags="-fsanitize=address -g -O0" --extra-ldflags="-fsanitize=address -g -O0" \ --disable-optimizations --disable-stripping
Change History (1)
comment:1 by , 4 months ago
| Component: | ffmpeg → avutil |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Fixed in 2d216566f258badd07bc58de1e089b6e4175dc46.