#10691 closed defect (fixed)
heap-buffer-overflow at libavfilter/af_dialoguenhance.c:261:5 in de_stereo in FFmpeg
Reported by: | ZengYunxiang | Owned by: | |
---|---|---|---|
Priority: | important | Component: | undetermined |
Version: | git-master | Keywords: | bugs |
Cc: | ZengYunxiang | Blocked By: | |
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
Summary of the bug:
Dear developers,
We found the following heap-buffer-overflow bug on FFmpeg6.1 when using dialoguenhance filter, please confirm.
The poc file(poc4ffmpeg) will be attached to this ticket.
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1 cd ffmpeg6-1 git checkout 466799d ./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan make -j30 ./ffmpeg_g -y -i poc4ffmpeg -filter_complex dialoguenhance tmp.mp4
ASAN Log:
================================================================= ==2202591==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000000680 at pc 0x5590c9039267 bp 0x7fffad14d830 sp 0x7fffad14d000 READ of size 2048 at 0x61b000000680 thread T0 #0 0x5590c9039266 in __asan_memcpy (/ffmpeg6-1/ffmpeg_g+0x924266) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) #1 0x5590c98dd5f1 in de_stereo /ffmpeg6-1/libavfilter/af_dialoguenhance.c:261:5 #2 0x5590c98dd5f1 in filter_frame /ffmpeg6-1/libavfilter/af_dialoguenhance.c:322:5 #3 0x5590c98dd5f1 in activate /ffmpeg6-1/libavfilter/af_dialoguenhance.c:349:16 #4 0x5590c918a3d3 in ff_filter_activate /ffmpeg6-1/libavfilter/avfilter.c:1330:38 #5 0x5590c919d997 in push_frame /ffmpeg6-1/libavfilter/buffersrc.c:167:15 #6 0x5590c919d997 in av_buffersrc_close /ffmpeg6-1/libavfilter/buffersrc.c:285:47 #7 0x5590c909f65c in ifilter_send_eof /ffmpeg6-1/fftools/ffmpeg_filter.c:2318:15 #8 0x5590c907617d in send_filter_eof /ffmpeg6-1/fftools/ffmpeg_dec.c:536:15 #9 0x5590c907617d in dec_packet /ffmpeg6-1/fftools/ffmpeg_dec.c:835:15 #10 0x5590c90e6f7b in process_input_packet /ffmpeg6-1/fftools/ffmpeg.c:811:15 #11 0x5590c90e3d93 in process_input /ffmpeg6-1/fftools/ffmpeg.c:1087:23 #12 0x5590c90e3d93 in transcode_step /ffmpeg6-1/fftools/ffmpeg.c:1142:11 #13 0x5590c90e3d93 in transcode /ffmpeg6-1/fftools/ffmpeg.c:1204:15 #14 0x5590c90e3d93 in main /ffmpeg6-1/fftools/ffmpeg.c:1330:11 #15 0x7f06fceedd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9) #16 0x7f06fceede3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9) #17 0x5590c8fb70f4 in _start (/ffmpeg6-1/ffmpeg_g+0x8a20f4) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) 0x61b000000680 is located 0 bytes to the right of 1536-byte region [0x61b000000080,0x61b000000680) allocated by thread T1 (dec0:0:mp3float) here: #0 0x5590c903aab7 in __interceptor_posix_memalign (/ffmpeg6-1/ffmpeg_g+0x925ab7) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) #1 0x5590cc672a5e in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9 #2 0x5590cc629141 in av_buffer_alloc /ffmpeg6-1/libavutil/buffer.c:82:12 #3 0x5590cc62b4f3 in pool_alloc_buffer /ffmpeg6-1/libavutil/buffer.c:363:26 #4 0x5590cc62b4f3 in av_buffer_pool_get /ffmpeg6-1/libavutil/buffer.c:401:15 #5 0x5590ca4a3d0c in audio_get_buffer /ffmpeg6-1/libavcodec/get_buffer.c:203:25 #6 0x5590ca4a3d0c in avcodec_default_get_buffer2 /ffmpeg6-1/libavcodec/get_buffer.c:278:16 #7 0x5590ca1d1313 in ff_get_buffer /ffmpeg6-1/libavcodec/decode.c:1672:11 #8 0x5590caa61172 in mp_decode_frame /ffmpeg6-1/libavcodec/mpegaudiodec_template.c:1523:20 #9 0x5590caa467f4 in decode_frame /ffmpeg6-1/libavcodec/mpegaudiodec_template.c:1601:11 Thread T1 (dec0:0:mp3float) created by T0 here: #0 0x5590c90233bc in __interceptor_pthread_create (/ffmpeg6-1/ffmpeg_g+0x90e3bc) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) #1 0x5590c9077136 in dec_thread_start /ffmpeg6-1/fftools/ffmpeg_dec.c:871:11 #2 0x5590c9077136 in dec_open /ffmpeg6-1/fftools/ffmpeg_dec.c:1137:11 #3 0x5590c907cae1 in ist_use /ffmpeg6-1/fftools/ffmpeg_demux.c:845:19 #4 0x5590c907cae1 in ist_filter_add /ffmpeg6-1/fftools/ffmpeg_demux.c:874:11 #5 0x5590c90c5ebc in init_complex_filters /ffmpeg6-1/fftools/ffmpeg_opt.c:800:15 #6 0x5590c90c5ebc in ffmpeg_parse_options /ffmpeg6-1/fftools/ffmpeg_opt.c:1333:11 #7 0x5590c90e1d84 in main /ffmpeg6-1/fftools/ffmpeg.c:1312:11 #8 0x7f06fceedd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9) SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg6-1/ffmpeg_g+0x924266) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) in __asan_memcpy Shadow bytes around the buggy address: 0x0c367fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c367fff80d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2202591==ABORTING
ffmpeg version:
# ./ffmpeg -version ffmpeg version n6.1-3-g466799d4f5 Copyright (c) 2000-2023 the FFmpeg developers built with clang version 9.0.0 (https://github.com/llvm-mirror/llvm c62b24f070c9a4bb1a76409e623042a740cac4cd) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan libavutil 58. 29.100 / 58. 29.100 libavcodec 60. 31.102 / 60. 31.102 libavformat 60. 16.100 / 60. 16.100 libavdevice 60. 3.100 / 60. 3.100 libavfilter 9. 12.100 / 9. 12.100 libswscale 7. 5.100 / 7. 5.100 libswresample 4. 12.100 / 4. 12.100
Credit:
Zhang Ling Zeng Yunxiang
Thanks for your time!
Attachments (1)
Change History (3)
by , 11 months ago
Attachment: | poc4ffmpeg added |
---|
comment:1 by , 11 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:2 by , 4 months ago
FWIW, this was assigned CVE-2023-49528 (by Red Hat) and, if I'm not mistaken, was fixed by https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/2d9ed64859c9887d0504cd71dbd5b2c15e14251a .
Could this be backported to 6.1 branch?
Note:
See TracTickets
for help on using tickets.
POC file