Opened 5 months ago
#11065 new defect
global-buffer-overflow in ffmpeg_DEMUXER_fuzzer
| Reported by: | Giacomo Priamo | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | ffmpeg |
| Version: | git-master | Keywords: | |
| Cc: | Giacomo Priamo | Blocked By: | |
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Describe the bug
AddressSanitizer: global-buffer-overflow in ffmpeg_DEMUXER_fuzzer (ipcm_decoder_configdecNumberCopy).
To Reproduce
I cloned the latest version of ffmpeg, compiled it using the build script from oss-fuzz, and fuzzed the ffmpeg_DEMUXER_fuzzer harness.
ASAN Output
./ffmpeg_DEMUXER_fuzzer testcase
==2936342==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000012273d8 at pc 0x000000761cdd bp 0x7ffdce7b2da0 sp 0x7ffdce7b2d98
READ of size 4 at 0x0000012273d8 thread T0
#0 0x761cdc in ipcm_decoder_config ffmpeg/libavformat/iamf_parse.c:152:30
#1 0x75ec93 in codec_config_obu ffmpeg/libavformat/iamf_parse.c:241:15
#2 0x75e61b in ff_iamfdec_read_descriptors ffmpeg/libavformat/iamf_parse.c:1079:19
#3 0x5caefe in iamf_read_header ffmpeg/libavformat/iamfdec.c:78:11
#4 0x4f8b24 in avformat_open_input ffmpeg/libavformat/demux.c:305:20
#5 0x4f157c in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:202:11
#6 0x115bf4d in ExecuteFilesOnyByOne utils/aflpp_driver/aflpp_driver.c:255:7
#7 0x115bd58 in LLVMFuzzerRunDriver utils/aflpp_driver/aflpp_driver.c
#8 0x115b918 in main utils/aflpp_driver/aflpp_driver.c:300:10
#9 0x7f6a68203082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#10 0x43f49d in _start (target+0x43f49d)
0x0000012273d8 is located 8 bytes to the left of global variable 'sample_fmt' defined in 'libavformat/iamf_parse.c:143:33' (0x12273e0) of size 24
0x0000012273d8 is located 31 bytes to the right of global variable '<string literal>' defined in 'libavformat/iamf_parse.c:253:34' (0x1227380) of size 57
'<string literal>' is ascii string 'Underread in codec_config_obu. %d bytes left at the end
'
SUMMARY: AddressSanitizer: global-buffer-overflow ffmpeg/libavformat/iamf_parse.c:152:30 in ipcm_decoder_config
Shadow bytes around the buggy address:
0x00008023ce20: f9 f9 f9 f9 00 00 00 00 00 00 00 02 f9 f9 f9 f9
0x00008023ce30: 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
0x00008023ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008023ce50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008023ce60: 00 00 00 03 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
=>0x00008023ce70: 00 00 00 00 00 00 00 01 f9 f9 f9[f9]00 00 00 f9
0x00008023ce80: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
0x00008023ce90: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 03
0x00008023cea0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 07 f9 f9 f9
0x00008023ceb0: f9 f9 f9 f9 00 00 00 00 00 00 00 02 f9 f9 f9 f9
0x00008023cec0: 00 00 00 06 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2936342==ABORTING
Environment info
uname -a output: Linux ThinkPad 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Clang version: 12.0.1
Testcase
See attached testcase file
Attachments (1)
Note:
See TracTickets
for help on using tickets.
