Opened 6 weeks ago

#11326 new defect

Null Pointer Dereference in iamf_read_header /ffmpeg/libavformat/iamfdec.c:110:54

Reported by: SuTong Owned by:
Priority: normal Component: ffmpeg
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug: a null pointer dereference problem in the latest version of ffmpeg
How to reproduce:

% ffmpeg -y -i ./poc -c:v mpeg4 -c:a copy -f mp4 /dev/null 

>>   built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
>>   configuration: --cc=gcc --cxx=g++ --extra-cflags=-g --extra-cxxflags=-g --disable-x86asm

gdb information:

# gdb --args /fuzz/oss-ffmpeg/ffmpeg-gdb/ffmpeg_g -y -i ./poc -c:v mpeg4 -c:a copy -f mp4 /dev/null 
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /fuzz/oss-ffmpeg/ffmpeg-gdb/ffmpeg_g...
(gdb) r
Starting program: /fuzz/oss-ffmpeg/ffmpeg-gdb/ffmpeg_g -y -i ./id:000000,sig:11,src:011919,time:12549736,execs:1895023,op:havoc,rep:3 -c:v mpeg4 -c:a copy -f mp4 /dev/null
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-117939-g351fd8460a Copyright (c) 2000-2024 the FFmpeg developers
  built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
  configuration: --cc=gcc --cxx=g++ --extra-cflags=-g --extra-cxxflags=-g --disable-x86asm
  libavutil      59. 47.101 / 59. 47.101
  libavcodec     61. 26.100 / 61. 26.100
  libavformat    61.  9.100 / 61.  9.100
  libavdevice    61.  4.100 / 61.  4.100
  libavfilter    10.  6.101 / 10.  6.101
  libswscale      8. 12.100 /  8. 12.100
  libswresample   5.  4.100 /  5.  4.100
[iamf @ 0x55fe4836f980] Underread in audio_element_obu. 3 bytes left at the end
[iamf @ 0x55fe4836f980] Underread in mix_presentation_obu. 22 bytes left at the end

Program received signal SIGSEGV, Segmentation fault.
0x000055fe3a6021e1 in iamf_read_header (s=0x55fe4836f980) at libavformat/iamfdec.c:110
110                 if (!i && !j && audio_element->layers[0].substream_count == 1)
(gdb) bt
#0  0x000055fe3a6021e1 in iamf_read_header (s=0x55fe4836f980) at libavformat/iamfdec.c:110
#1  0x000055fe3a5c3d49 in avformat_open_input (ps=ps@entry=0x7ffe7510b100, 
    filename=filename@entry=0x7ffe7510d44b "./id:000000,sig:11,src:011919,time:12549736,execs:1895023,op:havoc,rep:3", 
    fmt=fmt@entry=0x0, options=0x55fe4836f558) at libavformat/demux.h:140
#2  0x000055fe3a3006fb in ifile_open (o=o@entry=0x7ffe7510b4a0, filename=<optimized out>, sch=sch@entry=0x55fe4836f040)
    at fftools/ffmpeg_demux.c:1727
#3  0x000055fe3a317abd in open_files (inout=inout@entry=0x55fe3b11cf01 "input", sch=sch@entry=0x55fe4836f040, 
    open_file=0x55fe3a300010 <ifile_open>, l=<optimized out>, l=<optimized out>) at fftools/ffmpeg_opt.c:1363
#4  0x000055fe3a319aa6 in ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>, sch=0x55fe4836f040)
    at fftools/ffmpeg_opt.c:1412
#5  0x000055fe3a2f8fe8 in main (argc=11, argv=0x7ffe7510c178) at fftools/ffmpeg.c:974

Attachments (1)

poc (423 bytes ) - added by SuTong 6 weeks ago.

Download all attachments as: .zip

Change History (1)

by SuTong, 6 weeks ago

Attachment: poc added
Note: See TracTickets for help on using tickets.