Opened 3 days ago
Closed 3 days ago
#11392 closed defect (fixed)
Null pointer dereference on malformed buffersink expression in filter graph
| Reported by: | somehacker | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avfilter |
| Version: | git-master | Keywords: | buffersink |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | yes | | |
Description
Summary of the bug:
There is a null pointer dereference introduced in commit b8bf2f4e1758a9f7f34160245b5f663d53159c2d when parsing a specially crafted filter graph involving buffersinks.
How to reproduce:
```
% ffmpeg -i input -vf "abuffersink=::a" output
ffmpeg version git-2024-12-27-5f38c82 Copyright (c) 2000-2024 the FFmpeg developers
  built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
  configuration:
  libavutil      59. 53.100 / 59. 53.100
  libavcodec     61. 28.100 / 61. 28.100
  libavformat    61.  9.102 / 61.  9.102
  libavdevice    61.  4.100 / 61.  4.100
  libavfilter    10.  6.101 / 10.  6.101
  libswscale      8. 13.100 /  8. 13.100
  libswresample   5.  4.100 /  5.  4.100
```
built on Description: Ubuntu 24.04.1 LTS (windows WSL)
This bug occurs regardless of the contents of the input file as the bug is in the processing of the filter graph command line argument.
I discovered this bug via fuzzing the filter graph parsing. I wrote up a report of that here in a blog post: https://personnumber3377.github.io/projects/fuzzing_ffmpeg_avfilter_graph_parse_ptr.html#fixing-the-fuzzer . This bug is caused by this commit: https://github.com/FFmpeg/FFmpeg/commit/b8bf2f4e1758a9f7f34160245b5f663d53159c2d because I tried with the previous commit and it did not crash with the same input. In the same blog post I also described my development of a fuzzer for these filter graphs, because looking at the codebase there doesn't appear to be such a fuzzer for filter graphs.
Here is the output from my fuzzer:
```
oof@elskun-lppri:~/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign$ ./target_graph_fuzzer final.bin
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1544958777
INFO: Loaded 1 modules (1514265 inline 8-bit counters): 1514265 [0x564dd6f9bc38, 0x564dd710d751),
INFO: Loaded 1 PC tables (1514265 PCs): 1514265 [0x564dd710d758,0x564dd88288e8),
./target_graph_fuzzer: Running 1 inputs 1 time(s) each.
Running: final.bin
[Parsed_abuffersink_0 @ 0x511000000180] The "sample_fmts" option is deprecated: set the supported sample formats
[Parsed_abuffersink_0 @ 0x511000000180] The "sample_rates" option is deprecated: set the supported sample rates
[Parsed_abuffersink_0 @ 0x511000000180] The "ch_layouts" option is deprecated: set a '|'-separated list of supported channel layouts
libavfilter/buffersink.c:208:25: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/buffersink.c:208:25
libavfilter/buffersink.c:208:24: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:61:62: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavfilter/buffersink.c:208:24
AddressSanitizer:DEADLYSIGNAL
=================================================================
==459309==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa74f5ce500 bp 0x7ffe69af11f0 sp 0x7ffe69af09b8 T0)
==459309==The signal is caused by a WRITE memory access.
==459309==Hint: address points to the zero page.
    #0 0x7fa74f5ce500 in __memset_avx2_unaligned_erms string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:378
    #1 0x564dd174729e in __asan_memset (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x41ee29e) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
    #2 0x564dd147507d in common_init /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/buffersink.c:208:17
    #3 0x564dd1964a90 in avfilter_init_dict /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/avfilter.c:939:15
    #4 0x564dd17e82ab in avfilter_graph_segment_init /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/graphparser.c:634:19
    #5 0x564dd17ecabc in avfilter_graph_parse_ptr /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/libavfilter/graphparser.c:948:11
    #6 0x564dd1787bae in LLVMFuzzerTestOneInput /home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/target_graph_fuzzer.c:104:11
    #7 0x564dd1695174 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x413c174) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
    #8 0x564dd167e2a6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x41252a6) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
    #9 0x564dd1683d5a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x412ad5a) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
    #10 0x564dd16ae516 in main (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x4155516) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)
    #11 0x7fa74f46f1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7fa74f46f28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #13 0x564dd1678e74 in _start (/home/oof/ffmpegfuzzerthing/myfork/FFmpeg/tools/fuzzingcampaign/target_graph_fuzzer+0x411fe74) (BuildId: c1e736a748ca18c0ca919e9db2eaf1561ad2f67a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:378 in __memset_avx2_unaligned_erms
==459309==ABORTING
```
Change History (1)
comment:1 by , 3 days ago
| Keywords: | buffersink added; null avfilter filter filters removed |
|---|---|
| Priority: | minor → important |
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in 041a6c36142f89addf2bc850f5bd27a089d900f5.