Opened 3 days ago

#11393 new defect

SEGV on libavcodec/jpeg2000dec.c:1491:59

Reported by: 0x20z Owned by:
Priority: important Component: avcodec
Version: git-master Keywords:
Cc: 0x20z Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
Dear developers,
I have discovered a Segmentation Fault vulnerability. The POC file is attached to the session, and the version of ffmpeg is N-118197-gbb85423142, the main branch. Please confirm.

How to reproduce:

git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g"   --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -y -i poc tmp.mp4

ASAN log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4155776==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5c833916beed bp 0x707b21dfe040 sp 0x707b21dfd150 T1)
==4155776==The signal is caused by a READ memory access.
==4155776==Hint: address points to the zero page.
    #0 0x5c833916beed in jpeg2000_decode_packet FFmpeg/libavcodec/jpeg2000dec.c:1491:59
    #1 0x5c83391635ae in jpeg2000_decode_packets_po_iteration FFmpeg/libavcodec/jpeg2000dec.c:1595:40
    #2 0x5c8339162ae6 in jpeg2000_decode_packets FFmpeg/libavcodec/jpeg2000dec.c:1856:15
    #3 0x5c833914e32b in jpeg2000_read_bitstream_packets FFmpeg/libavcodec/jpeg2000dec.c:2651:20
    #4 0x5c8339143d46 in jpeg2000_decode_frame FFmpeg/libavcodec/jpeg2000dec.c:2880:15
    #5 0x5c8338ac27f5 in decode_simple_internal FFmpeg/libavcodec/decode.c:443:16
    #6 0x5c8338ab04f4 in decode_simple_receive_frame FFmpeg/libavcodec/decode.c:613:15
    #7 0x5c8338aadd59 in ff_decode_receive_frame_internal FFmpeg/libavcodec/decode.c:649:15
    #8 0x5c83396b21ff in frame_worker_thread FFmpeg/libavcodec/pthread_frame.c:295:19
    #9 0x707b24694ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #10 0x707b2472684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV FFmpeg/libavcodec/jpeg2000dec.c:1491:59 in jpeg2000_decode_packet
Thread T1 (av:jpeg200:df0) created by T0 here:
    #0 0x5c8336dd625c in __interceptor_pthread_create (FFmpeg/ffmpeg+0x7b725c) (BuildId: e9074a31dadd6ca9f015fa496c6951e0bb7210b0)
    #1 0x5c83396afe91 in init_thread FFmpeg/libavcodec/pthread_frame.c:913:11
    #2 0x5c83396aeb2f in ff_frame_thread_init FFmpeg/libavcodec/pthread_frame.c:972:15
    #3 0x5c83396a7678 in ff_thread_init /FFmpeg/libavcodec/pthread.c:79:16
    #4 0x5c833868ebbd in avcodec_open2 FFmpeg/libavcodec/avcodec.c:323:15
    #5 0x5c8336e2aed4 in dec_open FFmpeg/fftools/ffmpeg_dec.c:1602:16
    #6 0x5c8336e2915b in dec_init FFmpeg/fftools/ffmpeg_dec.c:1662:11
    #7 0x5c8336e3e474 in ist_use FFmpeg/fftools/ffmpeg_demux.c:950:15
    #8 0x5c8336e3f272 in ist_filter_add FFmpeg/fftools/ffmpeg_demux.c:986:11
    #9 0x5c8336e6d919 in ifilter_bind_ist FFmpeg/fftools/ffmpeg_filter.c:690:11
    #10 0x5c8336e6ceeb in fg_create_simple FFmpeg/fftools/ffmpeg_filter.c:1230:11
    #11 0x5c8336eb21ff in ost_bind_filter FFmpeg/fftools/ffmpeg_mux_init.c:999:15
    #12 0x5c8336ea67ad in ost_add FFmpeg/fftools/ffmpeg_mux_init.c:1536:15
    #13 0x5c8336ea09be in map_auto_video FFmpeg/fftools/ffmpeg_mux_init.c:1640:16
    #14 0x5c8336e99724 in create_streams FFmpeg/fftools/ffmpeg_mux_init.c:1969:19
    #15 0x5c8336e97b55 in of_open FFmpeg/fftools/ffmpeg_mux_init.c:3335:11
    #16 0x5c8336ec4512 in open_files FFmpeg/fftools/ffmpeg_opt.c:1363:15
    #17 0x5c8336ec3e38 in ffmpeg_parse_options FFmpeg/fftools/ffmpeg_opt.c:1419:11
    #18 0x5c8336f0cfad in main FFmpeg/fftools/ffmpeg.c:974:11
    #19 0x707b24629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

==4155776==ABORTING

ffmpeg version:

# ./ffmpeg -version
ffmpeg version N-118197-gbb85423142 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan --enable-cross-compile
libavutil      59. 53.100 / 59. 53.100
libavcodec     61. 28.100 / 61. 28.100
libavformat    61.  9.102 / 61.  9.102
libavdevice    61.  4.100 / 61.  4.100
libavfilter    10.  6.101 / 10.  6.101
libswscale      8. 13.100 /  8. 13.100
libswresample   5.  4.100 /  5.  4.100

Found by:

Found by 0x20z

Thank you for your time and attention
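The report above is a SEGV on the zero page, i.e. a NULL-pointer read inside jpeg2000_decode_packet running in a frame-worker thread. When triaging a stream of such ASan tickets it helps to pull the crash kind, fault address, access type and top frames out of the report mechanically. The following parser is an added example, not part of the ticket or of FFmpeg; its sample input is the first lines of this ticket's ASan log, and the zero-page classification threshold is an assumption (one 4 KiB page).

```python
import re

# Sample input: the opening lines of the ASan report from this ticket (some frames omitted).
SAMPLE_LOG = """\
AddressSanitizer:DEADLYSIGNAL
==4155776==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5c833916beed bp 0x707b21dfe040 sp 0x707b21dfd150 T1)
==4155776==The signal is caused by a READ memory access.
==4155776==Hint: address points to the zero page.
    #0 0x5c833916beed in jpeg2000_decode_packet FFmpeg/libavcodec/jpeg2000dec.c:1491:59
    #1 0x5c83391635ae in jpeg2000_decode_packets_po_iteration FFmpeg/libavcodec/jpeg2000dec.c:1595:40
    #2 0x5c8339162ae6 in jpeg2000_decode_packets FFmpeg/libavcodec/jpeg2000dec.c:1856:15
    #5 0x5c8338ac27f5 in decode_simple_internal FFmpeg/libavcodec/decode.c:443:16
    #8 0x5c83396b21ff in frame_worker_thread FFmpeg/libavcodec/pthread_frame.c:295:19
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# One symbolised frame: "#N 0xADDR in function path/file.c:LINE[:COL]"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?\s*$", re.M)

ZERO_PAGE = 4096  # assumption: faults inside the first page are treated as NULL dereferences


def triage_asan(log: str) -> dict:
    """Parse an ASan DEADLYSIGNAL report into a triage summary."""
    err = ERROR_RE.search(log)
    if not err:
        raise ValueError("not an ASan 'unknown address' report")
    kind, addr = err.group(1), int(err.group(2), 16)
    access_m = ACCESS_RE.search(log)
    access = access_m.group(1) if access_m else "UNKNOWN"
    # Frames as (function, file, line); the first one is the faulting statement.
    frames = [(fn, path, int(line)) for _, fn, path, line in FRAME_RE.findall(log)]
    null_deref = addr < ZERO_PAGE
    if kind == "SEGV" and null_deref:
        cause = "NULL pointer dereference (zero page); look for a missing pointer check"
    elif kind == "SEGV":
        cause = "wild or dangling pointer; investigate for memory corruption"
    else:
        cause = "non-SEGV signal; inspect the report manually"
    return {
        "kind": kind,
        "address": addr,
        "access": access,
        "null_deref": null_deref,
        "crash_site": frames[0] if frames else None,
        "frames": frames,
        "likely_cause": cause,
    }


if __name__ == "__main__":
    summary = triage_asan(SAMPLE_LOG)
    print(summary["likely_cause"], "at", summary["crash_site"])
```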

Attachments (1)

poc (842 bytes ) - added by 0x20z 3 days ago.


Change History (1)

by 0x20z, 3 days ago

Attachment: poc added