Opened 2 weeks ago

Last modified 13 days ago

#11418 new defect

stack-buffer-overflow on libavcodec/aacenc_tns.c

Reported by: 0x20z Owned by:
Priority: important Component: undetermined
Version: git-master Keywords:
Cc: 0x20z Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

I have discovered a stack-buffer-overflow vulnerability. The POC file is attached to the session, and the version of ffmpeg is the main branch. Please confirm.

How to reproduce:

git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g"   --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -i poc -aac_pred true -profile:a aac_low output.mpd

log:

=================================================================
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
    #0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
    #1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
    #2 0x572aaaa197e2 in ff_encode_encode_cb libavcodec/encode.c:254
    #3 0x572aaaa1b896 in encode_simple_internal libavcodec/encode.c:340
    #4 0x572aaaa1bbfb in encode_simple_receive_packet libavcodec/encode.c:354
    #5 0x572aaaa1cb13 in encode_receive_packet_internal libavcodec/encode.c:388
    #6 0x572aaaa1e97e in avcodec_send_frame libavcodec/encode.c:531
    #7 0x572aa7edbe65 in encode_frame fftools/ffmpeg_enc.c:643
    #8 0x572aa7edf861 in frame_encode fftools/ffmpeg_enc.c:812
    #9 0x572aa7ee0a09 in encoder_thread fftools/ffmpeg_enc.c:899
    #10 0x572aa7fb17b2 in task_wrapper fftools/ffmpeg_sched.c:2534
    #11 0x7f286f094ac2 in start_thread nptl/pthread_create.c:442
    #12 0x7f286f12684f  (/usr/lib/x86_64-linux-gnu/libc.so.6+0x12684f)

Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
    #0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162

  This frame has 2 object(s):
    [32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
    [64, 320) 'coefs' (line 165)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T1 (enc0:0:aac) created by T0 here:
    #0 0x7f286fc58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x572aa7f8ad4b in task_start fftools/ffmpeg_sched.c:414
    #2 0x572aa7fa09d7 in sch_start fftools/ffmpeg_sched.c:1615
    #3 0x572aa8006dea in transcode fftools/ffmpeg.c:864
    #4 0x572aa80081a8 in main fftools/ffmpeg.c:992
    #5 0x7f286f029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: stack-buffer-overflow libavcodec/aacenc_tns.c:204 in ff_aac_search_for_tns

Found by:

0x20z

Thank you for your time and attention
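Added here as a triage aid, not part of the ticket or of FFmpeg: a small Python parser for the ASan report above that recovers the bug class, the faulting access, the frame that owns the stack objects, and which object the access runs past. The element-index calculation assumes the element width equals the reported access width (4 bytes here), which the report itself does not state.

```python
"""Triage helper: parse an AddressSanitizer stack-buffer-overflow report."""
import re

# Constructed sample: the report lines quoted in this ticket, trimmed to the parts parsed below.
SAMPLE_REPORT = """\
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
    #0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
    #1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
    #0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162
  This frame has 2 object(s):
    [32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
    [64, 320) 'coefs' (line 165)
SUMMARY: AddressSanitizer: stack-buffer-overflow libavcodec/aacenc_tns.c:204 in ff_aac_search_for_tns
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)", re.M)
SITE_RE = re.compile(r"^\s+#0 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s+\[(\d+), (\d+)\) '(\w+)' \(line (\d+)\)(\s+<==)?", re.M)


def parse_asan_report(text):
    """Return a dict with the bug class, the faulting access and the overflowed stack object."""
    bug_class = ERROR_RE.search(text).group(1)
    kind, size, thread = ACCESS_RE.search(text).groups()
    size = int(size)
    # The first '#0' is the faulting instruction; the second is the frame that owns the objects.
    (func, path, line), (_, _, frame_line) = SITE_RE.findall(text)[:2]
    offset = int(OFFSET_RE.search(text).group(1))
    objects = [{"name": n, "lo": int(lo), "hi": int(hi), "line": int(ln), "marked": bool(m)}
               for lo, hi, n, ln, m in OBJECT_RE.findall(text)]
    # The access [offset, offset+size) lands in a redzone; the variable it overflows is the
    # nearest object that ends at or before the faulting offset.
    below = [o for o in objects if o["hi"] <= offset]
    victim = max(below, key=lambda o: o["hi"]) if below else None
    result = {"bug_class": bug_class, "access": kind, "size": size, "thread": thread,
              "site": f"{func} {path}:{line}", "frame_line": int(frame_line),
              "offset": offset, "victim": victim["name"] if victim else None,
              "bytes_past_end": offset - victim["hi"] if victim else None,
              "marker_agrees": bool(victim and victim["marked"])}
    if victim:
        # Assumption: element width equals the access width, giving the out-of-range index.
        result["element_index"] = (offset - victim["lo"]) // size
        result["element_count"] = (victim["hi"] - victim["lo"]) // size
    return result
```

For this report the parser identifies a 4-byte read at index 2 of the 2-element object `en`, i.e. exactly one element past its end, and confirms that ASan's own `<==` marker points at the same variable.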

Attachments (1)

poc (22.1 KB ) - added by 0x20z 2 weeks ago.


Change History (3)

by 0x20z, 2 weeks ago

Attachment: poc added

comment:1 by somehacker, 13 days ago

This should have probably been reported as a security bug to ffmpeg-security@ffmpeg.org since this bug may have security implications. See https://www.ffmpeg.org/security.html

comment:2 by 0x20z, 13 days ago

The issue has been notified via email and a cc has been sent to Lynne, and it is currently being processed.
