#9161 closed defect (fixed)
null pointer dereference in ff_mpeg_unref_picture (libavcodec/mpegpicture.c)
Reported by: | AAA-zraxx | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avcodec |
Version: | 4.3.2 | Keywords: | crash SIGSEGV regression |
Cc: | Marton Balint | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
Summary
During fuzzing, we found a null pointer dereference (CWE-476) in the
latest FFmpeg/libavcodec.
Test Version
$ git log | head -n 4
commit f719f869907764e6412a6af6e178c46e5f915d25
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat Feb 20 14:22:23 2021 +0100
Reproduce & ASAN Report
```
linux64@ubuntu:~/ffmpeg-afl$ ./ffmpeg_g -i ../hangs/test_001.avi output_001.mp4
ffmpeg version 4.3.2-c872040 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --enable-debug --cc=afl-clang
  libavutil      56. 51.100 / 56. 51.100
  libavcodec     58. 91.100 / 58. 91.100
  libavformat    58. 45.100 / 58. 45.100
  libavdevice    58. 10.100 / 58. 10.100
  libavfilter     7. 85.100 /  7. 85.100
  libswscale      5.  7.100 /  5.  7.100
  libswresample   3.  7.100 /  3.  7.100
[pictor_pipe @ 0x61b000000080] Format pictor_pipe detected only with low score of 12, misdetection possible!
Input #0, pictor_pipe, from '../hangs/test_001.avi':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: pictor, pal8, 4039x32783, 25 tbr, 25 tbn, 25 tbc
File 'output_001.mp4' already exists. Overwrite? [y/N] y
Stream mapping:
  Stream #0:0 -> #0:0 (pictor (native) -> mpeg4 (native))
Press [q] to stop, [?] for help
[mpeg4 @ 0x619000001e80] dimensions too large for MPEG-4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==41208==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000378e8b5 bp 0x7ffc7f2c7bb0 sp 0x7ffc7f2c7120 T0)
==41208==The signal is caused by a READ memory access.
==41208==Hint: address points to the zero page.
    #0 0x378e8b4 in ff_mpeg_unref_picture /home/linux64/ffmpeg-c872040/libavcodec/mpegpicture.c:306:50
    #1 0x37ac423 in ff_mpv_common_end /home/linux64/ffmpeg-c872040/libavcodec/mpegvideo.c:1163:5
    #2 0x382abfc in ff_mpv_encode_end /home/linux64/ffmpeg-c872040/libavcodec/mpegvideo_enc.c:1074:5
    #3 0x466fa69 in avcodec_open2 /home/linux64/ffmpeg-c872040/libavcodec/utils.c:1029:9
    #4 0x5dd479 in init_output_stream /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:3476:20
    #5 0x5eaf0a in reap_filters /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:1432:19
    #6 0x5b6a0f in transcode_step /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4621:12
    #7 0x5b6a0f in transcode /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4665
    #8 0x5a161e in main /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4870:9
    #9 0x7ff15e466bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41d159 in _start (/home/linux64/ffmpeg-afl/ffmpeg_g+0x41d159)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/linux64/ffmpeg-c872040/libavcodec/mpegpicture.c:306:50 in ff_mpeg_unref_picture
==41208==ABORTING
```
GDB Output (compiled with gcc)
```
[#0] Id 1, Name: "ffmpeg_g", stopped 0x555555cb7e59 in ff_mpeg_unref_picture (), reason: SIGSEGV
[#1] Id 2, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#2] Id 3, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#3] Id 4, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#4] Id 5, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#5] Id 6, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#6] Id 7, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#7] Id 8, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#8] Id 9, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#9] Id 10, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#10] Id 11, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#11] Id 12, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#12] Id 13, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
──────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555cb7e59 → ff_mpeg_unref_picture(avctx=0x0, pic=0x555557598ba8)
[#1] 0x555555cbddf6 → ff_mpv_common_end(s=0x555557598740)
[#2] 0x55555567eca9 → ff_mpv_encode_end(avctx=0x55555758d8c0)
[#3] 0x555555e24b26 → avcodec_open2(avctx=0x55555758d8c0, codec=0x555556b75f20 <ff_mpeg4_encoder>, options=0x55555758d7d8)
[#4] 0x5555556ecdfc → init_output_stream(ost=<optimized out>, error=<optimized out>, error_len=0x400)
[#5] 0x5555556eec19 → reap_filters(flush=0x0)
[#6] 0x5555556f2d1e → transcode_step()
[#7] 0x5555556f2d1e → transcode()
[#8] 0x5555556cccfe → main(argc=0x4, argv=0x7fffffffdcb8)
[#9] 0x7ffff6dfebf7 → __libc_start_main(main=0x5555556ccbc0 <main>, argc=0x4, argv=0x7fffffffdcb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdca8)
───────────────────────────────────────────────────────────────────────────
ff_mpeg_unref_picture (avctx=0x0, pic=pic@entry=0x555557598ba8) at libavcodec/mpegpicture.c:306
306         if (avctx->codec_id != AV_CODEC_ID_WMV3IMAGE &&
```
PoC
```
linux64@ubuntu:~/hangs$ base64 test_001.avi
NBLHDw+AAAALNAMtECXUJR0UD4D/NA3/5Q==
```
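The shape of the crash in the report above, reduced to an added C model that is not FFmpeg's code and not part of the original ticket: a teardown routine that reads a field of the codec context before checking it (the `avctx->codec_id` test at mpegpicture.c:306), reached from the error path of an open that bailed out on "dimensions too large" before the context pointer was stored, so the teardown runs with `avctx == 0x0` exactly as the GDB frame shows. The struct layout, names, the `MAX_DIM` limit and the 64-byte picture buffers are assumptions; the 4039x32783 frame size is the one from the PoC's stream line. The unchecked pair is the "before", the checked pair the "after".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of the init/cleanup shape in the trace above.
 * Not FFmpeg's code: struct layout, names and MAX_DIM are assumptions. */
enum { CODEC_GENERIC = 1, CODEC_IMAGE_LIKE = 2 };
#define MAX_PICTURES 4
#define MAX_DIM 8192   /* assumed limit; the real MPEG-4 limit is not on the page */

typedef struct CodecCtx { int codec_id, width, height; } CodecCtx;
typedef struct Picture  { void *buf; int extra; } Picture;   /* buf == NULL: unreferenced */

typedef struct EncCtx {
    CodecCtx *avctx;               /* stored only once validation has passed */
    Picture   picture[MAX_PICTURES];
} EncCtx;

/* Before: the unref routine reads avctx first, like mpegpicture.c:306 in the
 * report. When the caller passes a NULL avctx that read is the SEGV. */
void unref_picture_unchecked(CodecCtx *avctx, Picture *pic)
{
    if (avctx->codec_id != CODEC_IMAGE_LIKE)   /* NULL dereference if avctx == NULL */
        pic->extra = 0;
    free(pic->buf);
    pic->buf = NULL;
}

void common_end_unchecked(EncCtx *s)
{
    for (int i = 0; i < MAX_PICTURES; i++)
        unref_picture_unchecked(s->avctx, &s->picture[i]);
}

/* After: teardown that tolerates a context which never finished initialising.
 * Teardown runs from the error path of open(), where any field may still be
 * zero, so every pointer it dereferences is checked first. */
void unref_picture_checked(CodecCtx *avctx, Picture *pic)
{
    if (!pic)
        return;
    if (avctx && avctx->codec_id != CODEC_IMAGE_LIKE)
        pic->extra = 0;
    free(pic->buf);
    pic->buf = NULL;
}

void common_end_checked(EncCtx *s)
{
    if (!s)
        return;
    for (int i = 0; i < MAX_PICTURES; i++)
        unref_picture_checked(s->avctx, &s->picture[i]);
    s->avctx = NULL;
}

/* Encoder open in the shape of the trace: validate the frame size, and on
 * failure fall through to the generic teardown while s->avctx is still NULL.
 * Returns 0 on success, -1 on failure; the context is torn down either way. */
int encode_init(EncCtx *s, CodecCtx *avctx)
{
    if (!s || !avctx)
        return -1;
    memset(s, 0, sizeof(*s));
    if (avctx->width > MAX_DIM || avctx->height > MAX_DIM) {
        /* "dimensions too large": calling common_end_unchecked(s) here is the crash */
        common_end_checked(s);
        return -1;
    }
    s->avctx = avctx;
    for (int i = 0; i < MAX_PICTURES; i++) {
        s->picture[i].buf = malloc(64);
        if (!s->picture[i].buf) {
            common_end_checked(s);
            return -1;
        }
    }
    return 0;
}

/* Pictures still holding a buffer; 0 after a complete teardown. */
int live_pictures(const EncCtx *s)
{
    int n = 0;
    for (int i = 0; i < MAX_PICTURES; i++)
        n += s->picture[i].buf != NULL;
    return n;
}

/* The PoC's 4039x32783 frame fails validation; the checked teardown must
 * survive the NULL avctx and leave nothing allocated. Returns 1 if it does. */
int scenario_oversized_frame(void)
{
    CodecCtx big = { CODEC_GENERIC, 4039, 32783 };
    EncCtx s;
    return encode_init(&s, &big) == -1 && s.avctx == NULL && live_pictures(&s) == 0;
}

/* A normal open, after which both teardown variants release everything;
 * the unchecked one is only safe because avctx was stored. Returns 1 if so. */
int scenario_normal_open(void)
{
    CodecCtx ok = { CODEC_GENERIC, 640, 480 };
    EncCtx s;
    if (encode_init(&s, &ok) != 0 || live_pictures(&s) != MAX_PICTURES)
        return 0;
    common_end_checked(&s);
    if (live_pictures(&s) != 0 || s.avctx != NULL)
        return 0;
    if (encode_init(&s, &ok) != 0)
        return 0;
    common_end_unchecked(&s);
    return live_pictures(&s) == 0;
}

int main(void)
{
    printf("oversized frame, teardown survives NULL avctx: %d\n", scenario_oversized_frame());
    printf("normal open, both teardowns release all:       %d\n", scenario_normal_open());
    return 0;
}
```

The point the model makes is about the error path, not the unref routine in isolation: the unchecked teardown is correct whenever open succeeded, which is why normal transcodes never hit it and a fuzzer found it through an input that fails validation. The robust fix is to make every teardown step safe against the zeroed state it can be called in, rather than to avoid calling teardown on failure.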
Attachments (1)
Change History (12)
by , 4 years ago
comment:1 by , 4 years ago
Is the issue you see reproducible with current FFmpeg git head? This information is necessary for every valid ticket.
comment:3 by , 4 years ago
Keywords: | crash SIGSEGV regression added |
---|---|
Reproduced by developer: | set |
Status: | new → open |
Regression since 467d9e27e0cb2bf74f41dc832f2f8d191ba58ec9, needs a backport of a0f20c3b3f197f1655a2e11c25c4f3332bc9c9a5
comment:4 by , 4 years ago
Cc: | added |
---|
I suggest we simply revert the commit causing the issue, because the fix depends on several commits, not only the one you mentioned... Will do it in a few days.
comment:5 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
This particular crash has already been fixed in 87d87e6587deec1fa8ed5f5c6901535becdb0358. I am therefore closing this.
See https://patchwork.ffmpeg.org/project/ffmpeg/patch/20201225154724.287465-5-andreas.rheinhardt@gmail.com/ for more regressions caused by this commit. I am currently preparing a new version of this patch(set).
comment:6 by , 4 years ago
Ok, I meant the revert only for the 4.3 branch, there I guess that is the simplest thing to do.
comment:8 by , 4 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:9 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
poc