oss-sec mailing list archives
libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 17 Sep 2016 00:12:09 +0200
If suitable for a CVE please assign one.
Thanks.
Description:
Libav is an open source set of tools for audio and video processing.
A fuzzing, with an mp3 file as input, discovered a null pointer access in
put_no_rnd_pixels8_xy2_mmx.
The complete ASan output:
# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
built on Aug 16 2016 15:34:42 with clang version 3.8.1
(tags/RELEASE_381/final)
[h263 @ 0x61a00001f280] Format detected only with low score of 25,
misdetection possible!
[IMGUTILS @ 0x7ff589955420] Picture size 0x0 is invalid
[h263 @ 0x619000000580] header damaged
[h263 @ 0x619000000580] Syntax-based Arithmetic Coding (SAC) not supported
[h263 @ 0x619000000580] Independent Segment Decoding not supported
[h263 @ 0x619000000580] warning: first frame is no keyframe
[h263 @ 0x619000000580] cbpc damaged at 0 0
[h263 @ 0x619000000580] Error at MB: 0
[h263 @ 0x619000000580] concealing 1584 DC, 1584 AC, 1584 MV errors
[h263 @ 0x61a00001f280] Estimating duration from bitrate, this may be
inaccurate
Input #0, h263, from '9.crashes':
Duration: N/A, bitrate: N/A
Stream #0.0: Video: h263, yuv420p, 704x576 [PAR 12:11 DAR 4:3], 25 fps, 25
tbn, 18.73 tbc
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf56.1.0
Stream #0.0: Video: rawvideo, yuv420p, 704x576 [PAR 12:11 DAR 4:3],
q=2-31, 200 kb/s, 25 tbn, 25 tbc
Metadata:
encoder : Lavc56.1.0 rawvideo
Stream mapping:
Stream #0:0 -> #0:0 (h263 (native) -> rawvideo (native))
Press ctrl-c to stop encoding
[h263 @ 0x61900001ea80] warning: first frame is no keyframe
ASAN:DEADLYSIGNAL
=================================================================
==26790==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff584ddb77f (pc
0x7ff5910cdeee bp 0x7ffdc464d7f0 sp 0x7ffdc464d780 T0)
#0 0x7ff5910cdeed in put_no_rnd_pixels8_xy2_mmx /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/x86/rnd_template.c:37:5
#1 0x7ff590209de0 in hpel_motion /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:224:5
#2 0x7ff590209de0 in apply_8x8 /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:798
#3 0x7ff590209de0 in mpv_motion_internal /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:877
#4 0x7ff590209de0 in ff_mpv_motion /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:981
#5 0x7ff59013659b in mpv_decode_mb_internal /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2223:21
#6 0x7ff59013659b in ff_mpv_decode_mb /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2358
#7 0x7ff58f048c95 in decode_slice /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:273:13
#8 0x7ff58f0442cd in ff_h263_decode_frame /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:575:11
#9 0x7ff5909cf906 in avcodec_decode_video2 /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1600:19
#10 0x5647eb in decode_video /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/avconv.c:1259:11
#11 0x5647eb in process_input_packet /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/avconv.c:1398
#12 0x550e63 in process_input /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/avconv.c:2440:11
#13 0x550e63 in transcode /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/avconv.c:2488
#14 0x550e63 in main /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/avconv.c:2647
#15 0x7ff58cd6461f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#16 0x41d098 in _init (/usr/bin/avconv+0x41d098)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-
video/libav-11.7/work/libav-11.7/libavcodec/x86/rnd_template.c:37:5 in
put_no_rnd_pixels8_xy2_mmx
==26790==ABORTING
Affected version:
11.7
Fixed version:
N/A
Commit fix:
https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-09-16: upstream released a patch
2016-09-17: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
This bug was reported F4B3CD@STARLAB on 2016-09-12 via libav-security while it
was already public since 2016-08-15 on the upstream bugtracker.
Permalink:
https://blogs.gentoo.org/ago/2016/09/17/libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c/
--
Agostino Sarubbo
Gentoo Linux Developer
Current thread:
- libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c) Agostino Sarubbo (Sep 16)
- Re: libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c) cve-assign (Sep 16)
- Re: Re: libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c) Agostino Sarubbo (Sep 17)
- Re: libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c) cve-assign (Sep 16)