Opened 4 years ago

Last modified 4 years ago

#2119 new defect

Stack buffer (kind of) overflow in spudec

Reported by: eugeni.stepanov@… Owned by: reimar
Priority: normal Component: core
Version: unspecified Severity: normal
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

ERROR: AddressSanitizer?: stack-buffer-overflow on address 0x7fffb0714fe8 at pc 0x193a03b bp 0x7fffb0714a70 sp 0x7fffb0714a68
READ of size 8 at 0x7fffb0714fe8 thread T0

#0 0x193a03a in sws_scale /build/mplayer/ffmpeg/libswscale/swscale.c:792
#1 0x7835d7 in sws_spu_image /build/mplayer/sub/spudec.c:890
#2 0x790499 in vo_draw_spudec_sub /build/mplayer/sub/sub.c:1073
#3 0x790662 in vo_draw_text /build/mplayer/sub/sub.c:1306
#4 0x679a16 in control /build/mplayer/libmpcodecs/vf_vo.c:98
#5 0x5ee664 in filter_video /build/mplayer/libmpcodecs/dec_video.c:487
#6 0x4a2c0e in generate_video_frame /build/mplayer/mplayer.c:1812
#7 0x49bee3 in main /build/mplayer/mplayer.c:3767
#8 0x7f736d84befe in libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:226

Address 0x7fffb0714fe8 is located at offset 232 in frame <spudec_draw_scaled> of T0's stack:

This frame has 6 object(s):

[32, 40) 'd1.addr.i'
[96, 104) 'd2.addr.i'
[160, 164) 'ds.addr.i'
[224, 232) 's1.addr.i'
[288, 296) 's2.addr.i'
[352, 356) 'ss.addr.i'

Here sws_spu_image() calls sws_scale(), passing it a pointer to its own (const unsigned char*) argument, making it const unsigned char. Unfortunately, sws_scale() expects a (const uint8_t * const srcSlice[]), which is then treated as an array of 4 pointers.

Change History (2)

comment:1 Changed 4 years ago by reimar

I'm not convinced this should be considered an MPlayer bug.
I would say that libswscale should not be copying the pointers for planes that are not used.
Also consider it's signature: srcSlice[], not srcSlice[4] as in other places.
This is also relevant for ABI compatibility, if it always access all, adding more planes is not possible without API/ABI changes, but would not be a problem if the swscale code only copied the planes in use for the pix_fmt.

comment:2 Changed 4 years ago by eugeni.stepanov@…

Sounds right, libswscale should be fixed, not mplayer.

Note: See TracTickets for help on using tickets.