#2295 closed defect (fixed)
Integer overflow and crash parsing gif files
| Reported by: | ggrieco | Owned by: | beastd |
|---|---|---|---|
| Priority: | normal | Component: | demuxer |
| Version: | HEAD | Severity: | blocker |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Reproduced by developer: | yes | Analyzed by developer: | no |
Description
Summary of the bug:
Mplayer is crashing when playing a fuzzed gif file (attached). This bug is present in the last source snapshot (mplayer-export-2016-04-25) as well as older versions. I suspect this crash is related with an integer overflow happening just before.
How to reproduce:
$ ASAN_OPTIONS='abort_on_error=1' gdb --args ./mplayer -ao null -vo null overflow.gif GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from mplayer...done. (gdb) r Starting program: ./mplayer -ao null -vo null overflow.gif [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". MPlayer SVN-r37856-snapshot-4.8 (C) 2000-2016 MPlayer Team Playing overflow.gif. libavformat version 57.34.103 (internal) GIF file format detected. ==836== WARNING: AddressSanitizer failed to allocate 0xffffffffe48e6289 bytes VIDEO: RGB] 65341x58685 8bpp 5.000 fps 0.0 kbps ( 0.0 kbyte/s) ========================================================================== Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family libavcodec version 57.38.100 (internal) [IMGUTILS @ 0x555558187900]Picture size 65341x58685 is invalid Could not open codec. VDecoder init failed :( Opening video decoder: [raw] RAW Uncompressed Video Movie-Aspect is undefined - no prescaling applied. VO: [null] 65341x58685 => 65341x58685 BGR 8-bit Selected video codec: [rawbgr8] vfm: raw (RAW BGR8) ========================================================================== Load subtitles in ./ Program received signal SIGSEGV, Segmentation fault. 0x0000555555d4c1b3 in new_demux_packet (len=<optimized out>) at libmpdemux/demuxer.h:300 300 free(dp); (gdb) bt #0 0x0000555555d4c1b3 in new_demux_packet (len=<optimized out>) at libmpdemux/demuxer.h:300 #1 demux_gif_fill_buffer (demuxer=0x606a00003500, ds=<optimized out>) at libmpdemux/demux_gif.c:194 #2 0x0000555555b93395 in demux_fill_buffer (ds=0x601a0000aa10, demux=0x606a00003500) at libmpdemux/demuxer.c:649 #3 ds_get_next_pts (ds=0x601a0000aa10) at libmpdemux/demuxer.c:965 #4 0x0000555555981255 in print_file_properties (filename=<optimized out>, mpctx=0x55555818bd00 <mpctx_s>) at mplayer.c:526 #5 main (argc=6, argv=0x7fffffffe4c8) at mplayer.c:3603 ...
Attachments (1)
Change History (4)
by , 8 years ago
| Attachment: | overflow.gif added |
|---|
comment:1 by , 8 years ago
| Component: | demuxer → undetermined |
|---|---|
| Reproduced by developer: | set |
| Version: | unspecified → HEAD |
comment:2 by , 8 years ago
| Component: | undetermined → demuxer |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in r37857.
The gif demuxes assumes in many places that width*height is <= INT_MAX; this is not true with the sample. Fixed by validating the picture size.
Thanks for reporting.
comment:3 by , 8 years ago
For cross-reference CVE-2016-4352 was assigned for this issue in: http://www.openwall.com/lists/oss-security/2016/04/29/7
Note:
See TracTickets
for help on using tickets.
Reproducible only with -vo null