Opened 8 years ago
Last modified 8 years ago
#2298 new defect
Out-of-bound read parsing a mp3 file
| Reported by: | ggrieco | Owned by: | beastd |
|---|---|---|---|
| Priority: | normal | Component: | libavcodec |
| Version: | unspecified | Severity: | blocker |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
Summary of the bug: An out-of-bound read parsing a mp3 file is affecting mplayer (tested with snapshot 2016-04-25). Find attached the file to reproduce this issue (ASAN-recompilation or valgrind are required)
How to reproduce:
$ mplayer overflow.mp3
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer SVN-r37856-snapshot-4.8 (C) 2000-2016 MPlayer Team
Playing overflow.mp3.
libavformat version 57.34.103 (internal)
libavformat file format detected.
[mp3 @ 0x55555812c400]Skipping 12 bytes of junk at 0.
=================================================================
==19843== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60220001f910 at pc 0x5555569f861c bp 0x7fffffffb920 sp 0x7fffffffb918
READ of size 4 at 0x60220001f910 thread T0
#0 0x5555569f861b (/home/vagrant/repos/mplayer-export-2016-04-25/mplayer+0x14a461b)
0x60220001f910 is located 0 bytes to the right of 208-byte region [0x60220001f840,0x60220001f910)
allocated by thread T0 here:
#0 0x7ffff32cd55f (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1555f)
#1 0x555557743099 (/home/vagrant/repos/mplayer-export-2016-04-25/mplayer+0x21ef099)
Shadow bytes around the buggy address:
0x0c04bfffbed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04bfffbee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04bfffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04bfffbf00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c04bfffbf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c04bfffbf20: 00 00[fa]fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c04bfffbf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c04bfffbf40: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x0c04bfffbf50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c04bfffbf60: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c04bfffbf70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==19843== ABORTING
Program received signal SIGABRT, Aborted.
0x00007ffff2d0bcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff2d0bcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff2d0f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff32d3829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3 0x00007ffff32ca3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4 0x00007ffff32d1012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5 0x00007ffff32d0121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6 0x00007ffff32ca704 in __asan_report_load4 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7 0x00005555569f861c in get_bits (s=0x60920001b848, s=0x60920001b848, n=<optimized out>) at libavcodec/get_bits.h:265
#8 mp_decode_layer1 (s=0x60920001b400) at libavcodec/mpegaudiodec_template.c:541
#9 mp_decode_frame (s=s@entry=0x60920001b400, samples=samples@entry=0x0, buf=buf@entry=0x60220001f840 "\377\377S", buf_size=buf_size@entry=176) at libavcodec/mpegaudiodec_template.c:1571
#10 0x00005555569f8e8c in decode_frame (avctx=0x60440000f580, data=0x60340000fa80, got_frame_ptr=0x7fffffffbde0, avpkt=0x7fffffffbcf0) at libavcodec/mpegaudiodec_template.c:1693
#11 0x0000555556dc427c in avcodec_decode_audio4 (avctx=avctx@entry=0x60440000f580, frame=0x60340000fa80, got_frame_ptr=got_frame_ptr@entry=0x7fffffffbde0, avpkt=avpkt@entry=0x7fffffffc120) at libavcodec/utils.c:2319
#12 0x0000555556dc5f58 in do_decode (avctx=avctx@entry=0x60440000f580, pkt=pkt@entry=0x7fffffffc120) at libavcodec/utils.c:2729
#13 0x0000555556dc87f8 in avcodec_send_packet (avctx=avctx@entry=0x60440000f580, avpkt=<optimized out>, avpkt@entry=0x7fffffffc120) at libavcodec/utils.c:2804
#14 0x000055555611546f in try_decode_frame (s=s@entry=0x604a0000f780, st=st@entry=0x603e0000f800, avpkt=avpkt@entry=0x7fffffffc8d0, options=<optimized out>) at libavformat/utils.c:2896
#15 0x000055555612fe31 in avformat_find_stream_info (ic=0x604a0000f780, options=options@entry=0x0) at libavformat/utils.c:3590
#16 0x0000555555d2b92e in demux_open_lavf (demuxer=0x606a00020900) at libmpdemux/demux_lavf.c:610
#17 0x0000555555b925a9 in demux_open_stream (stream=stream@entry=0x60720000b500, file_format=<optimized out>, file_format@entry=0, force=force@entry=0, audio_id=-1, video_id=video_id@entry=-1, dvdsub_id=-1,
filename=filename@entry=0x60040000bf30 "overflow.mp3") at libmpdemux/demuxer.c:1165
#18 0x0000555555b93eb1 in demux_open (vs=0x60720000b500, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-1, filename=0x60040000bf30 "overflow.mp3") at libmpdemux/demuxer.c:1286
#19 0x00005555559808a0 in main (argc=2, argv=0x7fffffffe5e8) at mplayer.c:3380
Attachments (1)
Note:
See TracTickets
for help on using tickets.
does this crash in ffmpeg?