Opened 8 years ago
Last modified 8 years ago
#2298 new defect
Out-of-bound read parsing a mp3 file
Reported by: | ggrieco | Owned by: | beastd |
---|---|---|---|
Priority: | normal | Component: | libavcodec |
Version: | unspecified | Severity: | blocker |
Keywords: | Cc: | ||
Blocked By: | Blocking: | ||
Reproduced by developer: | no | Analyzed by developer: | no |
Description
Summary of the bug: An out-of-bound read parsing a mp3 file is affecting mplayer (tested with snapshot 2016-04-25). Find attached the file to reproduce this issue (ASAN-recompilation or valgrind are required)
How to reproduce:
$ mplayer overflow.mp3 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". MPlayer SVN-r37856-snapshot-4.8 (C) 2000-2016 MPlayer Team Playing overflow.mp3. libavformat version 57.34.103 (internal) libavformat file format detected. [mp3 @ 0x55555812c400]Skipping 12 bytes of junk at 0. ================================================================= ==19843== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60220001f910 at pc 0x5555569f861c bp 0x7fffffffb920 sp 0x7fffffffb918 READ of size 4 at 0x60220001f910 thread T0 #0 0x5555569f861b (/home/vagrant/repos/mplayer-export-2016-04-25/mplayer+0x14a461b) 0x60220001f910 is located 0 bytes to the right of 208-byte region [0x60220001f840,0x60220001f910) allocated by thread T0 here: #0 0x7ffff32cd55f (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1555f) #1 0x555557743099 (/home/vagrant/repos/mplayer-export-2016-04-25/mplayer+0x21ef099) Shadow bytes around the buggy address: 0x0c04bfffbed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c04bfffbee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c04bfffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c04bfffbf00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c04bfffbf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c04bfffbf20: 00 00[fa]fa fa fa fa fa fa fa fa fa 00 00 00 00 0x0c04bfffbf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c04bfffbf40: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa 0x0c04bfffbf50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c04bfffbf60: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c04bfffbf70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==19843== ABORTING Program received signal SIGABRT, Aborted. 0x00007ffff2d0bcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 0x00007ffff2d0bcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff2d0f0d8 in __GI_abort () at abort.c:89 #2 0x00007ffff32d3829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0 #3 0x00007ffff32ca3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0 #4 0x00007ffff32d1012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0 #5 0x00007ffff32d0121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0 #6 0x00007ffff32ca704 in __asan_report_load4 () from /usr/lib/x86_64-linux-gnu/libasan.so.0 #7 0x00005555569f861c in get_bits (s=0x60920001b848, s=0x60920001b848, n=<optimized out>) at libavcodec/get_bits.h:265 #8 mp_decode_layer1 (s=0x60920001b400) at libavcodec/mpegaudiodec_template.c:541 #9 mp_decode_frame (s=s@entry=0x60920001b400, samples=samples@entry=0x0, buf=buf@entry=0x60220001f840 "\377\377S", buf_size=buf_size@entry=176) at libavcodec/mpegaudiodec_template.c:1571 #10 0x00005555569f8e8c in decode_frame (avctx=0x60440000f580, data=0x60340000fa80, got_frame_ptr=0x7fffffffbde0, avpkt=0x7fffffffbcf0) at libavcodec/mpegaudiodec_template.c:1693 #11 0x0000555556dc427c in avcodec_decode_audio4 (avctx=avctx@entry=0x60440000f580, frame=0x60340000fa80, got_frame_ptr=got_frame_ptr@entry=0x7fffffffbde0, avpkt=avpkt@entry=0x7fffffffc120) at libavcodec/utils.c:2319 #12 0x0000555556dc5f58 in do_decode (avctx=avctx@entry=0x60440000f580, pkt=pkt@entry=0x7fffffffc120) at libavcodec/utils.c:2729 #13 0x0000555556dc87f8 in avcodec_send_packet (avctx=avctx@entry=0x60440000f580, avpkt=<optimized out>, avpkt@entry=0x7fffffffc120) at libavcodec/utils.c:2804 #14 0x000055555611546f in try_decode_frame (s=s@entry=0x604a0000f780, st=st@entry=0x603e0000f800, avpkt=avpkt@entry=0x7fffffffc8d0, options=<optimized out>) at libavformat/utils.c:2896 #15 0x000055555612fe31 in avformat_find_stream_info (ic=0x604a0000f780, options=options@entry=0x0) at libavformat/utils.c:3590 #16 0x0000555555d2b92e in demux_open_lavf (demuxer=0x606a00020900) at libmpdemux/demux_lavf.c:610 #17 0x0000555555b925a9 in demux_open_stream (stream=stream@entry=0x60720000b500, file_format=<optimized out>, file_format@entry=0, force=force@entry=0, audio_id=-1, video_id=video_id@entry=-1, dvdsub_id=-1, filename=filename@entry=0x60040000bf30 "overflow.mp3") at libmpdemux/demuxer.c:1165 #18 0x0000555555b93eb1 in demux_open (vs=0x60720000b500, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-1, filename=0x60040000bf30 "overflow.mp3") at libmpdemux/demuxer.c:1286 #19 0x00005555559808a0 in main (argc=2, argv=0x7fffffffe5e8) at mplayer.c:3380
Attachments (1)
Note:
See TracTickets
for help on using tickets.
does this crash in ffmpeg?