Opened 9 months ago
Closed 9 months ago
#2396 closed defect (fixed)
A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c
| Reported by: | ylzs | Owned by: | beastd |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | HEAD | Severity: | major |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
Version: SVN-r38374-13.0.1
Build command: ../configure --disable-ffmpeg_a && make (compiling with asan)
Summary of the bug: A heap-buffer-overflow is found in function mov_build_index() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).
How to reproduce:
1. Command: ./mplayer testcase
2. Result:
```
MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
Playing
libavformat version 58.29.100 (external)
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]error reading header
LAVF_header: av_open_input_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
[mov] Video stream found, -vid 0
Warning! pts=-285211648 length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov_build_index /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1333:6
    #2 0x563d6611c88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region [0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in __interceptor_calloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #3 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #5 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #7 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1332:6
    #10 0x563d6611c88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:110 in mov_build_index
Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
  Left alloca redzone:   ca
  Right alloca redzone:  cb
==24664==ABORTING
```
Attachments (1)
Change History (4)
by , 9 months ago
comment:1 by , 9 months ago
| Description: | modified (diff) |
|---|---|
comment:2 by , 9 months ago
| Severity: | critical → major |
|---|---|
comment:3 by , 9 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed by r38385.