Opened 20 months ago

Last modified 20 months ago

#2400 new defect

A heap-buffer-overflow occurred in function play() of libaf/af_pan.c

Reported by: ylzs
Owned by: beastd
Priority: normal
Component: mencoder
Version: HEAD
Severity: major
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Version: SVN-r38374-13.0.1

Build command: ../configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: A heap-buffer-overflow is found in function play() which affects mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).

How to reproduce:

1. Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase

2. Result:

=================================================================
==13789==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a08 at pc 0x564573017a4a bp 0x7ffe66bbd880 sp 0x7ffe66bbd878
WRITE of size 4 at 0x62b000006a08 thread T0
    #0 0x564573017a49 in play /home/jlx/good_mplayer/mplayer/libaf/af_pan.c:177:14

0x62b000006a09 is located 0 bytes to the right of 26633-byte region [0x62b000000200,0x62b000006a09)
allocated by thread T0 here:
    #0 0x564572f1b43d in malloc (/home/jlx/good_mplayer/asan_mplayer/mencoder+0x1a643d)
    #1 0x564572fe895b in af_resize_local_buffer /home/jlx/good_mplayer/mplayer/libaf/af.c:639:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libaf/af_pan.c:177:14 in play
Shadow bytes around the buggy address:
  0x0c567fff8cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff8d40: 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13789==ABORTING
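Reading the ASan output above: the 26633-byte region runs from 0x62b000000200 to 0x62b000006a09, the 4-byte write lands at 0x62b000006a08, i.e. byte offset 26632, so the store straddles the end of the allocation made in af_resize_local_buffer (the shadow byte 01 marks a granule with a single addressable byte left). The program below is an added illustration for readers of the ticket, not code from af_pan.c or from MPlayer: a buffer allocated in bytes but written in 4-byte samples, with the capacity computed in whole samples and a bounds check before each store. Treating the 4-byte write as a float sample and the names byte_buf, float_capacity, store_sample, write_in_bounds and demo are assumptions of the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not MPlayer code: an output buffer that is sized in
 * bytes (as the allocation in the report is) but written in 4-byte float
 * samples (assumed type). Only whole samples fit; any byte remainder at the
 * end of the allocation is unusable. */
typedef struct {
    unsigned char *data; /* raw bytes, as returned by malloc */
    size_t len;          /* allocated size in bytes */
} byte_buf;

/* Number of complete float samples that fit in len_bytes. */
size_t float_capacity(size_t len_bytes) {
    return len_bytes / sizeof(float);
}

/* Bounds-checked sample store: returns 1 on success, 0 if any byte of the
 * 4-byte write would fall past the end of the allocation. */
int store_sample(byte_buf *b, size_t idx, float v) {
    if (idx >= float_capacity(b->len))
        return 0;
    memcpy(b->data + idx * sizeof(float), &v, sizeof(float));
    return 1;
}

/* Does a write of write_size bytes at byte offset off stay within len bytes?
 * This is the arithmetic behind the report: offset 26632 + 4 = 26636 exceeds
 * the 26633-byte region, so the write is out of bounds by three bytes. */
int write_in_bounds(size_t off, size_t write_size, size_t len) {
    return off <= len && write_size <= len - off;
}

/* Constructed scenario using the region size quoted in the ticket: 26633
 * bytes hold 6658 whole floats (bytes 0..26631); sample index 6658 would
 * start at byte 26632 and is refused. Returns the capacity on success. */
int demo(void) {
    const size_t region = 26633; /* byte size from the ASan report */
    byte_buf b = { malloc(region), region };
    if (!b.data)
        return -1;
    size_t cap = float_capacity(b.len);             /* 6658 */
    int ok_last = store_sample(&b, cap - 1, 1.0f);  /* bytes 26628..26631: fine */
    int ok_over = store_sample(&b, cap, 1.0f);      /* bytes 26632..26635: refused */
    free(b.data);
    return (ok_last && !ok_over) ? (int)cap : -1;
}

int main(void) {
    printf("whole float samples in 26633 bytes: %d\n", demo());
    printf("4-byte write at byte offset 26632 in bounds? %s\n",
           write_in_bounds(26632, 4, 26633) ? "yes" : "no");
    return 0;
}
```

The check in store_sample is the defensive shape that matters here: capacity is derived from the byte length by integer division, so a region whose size is not a multiple of the sample size can never admit a partial trailing write, which is exactly what ASan flagged.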

Attachments (2)

testcase (52.0 KB ) - added by ylzs 20 months ago.
valgrind (11.7 KB ) - added by ylzs 20 months ago.

Change History (5)

by ylzs, 20 months ago

Attachment: testcase added

comment:1 by reimar, 20 months ago

Unable to reproduce unfortunately.

comment:2 by ylzs, 20 months ago

I've run this test case and put the valgrind result into the attached file. :-)

by ylzs, 20 months ago

Attachment: valgrind added

comment:3 by reimar, 20 months ago

Hm, that's strange, valgrind does not detect anything in af_pan here either.
It shows some issues that are fixed in latest MPlayer but that's all...
While there are some issues valgrind can't detect reliably, heap buffer overflows should not be in that category.