Opened 3 months ago

Last modified 3 months ago

#2400 new defect

A heap-buffer-overflow occurred in function play() of libaf/af_pan.c

Reported by: ylzs Owned by: beastd
Priority: normal Component: mencoder
Version: HEAD Severity: major
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

Version: SVN-r38374-13.0.1

Build command: ../configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: An heap-buffer-overflow is found in fucnction play() which affects mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).

How to reproduce:

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase

2.Result:

=================================================================
==13789==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006a08 at pc 0x564573017a4a bp 0x7ffe66bbd880 sp 0x7ffe66bbd878
WRITE of size 4 at 0x62b000006a08 thread T0
    #0 0x564573017a49 in play /home/jlx/good_mplayer/mplayer/libaf/af_pan.c:177:14

0x62b000006a09 is located 0 bytes to the right of 26633-byte region [0x62b000000200,0x62b000006a09)
allocated by thread T0 here:
    #0 0x564572f1b43d in malloc (/home/jlx/good_mplayer/asan_mplayer/mencoder+0x1a643d)
    #1 0x564572fe895b in af_resize_local_buffer /home/jlx/good_mplayer/mplayer/libaf/af.c:639:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libaf/af_pan.c:177:14 in play
Shadow bytes around the buggy address:
  0x0c567fff8cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff8d40: 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13789==ABORTING

Attachments (2)

testcase (52.0 KB ) - added by ylzs 3 months ago.
valgrind (11.7 KB ) - added by ylzs 3 months ago.

Download all attachments as: .zip

Change History (5)

by ylzs, 3 months ago

Attachment: testcase added

comment:1 by reimar, 3 months ago

Unable to reproduce unfortunately.

comment:2 by ylzs, 3 months ago

I've ran this test case and put the valgrind result into the attached file.:-)

by ylzs, 3 months ago

Attachment: valgrind added

comment:3 by reimar, 3 months ago

Hm, that's strange, valgrind does not detect anything in af_pan here either.
It shows some issues that are fixed in latest MPlayer but that's all...
While there are some issues valgrind can't detect reliably, heap buffer overflows should not be in that category.

Note: See TracTickets for help on using tickets.