Closed Bug 1224277 Opened 9 years ago Closed 9 years ago

FFMPEG: heap-buffer-overflow in [@av_image_copy_plane]

Categories

(Core :: Audio/Video: Playback, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- affected

People

(Reporter: tsmith, Unassigned)

References

Details

(Keywords: csectype-bounds, testcase)

Attachments

(2 files)

Attached file call_stack.txt
Found fuzzing ffmpeg commit: 3692d859f45fa8765fa5a330e79108b03c17c6bd
Attached file test_case.vp9
Could we ensure and liaise with ffmpeg's folks to get them notified of those security issue. They are extremely responsive in fixing bugs. But they need to know about it. I can contact one of their key member, it would then be a matter of ccing him on all bugs related to ffmpeg
That would be great. I have more bugs to log and if they are happy using BZ that makes tracking simple for us.
I cant reproduce this one with the testcase and command line ffmpeg but i belive this is a duplicate of ac6ab77741f5e57c8c1d3980bfaf3690eb1cd8c0 (https://github.com/FFmpeg/FFmpeg/commit/ac6ab77741f5e57c8c1d3980bfaf3690eb1cd8c0)
The tests are done using a ASAN build ; that will crash if any memory conditions are found such as buffer overflow or use after free etc...
the problem i have with reproducing isnt that it doesnt crash but more that command line ffmpeg considers this file invalid before it even reaches the code. ./ffmpeg -i test_case.vp9 -f null - test_case.vp9: Invalid data found when processing input I can force various containers and the rscc codec but no combination i tried seems to reproduce the crash (that was with a asan ffmpeg build from a few hours before the bugfix) but the commit (ac6ab77741f5e57c8c1d3980bfaf3690eb1cd8c0) should have fixed this i think
Hi Michael, Thanks for looking at this. I did a pull this morning (now at a62178be80dd6a643973f62002fc0ed42495c358) and the bug appears to be fixed. For completeness the command line I used to run the test case was: $ ./ffmpeg -f ivf -i test_case.vp9 -f null -
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: