Closed Bug 1224277 Opened 9 years ago Closed 9 years ago

FFMPEG: heap-buffer-overflow in [@av_image_copy_plane]

Categories: Core :: Audio/Video: Playback (defect)
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status: firefox45 --- affected
People: Reporter: tsmith, Unassigned
Keywords: csectype-bounds, testcase
Attachments: 2 files

Attached file call_stack.txt
Found fuzzing ffmpeg commit: 3692d859f45fa8765fa5a330e79108b03c17c6bd
Attached file test_case.vp9
Could we ensure we liaise with ffmpeg's folks to get them notified of these security issues? They are extremely responsive in fixing bugs, but they need to know about it.

I can contact one of their key members; it would then be a matter of CCing him on all bugs related to ffmpeg.
That would be great. I have more bugs to log and if they are happy using BZ that makes tracking simple for us.
I can't reproduce this one with the testcase and command line ffmpeg, but I believe this is a duplicate of ac6ab77741f5e57c8c1d3980bfaf3690eb1cd8c0 (https://github.com/FFmpeg/FFmpeg/commit/ac6ab77741f5e57c8c1d3980bfaf3690eb1cd8c0)
The tests are done using an ASAN build; that will crash if any memory conditions are found, such as a buffer overflow or use-after-free, etc.
The problem I have with reproducing isn't that it doesn't crash, but more that command line ffmpeg considers this file invalid before it even reaches the code:
./ffmpeg -i test_case.vp9 -f null -
test_case.vp9: Invalid data found when processing input

I can force various containers and the rscc codec, but no combination I tried seems to reproduce the crash (that was with an ASAN ffmpeg build from a few hours before the bugfix),
but the commit (ac6ab77741f5e57c8c1d3980bfaf3690eb1cd8c0) should have fixed this, I think.
Hi Michael,

Thanks for looking at this. I did a pull this morning (now at a62178be80dd6a643973f62002fc0ed42495c358) and the bug appears to be fixed. 

For completeness the command line I used to run the test case was:
$ ./ffmpeg -f ivf -i test_case.vp9 -f null -
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release
