Closed Bug 1229128 Opened 9 years ago Closed 9 years ago

FFMPEG: heap-buffer-overflow in [@decode_coeffs_b_generic]

Categories

(Core :: Audio/Video: Playback, defect, P1)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox45 --- affected

People

(Reporter: tsmith, Assigned: mozbugz)

References

Details

(Keywords: csectype-bounds, sec-other, testcase)

Attachments

(3 files)

call_stack.txt
4.18 KB, text/plain
Details
test_case.ivf
224 bytes, text/plain
Details
valgrind_log.txt
36.47 KB, text/plain
Details
Attached file call_stack.txt
Found fuzzing ffmpeg commit: 6b978dadc654906130de46a8b83b6f67f90d3e17
Attached file test_case.ivf
Blocks: 1229131
No longer blocks: 1229131
Priority: -- → P1
Assignee: nobody → gsquelart
Cant reproduce with ./ffmpeg -i 1229128/test_case.ivf -f null - what command line was used ? also according to the call stack the issue is in the vp9 code. "Ronald S. Bultje" <rsbultje@gmail.com> is our vp9 expert. Should i just add FFmpeg developers to the CC when it seems to make sense or is there some other recommanded procedure ?
(In reply to Michael Niedermayer [:mn] from comment #2) > Cant reproduce with ./ffmpeg -i 1229128/test_case.ivf -f null - > what command line was used ? I used: ./ffmpeg -f ivf -i <test_case> -f null - I usually add '-nostats' and '-v 0' as well but they are not needed to reproduce this issue. Also did you build with AddressSanitizer? > also according to the call stack the issue is in the vp9 code. "Ronald S. > Bultje" <rsbultje@gmail.com> is our vp9 expert. Should i just add FFmpeg > developers to the CC when it seems to make sense or is there some other > recommanded procedure ? Yes please add the appropriate developer to the CC list as needed.
Attached file valgrind_log.txt
Valgrind has a number of complaints about this test case.
ok, adding ronald as the stack trace suggests a vp9 issue
I can't reproduce this (under asan, clang-3.6 on Mac OS X, x86-64). What ffmpeg version, what asan/clang version, any other special considerations I should use to reproduce?
The version tested is at commit 6b978dadc654906130de46a8b83b6f67f90d3e17 git describe gives: n2.9-dev-2068-g6b978da
Michael, can you reproduce?
(In reply to Ronald S. Bultje from comment #6) > I can't reproduce this (under asan, clang-3.6 on Mac OS X, x86-64). What > ffmpeg version, what asan/clang version, any other special considerations I > should use to reproduce? Hmm strange. I am using clang 3.7 but that shouldn't matter. I am using the source found at git://source.ffmpeg.org/ffmpeg Here is the config I used. CFLAGS='-fno-omit-frame-pointer -fsanitize=address -O3 -fstack-protector-all -D_FORTIFY_SOURCE=2 -funroll-loops' LDLAGS='-fsanitize=address' ./configure --cc=clang --cxx=clang++ --disable-logging --disable-ffprobe --disable-ffplay --disable-sdl --disable-ffserver --disable-doc --disable-pthreads --disable-network --disable-d3d11va --disable-dxva2 --disable-vaapi --disable-vda --disable-vdpau --enable-pic --disable-stripping --disable-runtime-cpudetect --disable-postproc --disable-everything --enable-encoder=pcm_s16le,wrapped_avframe --disable-lzma --enable-protocol=file,pipe --enable-muxer=null --enable-filter=aresample --enable-demuxer=aac,mp3,h264,ivf --enable-parser=aac,mpegaudio,h264,vp9,vp8 --enable-decoder=aac,mp3,mp3float,h264,vp9,vp8 --enable-bsf=mp3_header_decompress,h264_mp4toannexb
Oops I mistyped LDFLAGS above (so fix that if you copy and paste). Also I am building on Linux x86_64. Remember to 'make clean' between ASan and non-ASan builds (I assume you did)
Keywords: sec-other
(In reply to Ronald S. Bultje from comment #12) > Better fix: > > http://ffmpeg.org/pipermail/ffmpeg-devel/2015-December/184280.html Thanks Ronald! Verified with patch + commit 25e37f5ea92d4201976a59ae306ce848d257a7e6 (n2.9-dev-2076-g25e37f5)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
As as side note, in bug 1214462 we are integrating the ffvp8+ffvp9 decoder into our source tree which is based on ffmpeg 2.8 branch at this stage. Could we ensure that all the security related bugs are uplifted/backported to the 2.8 branch? it would make our life much easier than having to follow the ffmpeg dev tree and manually backport everything we need (and even more so when those are things we reported :) ) Thank you PS: Awesome work BTW on the VP9 decoder, the performance gain we get is fantastic, making us use less power, drop less frames and give us an edge on chrome.
I think 2.8 needs a lightly modified patch, let me see if I can figure that out. Note that 2.8 (afair) has no 10/12bpp or 422/440/444 or scalability support, it only supports vp9 profile 0 w/o svc.
(In reply to Ronald S. Bultje from comment #15) > I think 2.8 needs a lightly modified patch, let me see if I can figure that > out. Note that 2.8 (afair) has no 10/12bpp or 422/440/444 or scalability > support, it only supports vp9 profile 0 w/o svc. interesting... do you think I should go ahead and move to the master branch instead then?
Slight correction, it looks like 2.8 has 10/12bpp support, but no assembly, so it'll be super-slow. In practice that means the same thing, yes I'd recommend updating to git master, at least for now.
(Patch was just applied to master, just to close this bug off: http://ffmpeg.org/pipermail/ffmpeg-cvslog/2015-December/095974.html)
Group: media-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: