FFMPEG: heap-buffer-overflow in [@decode_coeffs_b_generic]

RESOLVED FIXED

Status

()

P1
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: tsmith, Assigned: gerald)

Tracking

(Blocks: 1 bug, {csectype-bounds, sec-other, testcase})

Trunk
csectype-bounds, sec-other, testcase
Points:
---

Firefox Tracking Flags

(firefox45 affected)

Details

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
Created attachment 8693737 [details]
call_stack.txt

Found fuzzing ffmpeg commit: 6b978dadc654906130de46a8b83b6f67f90d3e17
(Reporter)

Comment 1

3 years ago
Created attachment 8693738 [details]
test_case.ivf
(Reporter)

Updated

3 years ago
Blocks: 1229131
(Reporter)

Updated

3 years ago
No longer blocks: 1229131
Priority: -- → P1
Assignee: nobody → gsquelart
Cant reproduce with ./ffmpeg -i 1229128/test_case.ivf -f null -
what command line was used ?
also according to the call stack the issue is in the vp9 code. "Ronald S. Bultje" <rsbultje@gmail.com> is our vp9 expert. Should i just add FFmpeg developers to the CC when it seems to make sense or is there some other recommanded procedure ?
(Reporter)

Comment 3

3 years ago
(In reply to Michael Niedermayer [:mn] from comment #2)
> Cant reproduce with ./ffmpeg -i 1229128/test_case.ivf -f null -
> what command line was used ?
I used:
./ffmpeg -f ivf -i <test_case> -f null -
I usually add '-nostats' and '-v 0' as well but they are not needed to reproduce this issue.

Also did you build with AddressSanitizer?

> also according to the call stack the issue is in the vp9 code. "Ronald S.
> Bultje" <rsbultje@gmail.com> is our vp9 expert. Should i just add FFmpeg
> developers to the CC when it seems to make sense or is there some other
> recommanded procedure ?

Yes please add the appropriate developer to the CC list as needed.
(Reporter)

Comment 4

3 years ago
Created attachment 8693877 [details]
valgrind_log.txt

Valgrind has a number of complaints about this test case.
ok, adding ronald as the stack trace suggests a vp9 issue

Comment 6

3 years ago
I can't reproduce this (under asan, clang-3.6 on Mac OS X, x86-64). What ffmpeg version, what asan/clang version, any other special considerations I should use to reproduce?
The version tested is at commit 6b978dadc654906130de46a8b83b6f67f90d3e17

git describe gives: n2.9-dev-2068-g6b978da

Comment 8

3 years ago
Michael, can you reproduce?
(Reporter)

Comment 9

3 years ago
(In reply to Ronald S. Bultje from comment #6)
> I can't reproduce this (under asan, clang-3.6 on Mac OS X, x86-64). What
> ffmpeg version, what asan/clang version, any other special considerations I
> should use to reproduce?
Hmm strange. I am using clang 3.7 but that shouldn't matter. I am using the source found at git://source.ffmpeg.org/ffmpeg

Here is the config I used.
CFLAGS='-fno-omit-frame-pointer -fsanitize=address -O3 -fstack-protector-all -D_FORTIFY_SOURCE=2 -funroll-loops' LDLAGS='-fsanitize=address' ./configure --cc=clang --cxx=clang++ --disable-logging --disable-ffprobe --disable-ffplay --disable-sdl --disable-ffserver --disable-doc --disable-pthreads --disable-network --disable-d3d11va --disable-dxva2 --disable-vaapi --disable-vda --disable-vdpau --enable-pic --disable-stripping --disable-runtime-cpudetect --disable-postproc --disable-everything --enable-encoder=pcm_s16le,wrapped_avframe --disable-lzma --enable-protocol=file,pipe --enable-muxer=null --enable-filter=aresample --enable-demuxer=aac,mp3,h264,ivf --enable-parser=aac,mpegaudio,h264,vp9,vp8 --enable-decoder=aac,mp3,mp3float,h264,vp9,vp8 --enable-bsf=mp3_header_decompress,h264_mp4toannexb
(Reporter)

Comment 10

3 years ago
Oops I mistyped LDFLAGS above (so fix that if you copy and paste).

Also I am building on Linux x86_64. Remember to 'make clean' between ASan and non-ASan builds (I assume you did)
(Reporter)

Updated

3 years ago
Keywords: sec-other
(Reporter)

Comment 13

3 years ago
(In reply to Ronald S. Bultje from comment #12)
> Better fix:
> 
> http://ffmpeg.org/pipermail/ffmpeg-devel/2015-December/184280.html

Thanks Ronald!

Verified with patch + commit 25e37f5ea92d4201976a59ae306ce848d257a7e6 (n2.9-dev-2076-g25e37f5)
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
As as side note, in bug 1214462 we are integrating the ffvp8+ffvp9 decoder into our source tree which is based on ffmpeg 2.8 branch at this stage.

Could we ensure that all the security related bugs are uplifted/backported to the 2.8 branch?

it would make our life much easier than having to follow the ffmpeg dev tree and manually backport everything we need (and even more so when those are things we reported :) )

Thank you

PS: Awesome work BTW on the VP9 decoder, the performance gain we get is fantastic, making us use less power, drop less frames and give us an edge on chrome.

Comment 15

3 years ago
I think 2.8 needs a lightly modified patch, let me see if I can figure that out. Note that 2.8 (afair) has no 10/12bpp or 422/440/444 or scalability support, it only supports vp9 profile 0 w/o svc.
(In reply to Ronald S. Bultje from comment #15)
> I think 2.8 needs a lightly modified patch, let me see if I can figure that
> out. Note that 2.8 (afair) has no 10/12bpp or 422/440/444 or scalability
> support, it only supports vp9 profile 0 w/o svc.

interesting...
do you think I should go ahead and move to the master branch instead then?

Comment 17

3 years ago
Slight correction, it looks like 2.8 has 10/12bpp support, but no assembly, so it'll be super-slow. In practice that means the same thing, yes I'd recommend updating to git master, at least for now.

Comment 18

3 years ago
(Patch was just applied to master, just to close this bug off: http://ffmpeg.org/pipermail/ffmpeg-cvslog/2015-December/095974.html)
Group: media-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.