Closed Bug 1266129 Opened 8 years ago Closed 8 years ago

FFMPEG: heap-buffer-overflow read in [@av_packet_split_side_data]

Categories

(Core :: Audio/Video: Playback, defect)

48 Branch
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla49
Tracking Status
firefox46 --- unaffected
firefox47 --- fixed
firefox48 --- fixed
firefox49 + fixed
firefox-esr45 --- unaffected

People

(Reporter: tsmith, Assigned: jya)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(6 files)

Attached file call_stack.txt
I found this while fuzzing a nightly build of the browser, not a standalone ffmpeg build.

==12364==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000002375 at pc 0x7f830c50a645 bp 0x7f82ee11ebc0 sp 0x7f82ee11ebb8
READ of size 8 at 0x617000002375 thread T110 (MediaPD~oder #2)
    #0 0x7f830c50a644 in av_packet_split_side_data /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/ffvpx/libavcodec/avpacket.c:396:51
    #1 0x7f830c5c253d in avcodec_decode_video2 /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/ffvpx/libavcodec/utils.c:2115
    #2 0x7f8345fa91a7 in mozilla::FFmpegVideoDecoder<46465650>::DoDecodeFrame(mozilla::MediaRawData*, unsigned char*, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:242
    #3 0x7f8345fa8a61 in mozilla::FFmpegVideoDecoder<46465650>::DoDecodeFrame(mozilla::MediaRawData*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:191
    #4 0x7f8345faa5bd in mozilla::FFmpegVideoDecoder<46465650>::DecodeFrame(mozilla::MediaRawData*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:326
    #5 0x7f8345fab077 in apply<mozilla::FFmpegVideoDecoder<LIBAV_VER>, void (mozilla::FFmpegVideoDecoder<LIBAV_VER>::*)(mozilla::MediaRawData *)> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:676
    #6 0x7f8345fab077 in nsRunnableMethodImpl<void (mozilla::FFmpegVideoDecoder<46465650>::*)(mozilla::MediaRawData*), true, RefPtr<mozilla::MediaRawData> >::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:870
    #7 0x7f8340bb97d0 in mozilla::TaskQueue::Runner::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/TaskQueue.cpp:171
    #8 0x7f8340bced83 in nsThreadPool::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #9 0x7f8340bcf3bc in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #10 0x7f8340bc8340 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:994
    #11 0x7f8340c41eca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #12 0x7f8341935df1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:340
    #13 0x7f83418accfc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #14 0x7f83418accfc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #15 0x7f83418accfc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #16 0x7f8340bc3d8e in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:396
    #17 0x7f8356f8d3ef in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #18 0x7f835a4be181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #19 0x7f83595b047c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)
Which revision / checkout is this from ffmpeg?
Is there some input file that one could try to reproduce with?
(In reply to Michael Niedermayer [:mn] from comment #1)
> Is there some input file that one could try to reproduce with?

I am working on collecting a valid test case at the moment. I'll post it ASAP.
Keywords: testcase-wanted
Attached file test_case.html
This is the test case that reproduces the issue. I will include the .webm as well for reference, but it does not trigger the issue on its own. The key to this seems to be 'v.playbackRate=100.00;'
Attached video test_case.webm
Attached file valgrind_log.txt
Attached patch potential fix
Can you try the attached patch?
It might fix this, but as I haven't reproduced the issue I can't say for sure.
If it fixes it, then I'll apply it to ffmpeg master and backport to the release branches.
(In reply to Michael Niedermayer [:mn] from comment #6)
> Created attachment 8743530 [details] [diff] [review]
> potential fix
> 
> Can you try the attached patch?
> It might fix this, but as I haven't reproduced the issue I can't say for sure.
> If it fixes it, then I'll apply it to ffmpeg master and backport to the
> release branches.

This is version n3.0-1-g0aa2fbd
(In reply to Michael Niedermayer [:mn] from comment #6)
> Created attachment 8743530 [details] [diff] [review]
> potential fix
> 
> Can you try the attached patch?
> It might fix this, but as I haven't reproduced the issue I can't say for sure.
> If it fixes it, then I'll apply it to ffmpeg master and backport to the
> release branches.

I cannot reproduce the issue with the patch applied.
Patch applied to ffmpeg master and locally backported to the release branches; it should be in the next release from each branch.
Keywords: sec-high
FWIW, I can't reproduce it with my local ASan build, which doesn't have the new ffmpeg patch applied.
Assignee: nobody → jyavenard
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Doubtful how it could be exploited.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, it is a generic version upgrade.

Which older supported branches are affected by this flaw? 47

If not all supported branches, which bug introduced the flaw? Likely present for a long time, as the bug is also in the stock system FFmpeg that we used to rely on.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Very simple to backport.

How likely is this patch to cause regressions; how much testing does it need? Changes are minor, so very low.

Upgrade ffvpx to 3.0.2, which includes the fix.
Attachment #8746493 - Flags: sec-approval?
Attachment #8746493 - Flags: review?(ajones)
Attachment #8746493 - Flags: review?(ajones) → review+
sec-approval+ for trunk. We'll want this on Aurora and Beta (48 and 47) since those are the only other branches affected.
Attachment #8746493 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/17bac4bd5a1e
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Hi Jean-Yves, could you please nominate patches for uplift to Beta47 and Aurora48? Thanks!
Flags: needinfo?(jyavenard)
Comment on attachment 8746493 [details] [diff] [review]
0001-Bug-1266129-ffmpeg-Upgrade-ffvpx-to-3.0.2.-r-kentuck.patch

Approval Request Comment
[Feature/regressing bug #]: 1266129
[User impact if declined]: heap overflow, potential security issue
[Describe test coverage new/current, TreeHerder]: in central, 
[Risks and why]: low, rejecting data that could potentially cause the overflow
[String/UUID change made/needed]: none
Flags: needinfo?(jyavenard)
Attachment #8746493 - Flags: approval-mozilla-beta?
Attachment #8746493 - Flags: approval-mozilla-aurora?
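The uplift request above characterises the fix as rejecting data that could cause the over-read. The block below is an added example of that mitigation pattern, written for this page; it is not code from the bug, from FFmpeg or from ffvpx, and the side-data layout it parses (record data followed by a little-endian size and a type byte, a record count, and an 8-byte "SIDEDATA" marker), the function names and the sample packets are all constructed for the example. What it shows is the check a defensive splitter needs: every size field comes from the input, so it is compared against the bytes that actually remain before any pointer is moved by it, and a packet whose size field overshoots is rejected instead of being read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed side-data layout for this example (not FFmpeg's real format):
 *   [payload bytes]
 *   [record 0 data][uint32 size, little endian][uint8 type]
 *   ...
 *   [uint8 record count]
 *   [8-byte marker "SIDEDATA"]
 * Records are walked back-to-front from the marker, so each size field is
 * untrusted input and must be checked against the bytes still in front. */
#define SIDE_MARKER "SIDEDATA"
#define MARKER_LEN 8
#define REC_HDR_LEN 5 /* 4-byte size + 1-byte type */
#define MAX_RECORDS 8

typedef struct {
    uint8_t type;
    uint32_t size;
    const uint8_t *data; /* points into the packet buffer */
} side_record;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Splits trailing side data off a packet. Returns the number of records
 * found (0 when there is no side-data region), or -1 when the region is
 * malformed and the packet must be rejected. *payload_len receives the
 * length of the payload with the side data removed. */
int split_side_data(const uint8_t *buf, size_t len,
                    side_record *out, int max_out, size_t *payload_len)
{
    if (len < MARKER_LEN + 1 ||
        memcmp(buf + len - MARKER_LEN, SIDE_MARKER, MARKER_LEN) != 0) {
        *payload_len = len; /* no side-data region: whole buffer is payload */
        return 0;
    }
    size_t end = len - MARKER_LEN; /* bytes in front of the marker */
    int count = buf[end - 1];
    end -= 1;
    if (count > max_out)
        return -1; /* more records than the caller can hold */
    for (int i = 0; i < count; i++) {
        if (end < REC_HDR_LEN)
            return -1; /* record header would start before the buffer */
        uint8_t type = buf[end - 1];
        uint32_t size = read_le32(buf + end - REC_HDR_LEN);
        end -= REC_HDR_LEN;
        if (size > end)
            return -1; /* size field claims more bytes than remain: over-read */
        end -= size;
        out[i].type = type;
        out[i].size = size;
        out[i].data = buf + end;
    }
    *payload_len = end;
    return count;
}

/* Constructed sample: payload "frame" plus one record of type 1 carrying "abc". */
static const uint8_t GOOD_PKT[] = {
    'f', 'r', 'a', 'm', 'e',
    'a', 'b', 'c', 0x03, 0x00, 0x00, 0x00, 0x01,
    0x01,
    'S', 'I', 'D', 'E', 'D', 'A', 'T', 'A'
};
/* Same packet, but the size field claims 100 bytes; a parser that trusted
 * it would read memory in front of the buffer. */
static const uint8_t BAD_PKT[] = {
    'f', 'r', 'a', 'm', 'e',
    'a', 'b', 'c', 0x64, 0x00, 0x00, 0x00, 0x01,
    0x01,
    'S', 'I', 'D', 'E', 'D', 'A', 'T', 'A'
};

/* Returns 1 when the well-formed packet parses to exactly the expected record. */
int check_good(void)
{
    side_record r[MAX_RECORDS];
    size_t payload_len = 0;
    int n = split_side_data(GOOD_PKT, sizeof GOOD_PKT, r, MAX_RECORDS, &payload_len);
    return n == 1 && payload_len == 5 && r[0].type == 1 && r[0].size == 3 &&
           memcmp(r[0].data, "abc", 3) == 0;
}

/* Returns the splitter's verdict on the oversized packet (-1 = rejected). */
int check_bad(void)
{
    side_record r[MAX_RECORDS];
    size_t payload_len = 0;
    return split_side_data(BAD_PKT, sizeof BAD_PKT, r, MAX_RECORDS, &payload_len);
}

int main(void)
{
    printf("well-formed packet accepted: %d\n", check_good());
    printf("oversized size field verdict: %d\n", check_bad());
    return 0;
}
```

The only difference between accepting and rejecting the second packet is the `size > end` comparison made before `end -= size`; a splitter that subtracts first and checks afterwards (or never checks) is the shape of bug that AddressSanitizer reports as a heap-buffer-overflow read.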
Comment on attachment 8746493 [details] [diff] [review]
0001-Bug-1266129-ffmpeg-Upgrade-ffvpx-to-3.0.2.-r-kentuck.patch

Sec-high, Aurora48+, Beta47+
Attachment #8746493 - Flags: approval-mozilla-beta?
Attachment #8746493 - Flags: approval-mozilla-beta+
Attachment #8746493 - Flags: approval-mozilla-aurora?
Attachment #8746493 - Flags: approval-mozilla-aurora+
Group: media-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release