
CVE-2016-6920 ffmpeg exr file Heap Overflow
===========================================

Product: ffmpeg
Affected Versions: <= 3.1.2
Vulnerability Type: Heap Overflow
Security Risk: High
Credit: Yaoguang Chen of Aliapy unLimit Security Team

Introduction
============

$ ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png
ffmpeg version 3.1.2 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
  configuration: --prefix=/home/burningcodes/ffmpeg_debug_312/ --disable-yasm --assert-level=2 --enable-debug=3 --disable-optimizations --disable-asm --disable-stripping
  libavutil      55. 28.100 / 55. 28.100
  libavcodec     57. 48.101 / 57. 48.101
  libavformat    57. 41.100 / 57. 41.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 47.100 /  6. 47.100
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  1.100 /  2.  1.100
*** Error in `ffmpeg_debug_312/bin/ffmpeg': free(): invalid next size (normal): 0x00000000024a44c0 ***
Aborted (core dumped)

gdb backtrace:

$ gdb ffmpeg_debug_312/bin/ffmpeg /tmp/core.1471448229 -q
Reading symbols from ffmpeg_debug_312/bin/ffmpeg...done.
[New LWP 6771]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f100f696267 in __GI_raise (sig=sig@entry=0x6)
    at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007f100f696267 in __GI_raise (sig=sig@entry=0x6)
    at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f100f697eca in __GI_abort () at abort.c:89
#2  0x00007f100f6d9c53 in __libc_message (do_abort=do_abort@entry=0x1, 
    fmt=fmt@entry=0x7f100f7f21a8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f100f6e1c69 in malloc_printerr (ptr=<optimized out>, 
    str=0x7f100f7f2300 "free(): invalid next size (normal)", action=0x1)
    at malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0)
    at malloc.c:3834
#5  0x00007f100f6e589c in __GI___libc_free (mem=<optimized out>)
    at malloc.c:2950
#6  0x00000000013e3039 in av_free (ptr=0x24a44c0) at libavutil/mem.c:239
#7  0x00000000013d149c in av_buffer_default_free (opaque=0x0, 
    data=0x24a44c0 "\377\377\360j \241\377\377\377\377\020^")
    at libavutil/buffer.c:63
#8  0x00000000013d165d in buffer_replace (dst=0x7ffd71aa3180, src=0x0)
    at libavutil/buffer.c:119
#9  0x00000000013d169d in av_buffer_unref (buf=0x7ffd71aa3180)
    at libavutil/buffer.c:129
#10 0x00000000008184e6 in av_packet_unref (pkt=0x7ffd71aa3180)
    at libavcodec/avpacket.c:566
#11 0x000000000069e1bb in ff_img_read_packet (s1=0x248c2c0, pkt=0x7ffd71aa3180)
    at libavformat/img2dec.c:502
#12 0x00000000007a4dc1 in ff_read_packet (s=0x248c2c0, pkt=0x7ffd71aa3180)
    at libavformat/utils.c:759
#13 0x00000000007a7ef3 in read_frame_internal (s=0x248c2c0, pkt=0x7ffd71aa3460)
    at libavformat/utils.c:1457
#14 0x00000000007af3c4 in avformat_find_stream_info (ic=0x248c2c0, 
    options=0x248d110) at libavformat/utils.c:3475
#15 0x00000000004103f2 in open_input_file (o=0x7ffd71aa37b0, 
    filename=0x7ffd71aa41c6 "tiled_with_deeptile_type.exr")
    at ffmpeg_opt.c:1002
#16 0x0000000000419274 in open_files (l=0x248c058, inout=0x1413717 "input", 
    open_file=0x40fa95 <open_input_file>) at ffmpeg_opt.c:3036
#17 0x0000000000419401 in ffmpeg_parse_options (argc=0x5, argv=0x7ffd71aa3d98)
    at ffmpeg_opt.c:3073
#18 0x000000000042e8a6 in main (argc=0x5, argv=0x7ffd71aa3d98) at ffmpeg.c:4335
#19 0x00007f100f681a40 in __libc_start_main (main=0x42e7c6 <main>, argc=0x5, 
    argv=0x7ffd71aa3d98, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffd71aa3d88) at libc-start.c:289
#20 0x00000000004061c9 in _start ()