Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

Subject: null pointer dereference while running ffmpeg2theora
Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference, which may allow a remote attacker to cause a denial-of-service attack. I expected the program to terminate without a segfault, but the program crashes as follows:

=======================================================
(gdb) r poc
Starting program: /home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] Lr-middle is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[wsd @ 0x61b000000080] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-de...@ffmpeg.org)
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] reserved channel assignment
[wsd @ 0x61b000000080] emphasis is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[wsd @ 0x61b000000080] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-de...@ffmpeg.org)
[dsd_msbf @ 0x619000000580] Channel layout '5 channels (FL+FR+BL+BR+FLC)' with 5 channels does not match specified number of channels 6: ignoring specified channel layout
[wsd @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate
Input #0, wsd, from 'poc':
  Metadata:
    playback_time   : 00:00:00:00
  Duration: 00:00:00.00, bitrate: 118545 kb/s
    Stream #0:0: Audio: dsd_msbf, 198656 Hz, 6 channels, fltp, 9535 kb/s
[dsd_msbf @ 0x619000000080] Multiple frames in a packet.
[dsd_msbf @ 0x619000000080] get_buffer() failed

Program received signal SIGSEGV, Segmentation fault.
0x00005555555883a7 in oggmux_add_audio (info=0x5555557cd060 <info>, buffer=0x616000003380, samples=1, e_o_s=1) at src/theorautils.c:1254
1254            vorbis_buffer[k][i] = ((const float *)buffer[j])[i];
(gdb) bt
#0  0x00005555555883a7 in oggmux_add_audio (info=0x5555557cd060 <info>, buffer=0x616000003380, samples=1, e_o_s=1) at src/theorautils.c:1254
#1  0x00005555555792c5 in ff2theora_output (this=0x61a000000080) at src/ffmpeg2theora.c:1688
#2  0x0000555555580ad9 in main (argc=2, argv=0x7fffffffe0c8) at src/ffmpeg2theora.c:3095
(gdb) x/i $rip
=> 0x5555555883a7 <oggmux_add_audio+735>:       movss  (%rsi),%xmm0
(gdb) i r rsi
rsi            0x0      0
(gdb)
=======================================================

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57     7:3.4-3
ii  libavdevice57    7:3.4-3
ii  libavfilter6     7:3.4-3
ii  libavformat57    7:3.4-3
ii  libavutil55      7:3.4-3
ii  libc6            2.24-17
ii  libkate1         0.4.1-7+b1
ii  libogg0          1.3.2-1+b1
ii  liboggkate1      0.4.1-7+b1
ii  libpostproc54    7:3.4-3
ii  libswresample2   7:3.4-3
ii  libswscale4      7:3.4-3
ii  libtheora0       1.1.1+dfsg.1-14+b1
ii  libvorbis0a      1.3.5-4
ii  libvorbisenc2    1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information
poc
Description: Binary data
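As an added illustration (not the reporter's code nor ffmpeg2theora's own source), here is a constructed, simplified model of the copy loop the backtrace points at, with the plane check that turns a NULL decoder buffer into a dropped frame instead of a SIGSEGV; `copy_planar_audio`, its parameters and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the copy loop at theorautils.c:1254 in the backtrace:
 * the decoder returns one plane per channel (buffer[j]); the muxer copies each
 * plane into its float analysis buffer. When get_buffer() fails, the plane
 * pointers stay NULL and the unchecked loop reads from address 0 (rsi == 0 in
 * the register dump). Hypothetical helper, not ffmpeg2theora's own code.
 * Returns 0 on success, -1 if the frame must be dropped. */
static int copy_planar_audio(float **vorbis_buffer, int channels,
                             uint8_t **buffer, int samples)
{
    if (vorbis_buffer == NULL || buffer == NULL || channels <= 0 || samples < 0)
        return -1;
    /* Hardened: reject the frame before the inner loop dereferences anything. */
    for (int j = 0; j < channels; j++)
        if (buffer[j] == NULL || vorbis_buffer[j] == NULL)
            return -1;
    for (int j = 0; j < channels; j++)
        for (int i = 0; i < samples; i++)
            vorbis_buffer[j][i] = ((const float *)buffer[j])[i];
    return 0;
}

/* Constructed input: two valid planes copied into two analysis buffers.
 * Returns the sum of the copied samples (2.75) so a caller can check the copy. */
static float demo_valid_copy(void)
{
    float in0[3] = {0.25f, 0.5f, 1.0f}, in1[3] = {-1.0f, 0.0f, 2.0f};
    float out0[3] = {0}, out1[3] = {0};
    uint8_t *planes[2] = {(uint8_t *)in0, (uint8_t *)in1};
    float *dst[2] = {out0, out1};
    if (copy_planar_audio(dst, 2, planes, 3) != 0)
        return -999.0f;
    return out0[0] + out0[1] + out0[2] + out1[0] + out1[1] + out1[2];
}

/* Constructed failure case mirroring the report: the decoder's get_buffer()
 * failed, so the second plane is NULL. Must return -1 instead of crashing. */
static int demo_missing_plane(void)
{
    float in0[3] = {0.25f, 0.5f, 1.0f};
    float out0[3] = {0}, out1[3] = {0};
    uint8_t *planes[2] = {(uint8_t *)in0, NULL};
    float *dst[2] = {out0, out1};
    return copy_planar_audio(dst, 2, planes, 3);
}
```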