On Sun, Aug 01, 2021 at 01:15:32AM +0000, Marton Balint wrote: > ffmpeg | branch: master | Marton Balint <c...@passwd.hu> | Sun Jun 27 > 22:59:49 2021 +0200| [7b4bdcd68e1e0abfab21a8be81789531d649c1ff] | committer: > Marton Balint > > avformat/mxfdec: prefer footer and complete partitions for metadata > > Also do not store inferior metadata with the same UID. > > Signed-off-by: Marton Balint <c...@passwd.hu> > > > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b4bdcd68e1e0abfab21a8be81789531d649c1ff > --- > > libavformat/mxfdec.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++---- > 1 file changed, 47 insertions(+), 4 deletions(-) [...] > @@ -842,10 +855,39 @@ static int mxf_read_partition_pack(void *arg, > AVIOContext *pb, int tag, int size > return 0; > } > > +static int partition_score(MXFPartition *p) > +{ > + if (p->type == Footer)
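Review bot: partition_score() in this hunk dereferences p unconditionally (`if (p->type == Footer)`) while its caller mxf_add_metadata_set passes mxf->current_partition, which the traces below show is NULL until the first partition pack has been read; either check for NULL inside partition_score (a missing partition should simply score lowest) or guard the call site. The second trace shows the same pointer going stale rather than NULL: mxf_read_partition_pack realloc()s the partition array (mxfdec.c:700), so a raw pointer into that array kept across the realloc is read after free in partition_score; keep an index into mxf->partitions and re-derive the pointer on each use, or refresh current_partition immediately after the realloc.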
This can fail both as a null pointer dereference from mxf->current_partition being NULL, as well as a read after free from a realloc. Here are the 2 traces:

==15334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000cb211e bp 0x7ffde58f6780 sp 0x7ffde58f6760 T0)
==15334==The signal is caused by a READ memory access.
==15334==Hint: address points to the zero page.
    #0 0xcb211d in partition_score ffmpeg/libavformat/mxfdec.c:860:12
    #1 0xcb149e in mxf_add_metadata_set ffmpeg/libavformat/mxfdec.c:882:29
    #2 0xc7e98c in mxf_read_local_tags ffmpeg/libavformat/mxfdec.c:3004:19
    #3 0xc7e98c in mxf_parse_klv ffmpeg/libavformat/mxfdec.c:3031
    #4 0xc69296 in mxf_read_header ffmpeg/libavformat/mxfdec.c:3445:28
    #5 0xff3e67 in avformat_open_input ffmpeg/libavformat/utils.c:571:20
    #6 0x4c779c in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:187:11
    #7 0x271b34d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #8 0x270ff22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #9 0x2715121 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #10 0x270fc00 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #11 0x7ff2d603ebf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41fb79 in _start (ffmpeg/tools/target_io_dem_fuzzer+0x41fb79)

=================================================================
==15313==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000006d8 at pc 0x000000d6eca2 bp 0x7ffd92ec0950 sp 0x7ffd92ec0948
READ of size 4 at 0x6120000006d8 thread T0
    #0 0xd6eca1 in partition_score ffmpeg/libavformat/mxfdec.c:860:12
    #1 0xd6deee in mxf_add_metadata_set ffmpeg/libavformat/mxfdec.c:882:29
    #2 0xd3b3dc in mxf_read_local_tags ffmpeg/libavformat/mxfdec.c:3004:19
    #3 0xd3b3dc in mxf_parse_klv ffmpeg/libavformat/mxfdec.c:3031
    #4 0xd25ce6 in mxf_read_header ffmpeg/libavformat/mxfdec.c:3445:28
    #5 0x4f2707 in avformat_open_input ffmpeg/libavformat/utils.c:571:20
    #6 0x4c6c35 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:187:11
    #7 0x271a86d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #8 0x270f442 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #9 0x2714641 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #10 0x270f120 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #11 0x7fbf99d16bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41fb79 in _start (ffmpeg/tools/target_dem_fuzzer+0x41fb79)

0x6120000006d8 is located 152 bytes inside of 288-byte region [0x612000000640,0x612000000760)
freed by thread T0 here:
    #0 0x497e19 in realloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0xd5e0f4 in mxf_read_partition_pack ffmpeg/libavformat/mxfdec.c:700:16
    #2 0xd3a842 in mxf_parse_klv ffmpeg/libavformat/mxfdec.c:3034:15
    #3 0xd25ce6 in mxf_read_header ffmpeg/libavformat/mxfdec.c:3445:28
    #4 0x4f2707 in avformat_open_input ffmpeg/libavformat/utils.c:571:20
    #5 0x4c6c35 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:187:11
    #6 0x271a86d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #7 0x270f442 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #8 0x2714641 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #9 0x270f120 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #10 0x7fbf99d16bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x497e19 in realloc /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
    #1 0xd5e0f4 in mxf_read_partition_pack ffmpeg/libavformat/mxfdec.c:700:16
    #2 0xd3a842 in mxf_parse_klv ffmpeg/libavformat/mxfdec.c:3034:15
    #3 0xd25ce6 in mxf_read_header ffmpeg/libavformat/mxfdec.c:3445:28
    #4 0x4f2707 in avformat_open_input ffmpeg/libavformat/utils.c:571:20
    #5 0x4c6c35 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:187:11
    #6 0x271a86d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #7 0x270f442 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #8 0x2714641 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #9 0x270f120 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #10 0x7fbf99d16bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The greatest way to live with honor in this world is to be what we pretend to be. -- Socrates
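The two failure modes in the traces above (a NULL mxf->current_partition, and a partition pointer left dangling when mxf_read_partition_pack realloc()s the partition array) come from one design choice: keeping a raw pointer into a growable array. The following is an added example in C, not FFmpeg's code and not the patch under review; it models the partition and metadata bookkeeping with assumed names (Partition, MetadataSet, Demuxer, uid, demo_scenario) that only loosely mirror mxfdec.c, and shows the index-based alternative together with a NULL-tolerant partition_score and the "do not store inferior metadata with the same UID" rule from the commit message.

```c
/* Added example, not FFmpeg code: a small model of the partition and metadata
 * bookkeeping the quoted patch touches, arranged so the two failures in the
 * traces cannot occur. All type and field names here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum PartitionType { Header = 1, BodyPartition = 2, Footer = 3 };

typedef struct { enum PartitionType type; int complete; } Partition;
typedef struct { unsigned char uid[16]; int score; int payload; } MetadataSet;
typedef struct {
    Partition   *partitions;
    int          partitions_count;
    int          current_partition;   /* index into partitions, -1 = none read yet */
    MetadataSet *sets;
    int          sets_count;
} Demuxer;

/* Footer beats complete beats anything else; "no partition yet" scores lowest. */
static int partition_score(const Partition *p)
{
    if (!p)
        return 0;
    if (p->type == Footer)
        return 3;
    return p->complete ? 2 : 1;
}

/* Re-derive the pointer from the index on every use: a realloc() that moves
 * mxf->partitions can then never leave a stale pointer behind. */
static Partition *current_partition(const Demuxer *mxf)
{
    if (mxf->current_partition < 0 || mxf->current_partition >= mxf->partitions_count)
        return NULL;
    return &mxf->partitions[mxf->current_partition];
}

/* Append a partition pack; the array may move, which is harmless here. */
static int read_partition_pack(Demuxer *mxf, enum PartitionType type, int complete)
{
    Partition *tmp = realloc(mxf->partitions,
                             (size_t)(mxf->partitions_count + 1) * sizeof(*tmp));
    if (!tmp)
        return -1;
    mxf->partitions = tmp;
    tmp[mxf->partitions_count].type     = type;
    tmp[mxf->partitions_count].complete = complete;
    mxf->current_partition = mxf->partitions_count++;
    return 0;
}

/* Store a set unless one with the same UID from a better-scoring partition is
 * already present. Returns 1 if stored or replaced, 0 if kept, -1 on OOM. */
static int add_metadata_set(Demuxer *mxf, const unsigned char uid[16], int payload)
{
    int score = partition_score(current_partition(mxf));
    for (int i = 0; i < mxf->sets_count; i++) {
        if (memcmp(mxf->sets[i].uid, uid, 16) != 0)
            continue;
        if (mxf->sets[i].score > score)
            return 0;                       /* inferior metadata: do not store */
        mxf->sets[i].score   = score;
        mxf->sets[i].payload = payload;
        return 1;
    }
    MetadataSet *tmp = realloc(mxf->sets, (size_t)(mxf->sets_count + 1) * sizeof(*tmp));
    if (!tmp)
        return -1;
    mxf->sets = tmp;
    memcpy(tmp[mxf->sets_count].uid, uid, 16);
    tmp[mxf->sets_count].score   = score;
    tmp[mxf->sets_count].payload = payload;
    mxf->sets_count++;
    return 1;
}

/* Constructed scenario: metadata before any partition pack (the NULL case),
 * enough packs to make realloc() move the array (the use-after-free case), then
 * a footer whose metadata must outrank a later, inferior body partition.
 * Returns the surviving payload, or -1 if any step misbehaved. */
static int demo_scenario(void)
{
    Demuxer mxf = { NULL, 0, -1, NULL, 0 };
    unsigned char uid[16] = { 0x06, 0x0e, 0x2b, 0x34 };          /* constructed UID */
    int ok = add_metadata_set(&mxf, uid, 10) == 1;              /* score 0, no crash */
    for (int i = 0; ok && i < 256; i++)
        ok = read_partition_pack(&mxf, BodyPartition, 0) == 0;  /* repeated realloc() */
    ok = ok && add_metadata_set(&mxf, uid, 20) == 1;            /* score 1 replaces 0 */
    ok = ok && read_partition_pack(&mxf, Footer, 1) == 0
            && add_metadata_set(&mxf, uid, 30) == 1;            /* footer: score 3 */
    ok = ok && read_partition_pack(&mxf, BodyPartition, 1) == 0
            && add_metadata_set(&mxf, uid, 40) == 0;            /* score 2: rejected */
    int result = ok ? mxf.sets[0].payload : -1;
    free(mxf.partitions);
    free(mxf.sets);
    return result;
}

int main(void)
{
    printf("surviving payload: %d\n", demo_scenario());
    return 0;
}
```

Build it with the sanitizer the traces came from (`cc -fsanitize=address -g example.c`) and the scenario completes cleanly with payload 30; switching current_partition back to a Partition pointer assigned inside read_partition_pack reproduces the heap-use-after-free once the 256-pack loop forces the array to move, and removing the NULL check in partition_score reproduces the zero-page SEGV on the very first add_metadata_set call.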
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".