Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-38291: #9312 (assertion failed in av_rescale_delta) – FFmpeg

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c.

CVE
#ubuntu#linux#git#c++

Summary of the bug
there is an assertion failure at src/libavutil/mathematics.c, causing ffmpeg aborted.

System info
Ubuntu 18.04.5 LTS
clang version 10.0.0
ffmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640)
commit date:Wed Jun 30 09:34:09 2021

How to build

./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug make

How to reproduce

ffmpeg ffmpeg -y -i crash_input -c:v mpeg4 -c:a copy -f mp4 /dev/null

Gdb output

Assertion duration >= 0 failed at src/libavutil/mathematics.c:172

Thread 1 “ffmpeg_g” received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:51 51 …/sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ffff7248921 in __GI_abort () at abort.c:79 #2 0x00000000014689a5 in av_rescale_delta (in_tb=…, in_ts=<optimized out>, fs_tb=…, duration=<optimized out>, last=<optimized out>, out_tb=…) at src/libavutil/mathematics.c:172 #3 0x0000000000422647 in do_streamcopy (ist=0x22b4040, ost=0x22cab00, pkt=0x22b4240) at src/fftools/ffmpeg.c:2110 #4 process_input_packet (ist=<optimized out>, pkt=<optimized out>, no_eof=<optimized out>) at src/fftools/ffmpeg.c:2801 #5 0x000000000041e4a6 in process_input (file_index=<optimized out>) at src/fftools/ffmpeg.c:4618 #6 transcode_step () at src/fftools/ffmpeg.c:4758 #7 transcode () at src/fftools/ffmpeg.c:4812 #8 0x000000000041a822 in main (argc=<optimized out>, argv=<optimized out>) at src/fftools/ffmpeg.c:5017 (gdb) disass $pc-32,$pc+32 Dump of assembler code from 0x7ffff7246f97 to 0x7ffff7246fd7: 0x00007ffff7246f97 <__GI_raise+167>: add %dh,%al 0x00007ffff7246f99 <__GI_raise+169>: (bad)
0x00007ffff7246f9a <__GI_raise+170>: pushq 0x3b(%rdi) 0x00007ffff7246f9d <__GI_raise+173>: mov %eax,%r8d 0x00007ffff7246fa0 <__GI_raise+176>: mov $0x8,%r10d 0x00007ffff7246fa6 <__GI_raise+182>: xor %edx,%edx 0x00007ffff7246fa8 <__GI_raise+184>: mov %r9,%rsi 0x00007ffff7246fab <__GI_raise+187>: mov $0x2,%edi 0x00007ffff7246fb0 <__GI_raise+192>: mov $0xe,%eax 0x00007ffff7246fb5 <__GI_raise+197>: syscall => 0x00007ffff7246fb7 <__GI_raise+199>: mov 0x108(%rsp),%rcx 0x00007ffff7246fbf <__GI_raise+207>: xor %fs:0x28,%rcx 0x00007ffff7246fc8 <__GI_raise+216>: mov %r8d,%eax 0x00007ffff7246fcb <__GI_raise+219>: jne 0x7ffff7246fec <__GI_raise+252> 0x00007ffff7246fcd <__GI_raise+221>: add $0x118,%rsp 0x00007ffff7246fd4 <__GI_raise+228>: retq
0x00007ffff7246fd5 <__GI_raise+229>: nopl (%rax) End of assembler dump. (gdb) info all-registers rax 0x0 0 rbx 0x22b4040 36388928 rcx 0x7ffff7246fb7 140737339748279 rdx 0x0 0 rsi 0x7fffffffcdc0 140737488342464 rdi 0x2 2 rbp 0x22cab00 0x22cab00 rsp 0x7fffffffcdc0 0x7fffffffcdc0 r8 0x0 0 r9 0x7fffffffcdc0 140737488342464 r10 0x8 8 r11 0x246 582 r12 0xffffe412 4294960146 r13 0x22b3b80 36387712 r14 0x22b4240 36389440 r15 0x22cc4c0 36488384 rip 0x7ffff7246fb7 0x7ffff7246fb7 <__GI_raise+199> eflags 0x246 [ PF ZF IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 st0 0 (raw 0x00000000000000000000) st1 0 (raw 0x00000000000000000000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) st6 0 (raw 0x00000000000000000000) st7 0 (raw 0x00000000000000000000) fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ] bndcfgu {raw = 0x0, config = {base = 0x0, reserved = 0x0, preserved = 0x0, enabled = 0x0}} {raw = 0x0, config = {base = 0, reserved = 0, preserved = 0, enabled = 0}} bndstatus {raw = 0x0, status = {bde = 0x0, error = 0x0}} {raw = 0x0, status = {bde = 0, error = 0}} k0 0x0 0 k1 0x0 0 k2 0x0 0 k3 0x0 0 k4 0x0 0 k5 0x0 0 k6 0x0 0 k7 0x0 0 pkru 0x55555554 1431655764 zmm0 {v16_float = {0x0, 0x0, 0x0, 0x0, 0x0 <repeats 12 times>}, v8_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v64_int8 = {0xff <repeats 16 times>, 0x0 <repeats 48 times>}, v32_int16 = {0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0 <repeats 24 times>}, v16_int32 = {0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x0 <repeats 12 times>}, v8_int64 = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int128 = { 0xffffffffffffffffffffffffffffffff, 0x0, 0x0, 0x0}}

Related news

Gentoo Linux Security Advisory 202312-14

Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.

Ubuntu Security Notice USN-5472-1

Ubuntu Security Notice 5472-1 - It was discovered that FFmpeg would attempt to divide by zero when using Linear Predictive Coding or AAC codecs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. It was discovered that FFmpeg incorrectly handled certain input. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10.

CVE-2022-22988: WDC-22003 EdgeRover Desktop App Version 1.5.0-576 | Western Digital

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device. 

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907