CVE-2020-22025: #8260 (heap-buffer-overflow at libavfilter/vf_edgedetect.c:153) – FFmpeg
A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.
#8260 closed defect (fixed)
Reported by:
Owned by:
Priority: normal
Component: undetermined
Version: git-master
Keywords: asan
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no
Summary of the bug:
There is a heap-buffer-overflow at libavfilter/vf_edgedetect.c:153 in gaussian_blur.
I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached the log file.
How to reproduce:
% ffmpeg_g -y -i $PoC -filter_complex edgedetect -target dvd -loglevel 99 tmp.u32le
ffmpeg version N-95336-g4f4334bcbc Copyright © 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
Here's the ASAN log:
=================================================================
==24040==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000b681 at pc 0x0000004dcadc bp 0x7fffffffa750 sp 0x7fffffff9f00
WRITE of size 1 at 0x60900000b681 thread T0
    #0 0x4dcadb in __asan_memcpy (ffmpeg_asan+0x4dcadb)
    #1 0xcd16cd in gaussian_blur ffmpeg/libavfilter/vf_edgedetect.c:153:5
    #2 0xcd16cd in filter_frame ffmpeg/libavfilter/vf_edgedetect.c:359
    #3 0x826e29 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11
    #4 0x826e29 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
    #5 0x86fd22 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #6 0x86fd22 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
    #7 0x86e762 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #8 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #9 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260
    #10 0x607666 in decode_video ffmpeg/fftools/ffmpeg.c:2459:11
    #11 0x607666 in process_input_packet ffmpeg/fftools/ffmpeg.c:2613
    #12 0x644c58 in process_input ffmpeg/fftools/ffmpeg.c:4303:23
    #13 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11
    #14 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #15 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #16 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310
    #17 0x41def9 in _start (ffmpeg_asan+0x41def9)

0x60900000b681 is located 0 bytes to the right of 1-byte region [0x60900000b680,0x60900000b681)
allocated by thread T0 here:
    #0 0x4de9e8 in posix_memalign (ffmpeg_asan+0x4de9e8)
    #1 0x8598211 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0xcdc71c in config_props ffmpeg/libavfilter/vf_edgedetect.c:137:29
SUMMARY: AddressSanitizer: heap-buffer-overflow (ffmpeg_asan+0x4dcadb) in __asan_memcpy
Please confirm.
Thanks
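The ASAN report above shows the shape of the defect rather than its root cause: a scratch buffer is allocated once at configuration time (config_props, via av_malloc, here only 1 byte), and the per-frame blur pass later memcpy()s a full row into it without checking that the row fits. The following C program is an added illustration of that bug class and of the bounds check that turns the overflow into a clean failure; it is constructed for this page, is not FFmpeg's code, and the names BlurCtx, blur_config, blur_row and blur_plane, the 3-tap blur kernel and the sample rows are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not FFmpeg code): a scratch row buffer sized
 * once at configuration time and reused by a per-frame blur pass. */
typedef struct {
    uint8_t *tmpbuf;       /* scratch buffer allocated at config time */
    size_t   tmpbuf_size;  /* how many bytes tmpbuf can actually hold */
} BlurCtx;

/* Hypothetical config step. If the size computed here disagrees with the
 * row length used per frame, the later memcpy() writes past the end of
 * the heap allocation, which is what ASAN flagged in the report above. */
int blur_config(BlurCtx *ctx, size_t tmpbuf_size)
{
    ctx->tmpbuf = malloc(tmpbuf_size ? tmpbuf_size : 1);
    if (!ctx->tmpbuf)
        return -1;
    ctx->tmpbuf_size = tmpbuf_size;
    return 0;
}

/* 3-tap horizontal blur of one row (weights 1,2,1 with edge clamping).
 * The row is first copied into the scratch buffer so the result can be
 * written back in place. Returns 0 on success, -1 when the row does not
 * fit: the check is the mitigation, the memcpy() is the unsafe write. */
int blur_row(BlurCtx *ctx, uint8_t *row, size_t width)
{
    if (width > ctx->tmpbuf_size)  /* refuse instead of overflowing */
        return -1;
    memcpy(ctx->tmpbuf, row, width);
    for (size_t x = 0; x < width; x++) {
        unsigned l = ctx->tmpbuf[x ? x - 1 : 0];
        unsigned c = ctx->tmpbuf[x];
        unsigned r = ctx->tmpbuf[x + 1 < width ? x + 1 : x];
        row[x] = (uint8_t)((l + 2 * c + r + 2) / 4);
    }
    return 0;
}

/* Blur every row of a plane. Returns the number of rows processed, or -1
 * as soon as a row would not fit in the scratch buffer. */
int blur_plane(BlurCtx *ctx, uint8_t *plane, size_t width, size_t height,
               size_t linesize)
{
    for (size_t y = 0; y < height; y++)
        if (blur_row(ctx, plane + y * linesize, width) < 0)
            return -1;
    return (int)height;
}

void blur_free(BlurCtx *ctx)
{
    free(ctx->tmpbuf);
    ctx->tmpbuf = NULL;
    ctx->tmpbuf_size = 0;
}

int main(void)
{
    BlurCtx ctx;
    /* Constructed 2x8 plane: a step edge and a checker row. */
    uint8_t plane[2][8] = { {0, 0, 0, 0, 255, 255, 255, 255},
                            {255, 0, 255, 0, 255, 0, 255, 0} };

    /* Scratch buffer sized for the real row length: the blur runs. */
    blur_config(&ctx, 8);
    printf("rows blurred: %d\n", blur_plane(&ctx, &plane[0][0], 8, 2, 8));
    blur_free(&ctx);

    /* 1-byte scratch buffer, as in the ASAN report: the row is refused
     * rather than copied past the end of the allocation. */
    blur_config(&ctx, 1);
    printf("rows blurred: %d\n", blur_plane(&ctx, &plane[0][0], 8, 2, 8));
    blur_free(&ctx);
    return 0;
}
```

Compiled with -fsanitize=address, removing the `width > ctx->tmpbuf_size` check and keeping the 1-byte configuration reproduces a "WRITE of size N ... in __asan_memcpy" report of the same form as the one in the ticket, with the allocation site pointing at blur_config instead of config_props; with the check in place the same input yields a -1 return and no memory error.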