CVE-2022-1475: #9651 (Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240) – FFmpeg

#9651 closed defect (fixed)

Reported by:

Owned by:

Priority:

normal

Component:

avcodec

Version:

unspecified

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

This bug was found by fuzzing the current master branch, to reproduce it you have to build the OSS-Fuzz harness for FFmpeg with ASan and UBsan.

You can use the scripts in ​https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg with clang as compiler and the following flags:

CFLAGS=’-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr’ CXXFLAGS=’-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr’

The sanitizer report when executing the testcase is the following:

INFO: Seed: 108531316 INFO: Loaded 1 modules (436082 inline 8-bit counters): 436082 [0x2f32583, 0x2f9ccf5), INFO: Loaded 1 PC tables (436082 PCs): 436082 [0x1d0bf68,0x23b3688), /out/ffmpeg_DEMUXER_fuzzer: Running 1 inputs 1 time(s) each. Running: crashes/ffmpeg_ffmpeg_demuxer_fuzzer/id:000169,sig:06,src:012185,time:73697278,op:havoc,rep:4,trial:1493913 libavcodec/g729_parser.c:51:23: runtime error: signed integer overflow: 10 * 808464428 cannot be represented in type ‘int’ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729_parser.c:51:23 in Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240 ==1324766== ERROR: libFuzzer: deadly signal #0 0x4a20f1 in __sanitizer_print_stack_trace (/out/ffmpeg_DEMUXER_fuzzer+0x4a20f1) #1 0x19f3828 in fuzzer::PrintStackTrace() (/out/ffmpeg_DEMUXER_fuzzer+0x19f3828) #2 0x19d8629 in fuzzer::Fuzzer::CrashCallback() (/out/ffmpeg_DEMUXER_fuzzer+0x19d8629) #3 0x7ffff7e033bf (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf) #4 0x7ffff7a3218a in __libc_signal_restore_set /build/glibc-eX1tMB/glibc-2.31/signal/…/sysdeps/unix/sysv/linux/internal-signals.h:86:3 #5 0x7ffff7a3218a in raise /build/glibc-eX1tMB/glibc-2.31/signal/…/sysdeps/unix/sysv/linux/raise.c:48:3 #6 0x7ffff7a11858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7 #7 0xa628d2 in ff_combine_frame /src/ffmpeg/libavcodec/parser.c:240:5 #8 0xc9ca5f in g729_parse /src/ffmpeg/libavcodec/g729_parser.c:71:9 #9 0xa5fdd3 in av_parser_parse2 /src/ffmpeg/libavcodec/parser.c:164:13 #10 0x502cca in parse_packet /src/ffmpeg/libavformat/demux.c:1126:15 #11 0x4e8013 in read_frame_internal /src/ffmpeg/libavformat/demux.c:1240:21 #12 0x4f343c in avformat_find_stream_info /src/ffmpeg/libavformat/demux.c:2586:15 #13 0x4cba3e in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:192:11 #14 0x19d9d59 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19d9d59) #15 0x19c4c69 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19c4c69) #16 0x19c9b72 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/out/ffmpeg_DEMUXER_fuzzer+0x19c9b72) #17 0x19c49f2 in main (/out/ffmpeg_DEMUXER_fuzzer+0x19c49f2) #18 0x7ffff7a130b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16 #19 0x420e7d in _start (/out/ffmpeg_DEMUXER_fuzzer+0x420e7d)

NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal

There is an UBSan violation that is likely the root cause of the failed assertion.
You find the crashing testcase attached, execute it with ./ffmpeg_DEMUXER_fuzzer ./testcase