CVE-2022-1475: #9651 (Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240) – FFmpeg
An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in libavcodec/g729_parser.c when processing a specially crafted file.
#9651 closed defect (fixed)
Priority: normal
Component: avcodec
Version: unspecified
Reproduced by developer: no
Analyzed by developer: no
This bug was found by fuzzing the current master branch. To reproduce it, you have to build the OSS-Fuzz harness for FFmpeg with ASan and UBSan.
You can use the scripts in https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg with clang as compiler and the following flags:
CFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr' CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
The sanitizer report when executing the testcase is the following:
INFO: Seed: 108531316
INFO: Loaded 1 modules (436082 inline 8-bit counters): 436082 [0x2f32583, 0x2f9ccf5),
INFO: Loaded 1 PC tables (436082 PCs): 436082 [0x1d0bf68,0x23b3688),
/out/ffmpeg_DEMUXER_fuzzer: Running 1 inputs 1 time(s) each.
Running: crashes/ffmpeg_ffmpeg_demuxer_fuzzer/id:000169,sig:06,src:012185,time:73697278,op:havoc,rep:4,trial:1493913
libavcodec/g729_parser.c:51:23: runtime error: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729_parser.c:51:23 in
Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240
==1324766== ERROR: libFuzzer: deadly signal
    #0 0x4a20f1 in __sanitizer_print_stack_trace (/out/ffmpeg_DEMUXER_fuzzer+0x4a20f1)
    #1 0x19f3828 in fuzzer::PrintStackTrace() (/out/ffmpeg_DEMUXER_fuzzer+0x19f3828)
    #2 0x19d8629 in fuzzer::Fuzzer::CrashCallback() (/out/ffmpeg_DEMUXER_fuzzer+0x19d8629)
    #3 0x7ffff7e033bf (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
    #4 0x7ffff7a3218a in __libc_signal_restore_set /build/glibc-eX1tMB/glibc-2.31/signal/…/sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #5 0x7ffff7a3218a in raise /build/glibc-eX1tMB/glibc-2.31/signal/…/sysdeps/unix/sysv/linux/raise.c:48:3
    #6 0x7ffff7a11858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7
    #7 0xa628d2 in ff_combine_frame /src/ffmpeg/libavcodec/parser.c:240:5
    #8 0xc9ca5f in g729_parse /src/ffmpeg/libavcodec/g729_parser.c:71:9
    #9 0xa5fdd3 in av_parser_parse2 /src/ffmpeg/libavcodec/parser.c:164:13
    #10 0x502cca in parse_packet /src/ffmpeg/libavformat/demux.c:1126:15
    #11 0x4e8013 in read_frame_internal /src/ffmpeg/libavformat/demux.c:1240:21
    #12 0x4f343c in avformat_find_stream_info /src/ffmpeg/libavformat/demux.c:2586:15
    #13 0x4cba3e in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:192:11
    #14 0x19d9d59 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19d9d59)
    #15 0x19c4c69 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19c4c69)
    #16 0x19c9b72 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/out/ffmpeg_DEMUXER_fuzzer+0x19c9b72)
    #17 0x19c49f2 in main (/out/ffmpeg_DEMUXER_fuzzer+0x19c49f2)
    #18 0x7ffff7a130b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #19 0x420e7d in _start (/out/ffmpeg_DEMUXER_fuzzer+0x420e7d)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
There is a UBSan violation that is likely the root cause of the failed assertion.
You find the crashing testcase attached; execute it with ./ffmpeg_DEMUXER_fuzzer ./testcase
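The arithmetic behind the UBSan line above, written out as an added example in C (not FFmpeg's own code): the wrapping product, the precondition that ff_combine_frame asserts on the resulting negative offset, and an overflow-checked form of the same computation. It assumes that the 10 in the report is the 10-byte G.729 frame at 8 kbit/s and the 808464428 is a channel count taken from the input; MAX_CHANNELS is a hypothetical bound chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define G729_8K_BLOCK_SIZE 10   /* bytes per G.729 frame at 8 kbit/s */
#define MAX_CHANNELS       64   /* hypothetical sanity bound for the example */

/* Unchecked form: the same bit pattern a wrapping signed multiply yields on
 * two's-complement hardware. Done in unsigned arithmetic so this example is
 * itself free of undefined behaviour; the final conversion is
 * implementation-defined and modular on gcc/clang. */
static int block_size_unchecked(int frame_bytes, int channels)
{
    uint32_t product = (uint32_t)frame_bytes * (uint32_t)channels;
    return (int)product;
}

/* Mirrors the invariant from the report, "next >= 0 || pc->buffer": a
 * negative frame boundary is tolerated only once a partial frame is already
 * buffered. On the first packet nothing is buffered, so a wrapped block size
 * trips the assertion immediately. */
static bool combine_frame_precondition(int next, bool have_buffered_data)
{
    return next >= 0 || have_buffered_data;
}

/* Hardened form: reject nonsensical inputs before multiplying and detect
 * overflow explicitly. Returns the block size, or -1 when it cannot be
 * represented or the parameters are out of range. */
static int block_size_checked(int frame_bytes, int channels)
{
    int product;
    if (frame_bytes <= 0 || channels <= 0 || channels > MAX_CHANNELS)
        return -1;
    if (__builtin_mul_overflow(frame_bytes, channels, &product))
        return -1;
    return product;
}

int main(void)
{
    int channels = 808464428;   /* the constructed value from the report */
    int wrapped  = block_size_unchecked(G729_8K_BLOCK_SIZE, channels);
    printf("unchecked block size: %d (precondition holds: %d)\n", wrapped,
           combine_frame_precondition(wrapped, false));
    printf("checked block size:   %d\n",
           block_size_checked(G729_8K_BLOCK_SIZE, channels));
    return 0;
}
```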
Related news
Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.
Ubuntu Security Notice 5472-1 - It was discovered that FFmpeg would attempt to divide by zero when using Linear Predictive Coding or AAC codecs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. It was discovered that FFmpeg incorrectly handled certain input. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10.