CVE-2020-22032: #8275 (heap-buffer-overflow at libavfilter/vf_edgedetect.c:180 in gaussian_blur) – FFmpeg

A heap-based buffer overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_edgedetect.c in gaussian_blur, which might lead to memory corruption and other potential consequences.


#8275 closed defect (fixed)

Reported by:
Owned by:
Priority: normal
Component: undetermined
Version: git-master
Keywords: asan
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Summary of the bug:
There is a heap-buffer-overflow at libavfilter/vf_edgedetect.c:180 in gaussian_blur

I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached the log file.
How to reproduce:

% ffmpeg_g -y -i $PoC -filter_complex edgedetect -target dv tmp.daud

ffmpeg version N-95382-g62f4722582 Copyright © 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's the ASAN log:

==47511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500001bee2 at pc 0x000000cd9f0e bp 0x7fffffffa710 sp 0x7fffffffa708
WRITE of size 1 at 0x61500001bee2 thread T0
    #0 0xcd9f0d in gaussian_blur ffmpeg/libavfilter/vf_edgedetect.c:180:20
    #1 0xcd9f0d in filter_frame ffmpeg/libavfilter/vf_edgedetect.c:364
    #2 0x8271b9 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1084:11
    #3 0x8271b9 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1443
    #4 0x8700b2 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #5 0x8700b2 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
    #6 0x86eaf2 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #7 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #8 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260
    #9 0x607666 in decode_video ffmpeg/fftools/ffmpeg.c:2459:11
    #10 0x607666 in process_input_packet ffmpeg/fftools/ffmpeg.c:2613
    #11 0x644c58 in process_input ffmpeg/fftools/ffmpeg.c:4303:23
    #12 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11
    #13 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #14 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #15 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/…/csu/libc-start.c:310
    #16 0x41def9 in _start (ffmpeg_asan+0x41def9)

0x61500001bee2 is located 0 bytes to the right of 418-byte region [0x61500001bd40,0x61500001bee2)
allocated by thread T0 here:
    #0 0x4de9e8 in posix_memalign (ffmpeg_asan+0x4de9e8)
    #1 0x85924d1 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0xcda91c in config_props ffmpeg/libavfilter/vf_edgedetect.c:137:29

SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavfilter/vf_edgedetect.c:180:20 in gaussian_blur
Shadow bytes around the buggy address:
  0x0c2a7fffb780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fffb790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fffb7a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2a7fffb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fffb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fffb7d0: 00 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa
  0x0c2a7fffb7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffb7f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2a7fffb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fffb810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fffb820: 00 00 00 00 00 00 00 00 00 00 00 00 02 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==47511==ABORTING

Please confirm.
Thanks
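The ASan report is the whole body of evidence this ticket carries, and triaging fuzzer tickets at volume means pulling the same few facts out of every report: the access kind and size, where the faulting address sits relative to the allocated region, and which project frames allocated and then overran the buffer. The Python below is an added example written for this page; it is not the reporter's code and not FFmpeg's. The function names (parse_asan_report, region_is_consistent, classify, allocation_site) and the allocator-wrapper skip list are my own choices. It runs over a sample condensed from the report above and also recognises the "freed by thread" stack that use-after-free reports carry, which this ticket does not.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the essential lines of the ASan report from ticket #8275,
# re-split onto separate lines (the page ran the whole report together).
# Crash frames #3..#16 and the shadow-byte dump are left out; the parser
# does not need them.
SAMPLE_REPORT = """\
==47511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500001bee2 at pc 0x000000cd9f0e bp 0x7fffffffa710 sp 0x7fffffffa708
WRITE of size 1 at 0x61500001bee2 thread T0
    #0 0xcd9f0d in gaussian_blur ffmpeg/libavfilter/vf_edgedetect.c:180:20
    #1 0xcd9f0d in filter_frame ffmpeg/libavfilter/vf_edgedetect.c:364
    #2 0x8271b9 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1084:11

0x61500001bee2 is located 0 bytes to the right of 418-byte region [0x61500001bd40,0x61500001bee2)
allocated by thread T0 here:
    #0 0x4de9e8 in posix_memalign (ffmpeg_asan+0x4de9e8)
    #1 0x85924d1 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0xcda91c in config_props ffmpeg/libavfilter/vf_edgedetect.c:137:29

SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavfilter/vf_edgedetect.c:180:20 in gaussian_blur
==47511==ABORTING
"""


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col", or "(binary+offset)" when unsymbolised


@dataclass
class AsanReport:
    bug_type: str = ""
    access: str = ""            # "READ" or "WRITE"
    size: int = 0
    address: int = 0
    region_size: Optional[int] = None
    region_start: Optional[int] = None
    region_end: Optional[int] = None
    # Signed distance from the region: +N means N bytes past its end,
    # -N means N bytes before its start.
    offset_from_region: Optional[int] = None
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)


HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(.*\S)\s*$")


def parse_asan_report(text: str) -> AsanReport:
    """Extract the triage-relevant facts from a textual ASan report."""
    rep = AsanReport()
    current: Optional[List[Frame]] = None   # which stack the next frames belong to
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            rep.bug_type, rep.address = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.match(line.strip())
        if m:
            rep.access, rep.size = m.group(1), int(m.group(2))
            current = rep.crash_stack
            continue
        m = REGION_RE.search(line)
        if m:
            dist, side = int(m.group(1)), m.group(2)
            rep.region_size = int(m.group(3))
            rep.region_start, rep.region_end = int(m.group(4), 16), int(m.group(5), 16)
            rep.offset_from_region = dist if side == "right" else -dist
        if "allocated by thread" in line:
            current = rep.alloc_stack
            continue
        if "freed by thread" in line:
            current = rep.free_stack
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
            continue
        if line.startswith("SUMMARY:"):
            current = None
    return rep


def region_is_consistent(rep: AsanReport) -> bool:
    """Cross-check the region line: the hex bounds must span region_size bytes
    and the faulting address must sit at the stated signed offset."""
    if rep.region_start is None or rep.offset_from_region is None:
        return False
    if rep.region_end - rep.region_start != rep.region_size:
        return False
    if rep.offset_from_region >= 0:
        expected = rep.region_end + rep.offset_from_region
    else:
        expected = rep.region_start + rep.offset_from_region
    return expected == rep.address


def classify(rep: AsanReport) -> str:
    """Coarse, human-readable triage label for the ticket title."""
    if rep.bug_type != "heap-buffer-overflow" or rep.offset_from_region is None:
        return rep.bug_type or "unknown"
    side = "past the end" if rep.offset_from_region >= 0 else "before the start"
    return (f"{rep.size}-byte heap {rep.access} {abs(rep.offset_from_region)} bytes "
            f"{side} of a {rep.region_size}-byte region")


# Heuristic of my own, not an ASan convention: skip raw allocator entry points and
# FFmpeg's thin av_malloc wrappers so blame lands on the code that sized the buffer.
ALLOCATOR_WRAPPERS = {"malloc", "calloc", "realloc", "posix_memalign",
                      "av_malloc", "av_mallocz", "av_malloc_array", "av_realloc"}


def allocation_site(rep: AsanReport) -> Optional[Tuple[str, str]]:
    """First allocation-stack frame that is project code rather than an allocator."""
    for fr in rep.alloc_stack:
        if fr.function not in ALLOCATOR_WRAPPERS and not fr.location.startswith("("):
            return fr.function, fr.location
    return None


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(classify(r), "| consistent:", region_is_consistent(r))
    print("overrun in:", r.crash_stack[0].function, r.crash_stack[0].location)
    print("allocated in:", allocation_site(r))
```

region_is_consistent is the check worth keeping in any triage script: the hex bounds must span exactly the stated region size and the faulting address must land at the stated offset, which catches truncated or hand-edited reports before anyone spends time on them. For this ticket the numbers agree (0x61500001bee2 - 0x61500001bd40 = 418), so what the reporter is asking the developers to confirm is a 1-byte WRITE exactly at the end of a 418-byte region allocated in config_props and overrun in gaussian_blur.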
