A null pointer dereference was discovered lzo_decompress_buf in stream.c in Irzip 0.621 which allows an attacker to cause a denial of service (DOS) via a crafted compressed file.

Bug #1893641 reported by Doudou Huang on 2020-08-31

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

lrzip (Ubuntu)

Confirmed

Undecided

Unassigned

**Bug Description**

Hi, there.

There is invalid memory access in lzo\_decompress\_buf, stream.c 589 in the lrzip version 0.621 (newest branch 597be1f).  
According to the trace, it seems to be an incomplete fix of CVE-2017-8845 and CVE-2019-10654.  
System:

DISTRIB\_ID=Ubuntu  
DISTRIB\_RELEASE=16.04  
DISTRIB\_CODENAME=xenial  
DISTRIB\_DESCRIPTION="Ubuntu 16.04.6 LTS"

To reproduce, run:

lrzip -t seg-stream589

This is the output from the terminal:

Decompressing...  
Segmentation fault  
This is the trace reported by ASAN:

\==177389==ERROR: AddressSanitizer: SEGV on unknown address 0x606000010000 (pc 0x7f19986a0144 bp 0x62100001cd54 sp 0x7f1994afed60 T1)  
    #0 0x7f19986a0143 in lzo1x\_decompress (/lib/x86\_64-linux-gnu/liblzo2.so.2+0x13143)  
    #1 0x43faff in lzo\_decompress\_buf ../stream.c:589  
    #2 0x43faff in ucompthread ../stream.c:1529  
    #3 0x7f199804d6b9 in start\_thread (/lib/x86\_64-linux-gnu/libpthread.so.0+0x76b9)  
    #4 0x7f199747f41c in clone (/lib/x86\_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV ??:0 lzo1x\_decompress  
Thread T1 created by T0 here:  
    #0 0x7f19988e51e3 in pthread\_create (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x361e3)  
    #1 0x451505 in create\_pthread ../stream.c:133  
    #2 0x451505 in fill\_buffer ../stream.c:1694  
    #3 0x451505 in read\_stream ../stream.c:1781  
    #4 0x18 (<unknown module>)

\==177389==ABORTING

CVE-2020-25467: Bug #1893641 “segmentation fault in lzo_decompress_buf, stream.c...” : Bugs : lrzip package : Ubuntu

An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.

CVE-2019-25045

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

CVE-2021-33054: sogo/CHANGELOG.md at master · inverse-inc/sogo

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_dict_set function in dict.c.

**#8315 closed defect (fixed)**

Reported by:

Owned by:

Priority:

minor

Component:

ffmpeg

Version:

git-master

Keywords:

leak

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There're memory leaks detected in av\_dict\_set()  
How to reproduce:  

% ffmpeg\_g -y -i $PoC1 -i $PoC2 -filter\_complex acompressor -target dvd -loglevel 0 -c pcm\_s24le tmp.dnxhd

ffmpeg version N-95464-g7056ddc0e0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==36149== HEAP SUMMARY:
==36149==     in use at exit: 1,046 bytes in 61 blocks
==36149==   total heap usage: 643 allocs, 582 frees, 2,630,129 bytes allocated
==36149== 
==36149== 54 (16 direct, 38 indirect) bytes in 1 blocks are definitely lost in loss record 40 of 44
==36149==    at 0x9FE3E76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==36149==    by 0x9FE3F91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==36149==    by 0x592F079: av\_malloc (mem.c:87)
==36149==    by 0x592F079: av\_mallocz (mem.c:238)
==36149==    by 0x58EA3CC: av\_dict\_set (dict.c:89)
==36149==    by 0x45D36E: new\_output\_stream (ffmpeg\_opt.c:1554)
==36149==    by 0x455A25: new\_audio\_stream (ffmpeg\_opt.c:1860)
==36149==    by 0x4508EC: init\_output\_filter (ffmpeg\_opt.c:2062)
==36149==    by 0x43481F: open\_output\_file (ffmpeg\_opt.c:2187)
==36149==    by 0x42DE5E: open\_files (ffmpeg\_opt.c:3283)
==36149==    by 0x42DC06: ffmpeg\_parse\_options (ffmpeg\_opt.c:3337)
==36149==    by 0x487BB3: main (ffmpeg.c:4862)
==36149== 
==36149== LEAK SUMMARY:
==36149==    definitely lost: 16 bytes in 1 blocks
==36149==    indirectly lost: 38 bytes in 3 blocks
==36149==      possibly lost: 0 bytes in 0 blocks
==36149==    still reachable: 992 bytes in 57 blocks
==36149==         suppressed: 0 bytes in 0 blocks
==36149== Reachable blocks (those to which a pointer was found) are not shown.
==36149== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==36149== 
==36149== For counts of detected and suppressed errors, rerun with: -v
==36149== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Please confirm.  
Thanks

CVE-2020-22054: #8315 (memory leaks in av_dict_set()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the wtvfile_open_sector function in wtvdec.c.

**#8314 closed defect (fixed)**

Reported by:

Owned by:

Priority:

normal

Component:

avformat

Version:

git-master

Keywords:

wtv leak

Cc:

Blocked By:

Blocking:

Reproduced by developer:

yes

Analyzed by developer:

no

Summary of the bug:  
There're memory leaks detected in wtvfile\_open\_sector()  
How to reproduce:  

% ffmpeg\_g -i $PoC tmp.lxf

ffmpeg version N-95464-g7056ddc0e0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==10445== HEAP SUMMARY:
==10445==     in use at exit: 5,236 bytes in 38 blocks
==10445==   total heap usage: 102 allocs, 64 frees, 79,475 bytes allocated
==10445== 
==10445== 4,412 (264 direct, 4,148 indirect) bytes in 1 blocks are definitely lost in loss record 33 of 33
==10445==    at 0x9FE3E76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==10445==    by 0x9FE3F91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==10445==    by 0x592EC7D: av\_malloc (mem.c:87)
==10445==    by 0x14731F6: avio\_alloc\_context (aviobuf.c:140)
==10445==    by 0x1AB7BA6: wtvfile\_open\_sector (wtvdec.c:238)
==10445==    by 0x1AB7BA6: wtvfile\_open2 (wtvdec.c:289)
==10445==    by 0x1AB3355: read\_header (wtvdec.c:989)
==10445==    by 0x1A145FC: avformat\_open\_input (utils.c:633)
==10445==    by 0x42FFF7: open\_input\_file (ffmpeg\_opt.c:1105)
==10445==    by 0x42DE5E: open\_files (ffmpeg\_opt.c:3283)
==10445==    by 0x42DB4F: ffmpeg\_parse\_options (ffmpeg\_opt.c:3323)
==10445==    by 0x487BB3: main (ffmpeg.c:4862)
==10445== 
==10445== LEAK SUMMARY:
==10445==    definitely lost: 264 bytes in 1 blocks
==10445==    indirectly lost: 4,148 bytes in 3 blocks
==10445==      possibly lost: 0 bytes in 0 blocks
==10445==    still reachable: 824 bytes in 34 blocks
==10445==         suppressed: 0 bytes in 0 blocks
==10445== Reachable blocks (those to which a pointer was found) are not shown.
==10445== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10445== 
==10445== For counts of detected and suppressed errors, rerun with: -v
==10445== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Please confirm.  
Thanks

CVE-2020-22049: #8314 (memory leaks in wtvfile_open_sector()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_frame_pool_get function in framepool.c.

**#8303 closed defect (fixed)**

Reported by:

Owned by:

Priority:

important

Component:

undetermined

Version:

git-master

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There are memory leaks in ff\_frame\_pool\_get()  
How to reproduce:  

% ffmpeg\_g -t 3 -y -i $PoC -filter\_complex colorspace -target dvd -loglevel 0 tmp.ads

ffmpeg version N-95441-g0ae6fb276b Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==6446== HEAP SUMMARY:
==6446==     in use at exit: 100,746 bytes in 33 blocks
==6446==   total heap usage: 3,265 allocs, 3,232 frees, 2,295,813 bytes allocated
==6446== 
==6446== 50,357 (536 direct, 49,821 indirect) bytes in 1 blocks are definitely lost in loss record 12 of 13
==6446==    at 0x9FE2E76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==6446==    by 0x9FE2F91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==6446==    by 0x592E949: av\_malloc (mem.c:87)
==6446==    by 0x592E949: av\_mallocz (mem.c:238)
==6446==    by 0x5902ADD: av\_frame\_alloc (frame.c:191)
==6446==    by 0x64FBD5: ff\_frame\_pool\_get (framepool.c:201)
==6446==    by 0xFB8A9C: ff\_default\_get\_video\_buffer (video.c:90)
==6446==    by 0xD20033: scale\_frame (vf\_scale.c:460)
==6446==    by 0xD1F24C: filter\_frame (vf\_scale.c:549)
==6446==    by 0x5CFE9C: ff\_filter\_frame\_framed (avfilter.c:1084)
==6446==    by 0x5CFE9C: ff\_filter\_frame\_to\_filter (avfilter.c:1232)
==6446==    by 0x5CFE9C: ff\_filter\_activate\_default (avfilter.c:1281)
==6446==    by 0x5CFE9C: ff\_filter\_activate (avfilter.c:1443)
==6446==    by 0x5F42A4: push\_frame (buffersrc.c:187)
==6446==    by 0x5F42A4: av\_buffersrc\_add\_frame\_internal (buffersrc.c:261)
==6446==    by 0x5F2E7D: av\_buffersrc\_add\_frame\_flags (buffersrc.c:170)
==6446==    by 0x4CAD5F: ifilter\_send\_frame (ffmpeg.c:2186)
==6446==    by 0x4CAD5F: send\_frame\_to\_filters (ffmpeg.c:2260)
==6446== 
==6446== 50,357 (536 direct, 49,821 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 13
==6446==    at 0x9FE2E76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==6446==    by 0x9FE2F91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==6446==    by 0x592E949: av\_malloc (mem.c:87)
==6446==    by 0x592E949: av\_mallocz (mem.c:238)
==6446==    by 0x5902ADD: av\_frame\_alloc (frame.c:191)
==6446==    by 0x64FBD5: ff\_frame\_pool\_get (framepool.c:201)
==6446==    by 0xFB8A9C: ff\_default\_get\_video\_buffer (video.c:90)
==6446==    by 0x7FD3D4: filter\_frame (vf\_colorspace.c:770)
==6446==    by 0x5CFE9C: ff\_filter\_frame\_framed (avfilter.c:1084)
==6446==    by 0x5CFE9C: ff\_filter\_frame\_to\_filter (avfilter.c:1232)
==6446==    by 0x5CFE9C: ff\_filter\_activate\_default (avfilter.c:1281)
==6446==    by 0x5CFE9C: ff\_filter\_activate (avfilter.c:1443)
==6446==    by 0x5F42BE: push\_frame (buffersrc.c:187)
==6446==    by 0x5F42BE: av\_buffersrc\_add\_frame\_internal (buffersrc.c:261)
==6446==    by 0x5F2E7D: av\_buffersrc\_add\_frame\_flags (buffersrc.c:170)
==6446==    by 0x4CAD5F: ifilter\_send\_frame (ffmpeg.c:2186)
==6446==    by 0x4CAD5F: send\_frame\_to\_filters (ffmpeg.c:2260)
==6446==    by 0x4A07BB: decode\_video (ffmpeg.c:2459)
==6446==    by 0x4A07BB: process\_input\_packet (ffmpeg.c:2613)
==6446== 
==6446== LEAK SUMMARY:
==6446==    definitely lost: 1,072 bytes in 2 blocks
==6446==    indirectly lost: 99,642 bytes in 30 blocks
==6446==      possibly lost: 0 bytes in 0 blocks
==6446==    still reachable: 32 bytes in 1 blocks
==6446==         suppressed: 0 bytes in 0 blocks
==6446== Reachable blocks (those to which a pointer was found) are not shown.
==6446== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==6446== 
==6446== For counts of detected and suppressed errors, rerun with: -v
==6446== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Please confirm.  
Thanks

CVE-2020-22048: #8303 (memory leaks in ff_frame_pool_get()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c.

**#8294 closed defect (fixed)**

Reported by:

Owned by:

Priority:

important

Component:

undetermined

Version:

git-master

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There are memory leaks in avpriv\_float\_dsp\_alloc()  
How to reproduce:  

% ffmpeg\_g -y  -i $PoC -loglevel 0 -psnr tmp.eac3

ffmpeg version N-95425-g1e35519fe0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==16402== HEAP SUMMARY:
==16402==     in use at exit: 120 bytes in 2 blocks
==16402==   total heap usage: 889 allocs, 887 frees, 2,885,023 bytes allocated
==16402== 
==16402== 88 bytes in 1 blocks are definitely lost in loss record 2 of 2
==16402==    at 0x9FDFE76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==16402==    by 0x9FDFF91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==16402==    by 0x592C189: av\_malloc (mem.c:87)
==16402==    by 0x592C189: av\_mallocz (mem.c:238)
==16402==    by 0x58FC61E: avpriv\_float\_dsp\_alloc (float\_dsp.c:137)
==16402==    by 0x44EB76E: ff\_ac3\_float\_encode\_init (ac3enc\_float.c:135)
==16402==    by 0x346DC34: avcodec\_open2 (utils.c:946)
==16402==    by 0x4A6841: init\_output\_stream (ffmpeg.c:3507)
==16402==    by 0x4BFFE5: reap\_filters (ffmpeg.c:1442)
==16402==    by 0x48D661: transcode\_step (ffmpeg.c:4638)
==16402==    by 0x48D661: transcode (ffmpeg.c:4682)
==16402==    by 0x487DA3: main (ffmpeg.c:4884)
==16402== 
==16402== LEAK SUMMARY:
==16402==    definitely lost: 88 bytes in 1 blocks
==16402==    indirectly lost: 0 bytes in 0 blocks
==16402==      possibly lost: 0 bytes in 0 blocks
==16402==    still reachable: 32 bytes in 1 blocks
==16402==         suppressed: 0 bytes in 0 blocks
==16402== Reachable blocks (those to which a pointer was found) are not shown.
==16402== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==16402== 
==16402== For counts of detected and suppressed errors, rerun with: -v
==16402== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

ASAN log.  

\=================================================================
==33197==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x85651c0 in avpriv\_float\_dsp\_alloc ffmpeg/libavutil/float\_dsp.c:137:31

SUMMARY: AddressSanitizer: 88 byte(s) leaked in 1 allocation(s).

Please confirm.  
Thanks

CVE-2020-22046: #8294 (memory leaks in avpriv_float_dsp_alloc()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c.

**#8295 closed defect (fixed)**

Reported by:

Owned by:

Priority:

important

Component:

avformat

Version:

git-master

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There are memory leaks in url\_open\_dyn\_buf\_internal()  
How to reproduce:  

% ffmpeg\_g -y -i $PoC tmp.nut

ffmpeg version N-95425-g1e35519fe0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==38914== HEAP SUMMARY:
==38914==     in use at exit: 1,352 bytes in 3 blocks
==38914==   total heap usage: 4,302 allocs, 4,299 frees, 12,611,962 bytes allocated
==38914== 
==38914== 1,320 (264 direct, 1,056 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
==38914==    at 0x9FDFE76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==38914==    by 0x9FDFF91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==38914==    by 0x592BD8D: av\_malloc (mem.c:87)
==38914==    by 0x147F261: avio\_alloc\_context (aviobuf.c:140)
==38914==    by 0x147F261: url\_open\_dyn\_buf\_internal (aviobuf.c:1419)
==38914==    by 0x186E4AD: nut\_write\_trailer (nutenc.c:1173)
==38914==    by 0x17EBB33: av\_write\_trailer (mux.c:1283)
==38914==    by 0x48FF5B: transcode (ffmpeg.c:4716)
==38914==    by 0x487DA3: main (ffmpeg.c:4884)
==38914== 
==38914== LEAK SUMMARY:
==38914==    definitely lost: 264 bytes in 1 blocks
==38914==    indirectly lost: 1,056 bytes in 1 blocks
==38914==      possibly lost: 0 bytes in 0 blocks
==38914==    still reachable: 32 bytes in 1 blocks
==38914==         suppressed: 0 bytes in 0 blocks
==38914== Reachable blocks (those to which a pointer was found) are not shown.
==38914== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==38914== 
==38914== For counts of detected and suppressed errors, rerun with: -v
==38914== ERROR SUMMARY: 82534 errors from 137 contexts (suppressed: 0 from 0)

ASAN log.  

\=================================================================
==21625==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 264 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c1021 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x1cdb48f in avio\_alloc\_context ffmpeg/libavformat/aviobuf.c:140:22
    #3 0x1cdb48f in url\_open\_dyn\_buf\_internal ffmpeg/libavformat/aviobuf.c:1419

Indirect leak of 1056 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x1cdb3af in url\_open\_dyn\_buf\_internal ffmpeg/libavformat/aviobuf.c:1415:9
    #4 0x8a78fcd in \_fini (ffmpeg\_usan+0x8a78fcd)

SUMMARY: AddressSanitizer: 1320 byte(s) leaked in 2 allocation(s).

Please confirm.  
Thanks

CVE-2020-22044: #8295 (memory leaks in url_open_dyn_buf_internal()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_buffersrc_add_frame_flags function in buffersrc.

**#8296 closed defect (fixed)**

Reported by:

Owned by:

Priority:

important

Component:

undetermined

Version:

git-master

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There are memory leaks from av\_buffersrc\_add\_frame\_flags()  
How to reproduce:  

% ffmpeg\_g -y -i $PoC -filter\_complex random -target dv50 -loglevel 0 -vbsf mjpeg2jpeg -disposition:a:51 pcm\_u24le tmp.tmv

ffmpeg version N-95425-g1e35519fe0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's Valgrind log  

\==34566== HEAP SUMMARY:
==34566==     in use at exit: 16,558 bytes in 20 blocks
==34566==   total heap usage: 3,798 allocs, 3,778 frees, 4,820,806 bytes allocated
==34566== 
==34566== 16,526 (536 direct, 15,990 indirect) bytes in 1 blocks are definitely lost in loss record 16 of 16
==34566==    at 0x9FDFE76: memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==34566==    by 0x9FDFF91: posix\_memalign (in /usr/lib/valgrind/vgpreload\_memcheck-amd64-linux.so)
==34566==    by 0x592C189: av\_malloc (mem.c:87)
==34566==    by 0x592C189: av\_mallocz (mem.c:238)
==34566==    by 0x590031D: av\_frame\_alloc (frame.c:191)
==34566==    by 0x5F4170: av\_buffersrc\_add\_frame\_internal (buffersrc.c:237)
==34566==    by 0x5F2E7D: av\_buffersrc\_add\_frame\_flags (buffersrc.c:170)
==34566==    by 0x4CAD5F: ifilter\_send\_frame (ffmpeg.c:2186)
==34566==    by 0x4CAD5F: send\_frame\_to\_filters (ffmpeg.c:2260)
==34566==    by 0x4A07BB: decode\_video (ffmpeg.c:2459)
==34566==    by 0x4A07BB: process\_input\_packet (ffmpeg.c:2613)
==34566==    by 0x4BA037: process\_input (ffmpeg.c:4303)
==34566==    by 0x48D5EA: transcode\_step (ffmpeg.c:4628)
==34566==    by 0x48D5EA: transcode (ffmpeg.c:4682)
==34566==    by 0x487DA3: main (ffmpeg.c:4884)
==34566== 
==34566== LEAK SUMMARY:
==34566==    definitely lost: 536 bytes in 1 blocks
==34566==    indirectly lost: 15,990 bytes in 18 blocks
==34566==      possibly lost: 0 bytes in 0 blocks
==34566==    still reachable: 32 bytes in 1 blocks
==34566==         suppressed: 0 bytes in 0 blocks
==34566== Reachable blocks (those to which a pointer was found) are not shown.
==34566== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==34566== 
==34566== For counts of detected and suppressed errors, rerun with: -v
==34566== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

ASAN log.  

\=================================================================
==17259==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 536 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x856c977 in av\_frame\_alloc ffmpeg/libavutil/frame.c:191:22
    #4 0x86eaf2 in av\_buffersrc\_add\_frame\_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #5 0x666407 in ifilter\_send\_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #6 0x666407 in send\_frame\_to\_filters ffmpeg/fftools/ffmpeg.c:2260
    #7 0x607666 in decode\_video ffmpeg/fftools/ffmpeg.c:2459:11
    #8 0x607666 in process\_input\_packet ffmpeg/fftools/ffmpeg.c:2613
    #9 0x644c58 in process\_input ffmpeg/fftools/ffmpeg.c:4303:23
    #10 0x5e7157 in transcode\_step ffmpeg/fftools/ffmpeg.c:4628:11
    #11 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #12 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #13 0x7f7cbca03b96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 15439 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c1021 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x8527f51 in av\_buffer\_alloc ffmpeg/libavutil/buffer.c:72:12
    #3 0x8527f51 in av\_buffer\_allocz ffmpeg/libavutil/buffer.c:85
    #4 0x852c776 in pool\_alloc\_buffer ffmpeg/libavutil/buffer.c:313:26
    #5 0x852c776 in av\_buffer\_pool\_get ffmpeg/libavutil/buffer.c:349
    #6 0x2ef03a2 in video\_get\_buffer ffmpeg/libavcodec/decode.c:1678:23
    #7 0x2ef03a2 in avcodec\_default\_get\_buffer2 ffmpeg/libavcodec/decode.c:1717
    #8 0x2ef7eac in get\_buffer\_internal ffmpeg/libavcodec/decode.c:1945:11
    #9 0x2ef7eac in ff\_get\_buffer ffmpeg/libavcodec/decode.c:1970

Indirect leak of 95 byte(s) in 6 object(s) allocated from:
    #0 0x4de230 in realloc (ffmpeg\_usan+0x4de230)
    #1 0x85c2be7 in av\_realloc ffmpeg/libavutil/mem.c:144:12
    #2 0x85c2be7 in av\_strdup ffmpeg/libavutil/mem.c:256
    #3 0x853981d in av\_dict\_copy ffmpeg/libavutil/dict.c:222:19

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c1021 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x8527dcd in av\_buffer\_alloc ffmpeg/libavutil/buffer.c:72:12
    #3 0x856b423 in av\_frame\_new\_side\_data ffmpeg/libavutil/frame.c:727:24
    #4 0x85b9419 in av\_mastering\_display\_metadata\_create\_side\_data ffmpeg/libavutil/mastering\_display\_metadata.c:34:34
    #5 0x47532c3 in decode\_frame\_png ffmpeg/libavcodec/pngdec.c:1474:16
    #6 0x48495d6 in frame\_worker\_thread ffmpeg/libavcodec/pthread\_frame.c:201:21

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x852b093 in av\_buffer\_pool\_init ffmpeg/libavutil/buffer.c:240:26

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x4de230 in realloc (ffmpeg\_usan+0x4de230)
    #1 0x8537020 in av\_dict\_set ffmpeg/libavutil/dict.c:106:34
    #2 0x853981d in av\_dict\_copy ffmpeg/libavutil/dict.c:222:19

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x852c7a6 in pool\_alloc\_buffer ffmpeg/libavutil/buffer.c:317:11
    #4 0x852c7a6 in av\_buffer\_pool\_get ffmpeg/libavutil/buffer.c:349
    #5 0x2ef03a2 in video\_get\_buffer ffmpeg/libavcodec/decode.c:1678:23
    #6 0x2ef03a2 in avcodec\_default\_get\_buffer2 ffmpeg/libavcodec/decode.c:1717
    #7 0x2ef7eac in get\_buffer\_internal ffmpeg/libavcodec/decode.c:1945:11
    #8 0x2ef7eac in ff\_get\_buffer ffmpeg/libavcodec/decode.c:1970

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x8527438 in av\_buffer\_create ffmpeg/libavutil/buffer.c:35:11
    #4 0x8527f86 in av\_buffer\_alloc ffmpeg/libavutil/buffer.c:76:11
    #5 0x8527f86 in av\_buffer\_allocz ffmpeg/libavutil/buffer.c:85
    #6 0x852c776 in pool\_alloc\_buffer ffmpeg/libavutil/buffer.c:313:26
    #7 0x852c776 in av\_buffer\_pool\_get ffmpeg/libavutil/buffer.c:349
    #8 0x2ef03a2 in video\_get\_buffer ffmpeg/libavcodec/decode.c:1678:23
    #9 0x2ef03a2 in avcodec\_default\_get\_buffer2 ffmpeg/libavcodec/decode.c:1717
    #10 0x2ef7eac in get\_buffer\_internal ffmpeg/libavcodec/decode.c:1945:11
    #11 0x2ef7eac in ff\_get\_buffer ffmpeg/libavcodec/decode.c:1970

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x856aa29 in av\_frame\_new\_side\_data\_from\_buf ffmpeg/libavutil/frame.c:708:11

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x8527438 in av\_buffer\_create ffmpeg/libavutil/buffer.c:35:11
    #4 0x8527dff in av\_buffer\_alloc ffmpeg/libavutil/buffer.c:76:11
    #5 0x856b423 in av\_frame\_new\_side\_data ffmpeg/libavutil/frame.c:727:24
    #6 0x85b9419 in av\_mastering\_display\_metadata\_create\_side\_data ffmpeg/libavutil/mastering\_display\_metadata.c:34:34
    #7 0x47532c3 in decode\_frame\_png ffmpeg/libavcodec/pngdec.c:1474:16
    #8 0x48495d6 in frame\_worker\_thread ffmpeg/libavcodec/pthread\_frame.c:201:21

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x852816b in av\_buffer\_ref ffmpeg/libavutil/buffer.c:95:24

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x852816b in av\_buffer\_ref ffmpeg/libavutil/buffer.c:95:24
    #4 0x8573eee in av\_frame\_ref ffmpeg/libavutil/frame.c:457:11

Indirect leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_usan+0x4de9e8)
    #1 0x85c2178 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x85c2178 in av\_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x8536e6e in av\_dict\_set ffmpeg/libavutil/dict.c:89:19
    #4 0x853981d in av\_dict\_copy ffmpeg/libavutil/dict.c:222:19

Indirect leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x4de230 in realloc (ffmpeg\_usan+0x4de230)
    #1 0x856a9d0 in av\_frame\_new\_side\_data\_from\_buf ffmpeg/libavutil/frame.c:702:11

SUMMARY: AddressSanitizer: 16526 byte(s) leaked in 19 allocation(s).

Please confirm.  
Thanks

CVE-2020-22041: #8296 (memory leaks from av_buffersrc_add_frame_flags()) – FFmpeg

A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.

**#8260 closed defect (fixed)**

Reported by:

Owned by:

Priority:

normal

Component:

undetermined

Version:

git-master

Keywords:

asan

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There is a heap-buffer-overflow at libavfilter/vf\_edgedetect.c:153 in gaussian\_blur.  

I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached log file.  
How to reproduce:  

% ffmpeg\_g -y -i $PoC -filter\_complex edgedetect -target dvd -loglevel 99 tmp.u32le

ffmpeg version N-95336-g4f4334bcbc Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's ASAN log  

\=================================================================
==24040==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000b681 at pc 0x0000004dcadc bp 0x7fffffffa750 sp 0x7fffffff9f00
WRITE of size 1 at 0x60900000b681 thread T0
    #0 0x4dcadb in \_\_asan\_memcpy (ffmpeg\_asan+0x4dcadb)
    #1 0xcd16cd in gaussian\_blur ffmpeg/libavfilter/vf\_edgedetect.c:153:5
    #2 0xcd16cd in filter\_frame ffmpeg/libavfilter/vf\_edgedetect.c:359
    #3 0x826e29 in ff\_filter\_activate\_default ffmpeg/libavfilter/avfilter.c:1071:11
    #4 0x826e29 in ff\_filter\_activate ffmpeg/libavfilter/avfilter.c:1430
    #5 0x86fd22 in push\_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #6 0x86fd22 in av\_buffersrc\_add\_frame\_internal ffmpeg/libavfilter/buffersrc.c:261
    #7 0x86e762 in av\_buffersrc\_add\_frame\_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #8 0x666407 in ifilter\_send\_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #9 0x666407 in send\_frame\_to\_filters ffmpeg/fftools/ffmpeg.c:2260
    #10 0x607666 in decode\_video ffmpeg/fftools/ffmpeg.c:2459:11
    #11 0x607666 in process\_input\_packet ffmpeg/fftools/ffmpeg.c:2613
    #12 0x644c58 in process\_input ffmpeg/fftools/ffmpeg.c:4303:23
    #13 0x5e7157 in transcode\_step ffmpeg/fftools/ffmpeg.c:4628:11
    #14 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #15 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #16 0x7ffff5c93b96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41def9 in \_start (ffmpeg\_asan+0x41def9)

0x60900000b681 is located 0 bytes to the right of 1-byte region \[0x60900000b680,0x60900000b681)
allocated by thread T0 here:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_asan+0x4de9e8)
    #1 0x8598211 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0xcdc71c in config\_props ffmpeg/libavfilter/vf\_edgedetect.c:137:29

SUMMARY: AddressSanitizer: heap-buffer-overflow (ffmpeg\_asan+0x4dcadb) in \_\_asan\_memcpy

Please confirm.  
Thanks

Tag

#ubuntu