libav: heap-based buffer overflow in ff_audio_resample (resample.c)

Description:
Libav is an open source set of tools for audio and video processing.

A crafted file can cause an overflow in the heap. This bug was discovered the last year, but I didn’t have time to do anything else.
Now, after more digging I discovered that it was reported independently by nfxjfg on the libav bugtracker.
He triggered the crash with a C program using the libav api; the difference with this crash resides in the size of the write out of the bound. In his case it is of 4.
In any case, the commit address both the issues.

The complete ASan output:

# avconv -i $file -f null -
==501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b0e0 at pc 0x0000004aab36 bp 0x7ffc0c199fd0 sp 0x7ffc0c199780
WRITE of size 2 at 0x60800000b0e0 thread T0
    #0 0x4aab35 in __asan_memcpy /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435:3
    #1 0x7fb0ce8c7a49 in ff_audio_resample /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavresample/resample.c:444:21
    #2 0x7fb0ce8cfa3e in avresample_convert /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavresample/utils.c:449:15
    #3 0x7fb0d291c8de in request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/af_resample.c:197:15
    #4 0x7fb0d292c578 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:254:16
    #5 0x7fb0d292c648 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:256:16
    #6 0x7fb0d294c6ad in request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/fifo.c:234:20
    #7 0x7fb0d292c578 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:254:16
    #8 0x7fb0d29414f3 in av_buffersink_get_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/buffersink.c:69:16
    #9 0x540f19 in poll_filter /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:663:15
    #10 0x540f19 in poll_filters /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:747
    #11 0x538eab in transcode /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2492:15
    #12 0x538eab in main /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2646
    #13 0x7fb0cd2e4aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #14 0x43a5d6 in _start (/usr/bin/avconv+0x43a5d6)

0x60800000b0e0 is located 0 bytes to the right of 64-byte region [0x60800000b0a0,0x60800000b0e0)
allocated by thread T0 here:
    #0 0x4c1f4c in __interceptor_posix_memalign /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fb0ce21aa16 in av_malloc /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavutil/mem.c:81:9
    #2 0x7fb0ce2401ef in av_samples_alloc /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavutil/samplefmt.c:171:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c107fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c107fff9610: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c107fff9620: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c107fff9630: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c107fff9640: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c107fff9650: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c107fff9660: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==501==ABORTING                                                                                                                                                                                                                                                 

Affected version:
11.3 (and maybe past versions)

Fixed version:
11.4

Commit fix:
https://git.libav.org/?p=libav.git;a=commit;h=0ac8ff618c5e6d878c547a8877e714ed728950ce

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was reported independently and in a different way by nfxjfg in the libav bugtracker.

CVE:
CVE-2016-6832

Timeline:
2015-07-27: bug discovered
2016-08-07: blog post about the issue
2016-08-18: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.

Permalink:

libav: heap-based buffer overflow in ff_audio_resample (resample.c)

This entry was posted in advisories, security. Bookmark the permalink.

2 Responses to libav: heap-based buffer overflow in ff_audio_resample (resample.c)

  1. René Rhéaume says:

    Would that affect ffmpeg too?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *