libav: null pointer dereference in get_vlc2 (get_bits.h)

Description:
Libav is an open source set of tools for audio and video processing.

A crafted file causes a NULL pointer access.
This issue was discovered last year, but I didn’t make the report and I didn’t follow its status because of a lack of time.

Since I saw that the issue no longer happens on the git head, I asked a libav developer (Luca Barbato) about it. He said that commit e5b019725f53b79159931d3a7317107cbbfd0860 makes the issue no longer reachable through the provided testcase, but the issue is still there (maybe another round of fuzzing will rediscover it on master).

The complete ASan output:

# avconv -i $FILE -f null -
ASAN:SIGSEGV
=================================================================
==20876==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000fc (pc 0x7f5273202c6c bp 0x7ffc8442a690 sp 0x7ffc8442a520 T0)
    #0 0x7f5273202c6b in get_vlc2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530:5
    #1 0x7f5273202c6b in mpeg4_decode_sprite_trajectory /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:182
    #2 0x7f527322cbd8 in decode_vop_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:2232:13
    #3 0x7f527322cbd8 in ff_mpeg4_decode_picture_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:2491
    #4 0x7f52731fa9ae in mpeg4_decode_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4video_parser.c:92:11
    #5 0x7f52731fa9ae in mpeg4video_parse /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4video_parser.c:132
    #6 0x7f52735c88e6 in av_parser_parse2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/parser.c:157:13
    #7 0x7f52754f84dd in parse_packet /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:794:15
    #8 0x7f52754d5e64 in read_frame_internal /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:960:24
    #9 0x7f52754e3783 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:2156:15
    #10 0x4f62f6 in open_input_file /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:726:11
    #11 0x4f474f in open_files /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:2127:15
    #12 0x4f3f62 in avconv_parse_options /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:2164:11
    #13 0x528727 in main /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2629:11
    #14 0x7f527027eaa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #15 0x43a5d6 in _start (/usr/bin/avconv+0x43a5d6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530 get_vlc2
==20876==ABORTING
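
For triaging fuzzer crashes like the one above, this added example (not part of the original advisory or of libav) parses an ASan SEGV report, classifies a fault address inside the first page as a NULL dereference, and builds a de-duplication key from the top frames. The `triage` function, the `PAGE_SIZE` threshold and the bucket format are assumptions of this example; the sample input is an excerpt of the trace above.

```python
import re

# Excerpt of the ASan report above (header line and first three frames).
REPORT = """\
==20876==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000fc (pc 0x7f5273202c6c bp 0x7ffc8442a690 sp 0x7ffc8442a520 T0)
    #0 0x7f5273202c6b in get_vlc2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530:5
    #1 0x7f5273202c6b in mpeg4_decode_sprite_trajectory /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:182
    #2 0x7f527322cbd8 in decode_vop_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:2232:13
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-fA-F]+)")
# Symbolized frame: "#N 0xPC in function /path/file.c:line[:column]"
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
PAGE_SIZE = 4096  # assumption: a fault in the first page is NULL plus a small offset


def triage(report, depth=3):
    """Return (kind, fault_address, bucket) for one ASan SEGV report."""
    m = HEADER.search(report)
    if m is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    signal, addr = m.group(1), int(m.group(2), 16)
    kind = "null-deref" if addr < PAGE_SIZE else "wild-access"
    frames = []
    for _, func, path, line in FRAME.findall(report)[:depth]:
        # Keep only the file name: build paths differ between machines.
        frames.append(f"{func}@{path.rsplit('/', 1)[-1]}:{line}")
    return f"{signal}/{kind}", addr, " < ".join(frames)


if __name__ == "__main__":
    kind, addr, bucket = triage(REPORT)
    print(kind, hex(addr), bucket)
```

Line numbers in the bucket key shift between releases, so compare keys only across crashes produced by the same build.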

Affected version:
11.3 (and maybe past versions) to 11.7

Fixed version:
11.9

Commit fix:
https://git.libav.org/?p=libav.git;a=blobdiff;f=libavformat/m4vdec.c;h=9d69dcc042142a93b0a61a2a41854e84a4c26b42;hp=4a0af3c03735e91c0883d797cc34f3f45060b965;hb=45abbe2041753d761b69fbdccc44dbcbd491daea;hpb=d1429c064a68dd0db3fb98af010028fd975ccfdd

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8676

Timeline:
2015-07-27: bug discovered
2016-09-14: bug reported to upstream
2016-09-24: blog post about the issue
2016-10-16: CVE Assigned
2016-12-06: upstream released a patch

Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.
The stack trace is from 11.3, but as said before, the issue is present in 11.7 too.
