{"id":342,"date":"2016-08-20T19:08:21","date_gmt":"2016-08-20T17:08:21","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=342"},"modified":"2016-09-11T11:27:10","modified_gmt":"2016-09-11T09:27:10","slug":"libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/20\/libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c\/","title":{"rendered":"libav: stack-based buffer overflow in aac_sync (aac_parser.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/libav.org\/\">Libav<\/a> is an open source set of tools for audio and video processing.<\/p>\n<p>A crafted file causes a stack-based buffer overflow. The ASan report may be confusing because the top frame is get_bits, but the overflowed stack object lives in the frame of aac_sync.<br \/>\nThis issue was discovered last year; I reported it to Luca Barbato privately and didn&#8217;t follow its status.<br \/>\nBefore I made the report, the bug had been noticed by Janne Grunau because the FATE test reported a failure; he fixed it, but at that time there was no stable release that included the fix.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\">~ # avconv -i $FILE -f null -\r\n==20736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3bd34f4a at pc 0x7f0805611189 bp 0x7ffd3bd34e20 sp 0x7ffd3bd34e18\r\nREAD of size 4 at 0x7ffd3bd34f4a thread T0\r\n    #0 0x7f0805611188 in get_bits \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/get_bits.h:244:5\r\n    #1 0x7f0805611188 in avpriv_aac_parse_header \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/aacadtsdec.c:58\r\n    #2 0x7f080560f19e in aac_sync \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/aac_parser.c:43:17\r\n    #3 0x7f080560a87b in ff_aac_ac3_parse 
\/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/aac_ac3_parser.c:48:25\r\n    #4 0x7f0806fcd8e6 in av_parser_parse2 \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/parser.c:157:13\r\n    #5 0x7f0808efd4dd in parse_packet \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavformat\/utils.c:794:15\r\n    #6 0x7f0808edae64 in read_frame_internal \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavformat\/utils.c:960:24\r\n    #7 0x7f0808ee8783 in avformat_find_stream_info \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavformat\/utils.c:2156:15\r\n    #8 0x4f62f6 in open_input_file \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv_opt.c:726:11\r\n    #9 0x4f474f in open_files \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv_opt.c:2127:15\r\n    #10 0x4f3f62 in avconv_parse_options \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv_opt.c:2164:11\r\n    #11 0x528727 in main \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv.c:2629:11\r\n    #12 0x7f0803c83aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #13 0x43a5d6 in _start (\/usr\/bin\/avconv+0x43a5d6)\r\n\r\nAddress 0x7ffd3bd34f4a is located in stack of thread T0 at offset 170 in frame\r\n    #0 0x7f080560ee3f in aac_sync \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavcodec\/aac_parser.c:31\r\n\r\n  This frame has 3 object(s):\r\n    [32, 64) 'bits'\r\n    [96, 116) 'hdr'\r\n    [160, 168) 'tmp'\r\n  0x10002779e9e0: 00 00 04 f2 f2 f2 f2 f2 00[f3]f3 f3 00 00 00 00\r\n  0x10002779e9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10002779ea00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1\r\n  0x10002779ea10: 00 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00\r\n  0x10002779ea20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10002779ea30: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07\r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==20736==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n11.3 (and possibly earlier versions)<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n11.5<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/git.libav.org\/?p=libav.git;a=commit;h=fb1473080223a634b8ac2cca48a632d037a0a69d\">https:\/\/git.libav.org\/?p=libav.git;a=commit;h=fb1473080223a634b8ac2cca48a632d037a0a69d<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<br \/>\nThis bug was also discovered by Janne Grunau.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-7393<\/p>\n<p><strong>Timeline:<\/strong><br 
\/>\n2015-07-27: bug discovered<br \/>\n2015-07-28: bug reported privately to upstream<br \/>\n2016-08-20: blog post about the issue<br \/>\n2016-09-10: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug does not affect <a href=\"http:\/\/ffmpeg.org\/\">ffmpeg<\/a>.<br \/>\nThe same fix was applied to similar code in the <a href=\"https:\/\/git.libav.org\/?p=libav.git;a=commit;h=09447f2b0fafac6d9565aab82a4c5f16fc99ee5e\">ac3_parser.c<\/a> file.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/20\/libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c\/\">libav: stack-based buffer overflow in aac_sync (aac_parser.c)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Libav is an open source set of tools for audio and video processing. A crafted file causes a stack-based buffer overflow. The ASan report may be confusing because the top frame is get_bits, but the overflowed stack object lives in the frame of aac_sync. 
This issue &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/20\/libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-5w","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/342"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=342"}],"version-history":[{"count":11,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/342\/revisions"}],"predecessor-version":[{"id":502,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/342\/revisions\/502"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}