{"id":344,"date":"2016-08-07T12:38:56","date_gmt":"2016-08-07T10:38:56","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=344"},"modified":"2016-09-07T14:35:49","modified_gmt":"2016-09-07T12:35:49","slug":"libav-heap-based-buffer-overflow-in-ff_audio_resample-resample-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/07\/libav-heap-based-buffer-overflow-in-ff_audio_resample-resample-c\/","title":{"rendered":"libav: heap-based buffer overflow in ff_audio_resample (resample.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/libav.org\/\">Libav<\/a> is an open source set of tools for audio and video processing.<\/p>\n<p>A crafted file can cause an overflow in the heap. This bug was discovered the last year, but I didn&#8217;t have time to do anything else.<br \/>\nNow, after more digging I discovered that it was reported independently by nfxjfg on the libav bugtracker.<br \/>\nHe triggered the crash with a C program using the libav api; the difference with this crash resides in the size of the write out of the bound. In his case it is of 4.<br \/>\nIn any case, the commit address both the issues.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># avconv -i $file -f null -\r\n==501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b0e0 at pc 0x0000004aab36 bp 0x7ffc0c199fd0 sp 0x7ffc0c199780\r\nWRITE of size 2 at 0x60800000b0e0 thread T0\r\n    #0 0x4aab35 in __asan_memcpy \/var\/tmp\/portage\/sys-devel\/llvm-3.6.1\/work\/llvm-3.6.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:435:3\r\n    #1 0x7fb0ce8c7a49 in ff_audio_resample \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavresample\/resample.c:444:21\r\n    #2 0x7fb0ce8cfa3e in avresample_convert \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavresample\/utils.c:449:15\r\n    #3 0x7fb0d291c8de in request_frame \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavfilter\/af_resample.c:197:15\r\n    #4 0x7fb0d292c578 in ff_request_frame \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavfilter\/avfilter.c:254:16\r\n    #5 0x7fb0d292c648 in ff_request_frame \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavfilter\/avfilter.c:256:16\r\n    #6 0x7fb0d294c6ad in request_frame \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavfilter\/fifo.c:234:20\r\n    #7 0x7fb0d292c578 in ff_request_frame \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavfilter\/avfilter.c:254:16\r\n    #8 0x7fb0d29414f3 in av_buffersink_get_frame \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavfilter\/buffersink.c:69:16\r\n    #9 0x540f19 in poll_filter \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv.c:663:15\r\n    #10 0x540f19 in poll_filters \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv.c:747\r\n    #11 0x538eab in transcode \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv.c:2492:15\r\n    #12 0x538eab in main \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/avconv.c:2646\r\n    #13 0x7fb0cd2e4aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n    #14 0x43a5d6 in _start (\/usr\/bin\/avconv+0x43a5d6)\r\n\r\n0x60800000b0e0 is located 0 bytes to the right of 64-byte region [0x60800000b0a0,0x60800000b0e0)\r\nallocated by thread T0 here:\r\n    #0 0x4c1f4c in __interceptor_posix_memalign \/var\/tmp\/portage\/sys-devel\/llvm-3.6.1\/work\/llvm-3.6.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:107:3\r\n    #1 0x7fb0ce21aa16 in av_malloc \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavutil\/mem.c:81:9\r\n    #2 0x7fb0ce2401ef in av_samples_alloc \/var\/tmp\/portage\/media-video\/libav-11.3\/work\/libav-11.3\/libavutil\/samplefmt.c:171:11\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/sys-devel\/llvm-3.6.1\/work\/llvm-3.6.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:435 __asan_memcpy\r\nShadow bytes around the buggy address:\r\n  0x0c107fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c107fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c107fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c107fff95f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c107fff9600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa\r\n=&gt;0x0c107fff9610: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa\r\n  0x0c107fff9620: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa\r\n  0x0c107fff9630: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa\r\n  0x0c107fff9640: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa\r\n  0x0c107fff9650: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa\r\n  0x0c107fff9660: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==501==ABORTING                                                                                                                                                                                                                                                 \r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n11.3 (and maybe past versions)<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n11.4<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/git.libav.org\/?p=libav.git;a=commit;h=0ac8ff618c5e6d878c547a8877e714ed728950ce\">https:\/\/git.libav.org\/?p=libav.git;a=commit;h=0ac8ff618c5e6d878c547a8877e714ed728950ce<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<br \/>\nThis bug was reported independently and in a different way by nfxjfg in the libav bugtracker. <\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-6832<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2015-07-27: bug discovered<br \/>\n2016-08-07: blog post about the issue<br \/>\n2016-08-18: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug does not affect <a href=\"http:\/\/ffmpeg.org\/\">ffmpeg<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"KbTclnxgZY\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/07\/libav-heap-based-buffer-overflow-in-ff_audio_resample-resample-c\/\">libav: heap-based buffer overflow in ff_audio_resample (resample.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/08\/07\/libav-heap-based-buffer-overflow-in-ff_audio_resample-resample-c\/embed\/#?secret=KbTclnxgZY\" data-secret=\"KbTclnxgZY\" width=\"600\" height=\"338\" title=\"&#8220;libav: heap-based buffer overflow in ff_audio_resample (resample.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Libav is an open source set of tools for audio and video processing. A crafted file can cause an overflow in the heap. This bug was discovered the last year, but I didn&#8217;t have time to do anything else. &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/08\/07\/libav-heap-based-buffer-overflow-in-ff_audio_resample-resample-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-5y","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/344"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=344"}],"version-history":[{"count":8,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/344\/revisions"}],"predecessor-version":[{"id":442,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/344\/revisions\/442"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}