{"id":556,"date":"2016-09-17T00:08:52","date_gmt":"2016-09-16T22:08:52","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=556"},"modified":"2016-10-08T21:11:34","modified_gmt":"2016-10-08T19:11:34","slug":"libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/17\/libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c\/","title":{"rendered":"libav: invalid memory access in put_no_rnd_pixels8_xy2_mmx (rnd_template.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/libav.org\/\">Libav<\/a> is an open source set of tools for audio and video processing.<\/p>\n<p>Fuzzing with an mp3 file as input discovered an invalid memory access in put_no_rnd_pixels8_xy2_mmx.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># avconv -i $FILE -f null -\r\navconv version 11.7, Copyright (c) 2000-2016 the Libav developers\r\n  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags\/RELEASE_381\/final)\r\n[h263 @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!\r\n[IMGUTILS @ 0x7ff589955420] Picture size 0x0 is invalid\r\n[h263 @ 0x619000000580] header damaged\r\n[h263 @ 0x619000000580] Syntax-based Arithmetic Coding (SAC) not supported\r\n[h263 @ 0x619000000580] Independent Segment Decoding not supported\r\n[h263 @ 0x619000000580] warning: first frame is no keyframe\r\n[h263 @ 0x619000000580] cbpc damaged at 0 0\r\n[h263 @ 0x619000000580] Error at MB: 0\r\n[h263 @ 0x619000000580] concealing 1584 DC, 1584 AC, 1584 MV errors\r\n[h263 @ 0x61a00001f280] Estimating duration from bitrate, this may be inaccurate\r\nInput #0, h263, from '9.crashes':\r\n  Duration: N\/A, bitrate: N\/A\r\n    Stream #0.0: Video: h263, yuv420p, 704x576 [PAR 12:11 DAR 4:3], 25 fps, 25 tbn, 18.73 tbc\r\nOutput #0, null, to 'pipe:':\r\n  Metadata:\r\n    encoder         : Lavf56.1.0\r\n    
Stream #0.0: Video: rawvideo, yuv420p, 704x576 [PAR 12:11 DAR 4:3], q=2-31, 200 kb\/s, 25 tbn, 25 tbc\r\n    Metadata:\r\n      encoder         : Lavc56.1.0 rawvideo\r\nStream mapping:\r\n  Stream #0:0 -&gt; #0:0 (h263 (native) -&gt; rawvideo (native))\r\nPress ctrl-c to stop encoding\r\n[h263 @ 0x61900001ea80] warning: first frame is no keyframe\r\nASAN:DEADLYSIGNAL\r\n=================================================================\r\n==26790==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff584ddb77f (pc 0x7ff5910cdeee bp 0x7ffdc464d7f0 sp 0x7ffdc464d780 T0)\r\n    #0 0x7ff5910cdeed in put_no_rnd_pixels8_xy2_mmx \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/x86\/rnd_template.c:37:5\r\n    #1 0x7ff590209de0 in hpel_motion \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/mpegvideo_motion.c:224:5\r\n    #2 0x7ff590209de0 in apply_8x8 \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/mpegvideo_motion.c:798\r\n    #3 0x7ff590209de0 in mpv_motion_internal \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/mpegvideo_motion.c:877\r\n    #4 0x7ff590209de0 in ff_mpv_motion \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/mpegvideo_motion.c:981\r\n    #5 0x7ff59013659b in mpv_decode_mb_internal \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/mpegvideo.c:2223:21\r\n    #6 0x7ff59013659b in ff_mpv_decode_mb \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/mpegvideo.c:2358\r\n    #7 0x7ff58f048c95 in decode_slice \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/h263dec.c:273:13\r\n    #8 0x7ff58f0442cd in ff_h263_decode_frame \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/h263dec.c:575:11\r\n    #9 0x7ff5909cf906 in avcodec_decode_video2 
\/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/utils.c:1600:19\r\n    #10 0x5647eb in decode_video \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/avconv.c:1259:11\r\n    #11 0x5647eb in process_input_packet \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/avconv.c:1398\r\n    #12 0x550e63 in process_input \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/avconv.c:2440:11\r\n    #13 0x550e63 in transcode \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/avconv.c:2488\r\n    #14 0x550e63 in main \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/avconv.c:2647\r\n    #15 0x7ff58cd6461f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #16 0x41d098 in _init (\/usr\/bin\/avconv+0x41d098)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/media-video\/libav-11.7\/work\/libav-11.7\/libavcodec\/x86\/rnd_template.c:37:5 in put_no_rnd_pixels8_xy2_mmx\r\n==26790==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n11.7<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/git.libav.org\/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee\">https:\/\/git.libav.org\/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-7424<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-15: bug discovered<br \/>\n2016-08-16: bug reported to upstream<br \/>\n2016-09-16: upstream released a patch<br \/>\n2016-09-17: blog post about the issue<br \/>\n2016-09-17: CVE Assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy 
Lop<\/a>.<br \/>\nThis bug was reported by F4B3CD@STARLAB on 2016-09-12 via libav-security while it was already public since<br \/>\n2016-08-15 on the upstream bugtracker.<br \/>\nAfter an investigation it looks like an invalid memory access (read), so I&#8217;m changing the description a bit but I&#8217;m keeping the permalink as-is.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"uYwRPn7Yf5\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/17\/libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c\/\">libav: invalid memory access in put_no_rnd_pixels8_xy2_mmx (rnd_template.c)<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Description: Libav is an open source set of tools for audio and video processing. Fuzzing with an mp3 file as input discovered an invalid memory access in put_no_rnd_pixels8_xy2_mmx. 
The complete ASan output: # avconv -i $FILE -f null &#8211; &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/17\/libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-8Y","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/556"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=556"}],"version-history":[{"count":6,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/556\/revisions"}],"predecessor-version":[{"id":678,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/556\/revisions\/678"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}