Message-Id: <201609070222.u872MLZB018294@sf01web1.securityfocus.com>
Date: Wed, 7 Sep 2016 02:22:21 GMT
From: unlimitsec@...il.com
To: bugtraq@...urityfocus.com
Subject: CVE-2016-6920 ffmpeg exr file Heap Overflow
=======
Product: ffmpeg
Affected Versions: <= 3.1.2
Vulnerability Type: Heap Overflow
Security Risk: High
Credit: Yaoguang Chen of Aliapy unLimit Security Team
Introduction
============
$ ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png
ffmpeg version 3.1.2 Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
configuration: --prefix=/home/burningcodes/ffmpeg_debug_312/ --disable-yasm --assert-level=2 --enable-debug=3 --disable-optimizations --disable-asm --disable-stripping
libavutil 55. 28.100 / 55. 28.100
libavcodec 57. 48.101 / 57. 48.101
libavformat 57. 41.100 / 57. 41.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 47.100 / 6. 47.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 1.100 / 2. 1.100
*** Error in `ffmpeg_debug_312/bin/ffmpeg': free(): invalid next size (normal): 0x00000000024a44c0 ***
Aborted (core dumped)
gdb backtrace:
$ gdb ffmpeg_debug_312/bin/ffmpeg /tmp/core.1471448229 -q
Reading symbols from ffmpeg_debug_312/bin/ffmpeg...done.
[New LWP 6771]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f100f696267 in __GI_raise (sig=sig@...ry=0x6)
at ../sysdeps/unix/sysv/linux/raise.c:55
55 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 0x00007f100f696267 in __GI_raise (sig=sig@...ry=0x6)
at ../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007f100f697eca in __GI_abort () at abort.c:89
#2 0x00007f100f6d9c53 in __libc_message (do_abort=do_abort@...ry=0x1,
fmt=fmt@...ry=0x7f100f7f21a8 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007f100f6e1c69 in malloc_printerr (ptr=<optimized out>,
str=0x7f100f7f2300 "free(): invalid next size (normal)", action=0x1)
at malloc.c:4965
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0)
at malloc.c:3834
#5 0x00007f100f6e589c in __GI___libc_free (mem=<optimized out>)
at malloc.c:2950
#6 0x00000000013e3039 in av_free (ptr=0x24a44c0) at libavutil/mem.c:239
#7 0x00000000013d149c in av_buffer_default_free (opaque=0x0,
data=0x24a44c0 "\377\377\360j \241\377\377\377\377\020^")
at libavutil/buffer.c:63
#8 0x00000000013d165d in buffer_replace (dst=0x7ffd71aa3180, src=0x0)
at libavutil/buffer.c:119
#9 0x00000000013d169d in av_buffer_unref (buf=0x7ffd71aa3180)
at libavutil/buffer.c:129
#10 0x00000000008184e6 in av_packet_unref (pkt=0x7ffd71aa3180)
at libavcodec/avpacket.c:566
#11 0x000000000069e1bb in ff_img_read_packet (s1=0x248c2c0, pkt=0x7ffd71aa3180)
at libavformat/img2dec.c:502
#12 0x00000000007a4dc1 in ff_read_packet (s=0x248c2c0, pkt=0x7ffd71aa3180)
at libavformat/utils.c:759
#13 0x00000000007a7ef3 in read_frame_internal (s=0x248c2c0, pkt=0x7ffd71aa3460)
at libavformat/utils.c:1457
#14 0x00000000007af3c4 in avformat_find_stream_info (ic=0x248c2c0,
options=0x248d110) at libavformat/utils.c:3475
#15 0x00000000004103f2 in open_input_file (o=0x7ffd71aa37b0,
filename=0x7ffd71aa41c6 "tiled_with_deeptile_type.exr")
at ffmpeg_opt.c:1002
#16 0x0000000000419274 in open_files (l=0x248c058, inout=0x1413717 "input",
open_file=0x40fa95 <open_input_file>) at ffmpeg_opt.c:3036
#17 0x0000000000419401 in ffmpeg_parse_options (argc=0x5, argv=0x7ffd71aa3d98)
at ffmpeg_opt.c:3073
#18 0x000000000042e8a6 in main (argc=0x5, argv=0x7ffd71aa3d98) at ffmpeg.c:4335
#19 0x00007f100f681a40 in __libc_start_main (main=0x42e7c6 <main>, argc=0x5,
argv=0x7ffd71aa3d98, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7ffd71aa3d88) at libc-start.c:289
#20 0x00000000004061c9 in _start ()