Bug#881138: ffmpeg2theora: uses an uninitialized stack value as a pointer while running ffmpeg2theora

Joonun Jang joonun.jang at gmail.com
Wed Nov 8 06:00:05 UTC 2017


Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

Uses an uninitialized stack value as a pointer while running ffmpeg2theora with the "poc" option

Running 'ffmpeg2theora poc' with the attached file uses an uninitialized stack value as a pointer,
which may allow a remote attacker to cause unspecified impact, including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june at yuweol:~/poc/ffmpeg2theora/crash3$ ffmpeg2theora poc
[h263 @ 0x557eb7fb5840] Format h263 detected only with low score of 25, misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 1200k tbn, 29.97 tbc
  Pixel Aspect Ratio: 1.09/1   Frame Aspect Ratio: 1.33/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x557eb7fb6880] I cbpc damaged at 0 0
[h263 @ 0x557eb7fb6880] Error at MB: 0
[h263 @ 0x557eb7fb6880] concealing 99 DC, 99 AC, 99 MV errors in I frame
  0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:00:00           Segmentation fault

-------------------------------------------

Starting program: /usr/bin/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[h263 @ 0x555555811820] Format h263 detected only with low score of 25, misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 1200k tbn, 29.97 tbc

************************************************************
Breakpoint 1, 0x0000555555563ab8 in ?? ()
(gdb) x/2x $rbp - 0x368
0x7fffffffca18: 0xf493f960  0x00007fff
************************************************************
- This is the entry point of the function; the local variable at $rbp - 0x368 is 0x7ffff493f960.

************************************************************
(gdb) c
Continuing.
  Pixel Aspect Ratio: 1.09/1   Frame Aspect Ratio: 1.33/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x555555812860] I cbpc damaged at 0 0
[h263 @ 0x555555812860] Error at MB: 0
[h263 @ 0x555555812860] concealing 99 DC, 99 AC, 99 MV errors in I frame
  0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:01:55

Program received signal SIGSEGV, Segmentation fault.
clear_context (s=0x7ffff493f960) at libswresample/swresample.c:116
116     s->in_buffer_index= 0;
************************************************************

- The value 0x7ffff493f960, which is the same as the uninitialized value above,
  was passed to the clear_context function as a parameter.

************************************************************
(gdb) bt
#0  clear_context (s=0x7ffff493f960) at libswresample/swresample.c:116
#1  0x00005555555648e6 in ?? ()
#2  0x000055555555c8da in main ()
(gdb) f 1
#1  0x00005555555648e6 in ?? ()
(gdb) x/5i $rip-16
   0x5555555648d6:  mov    -0x368(%rbp),%edi
   0x5555555648dc:  test   %rdi,%rdi
   0x5555555648df:  je     0x5555555648e6
   0x5555555648e1:  callq  0x55555555b650 <swr_close at plt>
=> 0x5555555648e6:  mov    -0x38(%rbp),%rax
(gdb) x/2x $rbp - 0x368
0x7fffffffca18: 0xf493f960  0x00007fff

************************************************************
- The argument %rdi comes from -0x368(%rbp), which is the same position
  we checked at the entry point of this function.

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 51 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171108/ff57b36c/attachment-0001.obj>
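The backtrace above shows the classic shape of this defect: a context pointer lives in a large stack frame, is only assigned on the path that needs it (here, an input with an audio stream), and the teardown still runs `if (ctx) swr_close(ctx)` on it, so a NULL check passes on whatever the previous frame left in that slot. The following C is an added illustration, not code from ffmpeg2theora or FFmpeg: `encoder_state`, `mock_swr_close` and `STALE_POINTER` are hypothetical stand-ins, and the stale frame is written explicitly (real uninitialized memory is undefined behaviour and would not demonstrate anything reliably). It places the buggy flow beside the initialised one and reports what each hands to the close routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for SwrContext; never dereferenced in this example. */
typedef struct { int opaque; } mock_swr_ctx;

/* Mock of swr_close(): records the pointer it was handed instead of touching it,
 * so a bogus value is observable without a crash. */
static mock_swr_ctx *last_closed;
static int close_calls;
static void mock_swr_close(mock_swr_ctx *s) { last_closed = s; close_calls++; }

/* A large block of "locals", like the frame in the report: the context pointer
 * sits among hundreds of bytes of other state (the offset is illustrative). */
typedef struct {
    unsigned char other_locals[0x300];
    mock_swr_ctx *swr;   /* plays the role of the slot at -0x368(%rbp) */
} encoder_state;

/* Pointer-looking leftover from an earlier call, the way a stale frame would
 * leave one. The value is the one from the gdb output, used only as a token. */
#define STALE_POINTER ((mock_swr_ctx *)(uintptr_t)0x7ffff493f960ULL)

/* Simulate stack reuse explicitly instead of relying on real uninitialised
 * memory, which the compiler is free to treat as anything. */
static void leave_stale_frame(encoder_state *st) {
    memset(st->other_locals, 0x41, sizeof st->other_locals);
    st->swr = STALE_POINTER;
}

/* Buggy flow: swr is only assigned when the input has audio, but the teardown
 * treats "non-NULL" as "was allocated". Returns the pointer that got closed. */
static mock_swr_ctx *convert_buggy(encoder_state *st, int has_audio) {
    /* no st->swr = NULL here, mirroring the defect */
    if (has_audio)
        st->swr = calloc(1, sizeof *st->swr);
    /* ... decode/encode loop would run here ... */
    last_closed = NULL;
    if (st->swr) {
        mock_swr_close(st->swr);
        if (has_audio) free(st->swr);
    }
    return last_closed;
}

/* Fixed flow: the slot is initialised before any path can reach the teardown,
 * and reset to NULL after release so a repeated teardown is also harmless. */
static mock_swr_ctx *convert_fixed(encoder_state *st, int has_audio) {
    st->swr = NULL;
    if (has_audio)
        st->swr = calloc(1, sizeof *st->swr);
    /* ... decode/encode loop would run here ... */
    last_closed = NULL;
    if (st->swr) {
        mock_swr_close(st->swr);
        free(st->swr);
        st->swr = NULL;
    }
    return last_closed;
}

/* Runs one flow on an input with no audio stream over a dirtied frame. */
static mock_swr_ctx *run_no_audio(mock_swr_ctx *(*flow)(encoder_state *, int)) {
    encoder_state st;
    leave_stale_frame(&st);
    return flow(&st, 0);
}

int main(void) {
    /* buggy flow closes the stale token; fixed flow closes nothing */
    printf("buggy: closed %p\n", (void *)run_no_audio(convert_buggy));
    printf("fixed: closed %p\n", (void *)run_no_audio(convert_fixed));
    return 0;
}
```

The takeaway for review is that a NULL check is only a liveness check when every path writes the slot before the check runs; initialising the pointer at its declaration is the usual fix. Valgrind reports this class of bug as a conditional jump depending on an uninitialised value at the `test %rdi,%rdi` seen in the disassembly, and MemorySanitizer (clang `-fsanitize=memory`) flags the same read, so either is a cheap way to confirm a fix on the real binary.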