[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Jul 2015 12:34:13 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: libav: divide-by-zero in ff_h263_decode_mba()
Description:
Libav is an open source set of tools for audio and video processing.
After talking with Luca Barbato which is both a Gentoo and Libav
developer, I spent a bit of my time fuzzing libav and in particular I
fuzzed libavcodec though avplay.
I hit a crash and after I reported it to upstream, they confirmed the
issue as a divide-by-zero.
The complete gdb output:
ago@...loughby $ gdb --args /usr/bin/avplay avplay.crash
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/avplay...Reading symbols from
/usr/lib64/debug//usr/bin/avplay.debug...done.
done.
(gdb) run
Starting program: /usr/bin/avplay avplay.crash
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
avplay version 11.3, Copyright (c) 2003-2014 the Libav developers
built on Jun 19 2015 09:50:59 with gcc 4.8.4 (Gentoo 4.8.4 p1.6,
pie-0.6.1)
[New Thread 0x7fffec4c7700 (LWP 7016)]
[New Thread 0x7fffeb166700 (LWP 7017)]
INFO: AddressSanitizer ignores mlock/mlockall/munlock/munlockall
[New Thread 0x7fffe9e28700 (LWP 7018)]
[h263 @ 0x60480000f680] Format detected only with low score of 25,
misdetection possible!
[h263 @ 0x60440001f980] Syntax-based Arithmetic Coding (SAC) not
supported
[h263 @ 0x60440001f980] Reference Picture Selection not supported
[h263 @ 0x60440001f980] Independent Segment Decoding not supported
[h263 @ 0x60440001f980] header damaged
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0x7fffe9e28700 (LWP 7018)]
0x00007ffff21e3313 in ff_h263_decode_mba (s=s@...ry=0x60720005a100) at
/tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c:142
142 /tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c: No such file
or directory.
(gdb) bt
#0 0x00007ffff21e3313 in ff_h263_decode_mba (s=s@...ry=0x60720005a100)
at /tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c:142
#1 0x00007ffff21f3c2d in ff_h263_decode_picture_header
(s=0x60720005a100) at /tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavcodec/ituh263dec.c:1112
#2 0x00007ffff1ae16ed in ff_h263_decode_frame (avctx=0x60440001f980,
data=0x60380002f480, got_frame=0x7fffe9e272f0, avpkt=) at
/tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavcodec/h263dec.c:444
#3 0x00007ffff2cd963e in avcodec_decode_video2 (avctx=0x60440001f980,
picture=0x60380002f480,
got_picture_ptr=got_picture_ptr@...ry=0x7fffe9e272f0,
avpkt=avpkt@...ry=0x7fffe9e273b0) at /tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavcodec/utils.c:1600
#4 0x00007ffff44d4fb4 in try_decode_frame (st=st@...ry=0x60340002fb00,
avpkt=avpkt@...ry=0x601c00037b00, options=) at /tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavformat/utils.c:1910
#5 0x00007ffff44ebd89 in avformat_find_stream_info (ic=0x60480000f680,
options=0x600a00009e80) at /tmp/portage/media-
video/libav-11.3/work/libav-11.3/libavformat/utils.c:2276
#6 0x0000000000431834 in decode_thread (arg=0x7ffff7e0b800) at
/tmp/portage/media-video/libav-11.3/work/libav-11.3/avplay.c:2268
#7 0x00007ffff0284b08 in ?? () from /usr/lib64/libSDL-1.2.so.0
#8 0x00007ffff02b4be9 in ?? () from /usr/lib64/libSDL-1.2.so.0
#9 0x00007ffff4e65aa8 in ?? () from /usr/lib/gcc/x86_64-pc-linux-
gnu/4.8.4/libasan.so.0
#10 0x00007ffff0062204 in start_thread () from /lib64/libpthread.so.0
#11 0x00007fffefda957d in clone () from /lib64/libc.so.6
(gdb)
Affected version:
11.3 (and maybe past versions)
Fixed version:
11.5 and 12.0
Commit fix:
https://git.libav.org/?p=libav.git;a=commitdiff;h=0a49a62f998747cfa564d98d36a459fe70d3299b;hp=6f4cd33efb5a9ec75db1677d5f7846c60337129f
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2015-5479
Timeline:
2015-06-21: bug discovered
2015-06-22: bug reported privately to upstream
2015-06-30: upstream commit the fix
2015-07-14: CVE assigned
2015-07-16: advisory release
Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.
Permalink:
http://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba
--
Agostino Sarubbo
Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
