ffmpeg 3.1.2 Heap Overflow

Posted Sep 7, 2016
Authored by unLimit Security Group, Yaoguang Chen

ffmpeg versions 3.1.2 and below suffer from a heap overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2016-6920
SHA-256 | bb7bc6eb8a6573fd4d187e7077d2e999ddb1dc6fb1498ca5fed3f183713322a5


Product: ffmpeg
Affected Versions: <= 3.1.2
Vulnerability Type: Heap Overflow
Security Risk: High
Credit: Yaoguang Chen of Alipay unLimit Security Team

Introduction
============



$ ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png
ffmpeg version 3.1.2 Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
configuration: --prefix=/home/burningcodes/ffmpeg_debug_312/ --disable-yasm --assert-level=2 --enable-debug=3 --disable-optimizations --disable-asm --disable-stripping
libavutil 55. 28.100 / 55. 28.100
libavcodec 57. 48.101 / 57. 48.101
libavformat 57. 41.100 / 57. 41.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 47.100 / 6. 47.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 1.100 / 2. 1.100
*** Error in `ffmpeg_debug_312/bin/ffmpeg': free(): invalid next size (normal): 0x00000000024a44c0 ***
Aborted (core dumped)


gdb backtrace:


$ gdb ffmpeg_debug_312/bin/ffmpeg /tmp/core.1471448229 -q
Reading symbols from ffmpeg_debug_312/bin/ffmpeg...done.
[New LWP 6771]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f100f696267 in __GI_raise (sig=sig@entry=0x6)
at ../sysdeps/unix/sysv/linux/raise.c:55
55 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 0x00007f100f696267 in __GI_raise (sig=sig@entry=0x6)
at ../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007f100f697eca in __GI_abort () at abort.c:89
#2 0x00007f100f6d9c53 in __libc_message (do_abort=do_abort@entry=0x1,
fmt=fmt@entry=0x7f100f7f21a8 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007f100f6e1c69 in malloc_printerr (ptr=<optimized out>,
str=0x7f100f7f2300 "free(): invalid next size (normal)", action=0x1)
at malloc.c:4965
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0)
at malloc.c:3834
#5 0x00007f100f6e589c in __GI___libc_free (mem=<optimized out>)
at malloc.c:2950
#6 0x00000000013e3039 in av_free (ptr=0x24a44c0) at libavutil/mem.c:239
#7 0x00000000013d149c in av_buffer_default_free (opaque=0x0,
data=0x24a44c0 "\377\377\360j \241\377\377\377\377\020^")
at libavutil/buffer.c:63
#8 0x00000000013d165d in buffer_replace (dst=0x7ffd71aa3180, src=0x0)
at libavutil/buffer.c:119
#9 0x00000000013d169d in av_buffer_unref (buf=0x7ffd71aa3180)
at libavutil/buffer.c:129
#10 0x00000000008184e6 in av_packet_unref (pkt=0x7ffd71aa3180)
at libavcodec/avpacket.c:566
#11 0x000000000069e1bb in ff_img_read_packet (s1=0x248c2c0, pkt=0x7ffd71aa3180)
at libavformat/img2dec.c:502
#12 0x00000000007a4dc1 in ff_read_packet (s=0x248c2c0, pkt=0x7ffd71aa3180)
at libavformat/utils.c:759
#13 0x00000000007a7ef3 in read_frame_internal (s=0x248c2c0, pkt=0x7ffd71aa3460)
at libavformat/utils.c:1457
#14 0x00000000007af3c4 in avformat_find_stream_info (ic=0x248c2c0,
options=0x248d110) at libavformat/utils.c:3475
#15 0x00000000004103f2 in open_input_file (o=0x7ffd71aa37b0,
filename=0x7ffd71aa41c6 "tiled_with_deeptile_type.exr")
at ffmpeg_opt.c:1002
#16 0x0000000000419274 in open_files (l=0x248c058, inout=0x1413717 "input",
open_file=0x40fa95 <open_input_file>) at ffmpeg_opt.c:3036
#17 0x0000000000419401 in ffmpeg_parse_options (argc=0x5, argv=0x7ffd71aa3d98)
at ffmpeg_opt.c:3073
#18 0x000000000042e8a6 in main (argc=0x5, argv=0x7ffd71aa3d98) at ffmpeg.c:4335
#19 0x00007f100f681a40 in __libc_start_main (main=0x42e7c6 <main>, argc=0x5,
argv=0x7ffd71aa3d98, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7ffd71aa3d88) at libc-start.c:289
#20 0x00000000004061c9 in _start ()
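As an added triage example (not part of the advisory), the script below parses the crash output quoted above: it rejoins gdb's wrapped frames, finds the first FFmpeg-owned frame and the first frame outside the allocator/packet helpers (the demuxer that owned the corrupted packet), reads the glibc abort reason, and checks the version banner against the advisory's "<= 3.1.2". The frame/path classification and the sample lines are constructed from the advisory text.

```python
import re
# Crash output quoted (abridged) from the advisory above. gdb wraps each
# frame's "at file:line" onto a continuation line, which the parser rejoins.
SAMPLE = """\
ffmpeg version 3.1.2 Copyright (c) 2000-2016 the FFmpeg developers
*** Error in `ffmpeg_debug_312/bin/ffmpeg': free(): invalid next size (normal): 0x00000000024a44c0 ***
#3 0x00007f100f6e1c69 in malloc_printerr (ptr=<optimized out>,
str=0x7f100f7f2300 "free(): invalid next size (normal)", action=0x1)
at malloc.c:4965
#6 0x00000000013e3039 in av_free (ptr=0x24a44c0) at libavutil/mem.c:239
#10 0x00000000008184e6 in av_packet_unref (pkt=0x7ffd71aa3180)
at libavcodec/avpacket.c:566
#11 0x000000000069e1bb in ff_img_read_packet (s1=0x248c2c0, pkt=0x7ffd71aa3180)
at libavformat/img2dec.c:502
#20 0x00000000004061c9 in _start ()
"""
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(.*\)(?: at (\S+):(\d+))?$")
# Source-tree prefixes that mark a frame as FFmpeg code rather than glibc.
FFMPEG_DIRS = ("libavutil/", "libavcodec/", "libavformat/", "libavfilter/", "libsw", "ffmpeg")

def parse_backtrace(text):  # -> [(frame_no, function, file, line)], wrapped frames rejoined
    frames, buf = [], None
    for raw in text.splitlines() + ["#"]:          # sentinel flushes the last frame
        if raw.startswith("#"):
            m = FRAME_RE.match(buf) if buf else None
            if m:
                frames.append((int(m[1]), m[2], m[3], int(m[4]) if m[4] else None))
            buf = raw.strip()
        elif buf is not None:                      # continuation of the current frame
            buf += " " + raw.strip()
    return frames

def first_frame_in(frames, prefixes=FFMPEG_DIRS, skip=()):
    # First frame whose source file starts with `prefixes` but not with `skip`.
    for fr in frames:
        path = fr[2] or ""
        if path.startswith(prefixes) and not path.startswith(skip):
            return fr
    return None

def heap_error_hint(text):
    # glibc's "invalid next size" means the size field of the chunk *after* the
    # freed block is corrupt, i.e. something wrote past the end of that block.
    m = re.search(r"\*\*\* Error in `[^']*': (\w+\(\)): ([^:]+)", text)
    return (m[1], m[2].strip(), "invalid next size" in m[2]) if m else None

def affected_version(text, last_affected=(3, 1, 2)):
    # True if the banner reports a release at or below the advisory's last affected version.
    m = re.search(r"^ffmpeg version (\d+)\.(\d+)\.(\d+)\b", text, re.M)
    return tuple(map(int, m.groups())) <= last_affected if m else None
```

Skipping `libavutil/` and `libavcodec/avpacket.c` steps past the free() wrappers to `ff_img_read_packet` at `libavformat/img2dec.c:502`, which is where the corrupted packet buffer was released.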