oss-sec mailing list archives
[CVE-2017-9608] null-pointer exception when ffmpeg uses the dnxhd decoder to parse a crafted mov file.
From: 连一汉 <lianyihan () 360 cn>
Date: Mon, 14 Aug 2017 09:52:51 +0000
Hi,
I'm Yihan Lian, a security researcher at Qihoo 360 GearTeam.
I found a vulnerability in ffmpeg-3.3.2.
FFmpeg can be crashed when it parses a crafted mov file.
======================== test command =========================
ffmpeg -c:v dnxhd -i poc.mov -y output.ts
======================== crash info ===========================
Program received signal SIGSEGV, Segmentation fault.
0x0000000000b672e7 in ff_combine_frame (pc=0x22f4bf0, next=-1, buf=0x7fffffffd5b8, buf_size=0x7fffffffd5b4) at libavcodec/parser.c:311
311 pc->state = pc->state << 8 | pc->buffer[pc->last_index + next];
Missing separate debuginfos, use: debuginfo-install glibc-2.17-106.el7_2.4.x86_64 libXau-1.0.8-2.1.el7.x86_64 libxcb-1.11-4.el7.x86_64 xz-libs-5.1.2-12alpha.el7.x86_64
(gdb) bt
#0 0x0000000000b672e7 in ff_combine_frame (pc=0x22f4bf0, next=-1, buf=0x7fffffffd5b8, buf_size=0x7fffffffd5b4) at libavcodec/parser.c:311
#1 0x000000000088f3b6 in dnxhd_parse (s=0x22f4a80, avctx=0x22f45f0, poutbuf=0x7fffffffd728, poutbuf_size=0x7fffffffd730, buf=0x22f5f50 "", buf_size=-1) at libavcodec/dnxhd_parser.c:138
#2 0x0000000000b66d8e in av_parser_parse2 (s=0x22f4a80, avctx=0x22f45f0, poutbuf=0x7fffffffd728, poutbuf_size=0x7fffffffd730, buf=0x22f5f50 "", buf_size=1024, pts=-9223372036854775808, dts=-9223372036854775808, pos=0) at libavcodec/parser.c:182
#3 0x00000000007cb35c in parse_packet (s=0x22f3310, pkt=0x7fffffffd800, stream_index=0) at libavformat/utils.c:1415
#4 0x00000000007cbf5c in read_frame_internal (s=0x22f3310, pkt=0x7fffffffdb50) at libavformat/utils.c:1610
#5 0x00000000007d2ae0 in avformat_find_stream_info (ic=0x22f3310, options=0x22f3cf0) at libavformat/utils.c:3574
#6 0x000000000040f3d8 in open_input_file (o=0x7fffffffde70, filename=0x7fffffffe725 "mov/input.mov") at ffmpeg_opt.c:1013
#7 0x00000000004186ff in open_files (l=0x22f3028, inout=0x13dd697 "input", open_file=0x40ea94 <open_input_file>) at ffmpeg_opt.c:3203
#8 0x0000000000418860 in ffmpeg_parse_options (argc=7, argv=0x7fffffffe478) at ffmpeg_opt.c:3243
#9 0x000000000042d193 in main (argc=7, argv=0x7fffffffe478) at ffmpeg.c:4760
(gdb) p pc->buffer
$1 = (uint8_t *) 0x0
We can see that the value of pc->buffer is NULL!!!
I have sent this POC to cve-request () mitre org. They gave me a CVE number: CVE-2017-9608.
Below is their email:
-----Original Message-----
From: cve-request () mitre org [mailto:cve-request () mitre org]
Sent: June 14, 2017 10:50
To: 连一汉
Cc: cve-request () mitre org
Subject: Re: [scr346798] ffmpeg - 3.3.2
[VulnerabilityType Other]
null-point-exception
------------------------------------------
[Affected Product Code Base]
ffmpeg - 3.3.2
------------------------------------------
[Attack Type Other]
Local and remote
------------------------------------------
[Impact Denial of Service]
true

Use CVE-2017-9608.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
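The backtrace above shows the parser reaching `pc->buffer[pc->last_index + next]` with `next=-1`, `buf_size=-1` and `pc->buffer` still NULL. The following is an added illustration, not FFmpeg's code: a minimal frame-combiner model with the same three fields (state, buffer, last_index) and the same rewind loop shape, where the step that indexes backwards into the carried-over buffer first checks that the buffer exists and that the index lies inside it, so the empty-buffer case from the report is rejected instead of dereferenced. Names such as `FrameCombiner`, `combiner_append` and `combine_frame_rewind` are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of a frame-combining parser (illustrative, not FFmpeg's
 * ff_combine_frame): input arrives in chunks, a 32-bit 'state' window holds
 * the last bytes seen, and a negative 'next' from the frame-end search means
 * the boundary lies inside the bytes carried over from earlier chunks. */
typedef struct {
    uint32_t state;      /* last four bytes seen, most recent in the low byte */
    uint8_t *buffer;     /* bytes carried over from earlier calls; NULL at start */
    int      last_index; /* number of valid bytes in buffer */
} FrameCombiner;

enum { COMBINE_OK = 0, COMBINE_REJECTED = -1 };

/* Append one input chunk to the carry-over buffer and feed it into state. */
static int combiner_append(FrameCombiner *pc, const uint8_t *buf, int buf_size)
{
    if (buf_size < 0)                        /* a negative size is a caller bug */
        return COMBINE_REJECTED;
    uint8_t *nb = realloc(pc->buffer, (size_t)pc->last_index + (size_t)buf_size + 1);
    if (!nb)
        return COMBINE_REJECTED;
    pc->buffer = nb;
    memcpy(pc->buffer + pc->last_index, buf, (size_t)buf_size);
    for (int i = 0; i < buf_size; i++)
        pc->state = (pc->state << 8) | buf[i];
    pc->last_index += buf_size;
    return COMBINE_OK;
}

/* Re-feed the last -next carried-over bytes into the state window.  The guard
 * is the point of the example: the index pc->last_index + next is only
 * dereferenced once the buffer is known to exist and the index is known to
 * lie inside it.  With buffer == NULL and last_index == 0, as in the report's
 * gdb session, next = -1 is rejected instead of reading address 0xffff...ff. */
static int combine_frame_rewind(FrameCombiner *pc, int next)
{
    if (next >= 0)
        return COMBINE_OK;                   /* nothing to rewind */
    if (!pc->buffer || next < -pc->last_index)
        return COMBINE_REJECTED;             /* would read before the buffer, or NULL */
    /* Same shape as the loop at parser.c:311 in the backtrace, now reached
     * only when every index it touches is inside pc->buffer. */
    for (; next < 0; next++)
        pc->state = (pc->state << 8) | pc->buffer[pc->last_index + next];
    return COMBINE_OK;
}

static void combiner_free(FrameCombiner *pc)
{
    free(pc->buffer);
    pc->buffer = NULL;
    pc->last_index = 0;
}

/* Reproduces the reported condition on the model: empty combiner, next = -1.
 * Returns 1 when the guard rejects it (no NULL dereference). */
static int rejects_empty_rewind(void)
{
    FrameCombiner pc = { 0, NULL, 0 };
    return combine_frame_rewind(&pc, -1) == COMBINE_REJECTED;
}

/* Constructed sample: four bytes 00 01 02 03 appended, then a rewind of two.
 * Returns the resulting state value (0 if any step is rejected). */
static uint32_t state_after_rewind(void)
{
    static const uint8_t chunk[4] = { 0x00, 0x01, 0x02, 0x03 };  /* constructed */
    FrameCombiner pc = { 0, NULL, 0 };
    if (combiner_append(&pc, chunk, 4) != COMBINE_OK)
        return 0;
    if (combine_frame_rewind(&pc, -2) != COMBINE_OK)
        return 0;
    uint32_t s = pc.state;
    combiner_free(&pc);
    return s;
}

/* Returns 1 when a rewind past the start of the carried-over data is rejected. */
static int rejects_rewind_past_start(void)
{
    static const uint8_t chunk[4] = { 0x10, 0x20, 0x30, 0x40 };  /* constructed */
    FrameCombiner pc = { 0, NULL, 0 };
    if (combiner_append(&pc, chunk, 4) != COMBINE_OK)
        return 0;
    int r = combine_frame_rewind(&pc, -5) == COMBINE_REJECTED;
    combiner_free(&pc);
    return r;
}

int main(void)
{
    printf("empty rewind rejected: %d\n", rejects_empty_rewind());
    printf("state after rewind:    0x%08x\n", state_after_rewind());
    printf("past-start rejected:   %d\n", rejects_rewind_past_start());
    return 0;
}
```

The rewind of two over `00 01 02 03` starts from state `0x00010203`, shifts in byte `02` and then byte `03`, giving `0x02030203`; the same loop on the empty combiner returns `COMBINE_REJECTED` because there is no buffer to index. A parser caller that can hand the combiner a negative size, as the `buf_size=-1` in frame #1 of the backtrace shows, is the other place such a check belongs.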