Bug#884232: ffmpeg: CVE-2017-17555

Salvatore Bonaccorso carnil at debian.org
Tue Dec 12 20:16:02 UTC 2017


Source: ffmpeg
Version: 7:3.4-4
Severity: normal
Tags: security upstream
Control: found -1 7:3.4.1-1

Hi,

the following vulnerability was published for ffmpeg.

CVE-2017-17555[0]:
| The swri_audio_convert function in audioconvert.c in FFmpeg
| libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6,
| and other products, allows remote attackers to cause a denial of
| service (NULL pointer dereference and application crash) via a crafted
| audio file.

The issue is triggerable/demonstrable with the POC attached to [1]:

$ ./aubio/build/examples/aubiomfcc ./crash-2-null-ptr
[mp3 @ 0x61b000000080] Format mp3 detected only with low score of 1, misdetection possible!
[mp3 @ 0x61b000000080] Skipping 3350 bytes of junk at 0.
[mp3 @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate
0.000000        -18.015953 -0.012183 -0.867832 -0.616462 0.813869 -1.063807 -0.276262 -0.236723 -1.673019 1.016008 -0.041898 0.450148 -0.699137
ASAN:DEADLYSIGNAL
=================================================================
==13255==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd18a85df33 bp 0x000000000004 sp 0x7ffec8afd8e8 T0)
==13255==The signal is caused by a READ memory access.
==13255==Hint: address points to the zero page.
    #0 0x7fd18a85df32  (/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)
==13255==ABORTING

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2af0f33 in ff_int16_to_float_a_sse2.next ()
    at src/libswresample/x86/audio_convert.asm:656
656     src/libswresample/x86/audio_convert.asm: No such file or directory.
(gdb) bt
#0  0x00007ffff2af0f33 in ff_int16_to_float_a_sse2.next ()
    at src/libswresample/x86/audio_convert.asm:656
#1  0x00007ffff2ae78de in swri_audio_convert (ctx=0x607000001740, out=out@entry=0x6320000037d0, in=in@entry=0x6320000035b0, len=len@entry=384) at src/libswresample/audioconvert.c:226
#2  0x00007ffff2aee190 in swr_convert_internal (s=s@entry=0x632000000800, out=out@entry=0x632000003e30, out_count=out_count@entry=384, in=in@entry=0x6320000035b0, in_count=in_count@entry=384)
    at src/libswresample/swresample.c:633
#3  0x00007ffff2aef252 in swr_convert_internal (in_count=384, in=0x6320000035b0, out_count=384, out=0x632000003e30, s=0x632000000800) at src/libswresample/swresample.c:470
#4  0x00007ffff2aef252 in swr_convert (s=0x632000000800, out_arg=<optimized out>, out_count=<optimized out>, in_arg=<optimized out>, in_count=<optimized out>)
    at src/libswresample/swresample.c:800
#5  0x00007ffff6c08af5 in aubio_source_avcodec_readframe ()
    at /usr/lib/x86_64-linux-gnu/libaubio.so.5
#6  0x00007ffff6c08c65 in aubio_source_avcodec_do () at /usr/lib/x86_64-linux-gnu/libaubio.so.5
#7  0x0000555555559db4 in examples_common_process (process_func=0x5555555591fb <process_block>, print=0x555555559266 <process_print>) at ../examples/utils.c:160
#8  0x0000555555559875 in main (argc=2, argv=0x7fffffffeb88) at ../examples/aubiomfcc.c:66


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17555
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17555
[1] https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
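
Added example, not part of the original report: a small triage helper that reads an AddressSanitizer SEGV report like the one quoted above and classifies it by faulting address and access type, which is what supports the "NULL pointer dereference, denial of service" rating. The function name, the verdict labels and the 4096-byte page-size threshold are assumptions of this example; the sample text is constructed from the ASan lines in the report.

```python
import re

# Constructed sample: the ASan lines quoted in the report above.
SAMPLE = """\
==13255==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd18a85df33 bp 0x000000000004 sp 0x7ffec8afd8e8 T0)
==13255==The signal is caused by a READ memory access.
==13255==Hint: address points to the zero page.
    #0 0x7fd18a85df32  (/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)
"""

SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# Frame #0 in unsymbolized form: "#0 0xPC  (module+0xOFFSET)"
FRAME0_RE = re.compile(
    r"^\s*#0 0x[0-9a-fA-F]+\s+(?:in \S+ )?\((.+?)\+(0x[0-9a-fA-F]+)\)", re.M)

PAGE_SIZE = 4096  # assumption: the first page is never mapped


def triage(report):
    """Summarise an ASan SEGV report; return None if it is not a SEGV."""
    segv = SEGV_RE.search(report)
    if not segv:
        return None
    addr = int(segv.group(1), 16)
    access = ACCESS_RE.search(report)
    frame = FRAME0_RE.search(report)
    kind = access.group(1) if access else "UNKNOWN"
    if addr < PAGE_SIZE:
        # Faulting address inside the zero page: NULL (plus small offset) deref.
        verdict = "null-deref-" + kind.lower()
    else:
        # Any other address needs manual analysis before rating severity.
        verdict = "wild-" + kind.lower()
    return {
        "address": addr,
        "access": kind,
        "verdict": verdict,
        "module": frame.group(1) if frame else None,
        "offset": frame.group(2) if frame else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The module path and offset from frame #0 identify the faulting instruction in the installed library when no symbols are loaded.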


