Bug#881019: ffmpeg2theora: null pointer dereference while running ffmpeg2theora with "poc" option
Joonun Jang
joonun.jang at gmail.com
Tue Nov 7 07:15:09 UTC 2017
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security
null pointer dereference while running ffmpeg2theora with "poc" option
Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference,
which may allow a remote attacker to cause a denial of service.
I expected the program to terminate without a segfault, but the program crashes as follows:
-------------------------------------------
june at yuweol:~/poc/ffmpeg2theora/crash1$ ffmpeg2theora poc
[lrc @ 0x558a4a3b6840] Format lrc detected only with low score of 5, misdetection possible!
Input #0, lrc, from 'poc':
Duration: N/A, bitrate: N/A
Stream #0:0: Subtitle: text
Segmentation fault
-------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0x0000555555565b8f in ?? ()
(gdb) bt
#0 0x0000555555565b8f in ?? ()
#1 0x000055555555c8da in main ()
(gdb) x/i $rip
=> 0x555555565b8f: mov 0x8(%rax),%rdi
(gdb) i r rax
rax 0x0 0
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ffmpeg2theora depends on:
ii libavcodec57 7:3.3.4-2+b2
ii libavdevice57 7:3.3.4-2+b2
ii libavfilter6 7:3.3.4-2+b2
ii libavformat57 7:3.3.4-2+b2
ii libavutil55 7:3.3.4-2+b2
ii libc6 2.24-17
ii libkate1 0.4.1-7+b1
ii libogg0 1.3.2-1+b1
ii liboggkate1 0.4.1-7+b1
ii libpostproc54 7:3.3.4-2+b2
ii libswresample2 7:3.3.4-2+b2
ii libswscale4 7:3.3.4-2+b2
ii libtheora0 1.1.1+dfsg.1-14+b1
ii libvorbis0a 1.3.5-4
ii libvorbisenc2 1.3.5-4
ffmpeg2theora recommends no packages.
ffmpeg2theora suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 48 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171107/088f8a02/attachment.obj>