Bug#881122: ffmpeg2theora: null pointer dereference while running ffmpeg2theora

Joonun Jang joonun.jang at gmail.com
Wed Nov 8 02:13:46 UTC 2017


Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference,
which may allow a remote attacker to cause a denial of service.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june at yuweol:~/poc/ffmpeg2theora/crash2$ ffmpeg2theora poc
[adp @ 0x55fbce8ff840] Format adp detected only with low score of 1, misdetection possible!
Input #0, adp, from 'poc':
  Duration: 00:00:00.00, start: 0.000000, bitrate: 658 kb/s
    Stream #0:0: Audio: adpcm_dtk, 48000 Hz, stereo, s16p
Segmentation fault

-------------------------------------------

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4b98199 in av_samples_fill_arrays () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
(gdb) bt
#0  0x00007ffff4b98199 in av_samples_fill_arrays () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
#1  0x00007ffff4b984d9 in av_samples_alloc () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
#2  0x0000555555565e7a in ?? ()
#3  0x000055555555c8da in main ()
(gdb) x/i $rip
=> 0x7ffff4b98199 <av_samples_fill_arrays+105>: mov    %rbx,(%r12)
(gdb) i r r12
r12            0x0  0

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information
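The backtrace above ends in a store through a NULL pointer (r12 == 0 at `mov %rbx,(%r12)`) two frames below av_samples_alloc. The following is an added example, not code from ffmpeg2theora or libavutil: it models that call chain with the hypothetical functions samples_fill_arrays() and samples_alloc_checked(), using the planar s16p/stereo layout from the report (one plane per channel, planes an aligned linesize apart), and shows the argument check that has to sit in front of the store. The assumption that the NULL pointer is the caller-supplied output array is the example's, not something the report establishes.

```c
/* Added example modelling the report's av_samples_alloc -> av_samples_fill_arrays
 * chain.  Not libavutil code; function names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Round n up to a multiple of align (align > 0). */
static size_t align_up(size_t n, size_t align)
{
    return (n + align - 1) / align * align;
}

/* Planar fill: channel ch starts at buf + ch * linesize.  This routine
 * deliberately trusts its arguments; a NULL audio_data faults at the
 * store below, which is the pattern seen in the report's backtrace. */
static int samples_fill_arrays(uint8_t **audio_data, int *linesize,
                               uint8_t *buf, int nb_channels, int nb_samples,
                               int bytes_per_sample, int align)
{
    size_t ls = align_up((size_t)nb_samples * (size_t)bytes_per_sample,
                         (size_t)align);
    if (linesize)
        *linesize = (int)ls;
    for (int ch = 0; ch < nb_channels; ch++)
        audio_data[ch] = buf + (size_t)ch * ls;   /* store through audio_data */
    return (int)(ls * (size_t)nb_channels);
}

/* Hardened wrapper: reject bad arguments before anything is dereferenced,
 * then allocate one buffer for all planes.  Returns total bytes allocated,
 * or -EINVAL / -ENOMEM.  On success audio_data[0] owns the buffer. */
static int samples_alloc_checked(uint8_t **audio_data, int *linesize,
                                 int nb_channels, int nb_samples,
                                 int bytes_per_sample, int align)
{
    if (!audio_data || nb_channels <= 0 || nb_samples <= 0 ||
        bytes_per_sample <= 0 || align <= 0)
        return -EINVAL;

    size_t ls    = align_up((size_t)nb_samples * (size_t)bytes_per_sample,
                            (size_t)align);
    size_t total = ls * (size_t)nb_channels;
    uint8_t *buf = calloc(total, 1);
    if (!buf)
        return -ENOMEM;

    return samples_fill_arrays(audio_data, linesize, buf, nb_channels,
                               nb_samples, bytes_per_sample, align);
}

/* Distance in bytes between the first two planes for the given layout,
 * or -1 if allocation fails.  Lets the layout be checked without a main(). */
static long plane_stride(int nb_channels, int nb_samples,
                         int bytes_per_sample, int align)
{
    uint8_t *planes[8] = {0};
    int linesize = 0;
    if (nb_channels < 2 || nb_channels > 8)
        return -1;
    if (samples_alloc_checked(planes, &linesize, nb_channels, nb_samples,
                              bytes_per_sample, align) < 0)
        return -1;
    long stride = (long)(planes[1] - planes[0]);
    free(planes[0]);
    return stride;
}

int main(void)
{
    /* stereo s16p as in the report: 2 planes of 2-byte samples, 32-byte align */
    uint8_t *planes[2];
    int linesize;
    int n = samples_alloc_checked(planes, &linesize, 2, 1000, 2, 32);
    printf("allocated %d bytes, linesize %d, plane stride %ld\n",
           n, linesize, (long)(planes[1] - planes[0]));
    free(planes[0]);

    /* the unchecked path would fault here; the checked one returns an error */
    printf("NULL output array -> %d (expected %d)\n",
           samples_alloc_checked(NULL, &linesize, 2, 1000, 2, 32), -EINVAL);
    return 0;
}
```

The point of the wrapper is that the validation happens one frame above the store, where the caller's context (channel count, sample count, the array it allocated) is still known; once control is inside the fill routine there is nothing sensible to do with a NULL output array except crash.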