Bug#906532: x264: heap buffer overflow

Jaeseung Choi jschoi.2022 at gmail.com
Sat Aug 18 04:02:11 BST 2018 

Package: x264
Version: 2:0.148.2748+git97eaef2-1
Severity: normal

Dear Maintainer,

Running x264 with the attached poc file raises a heap buffer overflow.

Following gdb log shows the program resulting in segfault.

jason at debian-amd64-stretch:~/report/debian-latest/x264$ gdb x264 -q
Reading symbols from x264...(no debugging symbols found)...done.
(gdb) run --crf 24 -o output.264 ./poc_ovf
Starting program: /usr/bin/x264 --crf 24 -o output.264 ./poc_ovf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffms [info]: 352x288p 12:11 @ 250000/8839 fps (vfr)
x264 [info]: using SAR=12/11
x264 [info]: using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2 AVX FMA3
AVX2 LZCNT BMI2
x264 [info]: profile High, level 1.3

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:364
364     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such
file or directory.
(gdb) x/i $rip
=> 0x7ffff4735f50 <__memmove_avx_unaligned_erms+368>:   vmovdqu
-0x20(%rsi,%rdx,1),%ymm5
(gdb) info reg rsi rdx
rsi            0x555555d21ee0   93825000414944
rdx            0x160    352
(gdb) bt 10
#0  __memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:364
#1  0x00005555555665b6 in ?? ()
#2  0x00005555555666df in ?? ()
#3  0x000055555556840b in ?? ()
#4  0x000055555555b5b9 in ?? ()
#5  0x00007ffff462d2e1 in __libc_start_main (main=0x55555555a030, argc=6,
argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>,
    stack_end=0x7fffffffe5e8) at ../csu/libc-start.c:291
#6  0x000055555555cb3a in ?? ()

When we compiled the source with AddressSanitizer, the program reports a
heap-buffer-overflow error in  x264_cli_plane_copy() function as follow.

jason at debian-amd64-stretch:~/report/source-latest/x264$ ./x264-0.148/x264
--crf 24 -o output.264 poc_ovf
ffms [info]: 352x288p 12:11 @ 250000/8839 fps (vfr)
x264 [info]: using SAR=12/11
x264 [info]: using cpu capabilities: none!
x264 [info]: profile High, level 1.3
=================================================================
==6186==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62c000007a2f at pc 0x0000004aac55 bp 0x7fffffffcf90 sp 0x7fffffffc740
READ of size 352 at 0x62c000007a2f thread T0
    #0 0x4aac54 in __asan_memcpy
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x4aac54)
    #1 0x5174f9 in x264_cli_plane_copy
/home/jason/report/source-latest/x264/x264-0.148/filters/video/internal.c:33:9
    #2 0x5174f9 in x264_cli_pic_copy
/home/jason/report/source-latest/x264/x264-0.148/filters/video/internal.c:55
    #3 0x51cc46 in get_frame
/home/jason/report/source-latest/x264/x264-0.148/filters/video/fix_vfr_pts.c:100:13
    #4 0x4f667d in encode
/home/jason/report/source-latest/x264/x264-0.148/x264.c:1921:13
    #5 0x4f667d in main
/home/jason/report/source-latest/x264/x264-0.148/x264.c:382
    #6 0x7ffff45b02e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x422969 in _start
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x422969)

0x62c000007a2f is located 0 bytes to the right of 30767-byte region
[0x62c000000200,0x62c000007a2f)
allocated by thread T0 here:
    #0 0x4c18d0 in __interceptor_posix_memalign
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x4c18d0)
    #1 0x7ffff552b93f in av_malloc
(/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x2b93f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x4aac54) in
__asan_memcpy
Shadow bytes around the buggy address:
  0x0c587fff8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c587fff8f40: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa



-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages x264 depends on:
ii  libavcodec57   7:3.2.10-1~deb9u1
ii  libavformat57  7:3.2.10-1~deb9u1
ii  libavutil55    7:3.2.10-1~deb9u1
ii  libc6          2.24-11+deb9u3
ii  libffms2-4     2.23-1
ii  libgpac4       0.5.2-426-gc5ad4e4+dfsg5-3+b1
ii  libswscale4    7:3.2.10-1~deb9u1
ii  libx264-148    2:0.148.2748+git97eaef2-1
ii  zlib1g         1:1.2.8.dfsg-5

x264 recommends no packages.

x264 suggests no packages.

-- no debconf information
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-multimedia-maintainers/attachments/20180818/14ff6543/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc_ovf
Type: application/octet-stream
Size: 3060 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-multimedia-maintainers/attachments/20180818/14ff6543/attachment-0001.obj>

More information about the pkg-multimedia-maintainers mailing list