<div dir="ltr"><div dir="ltr"><div dir="ltr">Dear developers,<div><br></div><div> I reported an x264 crash issue to ffmpeg security and Michael Niedermayer suggests I should only report ffmpeg issues by running ffmpeg cli. Since I was not able to reproduce this with ffmpeg libx264, I forward the following to this mailing list instead.</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#313131" face="Arial, sans-serif"><span style="font-size:12px">Best Regards,</span></font><div><font color="#313131" face="Arial, sans-serif"><span style="font-size:12px">Hongxu</span></font></div></div></div></div></div></div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Hongxu Chen</strong> <span dir="ltr"><<a href="mailto:leftcopy.chx@gmail.com">leftcopy.chx@gmail.com</a>></span><br>Date: Fri, Feb 1, 2019 at 11:42 AM<br>Subject: x264 heap-buffer-overflow inside x264_cli_plane_copy<br>To: <<a href="mailto:ffmpeg-security@ffmpeg.org">ffmpeg-security@ffmpeg.org</a>><br></div><br><br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div> (I followed <a href="https://www.videolan.org/developers/x264.html" target="_blank">https://www.videolan.org/developers/x264.html</a> about the crash bugs and came here; forgive me if I came to the wrong place.)</div><div><br></div><div> We found x264 may have a heap-buffer-overflow issue. Here is an error reported by AddressSanitizer when executing "x264 --threads 1 --quiet --output /dev/null hbo_internal.c:34_2".</div><div><br></div><div><div>=================================================================</div><div>==66950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f32d900d82f at pc 0x0000004bf7e1 bp 0x7ffd9ba0ac70 sp 0x7ffd9ba0a420</div><div>READ of size 1408 at 0x7f32d900d82f thread T0</div><div> #0 0x4bf7e0 in __asan_memcpy (/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x4bf7e0)</div><div> #1 0x525a7d in x264_cli_plane_copy /home/ubuntu/work/x264/x264-asan/filters/video/internal.c:34:9</div><div> #2 0x525dec in x264_cli_pic_copy /home/ubuntu/work/x264/x264-asan/filters/video/internal.c:56:9</div><div> #3 0x529fb8 in get_frame /home/ubuntu/work/x264/x264-asan/filters/video/fix_vfr_pts.c:100:13</div><div> #4 0x512ff7 in encode /home/ubuntu/work/x264/x264-asan/x264.c:1980:13</div><div> #5 0x50ea89 in main_internal /home/ubuntu/work/x264/x264-asan/x264.c:388:15</div><div> #6 0x5b66cb in x264_stack_align (/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x5b66cb)</div><div><br></div><div>0x7f32d900d82f is located 0 bytes to the right of 405551-byte region [0x7f32d8faa800,0x7f32d900d82f)</div><div>allocated by thread T0 here:</div><div> #0 0x4d51f8 in __interceptor_posix_memalign (/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x4d51f8)</div><div> #1 0x7f32f0215762 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31762)</div><div><br></div><div>SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x4bf7e0) in __asan_memcpy</div><div>Shadow bytes around the buggy address:</div><div> 0x0fe6db1f9ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</div><div> 0x0fe6db1f9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</div><div> 0x0fe6db1f9ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</div><div> 0x0fe6db1f9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</div><div> 0x0fe6db1f9af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</div><div>=>0x0fe6db1f9b00: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa</div><div> 0x0fe6db1f9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</div><div> 0x0fe6db1f9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</div><div> 0x0fe6db1f9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</div><div> 0x0fe6db1f9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</div><div> 0x0fe6db1f9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa</div><div>Shadow byte legend (one shadow byte represents 8 application bytes):</div><div> Addressable: 00</div><div> Partially addressable: 01 02 03 04 05 06 07 </div><div> Heap left redzone: fa</div><div> Freed heap region: fd</div><div> Stack left redzone: f1</div><div> Stack mid redzone: f2</div><div> Stack right redzone: f3</div><div> Stack after return: f5</div><div> Stack use after scope: f8</div><div> Global redzone: f9</div><div> Global init order: f6</div><div> Poisoned by user: f7</div><div> Container overflow: fc</div><div> Array cookie: ac</div><div> Intra object redzone: bb</div><div> ASan internal: fe</div><div> Left alloca redzone: ca</div><div> Right alloca redzone: cb</div><div>==66950==ABORTING</div><div>[1] 66950 abort ~/work/x264/x264-asan/install/bin/x264 --threads 1 --quiet --output /dev/null</div></div><div><br></div><div>The crash site is a call to memcpy however it seems that it should have been wrong earlier (values of "w"/"h").</div><div>Plus, there seem some non-deterministic behaviors since each time it may crash at different iterations of call to memcpy.</div><br clear="all"><div><div dir="ltr" class="gmail-m_-7680758572900914612gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#313131" face="Arial, sans-serif"><span style="font-size:12px">Best Regards,</span></font><div><font color="#313131" face="Arial, sans-serif"><span style="font-size:12px">Hongxu</span></font></div></div></div></div></div></div></div></div></div></div>
</div></div></div></div></div>