[x264-devel] Fwd: x264 heap-buffer-overflow inside x264_cli_plane_copy

Hongxu Chen leftcopy.chx at gmail.com
Sat Feb 2 04:44:45 CET 2019 

Dear developers,

    I reported an x264 crash issue to ffmpeg security and Michael
Niedermayer suggests I should only report ffmpeg issues by running ffmpeg
cli. Since I was not able to reproduce this with ffmpeg libx264, I forward
the following to this mailing list instead.

Best Regards,
Hongxu


---------- Forwarded message ---------
From: Hongxu Chen <leftcopy.chx at gmail.com>
Date: Fri, Feb 1, 2019 at 11:42 AM
Subject: x264 heap-buffer-overflow inside x264_cli_plane_copy
To: <ffmpeg-security at ffmpeg.org>


Hi,

    (I followed https://www.videolan.org/developers/x264.html about the
crash bugs and came here; forgive me if I came to the wrong place.)

    We found x264 may have a heap-buffer-overflow issue. Here is an error
reported by AddressSanitizer when executing "x264 --threads 1 --quiet
--output /dev/null hbo_internal.c:34_2".

=================================================================
==66950==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f32d900d82f at pc 0x0000004bf7e1 bp 0x7ffd9ba0ac70 sp 0x7ffd9ba0a420
READ of size 1408 at 0x7f32d900d82f thread T0
    #0 0x4bf7e0 in __asan_memcpy
(/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x4bf7e0)
    #1 0x525a7d in x264_cli_plane_copy
/home/ubuntu/work/x264/x264-asan/filters/video/internal.c:34:9
    #2 0x525dec in x264_cli_pic_copy
/home/ubuntu/work/x264/x264-asan/filters/video/internal.c:56:9
    #3 0x529fb8 in get_frame
/home/ubuntu/work/x264/x264-asan/filters/video/fix_vfr_pts.c:100:13
    #4 0x512ff7 in encode /home/ubuntu/work/x264/x264-asan/x264.c:1980:13
    #5 0x50ea89 in main_internal
/home/ubuntu/work/x264/x264-asan/x264.c:388:15
    #6 0x5b66cb in x264_stack_align
(/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x5b66cb)

0x7f32d900d82f is located 0 bytes to the right of 405551-byte region
[0x7f32d8faa800,0x7f32d900d82f)
allocated by thread T0 here:
    #0 0x4d51f8 in __interceptor_posix_memalign
(/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x4d51f8)
    #1 0x7f32f0215762 in av_malloc
(/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31762)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/ubuntu/work/x264/x264-asan/install/bin/x264+0x4bf7e0) in
__asan_memcpy
Shadow bytes around the buggy address:
  0x0fe6db1f9ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6db1f9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6db1f9ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6db1f9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6db1f9af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe6db1f9b00: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
  0x0fe6db1f9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe6db1f9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe6db1f9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe6db1f9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe6db1f9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==66950==ABORTING
[1]    66950 abort      ~/work/x264/x264-asan/install/bin/x264 --threads 1
--quiet --output /dev/null

The crash site is a call to memcpy however it seems that it should have
been wrong earlier (values of "w"/"h").
Plus, there seem some non-deterministic behaviors since each time it may
crash at different iterations of call to memcpy.

Best Regards,
Hongxu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/x264-devel/attachments/20190202/dbfa50ad/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hbo_internal.c:34_2
Type: application/octet-stream
Size: 14 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/x264-devel/attachments/20190202/dbfa50ad/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hbo_internal.c:34_1
Type: application/octet-stream
Size: 14 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/x264-devel/attachments/20190202/dbfa50ad/attachment-0001.obj>

More information about the x264-devel mailing list