=======
Product: ffmpeg
Affected Versions: <= 3.1.2
Vulnerability Type: Heap Overflow
Security Risk: High
Credit: Yaoguang Chen of Aliapy unLimit Security Team

Introduction
============

$ ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png
ffmpeg version 3.1.2 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
  configuration: --prefix=/home/burningcodes/ffmpeg_debug_312/ --disable-yasm --assert-level=2 --enable-debug=3 --disable-optimizations --disable-asm --disable-stripping
  libavutil 55. 28.100 / 55. 28.100
  libavcodec 57. 48.101 / 57. 48.101
  libavformat 57. 41.100 / 57. 41.100
  libavdevice 57. 0.101 / 57. 0.101
  libavfilter 6. 47.100 / 6. 47.100
  libswscale 4. 1.100 / 4. 1.100
  libswresample 2. 1.100 / 2. 1.100
*** Error in `ffmpeg_debug_312/bin/ffmpeg': free(): invalid next size (normal): 0x00000000024a44c0 ***
Aborted (core dumped)

gdb backtrace:

$ gdb ffmpeg_debug_312/bin/ffmpeg /tmp/core.1471448229 -q
Reading symbols from ffmpeg_debug_312/bin/ffmpeg...done.
[New LWP 6771]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ffmpeg_debug_312/bin/ffmpeg -i tiled_with_deeptile_type.exr -y xx.png'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f100f696267 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007f100f696267 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f100f697eca in __GI_abort () at abort.c:89
#2  0x00007f100f6d9c53 in __libc_message (do_abort=do_abort@entry=0x1, fmt=fmt@entry=0x7f100f7f21a8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f100f6e1c69 in malloc_printerr (ptr=<optimized out>, str=0x7f100f7f2300 "free(): invalid next size (normal)", action=0x1) at malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
#5  0x00007f100f6e589c in __GI___libc_free (mem=<optimized out>) at malloc.c:2950
#6  0x00000000013e3039 in av_free (ptr=0x24a44c0) at libavutil/mem.c:239
#7  0x00000000013d149c in av_buffer_default_free (opaque=0x0, data=0x24a44c0 "\377\377\360j \241\377\377\377\377\020^") at libavutil/buffer.c:63
#8  0x00000000013d165d in buffer_replace (dst=0x7ffd71aa3180, src=0x0) at libavutil/buffer.c:119
#9  0x00000000013d169d in av_buffer_unref (buf=0x7ffd71aa3180) at libavutil/buffer.c:129
#10 0x00000000008184e6 in av_packet_unref (pkt=0x7ffd71aa3180) at libavcodec/avpacket.c:566
#11 0x000000000069e1bb in ff_img_read_packet (s1=0x248c2c0, pkt=0x7ffd71aa3180) at libavformat/img2dec.c:502
#12 0x00000000007a4dc1 in ff_read_packet (s=0x248c2c0, pkt=0x7ffd71aa3180) at libavformat/utils.c:759
#13 0x00000000007a7ef3 in read_frame_internal (s=0x248c2c0, pkt=0x7ffd71aa3460) at libavformat/utils.c:1457
#14 0x00000000007af3c4 in avformat_find_stream_info (ic=0x248c2c0, options=0x248d110) at libavformat/utils.c:3475
#15 0x00000000004103f2 in open_input_file (o=0x7ffd71aa37b0, filename=0x7ffd71aa41c6 "tiled_with_deeptile_type.exr") at ffmpeg_opt.c:1002
#16 0x0000000000419274 in open_files (l=0x248c058, inout=0x1413717 "input", open_file=0x40fa95 <open_input_file>) at ffmpeg_opt.c:3036
#17 0x0000000000419401 in ffmpeg_parse_options (argc=0x5, argv=0x7ffd71aa3d98) at ffmpeg_opt.c:3073
#18 0x000000000042e8a6 in main (argc=0x5, argv=0x7ffd71aa3d98) at ffmpeg.c:4335
#19 0x00007f100f681a40 in __libc_start_main (main=0x42e7c6 <main>, argc=0x5, argv=0x7ffd71aa3d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd71aa3d88) at libc-start.c:289
#20 0x00000000004061c9 in _start ()

Note on the trace: the abort is raised by glibc's free() consistency check (frames #3-#5, "invalid next size") when av_packet_unref releases the packet buffer inside ff_img_read_packet (frames #10-#11), which is called while avformat_find_stream_info probes the input (frame #14). That check fails because the size field of the heap chunk adjacent to the freed buffer has already been overwritten, so the corruption occurred before the free — consistent with the reported heap overflow rather than a defect at the free site itself.