Submit #621825: libav avconv 13 && the newest master Double-free

Title: libav avconv 13 && the newest master Double-free
Description: Double-free memory corruption in DSS (Digital Speech Standard) format demuxer during cleanup phase, leading to program abort.

## How to reproduce:

```
% avconv -ss 0.1 -i /workspace/POC/POC_libav_avconv_abort_dss_doublefree -f null -
avconv version 13_dev0, Copyright (c) 2000-2018 the Libav developers
  built on Jul 19 2025 14:57:50 with Ubuntu clang version 16.0.6 (++20231112100510+7cbf1a259152-1~exp1~20231112100554.106)
  configuration: --cc=/Fuzzer/AFL++/afl-clang-lto --extra-cflags= --prefix=/workspace/benchmark/program/libav-c464278-Apr16-2019/install --disable-shared --enable-static --disable-x86asm --disable-inline-asm
  libavutil      56.  8. 0 / 56.  8. 0
  libavcodec     58. 12. 1 / 58. 12. 1
  libavformat    58.  2. 0 / 58.  2. 0
  libavdevice    57.  0. 2 / 57.  0. 2
  libavfilter     7.  1. 0 /  7.  1. 0
  libavresample   4.  0. 0 /  4.  0. 0
  libswscale      5.  0. 1 /  5.  0. 1
[dss @ 0x555557165800] Estimating duration from bitrate, this may be inaccurate
/workspace/POC/POC_libav_avconv_abort_dss_doublefree: could not seek to position 0.100
Input #0, dss, from '/workspace/POC/POC_libav_avconv_abort_dss_doublefree':
  Metadata:
    author          : �0
    date            : 2000-32-00T32768:-341855643:-352951808
    comment         :
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Audio: dss_sp 11025 Hz, mono, s16
Stream mapping:
  Stream #0:0 -> #0:0 (dss_sp (native) -> pcm_s16le (native))
Press ctrl-c to stop encoding
Nothing was written into output file 0 (pipe:), because at least one of its streams received no packets.
size=       0kB time=10000000000.00 bitrate=   0.0kbits/s
video:0kB audio:0kB other streams:0kB global headers:0kB muxing overhead: unknown
free(): invalid pointer
Aborted (core dumped)
```

## GDB Analysis:

```
Program received signal SIGABRT, Aborted.
pthread_kill_implementation (no_tid=0, signo=6, threadid=140737349322624) at ./nptl/pthread_kill.c:44
#0  pthread_kill_implementation (no_tid=0, signo=6, threadid=140737349322624) at ./nptl/pthread_kill.c:44
#1  pthread_kill_internal (signo=6, threadid=140737349322624) at ./nptl/pthread_kill.c:78
#2  GI_pthread_kill (threadid=140737349322624, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7baf476 in GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7b957f3 in GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7bf6677 in libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7d48b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6  0x00007ffff7c0dcfc in malloc_printerr (str=str@entry=0x7ffff7d46744 "free(): invalid pointer") at ./malloc/malloc.c:5664
#7  0x00007ffff7c0fa44 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at ./malloc/malloc.c:4439
#8  0x00007ffff7c12453 in GI_libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9  0x000055555596822b in av_free (ptr=0x3dc3de) at libavutil/mem.c:189
#10 dss_read_close (s=<optimized out>) at libavformat/dss.c:328
#11 0x000055555589cb30 in avformat_close_input (ps=<optimized out>) at libavformat/utils.c:2751
#12 avconv_cleanup (ret=<optimized out>) at avtools/avconv.c:217
#13 0x0000555555887543 in exit_program (ret=0) at avtools/cmdutils.c:98
#14 0x0000555555896962 in main (argc=<optimized out>, argv=<optimized out>) at avtools/avconv.c:2983
```

## Root Cause:

The crash occurs in the DSS demuxer's cleanup function dss_read_close() at line 328 in libavformat/dss.c. The function attempts to free a pointer (0x3dc3de) that has either:

- Already been freed (double-free)
- Was never properly allocated
- Has been corrupted

The malformed DSS file triggers incorrect memory management in the DSS format handler, leading to heap corruption.

## POC File:

The malformed DSS file is available at:

/workspace/POC/POC_libav_avconv_abort_dss_doublefree

https://drive.google.com/file/d/1I4VVXGys156UdeSTgya_GGxLZxwuxUPw/view?usp=sharing
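The root-cause section above lists three ways a demuxer close hook can end up passing a bad pointer to free(): a buffer freed twice, a pointer that was never allocated (for instance when header parsing bails out early), or a corrupted field. The following C example is added here as an illustration of the defensive pattern that makes a cleanup function robust against all three of the first two cases; it is not code from libav, and `DemuxCtx`, `ctx_alloc`, `ctx_read_header`, `ctx_read_close` and `demo_safe_cleanup` are hypothetical names chosen for the demonstration. It uses a zero-initialised context (the same idea as av_mallocz) and a free-and-null helper (the same idea as av_freep), so that closing a context that was never fully opened, or closing it twice, is a harmless no-op rather than an invalid free.

```c
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical demuxer private context (not the real DSS context from libavformat/dss.c). */
typedef struct DemuxCtx {
    unsigned char *sp_buf;   /* heap buffer owned by the context, NULL when not allocated */
    size_t         sp_buf_size;
    int            opened;   /* 1 after a successful header parse */
} DemuxCtx;

/* Free-and-null, like libavutil's av_freep(): clearing the field is what makes a
 * second cleanup pass safe, because free(NULL) is defined to do nothing. */
#define FREEP(p) do { free(p); (p) = NULL; } while (0)

/* Zero-initialised allocation (like av_mallocz): every pointer field starts as NULL,
 * so cleanup never sees an uninitialised value such as the 0x3dc3de in the report. */
DemuxCtx *ctx_alloc(void)
{
    return calloc(1, sizeof(DemuxCtx));
}

/* Header parsing that can fail part-way. A size of 0 or an absurdly large size is
 * treated as malformed input and rejected before anything is allocated. */
int ctx_read_header(DemuxCtx *c, size_t buf_size)
{
    if (!c)
        return -1;
    if (buf_size == 0 || buf_size > ((size_t)1 << 20))
        return -1;                      /* nothing allocated: nothing to clean up */
    c->sp_buf = malloc(buf_size);
    if (!c->sp_buf)
        return -1;
    c->sp_buf_size = buf_size;
    c->opened = 1;
    return 0;
}

/* Cleanup hook: safe on a context that was never opened and safe to call repeatedly. */
int ctx_read_close(DemuxCtx *c)
{
    if (!c)
        return -1;
    FREEP(c->sp_buf);
    c->sp_buf_size = 0;
    c->opened = 0;
    return 0;
}

/* Exercise the two risky paths from the report: cleanup after a failed header parse,
 * and cleanup invoked twice on the same context. Returns 1 when both are survived
 * with the context left in a consistent state. */
int demo_safe_cleanup(void)
{
    DemuxCtx *c = ctx_alloc();
    if (!c)
        return 0;

    /* Path 1: constructed malformed input (size 0) makes the header parse fail;
     * the close hook must not touch anything it did not allocate. */
    if (ctx_read_header(c, 0) == 0) {   /* should have failed */
        free(c);
        return 0;
    }
    ctx_read_close(c);

    /* Path 2: a successful open followed by two closes (e.g. the caller's normal
     * cleanup plus an error path) must not free the buffer twice. */
    if (ctx_read_header(c, 64) != 0) {
        free(c);
        return 0;
    }
    ctx_read_close(c);
    ctx_read_close(c);

    int ok = (c->sp_buf == NULL && c->sp_buf_size == 0 && c->opened == 0);
    free(c);
    return ok;
}
```

Building this with AddressSanitizer (for example `-fsanitize=address`) is the quickest way to confirm that neither path triggers an invalid or double free; with the FREEP macro replaced by a plain free(), the second close in path 2 is reported immediately, which is the class of defect the report's backtrace shows in dss_read_close().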
Source: https://trac.ffmpeg.org/ticket/11680
User: Anonymous User
Submitted: 24.07.2025 12:04 (11 months ago)
Moderated: 05.08.2025 10:57 (12 days later)
Status: Accepted
VulDB Entry: 318818 [libav up to 12.3 DSS File Demuxer /avtools/avconv.c main buffer overflow]
Points: 20
