Bug 1015120 - (CVE-2016-9561) VUL-0: CVE-2016-9561: ffmpeg: Huge amount memory allocated, resulting in DoS of ffmpeg
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Jan Engelhardt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/177272/
Depends on:
Blocks:
Reported: 2016-12-12 12:38 UTC by Marcus Meissner
Modified: 2018-07-18 14:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-12-12 12:38:50 UTC
CVE-2016-9561

Subject: [CVE-2016-9561] ffmpeg crashes on decoding MOV file
From: 连一汉 <lianyihan () 360 cn>
Date: Thu, 8 Dec 2016 02:33:57 +0000


Hi, I'm Lian Yihan, a security researcher in the Qihoo 360 Gear Team.

I found a vulnerability in ffmpeg <= 3.2. When ffmpeg decodes a small crafted MOV file of just a few megabits, it will allocate a huge amount of memory (about a few gigabits) and then be killed by the OS.

========================= target version ==========================

Ffmpeg 3.2

========================= target command =========================

Ffmpeg -i input.mov -y 1.ts

============================= key information ==========================

0x00000000007ae7b6 in avformat_find_stream_info (ic=0x2173290, options=0x7ffff7f74010) at libavformat/utils.c:3377
3377            avctx = st->internal->avctx;

(gdb) p ic->nb_streams
$3 = 26418
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Breakpoint 3, che_configure (ac=0x19ff1810, che_pos=AAC_CHANNEL_FRONT, type=1, id=0, channels=0x7fffffffd458) at libavcodec/aacdec_template.c:135
135                 if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))   // malloc a big memory on every loop.
(gdb) p sizeof(ChannelElement)
$4 = 547744

The total memory allocated is about 26418*547744 at last.

============================ my test info ===========================

ffmpeg version 3.2 Copyright (c) 2000-2016 the FFmpeg developers
  built with clang version 3.8.0 (tags/RELEASE_380/final)
  configuration: --cc=afl-clang-fast --enable-debug=3 --disable-asm --disable-stripping --disable-optimizations --disable-shared
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.100 / 57. 64.100
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x2a582b0] overread end of atom 'tkhd' by 32 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x2a582b0] stream 1, timescale not set Killed

-----Original Message-----
From: cve-request () mitre org [mailto:cve-request () mitre org]
Sent: 23 November 2016 8:40
To: 连一汉
Cc: cve-request () mitre org
Subject: Re: [scr264871] Huge memory allocated

    [VulnerabilityType Other]
    Huge memory allocated, resulting in DoS of ffmpeg.

    ------------------------------------------

    [Affected Product Code Base]
    ffmpeg - 3.2


Use CVE-2016-9561.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9561
http://seclists.org/oss-sec/2016/q4/626
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9561.html
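The report above boils down to an attacker-controlled count (nb_streams = 26418) multiplied by a large fixed per-stream allocation (sizeof(ChannelElement) = 547744), with no bound on the product. The defensive pattern is to validate the declared count against a hard cap and to charge every per-stream allocation against a per-input byte budget, so the loop stops long before the OOM killer does. The following C program is an added example written for this page; it is not FFmpeg code and not the upstream fix for this bug. The only figure taken from the report is the 547744-byte element size; the 4-byte header format, the MAX_STREAMS cap, the 256 MiB budget and all function names are constructed for illustration.

```c
/* Added example, not FFmpeg code and not the upstream fix for CVE-2016-9561:
 * a toy container parser that reads a stream count from an untrusted header
 * and allocates per-stream decoder state, but bounds both the count and the
 * total bytes allocated before ever calling the allocator.
 * Only CHANNEL_ELEMENT_SIZE comes from the bug report; everything else is
 * constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHANNEL_ELEMENT_SIZE 547744u       /* sizeof(ChannelElement) from the gdb session */
#define MAX_STREAMS          256u          /* constructed hard cap on declared streams */
#define DEFAULT_BUDGET       (256u << 20)  /* constructed: 256 MiB of decoder state per input */

typedef struct {
    size_t used;   /* bytes handed out so far for this input */
    size_t limit;  /* bytes we are willing to hand out in total */
} alloc_budget;

/* calloc that refuses to exceed the per-input budget instead of letting a
 * header-controlled loop allocate until the OS kills the process. */
static void *budget_calloc(alloc_budget *b, size_t size)
{
    if (size > b->limit - b->used)
        return NULL;
    void *p = calloc(1, size);
    if (p)
        b->used += size;
    return p;
}

typedef struct {
    void        **streams;
    unsigned      nb_streams;
    alloc_budget  budget;
} demux_ctx;

/* Parse a constructed 4-byte big-endian stream count and set up decoder state
 * for each stream. Returns the number of streams actually set up, or -1 if
 * the header is rejected outright. */
static int open_streams(demux_ctx *ctx, const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < 4)
        return -1;
    uint32_t declared = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
                      | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];

    /* A count read from the file is attacker-controlled: validate it before
     * sizing any allocation by it. */
    if (declared == 0 || declared > MAX_STREAMS)
        return -1;

    ctx->streams = calloc(declared, sizeof(*ctx->streams));
    if (!ctx->streams)
        return -1;

    for (uint32_t i = 0; i < declared; i++) {
        void *che = budget_calloc(&ctx->budget, CHANNEL_ELEMENT_SIZE);
        if (!che)
            break;  /* budget exhausted: stop early and keep what we have */
        ctx->streams[ctx->nb_streams++] = che;
    }
    return (int)ctx->nb_streams;
}

static void close_streams(demux_ctx *ctx)
{
    for (unsigned i = 0; i < ctx->nb_streams; i++)
        free(ctx->streams[i]);
    free(ctx->streams);
    ctx->streams = NULL;
    ctx->nb_streams = 0;
}

/* Build a header declaring `declared` streams, parse it under `limit` bytes
 * of budget, free everything, and return what open_streams reported. */
int run_with_header(uint32_t declared, size_t limit)
{
    uint8_t hdr[4] = { (uint8_t)(declared >> 24), (uint8_t)(declared >> 16),
                       (uint8_t)(declared >> 8),  (uint8_t)declared };
    demux_ctx ctx = { .streams = NULL, .nb_streams = 0,
                      .budget = { .used = 0, .limit = limit } };
    int n = open_streams(&ctx, hdr, sizeof hdr);
    close_streams(&ctx);
    return n;
}

int main(void)
{
    /* The report's 26418 streams * 547744 bytes (about 14 GB) never reaches
     * the allocator: it fails the count check. A modest count fits the
     * budget; a tight budget stops the loop after 30 elements. */
    printf("26418 streams:              %d\n", run_with_header(26418, DEFAULT_BUDGET));
    printf("100 streams:                %d\n", run_with_header(100, DEFAULT_BUDGET));
    printf("200 streams, 16 MiB budget: %d\n", run_with_header(200, 16u << 20));
    return 0;
}
```

Two independent checks are deliberately kept: the count cap rejects obviously absurd headers before any allocation, and the byte budget catches the case where each individual count is plausible but the per-element size makes the product unreasonable. The 16 MiB run shows the second check at work: 16777216 / 547744 leaves room for exactly 30 elements, after which budget_calloc returns NULL and the loop exits cleanly.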
Comment 1 Swamp Workflow Management 2016-12-12 23:00:35 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2017-04-18 18:00:57 UTC
This is an autogenerated message for OBS integration:
This bug (1015120) was mentioned in
https://build.opensuse.org/request/show/489155 42.1 / ffmpeg
Comment 3 Swamp Workflow Management 2017-05-29 16:09:20 UTC
openSUSE-SU-2017:1433-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg2-2.8.11-25.3.1
Comment 4 Swamp Workflow Management 2017-06-11 13:08:55 UTC
openSUSE-SU-2017:1531-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022921,1022922
CVE References: CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-5024,CVE-2017-5025
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-3.1.8-8.1
Comment 5 Swamp Workflow Management 2017-06-11 13:12:21 UTC
openSUSE-SU-2017:1532-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1015120,1022921,1022922,1034176,1034177,1034179,980542
CVE References: CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg2-2.8.11-12.1
Comment 6 Marcus Meissner 2017-06-12 06:58:29 UTC
released
Comment 7 Swamp Workflow Management 2017-09-15 22:12:49 UTC
openSUSE-SU-2017:2502-1: An update that solves 20 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179,1046211,1049095,1056760,1056761,1056762,1056763,1056765,1056766,1057536,1057537,1057539,1058018,1058019,1058020
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-11399,CVE-2017-14054,CVE-2017-14055,CVE-2017-14056,CVE-2017-14057,CVE-2017-14058,CVE-2017-14059,CVE-2017-14169,CVE-2017-14170,CVE-2017-14171,CVE-2017-14222,CVE-2017-14223,CVE-2017-14225,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.3.4-7.1, ffmpeg2-2.8.13-32.1, lame-3.99.5-2.1, twolame-0.3.13-2.1
Comment 8 Swamp Workflow Management 2018-07-18 14:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1015120) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq