FFmpeg is a popular and active multimedia library; it contains nearly 500k lines of code. FFmpeg has been extensively fuzzed.
We gave the prototype of WindRanger to a security expert to see whether it could help her find bugs. Specifically, we gave the expert the instructions for using WindRanger; the expert selected some suspicious program locations and provided them to WindRanger as target sites for fuzzing.
The left table shows the specific location information and whether the location had been reached during fuzzing.
Eventually, an assertion failure was found at location mathematics.c:172. Note that all assertions are removed in the release version of the program, so the assertion failure found by WindRanger can possibly lead to security issues in the release version of FFmpeg. The source code snippet of the failed assertion is as follows
Line 172 of function av_rescale_delta was set as the target site; WindRanger focused on testing this target and found an input that causes this assertion to fail. Below is the call site of function av_rescale_delta (line 2110), which is in function streamcopy
In some extreme cases, the function av_get_audio_frame_duration may return a negative frame duration value (line 2107). The negative value is then propagated to function av_rescale_delta (line 2110), causing the line 172 assertion in av_rescale_delta to fail.
The assertion failure has been confirmed by the developers and fixed in the latest version of FFmpeg. It has received a CVE ID. (For anonymity, we temporarily omit the detailed information about this vulnerability, e.g. the CVE ID number and the bug description.) The patch that fixes this failure is as follows
The duration value returned by function av_get_audio_frame_duration is clamped with FFMAX to ensure that it is never negative.
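As an added illustration (not FFmpeg's source code, WindRanger's output, or the actual patch), the C program below models the call chain described above: a stand-in for av_rescale_delta whose precondition check is turned into an error return instead of an abort, a caller that forwards a negative frame duration unchanged, and the same caller with the FFMAX clamp applied. FFMAX is FFmpeg's macro; every other function name and the rescale arithmetic are simplified assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* FFmpeg's FFMAX macro, the clamp used in the patch described above. */
#define FFMAX(a, b) ((a) > (b) ? (a) : (b))

/*
 * Simplified stand-in for av_rescale_delta (assumption: not the real function).
 * The real function asserts on its preconditions; here the check on the
 * duration is modelled as an error return so the bad path can be exercised
 * without aborting. Rescales duration by num/den. Returns 0 on success,
 * -1 if the assertion would have fired on a negative duration.
 */
static int rescale_delta_model(int64_t duration, int64_t num, int64_t den,
                               int64_t *out)
{
    if (duration < 0)            /* the condition violated by the fuzzer input */
        return -1;
    *out = duration * num / den; /* placeholder for the real rescale arithmetic */
    return 0;
}

/* Caller as described before the patch: the frame duration is passed through. */
static int streamcopy_before(int64_t frame_duration, int64_t *out)
{
    return rescale_delta_model(frame_duration, 1, 2, out);
}

/* Caller as described after the patch: the duration is clamped first. */
static int streamcopy_after(int64_t frame_duration, int64_t *out)
{
    int64_t duration = FFMAX(frame_duration, 0);
    return rescale_delta_model(duration, 1, 2, out);
}

int main(void)
{
    int64_t out = 0;
    /* Constructed value standing in for the negative duration that
       av_get_audio_frame_duration returned on the crashing input. */
    int64_t bad_duration = -1;
    printf("before patch: %s\n",
           streamcopy_before(bad_duration, &out) ? "assertion would fail" : "ok");
    printf("after patch:  %s (rescaled duration %lld)\n",
           streamcopy_after(bad_duration, &out) ? "assertion would fail" : "ok",
           (long long)out);
    return 0;
}
```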