Posted by Mateusz Jurczyk and Gynvael Coldwind, Information Security Engineers Vulnerabilities - Application Security ” list. We also try to employ the extensive computing power of our data centers in order to solve some of the security challenges by performing large-scale automated testing, commonly known as fuzzing.FFmpeg , a large cross-platform solution to record, convert and stream audio and video written in C. It is used in multiple applications and software libraries such as Google Chrome, MPlayer, VLC or xine. We started relatively small by making use of trivial mutation algorithms, some 500 cores and input media samples gathered from readily available sources such as the samples.mplayerhq.hu sample base and FFmpeg FATE regression testing suite. Later on, we grew to more complex and effective mutation methods, 2000 cores and an input corpus supported by sample files improving the overall code coverage.$ git log | grep Jurczyk | grep -c Coldwind 1120 c77be3a35a0160d6af88056b0899f120f2eef38e ). Since then, we have carried out several dozen fuzzing iterations (each typically resulting in less crashes than the previous ones) over the last two years, identifying bugs of a number of different classes:
NULL pointer dereferences,
Invalid pointer arithmetic leading to SIGSEGV due to unmapped memory access,
Out-of-bounds reads and writes to stack, heap and static-based arrays,
Invalid free() calls,
Double free() calls over the same pointer,
Division errors,
Assertion failures,
Use of uninitialized memory.
We have simultaneously worked with the developers of Libav, an independent fork of FFmpeg, in order to have both projects represent an equal, high level of robustness and security posture. Today, Libav is at 413 fixes and the library is slowly but surely catching up with FFmpeg."Found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind" and watch out for new stable versions of the software packages.here or here .
Follow
4 commentaires :
Fantastic! We use FFMPEG heavily ourselves, thanks for your efforts!
Thanks very much for taking the time to do this! We use FFMpeg and really appreciate the increased stability.
>Until we can declare both projects "fuzz clean" we recommend that people refrain from using either of the two projects to process untrusted media files.
Are there any open source media projects that are fuzz clean?
Great!
Publier un commentaire