[libav-bugs] [Bug 96] New: heap-buffer-overflow in avfilter on corrupt mpeg-2 stream

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Wed Nov 23 20:21:23 CET 2011


http://bugzilla.libav.org/show_bug.cgi?id=96

           Summary: heap-buffer-overflow in avfilter on corrupt mpeg-2
                    stream
           Product: Libav
           Version: git HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: libavfilter
        AssignedTo: bugzilla at libav.org
        ReportedBy: alex.converse at gmail.com


Created attachment 58
  --> http://bugzilla.libav.org/attachment.cgi?id=58
Full decoding log

avconv -i ~/Downloads/lol-mpeg2.mp4 -f null -
avconv version v0.7-1925-ga78fa3b, Copyright (c) 2000-2011 the Libav developers
  built on Nov 23 2011 10:15:48 with clang 3.1 (trunk 144800)
[mpeg2video @ 0x7f161d3de880] slice below image (41 >= 36)
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from
'/home/aconverse/Downloads/lol-mpeg2.mp4':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2mp41
    creation_time   : 1970-01-01 00:00:00
    encoder         : Lavf52.61.0
aconverse at garak ~/local/src-ext/libav/build$ head -n 20
/home/aconverse/Downloads/lol-mpeg2.log 
avconv version v0.7-1925-ga78fa3b, Copyright (c) 2000-2011 the Libav developers
  built on Nov 23 2011 10:15:48 with clang 3.1 (trunk 144800)
[mpeg2video @ 0x7f161d3de880] slice below image (41 >= 36)
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from
'/home/aconverse/Downloads/lol-mpeg2.mp4':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2mp41
    creation_time   : 1970-01-01 00:00:00
    encoder         : Lavf52.61.0
  Duration: 00:00:29.32, start: 0.000000, bitrate: 6391 kb/s
    Stream #0.0(und): Video: mpeg2video (Main), yuv420p, 720x576 [PAR 16:15 DAR
4:3], 8000 kb/s, 24.52 fps, 25 tbr, 50 tbn, 50 tbc
    Metadata:
      creation_time   : 1970-01-01 00:00:00
[buffer @ 0x7f161e45f980] w:720 h:576 pixfmt:yuv420p
Output #0, null, to 'pipe:':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2mp41

>>> SNIP <<<

[mpeg2video @ 0x7f161d3de880] concealing 1620 DC, 1620 AC, 1620 MV errors
=================================================================
==29483== ERROR: AddressSanitizer heap-buffer-overflow on address
0x7f161bce6a90 at pc 0x147e0c4 bp 0x7fff1a581d90 sp 0x7fff1a581d68
READ of size 1 at 0x7f161bce6a90 thread T0
    #0 0x147e0c4 in av_image_copy_plane
/usr/local/google/home/aconverse/src-ext/libav/libav/libavutil/imgutils.c:231
    #1 0x4a42a9 in request_frame
/usr/local/google/home/aconverse/src-ext/libav/libav/libavfilter/vsrc_buffer.c:134
    #2 0x46c8fd in avfilter_request_frame
/usr/local/google/home/aconverse/src-ext/libav/libav/libavfilter/avfilter.c:373
    #3 0x46c960 in avfilter_request_frame
/usr/local/google/home/aconverse/src-ext/libav/libav/libavfilter/avfilter.c:377
    #4 0x45ac37 in get_filtered_video_frame
/usr/local/google/home/aconverse/src-ext/libav/libav/cmdutils.c:1036
    #5 0x44bd28 in transcode_video
/usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:1786
    #6 0x43ea0e in transcode
/usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:2519
    #7 0x7f161f02cc4d in __libc_start_main ??:0
    #8 0x434229 in _start ??:0
0x7f161bce6a90 is located 0 bytes to the right of 457232-byte region
[0x7f161bc77080,0x7f161bce6a90)
allocated by thread T0 here:
    #0 0x14a1e5a in posix_memalign _asan_rtl_
    #1 0x1483ea3 in av_malloc
/usr/local/google/home/aconverse/src-ext/libav/libav/libavutil/mem.c:83
    #2 0xf3c92e in avcodec_default_get_buffer
/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/utils.c:331
    #3 0xd0bdb7 in alloc_frame_buffer
/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/mpegvideo.c:240
==29483== ABORTING
Shadow byte and word:
  0x1fe2c379cd52: fb
  0x1fe2c379cd50: 00 00 fb fb fb fb fb fb
More shadow bytes:
  0x1fe2c379cd30: 00 00 00 00 00 00 00 00
  0x1fe2c379cd38: 00 00 00 00 00 00 00 00
  0x1fe2c379cd40: 00 00 00 00 00 00 00 00
  0x1fe2c379cd48: 00 00 00 00 00 00 00 00
=>0x1fe2c379cd50: 00 00 fb fb fb fb fb fb
  0x1fe2c379cd58: fb fb fb fb fb fb fb fb
  0x1fe2c379cd60: fa fa fa fa fa fa fa fa
  0x1fe2c379cd68: fa fa fa fa fa fa fa fa
  0x1fe2c379cd70: fa fa fa fa fa fa fa fa

File:
http://samples.libav.org/samples/ffmpeg-bugs/roundup/issue1872/lol-mpeg2.mp4
Full log attached
