[libav-bugs] [Bug 509] New: wmalossless seek causes a read after free.

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Wed May 8 09:36:46 CEST 2013


https://bugzilla.libav.org/show_bug.cgi?id=509

           Summary: wmalossless seek causes a read after free.
           Product: Libav
           Version: git HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: lu_zero at gentoo.org


As reported by ASan:


Seek to 12% ( 0:00:07) of total duration ( 0:01:00)
[asf @ 0x61a00000f680] asf_read_pts failed
=================================================================
==19640==ERROR: AddressSanitizer: heap-use-after-free on address 0x6050000085e0 at pc 0x1309503 bp 0x7f2843fa89f0 sp 0x7f2843fa89e8
READ of size 8 at 0x6050000085e0 thread T5
    #0 0x1309502 in av_buffer_unref /usr/src/libav/libavutil/buffer.c:111
    #1 0x1316034 in av_frame_unref /usr/src/libav/libavutil/frame.c:285
    #2 0xe225f8 in avcodec_decode_audio4 /usr/src/libav/libavcodec/utils.c:1467
    #3 0x46b032 in audio_decode_frame /usr/src/libav/avplay.c:1853
    #4 0x7f285339ed07 in ?? ??:0
    #5 0x7f28533a6fa4 in ?? ??:0
    #6 0x7f28533d9068 in ?? ??:0
    #7 0x4591d3 in _ZN6__asan10AsanThread11ThreadStartEm ??:0
    #8 0x7f2853181f3a in ?? ??:0
    #9 0x7f2852a9dbdc in ?? ??:0
0x6050000085e0 is located 0 bytes inside of 24-byte region [0x6050000085e0,0x6050000085f8)
freed by thread T5 here:
    #0 0x452b54 in free ??:0
    #1 0x132143e in av_free /usr/src/libav/libavutil/mem.c:147
    #2 0x1316034 in av_frame_unref /usr/src/libav/libavutil/frame.c:285
previously allocated by thread T5 here:
    #0 0x452ecc in posix_memalign ??:0
    #1 0x1321518 in av_malloc /usr/src/libav/libavutil/mem.c:80
    #2 0x130abad in av_buffer_create /usr/src/libav/libavutil/buffer.c:47
    #3 0xe1b7b6 in audio_get_buffer /usr/src/libav/libavcodec/utils.c:432
    #4 0xe1cf7c in ff_get_buffer /usr/src/libav/libavcodec/utils.c:717
    #5 0xf713f2 in decode_frame /usr/src/libav/libavcodec/wmalosslessdec.c:1019
    #6 0xf6fef7 in decode_packet /usr/src/libav/libavcodec/wmalosslessdec.c:1255
Thread T5 created by T4 here:
    #0 0x44ed38 in pthread_create ??:0
    #1 0x7f28533d90a7 in ?? ??:0
Thread T4 created by T0 here:
    #0 0x44ed38 in pthread_create ??:0
    #1 0x7f28533d90a7 in ?? ??:0
Shadow bytes around the buggy address:
  0x0c0a7fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0a7fff9070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0a7fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0a7fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0a7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0a7fff90b0: fd fd fd fa fa fa fa fa fa fa fa fa[fd]fd fd fa
  0x0c0a7fff90c0: fa fa fa fa fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c0a7fff90d0: fd fd fd fa fa fa fa fa fd fd fd fa fa fa fa fa
  0x0c0a7fff90e0: fa fa fa fa fd fd fd fa fa fa fa fa fd fd fd fa
  0x0c0a7fff90f0: fa fa fa fa fa fa fa fa fd fd fd fa fa fa fa fa
  0x0c0a7fff9100: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==19640==ABORTING

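Added illustration, not part of the bug report or of Libav's code: a hypothetical refcounted-buffer model in the style of AVBuffer/AVBufferRef (the 24-byte region ASan flags above is the size of a three-pointer-sized reference object on 64-bit) showing the pattern the trace describes. A frame's buffer reference is released once (av_frame_unref -> av_free), and a second release path then reads the freed reference object. The model shows why clearing the owner's slot before freeing makes a repeated unref through the same slot harmless, why a shallow struct copy of a frame still leaves a dangling reference, and how a proper ref-taking copy avoids it. All names (Buffer, BufferRef, Frame, buffer_ref, frame_ref) and the live-object counters are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model (not Libav's code) of a refcounted buffer plus
 * per-owner reference objects. BufferRef is 24 bytes on 64-bit, the
 * region size in the ASan report above. */
typedef struct Buffer {
    uint8_t *data;
    size_t   size;
    int      refcount;
} Buffer;

typedef struct BufferRef {
    Buffer  *buffer;
    uint8_t *data;
    size_t   size;
} BufferRef;

/* A decoded frame owning one data buffer, like AVFrame.buf[0]. */
typedef struct Frame {
    BufferRef *buf;
} Frame;

/* Live-object counters so callers can check that every reference and
 * every buffer is released exactly once (assumed instrumentation). */
static int live_refs;
static int live_buffers;

static BufferRef *buffer_create(size_t size)
{
    Buffer *b = calloc(1, sizeof *b);
    BufferRef *ref = calloc(1, sizeof *ref);
    uint8_t *data = calloc(1, size ? size : 1);
    if (!b || !ref || !data) {
        free(b); free(ref); free(data);
        return NULL;
    }
    b->data = data;   b->size = size;   b->refcount = 1;
    ref->buffer = b;  ref->data = data; ref->size = size;
    live_buffers++; live_refs++;
    return ref;
}

/* Take a new reference: a fresh BufferRef object, refcount bumped. */
static BufferRef *buffer_ref(const BufferRef *src)
{
    BufferRef *ref = malloc(sizeof *ref);
    if (!ref) return NULL;
    *ref = *src;
    ref->buffer->refcount++;
    live_refs++;
    return ref;
}

/* Release a reference. The owner's slot is cleared before freeing, so a
 * second unref through the same slot is a no-op, not a read of the freed
 * 24-byte BufferRef. */
static void buffer_unref(BufferRef **pref)
{
    BufferRef *ref = *pref;
    if (!ref) return;
    *pref = NULL;
    if (--ref->buffer->refcount == 0) {
        free(ref->buffer->data);
        free(ref->buffer);
        live_buffers--;
    }
    free(ref);
    live_refs--;
}

static void frame_unref(Frame *f) { buffer_unref(&f->buf); }

/* Correct frame copy: the destination gets its own BufferRef. */
static int frame_ref(Frame *dst, const Frame *src)
{
    dst->buf = src->buf ? buffer_ref(src->buf) : NULL;
    return (src->buf && !dst->buf) ? -1 : 0;
}

/* Unref twice through one owner slot: safe because the slot was cleared. */
static int double_unref_same_owner_is_safe(void)
{
    Frame a = { buffer_create(4096) };
    if (!a.buf) return 0;
    frame_unref(&a);
    frame_unref(&a);          /* no-op: a.buf is already NULL */
    return live_refs == 0 && live_buffers == 0;
}

/* The bug pattern: struct assignment copies the BufferRef pointer, so two
 * owners hold the same object. Unreffing one leaves the other dangling;
 * unreffing it too would read freed memory, as in the ASan report above.
 * The dangling state is reported instead of dereferenced. */
static int shallow_copy_leaves_dangling(void)
{
    Frame a = { buffer_create(4096) };
    if (!a.buf) return 0;
    Frame b = a;              /* pointer copy, refcount unchanged */
    frame_unref(&a);
    int dangling = (b.buf != NULL);
    b.buf = NULL;             /* the object it pointed to is gone */
    return dangling;
}

/* The fix: copy with frame_ref, then each owner releases exactly once. */
static int ref_copy_is_safe(void)
{
    Frame a = { buffer_create(4096) }, b = { NULL };
    if (!a.buf || frame_ref(&b, &a) < 0) return 0;
    int shared = (a.buf != b.buf) && (a.buf->data == b.buf->data);
    frame_unref(&a);
    int still_valid = b.buf && b.buf->buffer->refcount == 1;
    frame_unref(&b);
    return shared && still_valid && live_refs == 0 && live_buffers == 0;
}
```

The point for triage: an ASan "freed by ... av_frame_unref / av_free" followed by a read in av_buffer_unref means a BufferRef pointer survived its own release, so the question is which second owner (a copied frame, a cached pointer across the seek) still held it, not whether av_buffer_unref itself clears the slot it is handed.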