[libav-bugs] [Bug 703] New: Crash in ff_id3v2_read for not properly encoded ID3 tags

bugzilla at libav.org bugzilla at libav.org
Fri Jun 13 15:43:05 CEST 2014


           Summary: Crash in ff_id3v2_read for not properly encoded ID3
           Product: Libav
           Version: git HEAD
          Platform: IA64
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: libavformat
        AssignedTo: bugzilla at libav.org
        ReportedBy: ziembal86 at gmail.com

Created attachment 492
  --> https://bugzilla.libav.org/attachment.cgi?id=492
MP3 file with ID3 tag with invalid encoding


We are using libav to extract ID3 tags from mp3 files, and noticed that some
files were crashing our application. After investigation we found that the
source of the problem is that the ID3 tags in those files are not properly

Output from our Java application (libav is used via JNI):

# A fatal error has been detected by the Java Runtime Environment:
#  SIGSEGV (0xb) at pc=0x00007ffb07a24789, pid=28234, tid=140715268867840
# JRE version: Java(TM) SE Runtime Environment (8.0_05-b13) (build
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.5-b02 mixed mode linux-amd64
compressed oops)
# Problematic frame:
# C  [libc.so.6+0x148789]  __nss_hosts_lookup+0x16709
# Core dump written.

Here is the core dump (libav was compiled with --enable-debug flag):

#11 <signal handler called>
#12 0x00007ffcaae88789 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x00007ffc76370ee1 in read (opaque=0x7ffc6ebca9a0, buf=<optimized out>,
bufSize=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:52
#14 0x00007ffc75e39c8d in fill_buffer (s=0x7ffbd40043e0) at
#15 0x00007ffc75e39e59 in avio_read (s=0x7ffbd40043e0, buf=0x7ffc6ebc9fd0
"ID3ml>\n<heܪ\374\177", size=10) at libavformat/aviobuf.c:480
#16 0x00007ffc75e5b73e in ff_id3v2_read (s=0x7ffbd40086a0, magic=0x7ffc75ef8409
"ID3", extra_meta=0x7ffc6ebca068) at libavformat/id3v2.c:703
#17 0x00007ffc75eec251 in avformat_open_input (ps=0x7ffc6ebca5b8,
filename=<optimized out>, fmt=<optimized out>, options=0x0) at

From what we understand, avio_read() assumes that buf is 10 bytes, while
indeed it is more (ܪ character), and that results in the segfault.

I attach the file which produced the error. The file also crashes some ID3 tag
editors (we tested easytag in Ubuntu).
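
Added example, not part of the original report and not libav's code: frame #15 shows ff_id3v2_read requesting the 10-byte ID3v2 header, so the C program below takes the first 10 bytes gdb printed for buf as sample input and compares the detection pattern from the ID3v2 specification with a stricter check. The function names, the `avail` parameter and the second header are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum id3v2_status { ID3V2_OK, ID3V2_NO_MAGIC, ID3V2_BAD_VERSION,
                    ID3V2_BAD_SIZE, ID3V2_TRUNCATED };

/* First 10 bytes of buf as printed in frame #15 of the backtrace. */
static const uint8_t page_hdr[10] = {'I','D','3','m','l','>','\n','<','h','e'};
/* Constructed sample: ID3v2.3, no flags, 257-byte tag body. */
static const uint8_t good_hdr[10] = {'I','D','3', 3, 0, 0, 0, 0, 2, 1};

/* Decode the 4-byte synchsafe size (7 useful bits per byte). */
static uint32_t id3v2_synchsafe(const uint8_t *p)
{
    return ((uint32_t)p[0] << 21) | ((uint32_t)p[1] << 14) |
           ((uint32_t)p[2] << 7)  |  (uint32_t)p[3];
}

/* Loose check, the detection pattern from the ID3v2 specification:
 * magic, version bytes below 0xFF, size bytes below 0x80. */
static int id3v2_loose_match(const uint8_t *h)
{
    return memcmp(h, "ID3", 3) == 0 && h[3] != 0xFF && h[4] != 0xFF &&
           !((h[6] | h[7] | h[8] | h[9]) & 0x80);
}

/* Strict check: also require a known major version (2, 3 or 4) and a tag
 * body that fits in `avail`, the byte count from h to the end of input. */
static enum id3v2_status id3v2_strict_check(const uint8_t *h, uint64_t avail,
                                            uint32_t *tag_size)
{
    if (avail < 10)                           return ID3V2_TRUNCATED;
    if (memcmp(h, "ID3", 3) != 0)             return ID3V2_NO_MAGIC;
    if (h[3] < 2 || h[3] > 4 || h[4] == 0xFF) return ID3V2_BAD_VERSION;
    if ((h[6] | h[7] | h[8] | h[9]) & 0x80)   return ID3V2_BAD_SIZE;
    *tag_size = id3v2_synchsafe(h + 6);
    return *tag_size > avail - 10 ? ID3V2_TRUNCATED : ID3V2_OK;
}

int main(void)
{
    uint32_t size = 0;
    printf("page header: loose=%d declared=%u strict=%d\n",
           id3v2_loose_match(page_hdr), (unsigned)id3v2_synchsafe(page_hdr + 6),
           (int)id3v2_strict_check(page_hdr, 4096, &size));
    printf("good header: strict=%d\n",
           (int)id3v2_strict_check(good_hdr, 267, &size));
    return 0;
}
```

The bytes from the backtrace satisfy the loose pattern and declare a tag body of about 21 MB, while the strict check rejects them on the major version byte before any size is trusted.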
