[libav-bugs] [Bug 981] signed integer overflow in mpegvideo_parser.c and mpeg12dec.c

bugzilla at libav.org bugzilla at libav.org
Wed Dec 7 02:08:49 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=981

Sean McGovern <gseanmcg at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |Security-concern?

--- Comment #2 from Sean McGovern <gseanmcg at gmail.com> ---
The test case is fatal to avconv as well.

gdb session:

Program received signal SIGSEGV, Segmentation fault.
ff_put_pixels16_sse2 () at /src/libav/libavcodec/x86/fpel.asm:71
71          lea          r4, [r2*3]
(gdb) bt
#0  ff_put_pixels16_sse2 () at /src/libav/libavcodec/x86/fpel.asm:71
#1  0x00000000014d2060 in mpeg_motion_internal (s=<optimized out>, dest_y=<optimized out>, dest_cb=<optimized out>, dest_cr=<optimized out>, field_based=0, bottom_field=0, field_select=<optimized out>, ref_picture=<optimized out>, pix_op=<optimized out>, motion_x=<optimized out>, motion_y=<optimized out>, h=<optimized out>, is_mpeg12=1, mb_y=<optimized out>) at /src/libav/libavcodec/mpegvideo_motion.c:361
#2  mpeg_motion (s=<optimized out>, dest_y=<optimized out>, dest_cb=<optimized out>, dest_cr=<optimized out>, field_select=<optimized out>, ref_picture=<optimized out>, pix_op=<optimized out>, motion_x=<optimized out>, motion_y=<optimized out>, h=<optimized out>, mb_y=<optimized out>) at /src/libav/libavcodec/mpegvideo_motion.c:383
#3  0x00000000014b424b in mpv_motion_internal (dest_y=<optimized out>, dest_cb=<optimized out>, dest_cr=<optimized out>, ref_picture=<optimized out>, pix_op=<optimized out>, is_mpeg12=0, s=<optimized out>, dir=<optimized out>, qpix_op=<optimized out>) at /src/libav/libavcodec/mpegvideo_motion.c:891
#4  ff_mpv_motion (s=<optimized out>, dest_y=<optimized out>, dest_cb=<optimized out>, dest_cr=<optimized out>, dir=<optimized out>, ref_picture=<optimized out>, pix_op=<optimized out>, qpix_op=<optimized out>) at /src/libav/libavcodec/mpegvideo_motion.c:966
#5  0x0000000001411694 in mpv_decode_mb_internal (s=<optimized out>, block=<optimized out>, is_mpeg12=1) at /src/libav/libavcodec/mpegvideo.c:1599
#6  ff_mpv_decode_mb (s=<optimized out>, block=<optimized out>) at /src/libav/libavcodec/mpegvideo.c:1731
#7  0x00000000012e8335 in mpeg_decode_slice (s=<optimized out>, mb_y=<optimized out>, buf=<optimized out>, buf_size=<optimized out>) at /src/libav/libavcodec/mpeg12dec.c:1820
#8  0x00000000012d5a68 in decode_chunks (avctx=<optimized out>, picture=<optimized out>, got_output=<optimized out>, buf=<optimized out>, buf_size=<optimized out>) at /src/libav/libavcodec/mpeg12dec.c:2551
#9  0x00000000012d271d in mpeg_decode_frame (avctx=<optimized out>, data=<optimized out>, got_output=<optimized out>, avpkt=<optimized out>) at /src/libav/libavcodec/mpeg12dec.c:2619
#10 0x0000000000b81138 in avcodec_decode_video2 (avctx=0x55ae880, picture=<optimized out>, got_picture_ptr=<optimized out>, avpkt=<optimized out>) at /src/libav/libavcodec/decode.c:320
#11 0x0000000000b7f76e in do_decode (avctx=0x55ae880, pkt=0x7fffffffdad0) at /src/libav/libavcodec/decode.c:168
#12 0x00000000009847a9 in try_decode_frame (s=<optimized out>, st=<optimized out>, avpkt=<optimized out>, options=<optimized out>) at /src/libav/libavformat/utils.c:1950
#13 0x000000000097bcde in avformat_find_stream_info (ic=<optimized out>, options=<optimized out>) at /src/libav/libavformat/utils.c:2459
#14 0x0000000000431334 in open_input_file (o=<optimized out>, filename=<optimized out>) at /src/libav/avconv_opt.c:771
#15 0x00000000004300b1 in open_files (l=<optimized out>, inout=<optimized out>, open_file=<optimized out>) at /src/libav/avconv_opt.c:2408
#16 0x000000000042fd9c in avconv_parse_options (argc=<optimized out>, argv=<optimized out>) at /src/libav/avconv_opt.c:2445
#17 0x0000000000459da1 in main (argc=6, argv=0x7fffffffe7f8) at /src/libav/avconv.c:2876
