[libav-bugs] [Bug 994] New: Null pointer dereference in nsv_read_chunk()

bugzilla at libav.org bugzilla at libav.org
Wed Dec 7 15:58:07 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=994

            Bug ID: 994
           Summary: Null pointer dereference in nsv_read_chunk()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 622
  --> https://bugzilla.libav.org/attachment.cgi?id=622&action=edit
POC to trigger null pointer dereference (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -i nullptrderef_nsv_read_chunk -f /dev/null

Git Head: f22da2cdf90dc892d483e2d4003cffc0500816f6

Output + ASAN:

==1657==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000079a28c bp 0x7ffe46ebfc60 sp 0x7ffe46ebfb20 T0)
==1657==The signal is caused by a READ memory access.
==1657==Hint: address points to the zero page.
    #0 0x79a28b in nsv_read_chunk XYZ/libav/libavformat/nsvdec.c:580:23
    #1 0x797e72 in nsv_read_header XYZ/libav/libavformat/nsvdec.c:505:11
    #2 0x8c56b7 in avformat_open_input XYZ/libav/libavformat/utils.c:336:20
    #3 0x4f849b in open_input_file XYZ/libav/avconv_opt.c:754:11
    #4 0x4f7394 in open_files XYZ/libav/avconv_opt.c:2408:15
    #5 0x4f6bd2 in avconv_parse_options XYZ/libav/avconv_opt.c:2445:11
    #6 0x51c0cf in main XYZ/libav/avconv.c:2876:11
    #7 0x7fa86783a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41af48 in _start (/usr/local/bin/avconv+0x41af48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavformat/nsvdec.c:580:23 in nsv_read_chunk
==1657==ABORTING
