[libav-bugs] [Bug 981] New: signed integer overflow in mpegvideo_parser.c and mpeg12dec.c

bugzilla at libav.org bugzilla at libav.org
Tue Nov 8 17:34:32 CET 2016


https://bugzilla.libav.org/show_bug.cgi?id=981

            Bug ID: 981
           Summary: signed integer overflow in mpegvideo_parser.c and
                    mpeg12dec.c
           Product: Libav
           Version: 11
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: ago at gentoo.org

Found with the undefined behavior sanitizer.
Compiler: clang-3.8.1
Tested on: 11.8
Command to reproduce: avconv -i $FILE -f null -
Testcase:
https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser
Output:
avconv version 11.8, Copyright (c) 2000-2016 the Libav developers
  built on Oct 28 2016 13:04:18 with clang version 3.8.1 (tags/RELEASE_381/final)
[mpeg1video @ 0x2b39640] Invalid frame dimensions 0x0.
[mpeg1video @ 0x2b39640] ignoring pic cod ext after 0
[mpeg1video @ 0x2b39640] intra matrix invalid, ignoring
[mpeg1video @ 0x2b39640] matrix damaged
[mpeg1video @ 0x2b39640] sequence header damaged
/tmp/portage/media-video/libav-11.8/work/libav-11.8/libavcodec/mpegvideo_parser.c:91:65: runtime error: signed integer overflow: 28573696 * 400 cannot be represented in type 'int'
/tmp/portage/media-video/libav-11.8/work/libav-11.8/libavcodec/mpeg12dec.c:1401:41: runtime error: signed integer overflow: 28573696 * 400 cannot be represented in type 'int'
[mpeg1video @ 0x2b39640] intra matrix invalid, ignoring
[mpeg1video @ 0x2b39640] matrix damaged
[mpeg1video @ 0x2b39640] sequence header damaged
[mpeg1video @ 0x2b39640] picture_structure 0 invalid, ignoring
/tmp/portage/media-video/libav-11.8/work/libav-11.8/libavcodec/mpegvideo.c:2381:65: runtime error: left shift of negative value -1
/tmp/portage/media-video/libav-11.8/work/libav-11.8/libavcodec/mpegvideo.c:2382:65: runtime error: left shift of negative value -1
/tmp/portage/media-video/libav-11.8/work/libav-11.8/libavcodec/mpegvideo.c:2383:65: runtime error: left shift of negative value -1
[mpeg1video @ 0x2b39640] ac-tex damaged at 0 0
[mpeg1video @ 0x2b39640] ignoring pic after 100
    Last message repeated 2 times
[mpeg1video @ 0x2b39640] ac-tex damaged at 0 0
