[libav-bugs] [Bug 1036] New: Null pointer dereference in ff_h264_execute_ref_pic_marking() #2

bugzilla at libav.org bugzilla at libav.org
Tue Feb 28 14:01:43 CET 2017


            Bug ID: 1036
           Summary: Null pointer dereference in
                    ff_h264_execute_ref_pic_marking() #2
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 654
  --> https://bugzilla.libav.org/attachment.cgi?id=654&action=edit
POC to trigger null pointer dereference (avprobe)

After some fuzz testing I found a crashing test case.

Command: avprobe libav_nullptr_ff_h264_execute_ref_pic_marking2

Git Head: 698ac8f9cabd053f2c19346a77b92f8eae4218fc

Output + ASAN:

avprobe version v13_dev0-897-g698ac8f, Copyright (c) 2007-2017 the Libav
  built on Feb 28 2017 11:03:05 with clang version 3.9.1
[h264 @ 0x619000000080] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x619000000080] error while decoding MB 0 0, bytestream -3
[h264 @ 0x619000000080] Invalid crop parameters
==18699==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x000001c2625a bp 0x62e00000666c sp 0x7ffc63faecf0 T0)
==18699==The signal is caused by a READ memory access.
==18699==Hint: address points to the zero page.
    #0 0x1c26259 in ff_h264_execute_ref_pic_marking
    #1 0x1c1cc2e in ff_h264_field_end
    #2 0xbf50fd in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:744:13
    #3 0xa13435 in decode_simple_internal XYZ/libav/libavcodec/decode.c:335:15
    #4 0xa13435 in decode_simple_receive_frame
    #5 0xa13435 in decode_receive_frame_internal
    #6 0xa121f4 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:446:15
    #7 0x8358bb in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #8 0x82f413 in avformat_find_stream_info
    #9 0x4f6669 in open_input_file XYZ/libav/avtools/avprobe.c:866:16
    #10 0x4f6669 in probe_file XYZ/libav/avtools/avprobe.c:944
    #11 0x4f6669 in main XYZ/libav/avtools/avprobe.c:1178
    #12 0x7f13bf77382f in __libc_start_main
    #13 0x41a988 in _start (XYZ/libav/avprobe+0x41a988)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:700:48 in
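A small triage helper for sanitizer reports like the one above, added here as an example (it is not code from the report or from Libav): it parses the ASAN lines, flags the fault as a null-pointer dereference because the address lies in the zero page, and pulls out the faulting frame and the source location from the SUMMARY line. ASAN_REPORT is a trimmed copy of the output quoted above; PAGE_SIZE is an assumed x86-64 Linux value.

```python
import re

# Excerpt of the sanitizer output quoted in the report above (trimmed to the
# lines the parser needs; the original trace is longer).
ASAN_REPORT = """\
==18699==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x000001c2625a bp 0x62e00000666c sp 0x7ffc63faecf0 T0)
==18699==The signal is caused by a READ memory access.
==18699==Hint: address points to the zero page.
    #0 0x1c26259 in ff_h264_execute_ref_pic_marking
    #1 0x1c1cc2e in ff_h264_field_end
    #2 0xbf50fd in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:744:13
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:700:48 in
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+)(?: (\S+))?", re.M)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (\S+:\d+:\d+)", re.M)

PAGE_SIZE = 4096  # assumed: faults below this land in the unmapped zero page


def triage_asan(report: str) -> dict:
    """Classify a sanitizer SEGV report: null-pointer deref vs. wild access."""
    err = ERROR_RE.search(report)
    if err is None:
        raise ValueError("not an AddressSanitizer error report")
    kind, addr = err.group(1), int(err.group(2), 16)
    access = ACCESS_RE.search(report)
    # Frames without a source location (no debug info) get loc=None.
    frames = [(name, loc or None) for _, name, loc in FRAME_RE.findall(report)]
    summary = SUMMARY_RE.search(report)
    return {
        "kind": kind,
        "fault_address": addr,
        "access": access.group(1) if access else None,
        # A fault inside the zero page is a NULL base plus a small offset:
        # typically a struct field read through an unchecked pointer.
        "null_deref": addr < PAGE_SIZE,
        "field_offset": addr if addr < PAGE_SIZE else None,
        "frames": frames,
        "top_frame": frames[0][0] if frames else None,
        "location": summary.group(1) if summary else None,
    }


if __name__ == "__main__":
    print(triage_asan(ASAN_REPORT))
```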
