[libav-bugs] [Bug 1014] SEGV (heap corruption) /negative size in memmove libavcodec/h264_refs.c remove_short_at_index()

bugzilla at libav.org bugzilla at libav.org
Sat Jan 7 14:47:13 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1014

Kamil Frankowicz <fumfi.255 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fumfi.255 at gmail.com

--- Comment #1 from Kamil Frankowicz <fumfi.255 at gmail.com> ---
My full ASAN output with symbols (I found the same bug yesterday):

==30178==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7f214576d05d in __asan_memmove
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
    #1 0x2458fc1 in remove_short_at_index libavcodec/h264_refs.c:466
    #2 0x2458fc1 in ff_h264_execute_ref_pic_marking libavcodec/h264_refs.c:623
    #3 0x2448fb5 in ff_h264_field_end libavcodec/h264_picture.c:157
    #4 0x2483f3d in ff_h264_queue_decode_slice libavcodec/h264_slice.c:1888
    #5 0x100293e in decode_nal_units libavcodec/h264dec.c:573
    #6 0x100293e in h264_decode_frame libavcodec/h264dec.c:742
    #7 0xd7baef in decode_simple_internal libavcodec/decode.c:334
    #8 0xd7baef in decode_simple_receive_frame libavcodec/decode.c:390
    #9 0xd7baef in decode_receive_frame_internal libavcodec/decode.c:408
    #10 0xd7d577 in avcodec_send_packet libavcodec/decode.c:445
    #11 0xaf72b8 in try_decode_frame libavformat/utils.c:1950
    #12 0xb10b34 in avformat_find_stream_info libavformat/utils.c:2459
    #13 0x5a3e41 in open_input_file XYZ/libav/avprobe.c:866
    #14 0x5a3e41 in probe_file XYZ/libav/avprobe.c:944
    #15 0x5a3e41 in main XYZ/libav/avprobe.c:1178
    #16 0x7f2144e1182f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x5c4478 in _start (/usr/local/bin/avprobe+0x5c4478)

0x62e000007510 is located 28944 bytes inside of 47144-byte region
[0x62e000000400,0x62e00000bc28)
allocated by thread T0 here:
    #0 0x7f2145779076 in __interceptor_posix_memalign
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x2b2aefc in av_malloc libavutil/mem.c:71
    #2 0x2b2aefc in av_mallocz libavutil/mem.c:190

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memmove

-- 
You are receiving this mail because:
You are watching all bug changes.
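Added example, not part of the report above and not libav's own remove_short_at_index(): a constructed model of a short-term reference list (array of picture pointers plus a signed count) that shows how a "shift the tail down by one" removal computes a negative memmove length when the index is at or past the last live entry, and a hardened removal that validates the index first. All names (RefList, Picture, MAX_SHORT_REFS, the function names) are assumptions for illustration; the only thing taken from the page is that the reported size is -8, which is one pointer's width on a 64-bit build.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of an H.264-style short-term reference list: a fixed
 * array of picture pointers plus a signed count.  Added example; it is not
 * libav's remove_short_at_index(), and the names below are assumptions. */
#define MAX_SHORT_REFS 16

typedef struct { int frame_num; } Picture;

typedef struct {
    Picture *short_ref[MAX_SHORT_REFS];
    int short_ref_count;
} RefList;

/* Byte length an unchecked "shift the tail down by one" would hand to
 * memmove after the count has been decremented: (count_after - i) entries.
 * With i == count_before the product is -8 on a 64-bit build, the value in
 * the ASAN report above; memmove takes size_t, so it sees 2^64 - 8. */
long unchecked_memmove_len(int count_before, int i)
{
    int count_after = count_before - 1;
    return (long)(count_after - i) * (long)sizeof(Picture *);
}

/* Hardened removal: validate i against the live count before touching
 * the array, and compute the move length only from validated values so it
 * can never be negative.  Returns 0 on success, -1 if i is out of range. */
int remove_short_at_index_checked(RefList *l, int i)
{
    if (i < 0 || i >= l->short_ref_count)
        return -1;
    l->short_ref[i] = NULL;
    l->short_ref_count--;
    size_t tail = (size_t)(l->short_ref_count - i);   /* >= 0 by the check */
    if (tail)
        memmove(&l->short_ref[i], &l->short_ref[i + 1], tail * sizeof(Picture *));
    l->short_ref[l->short_ref_count] = NULL;          /* clear vacated slot */
    return 0;
}

/* frame_num stored at position i, or -1 if that slot is not live. */
int short_ref_frame_num(const RefList *l, int i)
{
    if (i < 0 || i >= l->short_ref_count || !l->short_ref[i])
        return -1;
    return l->short_ref[i]->frame_num;
}

/* End-to-end scenario on constructed data: an out-of-range index must be
 * rejected without touching the list; a valid removal must close the gap.
 * Returns 1 when every step behaved as expected, 0 otherwise. */
int removal_scenario_ok(void)
{
    static Picture p[3] = { {10}, {11}, {12} };
    RefList l = { { &p[0], &p[1], &p[2] }, 3 };

    if (remove_short_at_index_checked(&l, 3) != -1 || l.short_ref_count != 3)
        return 0;                                      /* i == count: rejected */
    if (remove_short_at_index_checked(&l, -1) != -1)
        return 0;
    if (remove_short_at_index_checked(&l, 1) != 0 || l.short_ref_count != 2)
        return 0;
    return short_ref_frame_num(&l, 0) == 10 && short_ref_frame_num(&l, 1) == 12
        && short_ref_frame_num(&l, 2) == -1;
}

int main(void)
{
    printf("unchecked length for i == count (3 entries): %ld bytes\n",
           unchecked_memmove_len(3, 3));
    printf("unchecked length for i == 1 (3 entries):     %ld bytes\n",
           unchecked_memmove_len(3, 1));
    printf("checked removal scenario ok: %d\n", removal_scenario_ok());
    return 0;
}
```

The point of the unchecked_memmove_len() helper is that the sign is lost at the call boundary: the caller computes a signed product, memmove receives a size_t, and the only place the bug is visible without a sanitizer is the bounds check that the hardened variant performs before the decrement. A debug-only assert on the index does not protect a release build compiled with NDEBUG.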