[libav-bugs] [Bug 1113] New: Infinite loop in event_loop (avtools/avplay.c)

bugzilla at libav.org
Thu Jan 18 17:13:47 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1113

            Bug ID: 1113
           Summary: Infinite loop in event_loop (avtools/avplay.c)
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: probefuzzer at gmail.com

Created attachment 705
  --> https://bugzilla.libav.org/attachment.cgi?id=705&action=edit
poc for libav

On git HEAD of libav, there is an infinite loop and application hang in the
event_loop function (avtools/avplay.c), which can be triggered by the POC with
the command: avplay $POC.

Looking into the event_loop function (coders/bmp.c), we found that in the
refresh_thread function (line 908), the FF_REFRESH_EVENT event is continuously
pushed onto the event queue if "abort_request" is zero. However, this variable
could be manipulated by the POC (although the POC file size is < 300 bytes). In
this case, the event handling function "event_loop" would get stuck in an
infinite loop.

908 static int refresh_thread(void *opaque)
909 {
    ...
911    while (!is->abort_request) {
912        SDL_Event event;
913        event.type = FF_REFRESH_EVENT;
915        if (!is->refresh) {
916            is->refresh = 1;
917            SDL_PushEvent(&event);
918        }
920    }
922 }

2698 static void event_loop(void)
2699 {
    ...
2703    for (;;) {
2705        SDL_WaitEvent(&event);
2706        switch (event.type) {
     ...
2844        case FF_REFRESH_EVENT:
2845            video_refresh_timer(event.user.data1);
2846            player->refresh = 0;
2847            break;

POC:
https://github.com/ProbeFuzzer/poc/blob/master/libav/libav_12-1_avplay_infinite-loop_event_loop.avi

The back trace is as follows:
#0  0x00000038c480f00d in nanosleep () from /lib64/libpthread.so.0
#1  0x00000038dea587f4 in SDL_Delay () from /usr/lib64/libSDL-1.2.so.0
#2  0x00000038dea0e32e in SDL_WaitEvent () from /usr/lib64/libSDL-1.2.so.0
#3  0x0000000000459398 in main () at
/u/youwei/ProbeFuzzer/product/libav/patch/src/avtools/avplay.c:2708
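The interaction the report describes, reduced to a single-threaded model as an added example (this is constructed illustration code, not libav's avplay.c, and the model_* names and the no-progress watchdog are assumptions, not libav's actual fix): the refresh side keeps queueing FF_REFRESH_EVENT while abort_request stays zero, the event loop keeps consuming them, and nothing ever clears the loop. The watchdog shows one mitigation pattern: count consecutive refresh events that decode no frame and raise abort_request once that count is exceeded, so a source that never yields a frame cannot keep the loop alive indefinitely.

```c
#include <stddef.h>

/* Constructed model of avplay's refresh_thread / event_loop pair (not libav code). */
enum { FF_REFRESH_EVENT = 1 };

typedef struct {
    int abort_request;          /* mirrors the flag the report names */
    int refresh;                /* set while a refresh event is pending */
    int frames_decoded;         /* progress counter used by the watchdog */
    int refresh_events_handled; /* how many FF_REFRESH_EVENTs the loop consumed */
} ModelState;

/* One iteration of the refresh side: queue a refresh event if none is pending.
   Returns 1 if an event was queued, 0 if abort_request stopped the loop. */
static int model_refresh_iteration(ModelState *is, int *queued_event)
{
    if (is->abort_request)
        return 0;
    if (!is->refresh) {
        is->refresh = 1;
        *queued_event = FF_REFRESH_EVENT;
    }
    return 1;
}

/* Stand-in for video_refresh_timer: progress only happens when a frame arrives. */
static void model_video_refresh_timer(ModelState *is, int frames_available)
{
    if (frames_available > 0)
        is->frames_decoded++;
}

/* Event loop with a no-progress watchdog. frames_per_tick[i] is the number of
   frames the (constructed) source yields on refresh i; ticks past nticks yield
   nothing. After max_idle_refreshes consecutive refreshes without a decoded
   frame the loop sets abort_request instead of spinning forever.
   Returns the number of refresh events handled before exit. */
static int model_event_loop(ModelState *is, const int *frames_per_tick,
                            size_t nticks, int max_idle_refreshes)
{
    int idle = 0;
    for (size_t tick = 0;; tick++) {
        int ev = 0;
        if (!model_refresh_iteration(is, &ev))
            break;                                    /* refresh side stopped */
        int frames = tick < nticks ? frames_per_tick[tick] : 0;
        int before = is->frames_decoded;
        model_video_refresh_timer(is, frames);
        is->refresh = 0;                               /* as the FF_REFRESH_EVENT case does */
        is->refresh_events_handled++;
        idle = (is->frames_decoded > before) ? 0 : idle + 1;
        if (idle >= max_idle_refreshes)
            is->abort_request = 1;                     /* watchdog fires */
    }
    return is->refresh_events_handled;
}
```

With the watchdog removed, a source that yields no frames keeps the model looping exactly as the backtrace shows avplay doing.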
