[libav-bugs] [Bug 1159] New: hang and CPU 100% in infinite loop (libavformat/mpc8.c)

bugzilla at libav.org bugzilla at libav.org
Thu Jun 27 11:25:35 CEST 2019


https://bugzilla.libav.org/show_bug.cgi?id=1159

            Bug ID: 1159
           Summary: hang and CPU 100% in infinite loop
                    (libavformat/mpc8.c)
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: major
          Priority: ---
         Component: libavformat
          Assignee: bugzilla at libav.org
          Reporter: yanshb at gmail.com

Created attachment 742
  --> https://bugzilla.libav.org/attachment.cgi?id=742&action=edit
poc1_hang

On git HEAD of libav:
There is an infinite loop and application hang in the mpc8_read_header function
(libavformat/mpc8.c), which can be triggered by the POC with the command:
avconv -i $POC -f /dev/null

It's stuck all the time, and it takes up 100% of the CPU. This may cause DoS
attacks.


The location of the loop code is as follows:
203 static int mpc8_read_header(AVFormatContext *s)
204 {
        ...

217     while(!pb->eof_reached){
218         pos = avio_tell(pb);
219         mpc8_get_chunk_header(pb, &tag, &size);
220         if(tag == TAG_STREAMHDR)
221             break;
222         mpc8_handle_chunk(s, tag, pos, size);
223     }

        ...
263 }


The back trace is as follows:
(gdb) bt
#0  0x00000000004920d1 in avio_seek (s=s@entry=0x16da9a0, offset=offset@entry=0, whence=whence@entry=1) at libavformat/aviobuf.c:252
#1  0x00000000004e46eb in avio_tell (s=0x16da9a0) at libavformat/avio.h:313
#2  mpc8_read_header (s=<optimized out>) at libavformat/mpc8.c:218
#3  0x00000000005567a9 in avformat_open_input (ps=ps@entry=0x7fffffffd560, filename=filename@entry=0x7fffffffe57e "../id:000000,src:000003,op:havoc,rep:2", fmt=fmt@entry=0x0, options=0x16ccff8) at libavformat/utils.c:336
#4  0x00000000004529e2 in open_input_file (o=o@entry=0x7fffffffd750, filename=<optimized out>) at avtools/avconv_opt.c:804
#5  0x0000000000454b7a in open_files (l=0x16c7898, l=0x16c7898, open_file=0x452810 <open_input_file>, inout=0xbd8fbc "input") at avtools/avconv_opt.c:2467
#6  avconv_parse_options (argc=argc@entry=5, argv=argv@entry=0x7fffffffe278) at avtools/avconv_opt.c:2504
#7  0x000000000044cca4 in main (argc=5, argv=0x7fffffffe278) at avtools/avconv.c:2953

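Added example, not part of the original report and not libav's code: a chunk-walking loop of the same shape as the one quoted above, written so that every iteration either advances the read position or returns an error instead of relying on an EOF flag alone. The in-memory `struct reader`, the function names and the chunk layout (2-byte tag plus a 1-byte total chunk size) are assumptions made for illustration and are simpler than MPC8's real encoding; the report itself does not state the root cause of the hang.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_STREAMHDR 0x4853u /* 'S','H' read as a little-endian 16-bit tag */
#define HDR_LEN 3             /* assumed layout: 2-byte tag + 1-byte total size */
enum { WALK_INVALID = -1, WALK_EOF = -2 };

/* Hypothetical in-memory reader standing in for an I/O context. */
struct reader { const uint8_t *buf; size_t len, pos; };

/* Returns the offset of the stream-header chunk, or a negative error.
 * Each pass through the loop moves strictly forward or returns. */
static long find_stream_header(struct reader *r)
{
    for (;;) {
        size_t start = r->pos;
        if (r->len - start < HDR_LEN)
            return WALK_EOF;             /* short read: stop, do not retry */
        unsigned tag = r->buf[start] | (unsigned)r->buf[start + 1] << 8;
        size_t size = r->buf[start + 2]; /* untrusted, comes from the file */
        if (tag == TAG_STREAMHDR)
            return (long)start;
        if (size < HDR_LEN)              /* would stall or move backwards */
            return WALK_INVALID;
        if (size > r->len - start)       /* claims more data than exists */
            return WALK_INVALID;
        r->pos = start + size;           /* forward progress guaranteed */
    }
}

/* Constructed sample inputs. */
static const uint8_t good[]  = { 'A','P',4,0xaa, 'S','H',3 }; /* well formed */
static const uint8_t stall[] = { 'A','P',0, 'S','H',3 };      /* size 0 */
static const uint8_t trunc[] = { 'A','P',3, 'S' };            /* cut short */

static long walk(const uint8_t *b, size_t n)
{
    struct reader r = { b, n, 0 };
    return find_stream_header(&r);
}

int main(void)
{
    printf("good=%ld stall=%ld trunc=%ld\n", walk(good, sizeof good),
           walk(stall, sizeof stall), walk(trunc, sizeof trunc));
    return 0;
}
```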