<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:fumfi.255@gmail.com" title="Kamil Frankowicz <fumfi.255@gmail.com>"> <span class="fn">Kamil Frankowicz</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - SEGV (heap corruption) /negative size in memmove libavcodec/h264_refs.c remove_short_at_index()"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1014">bug 1014</a>
          <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">CC</td>
           <td>
                
           </td>
           <td>fumfi.255@gmail.com
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - SEGV (heap corruption) /negative size in memmove libavcodec/h264_refs.c remove_short_at_index()"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1014#c1">Comment # 1</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - SEGV (heap corruption) /negative size in memmove libavcodec/h264_refs.c remove_short_at_index()"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1014">bug 1014</a>
              from <span class="vcard"><a class="email" href="mailto:fumfi.255@gmail.com" title="Kamil Frankowicz <fumfi.255@gmail.com>"> <span class="fn">Kamil Frankowicz</span></a>
</span></b>
        <pre>My full ASAN output with symbols (I found the same bug yesterday):

==30178==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7f214576d05d in __asan_memmove
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
    #1 0x2458fc1 in remove_short_at_index libavcodec/h264_refs.c:466
    #2 0x2458fc1 in ff_h264_execute_ref_pic_marking libavcodec/h264_refs.c:623
    #3 0x2448fb5 in ff_h264_field_end libavcodec/h264_picture.c:157
    #4 0x2483f3d in ff_h264_queue_decode_slice libavcodec/h264_slice.c:1888
    #5 0x100293e in decode_nal_units libavcodec/h264dec.c:573
    #6 0x100293e in h264_decode_frame libavcodec/h264dec.c:742
    #7 0xd7baef in decode_simple_internal libavcodec/decode.c:334
    #8 0xd7baef in decode_simple_receive_frame libavcodec/decode.c:390
    #9 0xd7baef in decode_receive_frame_internal libavcodec/decode.c:408
    #10 0xd7d577 in avcodec_send_packet libavcodec/decode.c:445
    #11 0xaf72b8 in try_decode_frame libavformat/utils.c:1950
    #12 0xb10b34 in avformat_find_stream_info libavformat/utils.c:2459
    #13 0x5a3e41 in open_input_file XYZ/libav/avprobe.c:866
    #14 0x5a3e41 in probe_file XYZ/libav/avprobe.c:944
    #15 0x5a3e41 in main XYZ/libav/avprobe.c:1178
    #16 0x7f2144e1182f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x5c4478 in _start (/usr/local/bin/avprobe+0x5c4478)

0x62e000007510 is located 28944 bytes inside of 47144-byte region
[0x62e000000400,0x62e00000bc28)
allocated by thread T0 here:
    #0 0x7f2145779076 in __interceptor_posix_memalign
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x2b2aefc in av_malloc libavutil/mem.c:71
    #2 0x2b2aefc in av_mallocz libavutil/mem.c:190

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memmove</pre>
        </div>
      </p>
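<p>An added example, not libav's code and not the reporter's: a remove-at-index helper over a small pointer array with the same shape as the memmove in the trace above. It shows how an index equal to the entry count turns the move length into the negative size ASAN reports, and the range check that rejects it. The <code>Picture</code>/<code>RefList</code> types and <code>MAX_REFS</code> are assumptions for illustration only.</p>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: a short-term reference list modelled on the
 * memmove-in-remove-at-index pattern the ASAN trace points at. Not libav's
 * code; the types and sizes are assumptions. */
typedef struct { int frame_num; } Picture;

#define MAX_REFS 16

typedef struct {
    Picture *refs[MAX_REFS];
    int count;
} RefList;

/* Byte length an unchecked "shift the tail down" memmove would be asked for
 * when removing index i from n entries. Kept signed so the underflow is
 * visible: i == n gives -(sizeof pointer), i.e. -8 on a 64-bit build, the
 * value ASAN reports above. */
long move_size_unchecked(int n, int i)
{
    return (long)(n - i - 1) * (long)sizeof(Picture *);
}

/* Hardened remove-at-index: rejects out-of-range i instead of passing a
 * wrapped size_t to memmove. Returns 0 on success, -1 on an invalid index. */
int remove_ref_at_index(RefList *l, int i)
{
    if (l == NULL || i < 0 || i >= l->count)
        return -1;                      /* i == count is the size=-8 case */
    if (i < l->count - 1)
        memmove(&l->refs[i], &l->refs[i + 1],
                (size_t)(l->count - i - 1) * sizeof(Picture *));
    l->count--;
    l->refs[l->count] = NULL;           /* clear the vacated slot */
    return 0;
}

int main(void)
{
    Picture p0 = {0}, p1 = {1}, p2 = {2};
    RefList l = { { &p0, &p1, &p2 }, 3 };
    printf("unchecked size for i == count: %ld\n",
           move_size_unchecked(l.count, l.count));
    int rc_bad = remove_ref_at_index(&l, 3);   /* rejected */
    int rc_ok  = remove_ref_at_index(&l, 1);   /* removes p1 */
    printf("remove(3) -> %d, remove(1) -> %d, count=%d, refs[1]=%d\n",
           rc_bad, rc_ok, l.count, l.refs[1]->frame_num);
    return 0;
}
```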
    </body>
</html>