<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Null pointer dereference in ff_h264_execute_ref_pic_marking()"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1035">1035</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Null pointer dereference in ff_h264_execute_ref_pic_marking()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>X86
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>libavcodec
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>fumfi.255@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=653" name="attach_653" title="POC to trigger null pointer dereference (avprobe)">attachment 653</a> <a href="attachment.cgi?id=653&action=edit" title="POC to trigger null pointer dereference (avprobe)">[details]</a></span>
POC to trigger null pointer dereference (avprobe)

After some fuzz testing I found a crashing test case.

Command: avprobe libav_nullptr_ff_h264_execute_ref_pic_marking

Git Head: 698ac8f9cabd053f2c19346a77b92f8eae4218fc

Output + ASAN:

avprobe version v13_dev0-897-g698ac8f, Copyright (c) 2007-2017 the Libav developers
  built on Feb 28 2017 11:03:05 with clang version 3.9.1 (tags/RELEASE_391/final)
[h264 @ 0x619000000080] missing picture in access unit
[h264 @ 0x619000000080] missing picture in access unit
[h264 @ 0x619000000080] slice type 32 too large at -1
[h264 @ 0x619000000080] decode_slice_header error
[h264 @ 0x619000000080] no frame!
[h264 @ 0x619000000080] slice type 32 too large at -1
[h264 @ 0x619000000080] decode_slice_header error
[h264 @ 0x619000000080] no frame!
[h264 @ 0x619000000080] error while decoding MB 0 0, bytestream -3
[h264 @ 0x619000000080] data partitioning is not implemented. Update your Libav version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[h264 @ 0x619000000080] If you want to help, upload a sample of this file to <a href="ftp://upload.libav.org/incoming/">ftp://upload.libav.org/incoming/</a> and contact the libav-devel mailing list.
ASAN:DEADLYSIGNAL
=================================================================
==12506==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a8 (pc 0x000001c240d5 bp 0x62e0000077ec sp 0x7ffc61f87bb0 T0)
==12506==The signal is caused by a READ memory access.
==12506==Hint: address points to the zero page.
    #0 0x1c240d4 in ff_h264_execute_ref_pic_marking XYZ/libav/libavcodec/h264_refs.c:626:33
    #1 0x1c1cc2e in ff_h264_field_end XYZ/libav/libavcodec/h264_picture.c:157:19
    #2 0x1c30e86 in ff_h264_queue_decode_slice XYZ/libav/libavcodec/h264_slice.c:1895:17
    #3 0xbf4148 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:576:24
    #4 0xbf4148 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:725
    #5 0xa13435 in decode_simple_internal XYZ/libav/libavcodec/decode.c:335:15
    #6 0xa13435 in decode_simple_receive_frame XYZ/libav/libavcodec/decode.c:391
    #7 0xa13435 in decode_receive_frame_internal XYZ/libav/libavcodec/decode.c:409
    #8 0xa121f4 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:446:15
    #9 0x8358bb in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #10 0x82f413 in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2459:9
    #11 0x4f6669 in open_input_file XYZ/libav/avtools/avprobe.c:866:16
    #12 0x4f6669 in probe_file XYZ/libav/avtools/avprobe.c:944
    #13 0x4f6669 in main XYZ/libav/avtools/avprobe.c:1178
    #14 0x7f1f1036a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x41a988 in _start (XYZ/libav/avprobe+0x41a988)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:626:33 in ff_h264_execute_ref_pic_marking
==12506==ABORTING</pre>
        </div>
      </p>
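<p>Triage note, added here as an editorial example; the script below is not part of Libav and is not the reporter's attachment. Two things in the trace above are worth pulling out. First, frames #9 through #11 show that avprobe reaches the H.264 decoder through avformat_find_stream_info(), so probing an untrusted file exercises the full decoder, not only the container parser. Second, a SEGV at address 0xa8 together with the hint "address points to the zero page" is consistent with a NULL pointer plus a small struct-field offset, which is the shape of a missing NULL check rather than a corrupted pointer. The script parses a report of this form, buckets a SEGV whose address lies in the zero page as a NULL dereference, and derives a deduplication key from the top in-source frames. The embedded report is a constructed, abridged transcription of the one above with its mail-wrapped lines rejoined; the 4096-byte zero-page threshold and the "top three in-source frames" dedup rule are assumptions of this example.</p>

```python
# ASAN crash-triage helper. Added example for this bug page; not code from Libav or
# from the reporter. Parses the AddressSanitizer report shape shown above, buckets a
# SEGV in the zero page as a NULL dereference, and derives a dedup key for fuzz crashes.
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (assumption): an abridged transcription of the report in the
# bug, with the mail-wrapped lines rejoined. Real ASAN output has one line per frame.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==12506==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a8 (pc 0x000001c240d5 bp 0x62e0000077ec sp 0x7ffc61f87bb0 T0)
==12506==The signal is caused by a READ memory access.
==12506==Hint: address points to the zero page.
    #0 0x1c240d4 in ff_h264_execute_ref_pic_marking XYZ/libav/libavcodec/h264_refs.c:626:33
    #1 0x1c1cc2e in ff_h264_field_end XYZ/libav/libavcodec/h264_picture.c:157:19
    #2 0x1c30e86 in ff_h264_queue_decode_slice XYZ/libav/libavcodec/h264_slice.c:1895:17
    #14 0x7f1f1036a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x41a988 in _start (XYZ/libav/avprobe+0x41a988)
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:626:33 in ff_h264_execute_ref_pic_marking
==12506==ABORTING
"""

# Assumption: a fault below one 4 KiB page is NULL plus a struct-field offset (0xa8
# here), i.e. a missing NULL check, not a corrupted pointer.
ZERO_PAGE_LIMIT = 0x1000

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access|(READ|WRITE) of size \d+")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
SRCLOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")  # path:line[:column]

@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]    # source path, or None for frames without debug info (libc, _start)
    line: Optional[int]

@dataclass
class Triage:
    kind: str              # ASAN error kind: "SEGV", "heap-buffer-overflow", ...
    address: int
    access: Optional[str]  # "READ" or "WRITE" when ASAN reports it
    category: str          # "null-deref", "wild-pointer", or the ASAN kind itself
    frames: List[Frame]    # the faulting stack only
    signature: str         # dedup key: category plus top three in-source functions

def classify(kind: str, address: int) -> str:
    """Refine a raw SEGV into a bucket; other ASAN kinds are already specific."""
    if kind != "SEGV":
        return kind
    return "null-deref" if address < ZERO_PAGE_LIMIT else "wild-pointer"

def parse_frames(lines: List[str]) -> List[Frame]:
    """Collect the first contiguous run of '#N 0x... in func location' lines."""
    frames: List[Frame] = []
    for ln in lines:
        m = FRAME_RE.match(ln)
        if not m:
            if frames:  # first stack ended; later alloc/free stacks are not wanted
                break
            continue
        idx, func, loc = int(m.group(1)), m.group(2), m.group(3)
        s = SRCLOC_RE.match(loc)
        frames.append(Frame(idx, func, s.group(1), int(s.group(2))) if s
                      else Frame(idx, func, None, None))
    return frames

def triage(report: str) -> Triage:
    lines = report.splitlines()
    kind = address = access = None
    for ln in lines:
        m = ERROR_RE.search(ln)
        if m and kind is None:
            kind, address = m.group(1), int(m.group(2), 16)
        a = ACCESS_RE.search(ln)
        if a and access is None:
            access = a.group(1) or a.group(2)
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line in report")
    frames = parse_frames(lines)
    category = classify(kind, address)
    # Frames without source carry no dedup value; keep the top three that have it.
    in_src = [f.function for f in frames if f.file is not None][:3]
    return Triage(kind, address, access, category, frames, "|".join([category] + in_src))

def crash_site(t: Triage) -> Optional[str]:
    """basename:line of the first frame with source info, e.g. 'h264_refs.c:626'."""
    for f in t.frames:
        if f.file is not None:
            return f"{os.path.basename(f.file)}:{f.line}"
    return None

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(t.category, t.access, hex(t.address), crash_site(t), t.signature)
```

<p>To use it on a real fuzzing run, replace SAMPLE_REPORT with the contents of a saved ASAN log (ASAN_OPTIONS=log_path=... writes one per process) and key your crash database on the returned signature; crashes that share the top in-source frames but differ in the fuzz input collapse into one bucket, while a wild-pointer SEGV at a high address is kept apart from a zero-page NULL dereference because the two usually need different fixes.</p>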
    </body>
</html>