<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Out of bounds access in build_table"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1098">1098</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Out-of-bounds read in build_table (libavcodec/bitstream.c:196) while building a VLC table from a crafted Smacker header tree
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>zhihua.yao@dbappsecurity.com.cn
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=694" name="attach_694" title="avconv -i poc -f null">attachment 694</a> <a href="attachment.cgi?id=694&action=edit" title="avconv -i poc -f null">[details]</a></span>
Reproduce with the attached sample file (poc): avconv -i poc -f null

Crash output under gdb (peda) first, then the same crash under pwndbg:

[----------------------------------registers-----------------------------------]
RAX: 0x51f200 (<udp_read_packet+816>:    jmp    0x51f15f <udp_read_packet+655>)
RBX: 0x200 
RCX: 0x9 ('\t')
RDX: 0x292aec0 
RSI: 0x14ae6c0 --> 0xffff0000ffff 
RDI: 0x9 ('\t')
RBP: 0x9 ('\t')
RSP: 0x7fffffffcd90 --> 0x2000007b0 
RIP: 0x57241c (<build_table+316>:    cmp    WORD PTR [rdx+0x2],0x0)
R8 : 0x1 
R9 : 0x1e 
R10: 0x200 
R11: 0x14a26a8 --> 0x4f8a00001e0009 
R12: 0x17 
R13: 0x96 
R14: 0x14a26a8 --> 0x4f8a00001e0009 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x572413 <build_table+307>:    jle    0x572473 <build_table+403>
   0x572415 <build_table+309>:    movsxd rax,edx
   0x572418 <build_table+312>:    lea    rdx,[rsi+rax*4]
=> 0x57241c <build_table+316>:    cmp    WORD PTR [rdx+0x2],0x0
   0x572421 <build_table+321>:    jne    0x572648 <build_table+872>
   0x572427 <build_table+327>:    movsxd r10,r10d
   0x57242a <build_table+330>:    movzx  ecx,dil
   0x57242e <build_table+334>:    xor    edi,edi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd90 --> 0x2000007b0 
0008| 0x7fffffffcd98 --> 0x14a26a8 --> 0x4f8a00001e0009 
0016| 0x7fffffffcda0 --> 0x14a3e00 --> 0xfffffff70400 
0024| 0x7fffffffcda8 --> 0x7fffffffcfc8 --> 0x9 ('\t')
0032| 0x7fffffffcdb0 --> 0xb0c0 
0040| 0x7fffffffcdb8 --> 0x2c3000000002 
0048| 0x7fffffffcdc0 --> 0x0 
0056| 0x7fffffffcdc8 --> 0xb3 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000057241c in build_table (vlc=vlc@entry=0x7fffffffcfc8,
table_nb_bits=0x9, nb_codes=0x96, codes=<optimized out>, flags=flags@entry=0x2)
at libavcodec/bitstream.c:196
196                    if (table[j][1] /*bits*/ != 0) {
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[──────────────────────────────────REGISTERS───────────────────────────────────]
 RAX  0x51f200 (udp_read_packet.constprop+816) ◂— jmp    0x51f15f
 RBX  0x200
 RCX  0x9
 RDX  0x292aec0
 RDI  0x9
 RSI  0x14ae6c0 ◂— 0xffff0000ffff
 R8   0x1
 R9   0x1e
 R10  0x200
 R11  0x14a26a8 ◂— 0x4f8a00001e0009 /* '\t' */
 R12  0x17
 R13  0x96
 R14  0x14a26a8 ◂— 0x4f8a00001e0009 /* '\t' */
 R15  0x0
 RBP  0x9
 RSP  0x7fffffffcd90 ◂— 0x2000007b0
 RIP  0x57241c (build_table+316) ◂— cmp    word ptr [rdx + 2], 0
[────────────────────────────────────DISASM────────────────────────────────────]
 ► 0x57241c <build_table+316>    cmp    word ptr [rdx + 2], 0
   0x572421 <build_table+321>    jne    build_table+872              
<0x572648>
    ↓
   0x572648 <build_table+872>    xor    eax, eax
   0x57264a <build_table+874>    mov    edx, 0xa3e134
   0x57264f <build_table+879>    mov    esi, 0x10
   0x572654 <build_table+884>    xor    edi, edi
   0x572656 <build_table+886>    call   av_log                       
<0x9e2020>

   0x57265b <build_table+891>    add    rsp, 0x38
   0x57265f <build_table+895>    mov    eax, 0xc1444e49
   0x572664 <build_table+900>    pop    rbx
   0x572665 <build_table+901>    pop    rbp
[────────────────────────────────────SOURCE────────────────────────────────────]
191                    j = bitswap_32(code);
192                    inc = 1 << n;
193                }
194                for (k = 0; k < nb; k++) {
195                    av_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
196                    if (table[j][1] /*bits*/ != 0) {
197                        av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
198                        return AVERROR_INVALIDDATA;
199                    }
200                    table[j][1] = n; //bits
[────────────────────────────────────STACK─────────────────────────────────────]
00:0000│ rsp  0x7fffffffcd90 ◂— 0x2000007b0
01:0008│      0x7fffffffcd98 —▸ 0x14a26a8 ◂— 0x4f8a00001e0009 /* '\t' */
02:0010│      0x7fffffffcda0 —▸ 0x14a3e00 ◂— 0xfffffff70400
03:0018│      0x7fffffffcda8 —▸ 0x7fffffffcfc8 ◂— 9 /* '\t' */
04:0020│      0x7fffffffcdb0 ◂— 0xb0c0
05:0028│      0x7fffffffcdb8 ◂— 0x2c3000000002
06:0030│      0x7fffffffcdc0 ◂— 0x0
07:0038│      0x7fffffffcdc8 ◂— 0xb3
[──────────────────────────────────BACKTRACE───────────────────────────────────]
 ► f 0           57241c build_table+316
   f 1           5725c0 build_table+736
   f 2           572dac ff_init_vlc_sparse+1004
   f 3           428150 smacker_decode_header_tree.isra+720
   f 4           428586 decode_init+282
   f 5           428586 decode_init+282
   f 6           806c7c avcodec_open2+2140
   f 7           53605e try_decode_frame+462
   f 8           53a241 avformat_find_stream_info+1169
   f 9           451b69 open_input_file+633
   f 10           452caf avconv_parse_options+175
Program received signal SIGSEGV (fault address 0x292aec2)
pwndbg> p j
$1 = 0x51f200

Analysis: the faulting instruction is the read of table[j][1] at bitstream.c:196
(cmp WORD PTR [rdx+0x2],0x0). With j = 0x51f200 the address is computed as
rdx = rsi + j*4 = 0x14ae6c0 + 0x147c800 = 0x292aec0, so the fault address
0x292aec2 is exactly &table[j][1] -- roughly 20 MB past the table base in RSI.
build_table was called with table_nb_bits=9 (RBX/R10 = 0x200 = 1&lt;&lt;9 look like
the table size, unconfirmed), so an index of 0x51f200 is far out of bounds.
(The value coincidentally falls inside the text segment, which is why the
debugger symbolises RAX as udp_read_packet+816.) j comes from the code values
passed in by smacker_decode_header_tree via ff_init_vlc_sparse (see backtrace),
i.e. it appears to be derived from file-controlled data, so this is an
out-of-bounds read on untrusted input and the severity should reflect a
memory-safety bug rather than "normal".
        </div>
      </p>
    </body>
</html>