<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Infinite loop in event_loop (avtools/avplay.c)" href="https://bugzilla.libav.org/show_bug.cgi?id=1113">1113</a></td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Infinite loop in event_loop (avtools/avplay.c)
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>utilities
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>probefuzzer@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=705" name="attach_705" title="poc for libav">attachment 705</a> <a href="attachment.cgi?id=705&action=edit" title="poc for libav">[details]</a></span>
poc for libav

On git HEAD of libav:
there is an infinite loop and application hang in the event_loop function
(avtools/avplay.c), which can be triggered by the POC with the command: avplay
$POC. 

Looking into the event_loop function (coders/bmp.c), we found that in the
refresh_thread function (line 908), FF_REFRESH_EVENT event is continuously
pushed on event queue if "abort_request" is zero. However, this variable could
be manipulated by the POC (although the POC file size < 300 bytes). In this
case, the event handling "event_loop" function would get stuck in an infinite loop.

908 static int refresh_thread(void *opaque)
909 {
    ...
911    while (!is->abort_request) {
912        SDL_Event event;
913        event.type = FF_REFRESH_EVENT;
915        if (!is->refresh) {
916            is->refresh = 1;
917            SDL_PushEvent(&event);
918        }
920    }
922 }

2698 static void event_loop(void)
2699 {
    ...
2703     for (;;) {
2705         SDL_WaitEvent(&event);
2706        switch (event.type) {
     ...
2844        case FF_REFRESH_EVENT:
2845            video_refresh_timer(event.user.data1);
2846            player->refresh = 0;
2847            break;

POC:
<a href="https://github.com/ProbeFuzzer/poc/blob/master/libav/libav_12-1_avplay_infinite-loop_event_loop.avi">https://github.com/ProbeFuzzer/poc/blob/master/libav/libav_12-1_avplay_infinite-loop_event_loop.avi</a>

The backtrace is as follows:
#0  0x00000038c480f00d in nanosleep () from /lib64/libpthread.so.0
#1  0x00000038dea587f4 in SDL_Delay () from /usr/lib64/libSDL-1.2.so.0
#2  0x00000038dea0e32e in SDL_WaitEvent () from /usr/lib64/libSDL-1.2.so.0
#3  0x0000000000459398 in main () at
/u/youwei/ProbeFuzzer/product/libav/patch/src/avtools/avplay.c:2708</pre>
        </div>
      </p>
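<p>Added example (not Libav's code and not part of the report): a single-threaded C model of the refresh_thread / event_loop handshake quoted above, with a hypothetical idle-refresh watchdog showing where an abort condition would have to sit for the refresh cycle to terminate. The frames_left counter, max_idle and the watchdog are constructed for the demonstration.</p>

```c
/* Added example, not Libav code: single-threaded model of the refresh_thread /
 * event_loop handshake from the report; frames_left and max_idle are constructed. */
#include <stdbool.h>

enum { FF_REFRESH_EVENT = 1 };

struct player {
    int abort_request;   /* refresh_thread loops while this is zero */
    int refresh;         /* 1 while a refresh event is pending */
    int frames_left;     /* constructed stand-in for decodable input */
    int refreshes_seen;  /* FF_REFRESH_EVENTs handled by the loop */
};

/* One pass of refresh_thread's while (!is->abort_request) body:
 * returns the event type pushed, or 0 if nothing is pushed. */
static int refresh_step(struct player *is)
{
    if (is->abort_request || is->refresh)
        return 0;
    is->refresh = 1;
    return FF_REFRESH_EVENT;
}

/* video_refresh_timer stand-in: true only when a frame was shown. */
static bool video_refresh_timer(struct player *is)
{
    if (is->frames_left <= 0)
        return false;           /* nothing decodable: refresh did no work */
    is->frames_left--;
    return true;
}

/* event_loop model: while abort_request stays zero the refresh cycle
 * never ends, which is the hang the report describes. max_idle is a
 * hypothetical watchdog: abort after that many refreshes showing no frame. */
int event_loop_model(struct player *player, int max_idle)
{
    int idle = 0;
    while (!player->abort_request) {
        if (refresh_step(player) != FF_REFRESH_EVENT)
            continue;                    /* SDL_WaitEvent would block here */
        player->refreshes_seen++;        /* case FF_REFRESH_EVENT: */
        idle = video_refresh_timer(player) ? 0 : idle + 1;
        player->refresh = 0;             /* player->refresh = 0; */
        if (idle >= max_idle)
            player->abort_request = 1;   /* watchdog: stop the spin */
    }
    return player->refreshes_seen;
}
```

With three decodable frames and a watchdog of five idle refreshes, the model handles eight refresh events and then aborts; with no watchdog-equivalent path, as in the quoted code, the same loop would never return.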
    </body>
</html>