<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - avconv crashes -- global buffer overflow" href="https://bugzilla.libav.org/show_bug.cgi?id=1127">1127</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>avconv crashes -- global buffer overflow
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>thuanpv@comp.nus.edu.sg
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=716" name="attach_716" title="crash-inducing sample file">attachment 716</a> <a href="attachment.cgi?id=716&action=edit" title="crash-inducing sample file">[details]</a></span>
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

This bug was found on Ubuntu 16.04 64-bit & libav revision 39f3b6 (HEAD)

To reproduce:
Download the attached file - libav_crash_3.avi
avconv -i libav_crash_3.avi -f null -


ASAN says:

avconv version v13_dev0-1538-g39f3b6f, Copyright (c) 2000-2018 the Libav
developers
  built on Apr 27 2018 08:54:43 with gcc 6.4.0 (Ubuntu 6.4.0-17ubuntu1~16.04)
20180424
Input #0, avi, from 'libav_crash_3.avi':
  Duration: 00:00:13.16, start: 0.000000, bitrate: 164 kb/s
    Stream #0:0: Video: indeo4 [IV41 / 0x31345649]
      yuv410p, 160x120
      12 fps, 12 tbn
Stream mapping:
  Stream #0:0 -> #0:0 (indeo4 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[indeo4 @ 0x61900001ea80] Tile data_size mismatch!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Scan pattern is not set.
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Scan pattern is not set.
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Too many corrections: 89
[indeo4 @ 0x61900001ea80] Error while decoding band header: -1052488119
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] The band block size does not match the configuration
inherited
[indeo4 @ 0x61900001ea80] Error while decoding band header: -1052488119
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 1
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
[indeo4 @ 0x61900001ea80] Corrupted tile data encountered!
[indeo4 @ 0x61900001ea80] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0
=================================================================
==122389==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001838464 at pc 0x000000b72ac7 bp 0x7ffd42fa8ad0 sp 0x7ffd42fa8ac0
READ of size 2 at 0x000001838464 thread T0
    #0 0xb72ac6  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0xb72ac6)
    #1 0x8a305f  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x8a305f)
    #2 0x8a3cb7  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x8a3cb7)
    #3 0x5117cd  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x5117cd)
    #4 0x4d2b0a  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x4d2b0a)
    #5 0x7f713d8bd82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x4e22c8  (/home/thuan/aflsmart-experiments/libav-asan/avconv+0x4e22c8)

0x000001838464 is located 28 bytes to the left of global variable
'ivi4_quant_4x4_intra' defined in 'libavcodec/indeo4data.h:275:23' (0x1838480)
of size 160
0x000001838464 is located 4 bytes to the right of global variable
'ivi4_quant_4x4_inter' defined in 'libavcodec/indeo4data.h:308:23' (0x18383c0)
of size 160
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/thuan/aflsmart-experiments/libav-asan/avconv+0xb72ac6)

Regards,

Thuan</pre>
        </div>
      </p>
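<p>The ASAN report above describes a 2-byte read landing 4 bytes past the end of a 160-byte global table (ivi4_quant_4x4_inter), i.e. a table lookup driven by a value taken from corrupted tile or band data. The C program below is an added illustration of that bug class and its mitigation, not code from Libav or from the reporter: it uses a constructed 80-entry 16-bit table of the same byte size, shows an unchecked lookup beside a range-checked one that lets the caller reject the band header, and includes a small helper that turns ASAN's "N bytes to the right of variable of size S" wording into the element index the faulting access hit. The header layout, table contents and function names are assumptions made for the example.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a decoder's global quantisation table: 80
 * 16-bit entries = 160 bytes, the size ASAN reports for
 * ivi4_quant_4x4_inter. The values are made up; unlisted entries are 0. */
#define QUANT_ENTRIES 80
const uint16_t quant_table[QUANT_ENTRIES] = {
    2, 4, 6, 8, 10, 12, 14, 16
};

/* Vulnerable pattern: an index read from the bitstream selects a table
 * entry with no range check. For idx >= QUANT_ENTRIES this reads past the
 * end of the global, the class of error ASAN flags in the report above.
 * Kept only for contrast; nothing in this file calls it. */
uint16_t quant_lookup_unchecked(unsigned idx)
{
    return quant_table[idx];
}

/* Hardened form: validate the index before touching the table and report
 * failure to the caller instead of reading out of bounds. */
int quant_lookup_checked(unsigned idx, uint16_t *out)
{
    if (idx >= QUANT_ENTRIES)
        return -1;
    *out = quant_table[idx];
    return 0;
}

/* Assumed minimal band header: byte 0 = quantiser index, byte 1 = flags.
 * Returns 0 and the quantiser value on success, -1 if the header is
 * truncated or the index is out of range (caller treats it as corrupt). */
int parse_band_header(const uint8_t *buf, size_t len, uint16_t *out)
{
    if (buf == NULL || len < 2)
        return -1;
    return quant_lookup_checked(buf[0], out);
}

/* Triage helper: ASAN says the access is bytes_right past a variable of
 * var_size bytes; for elements of elem_size bytes this is the element
 * index that was read. For the report above: (160 + 4) / 2 = 82, two
 * entries beyond the last valid index of an 80-entry table. */
size_t asan_overrun_index(size_t bytes_right, size_t var_size, size_t elem_size)
{
    return (var_size + bytes_right) / elem_size;
}

int main(void)
{
    /* Constructed headers: one valid, one with an index beyond the table. */
    const uint8_t good[2] = { 5, 0 };
    const uint8_t bad[2]  = { 200, 0 };
    uint16_t q = 0;

    if (parse_band_header(good, sizeof good, &q) == 0)
        printf("good header: quant index 5 -> %u\n", q);
    if (parse_band_header(bad, sizeof bad, &q) < 0)
        printf("bad header rejected: index 200 >= %d entries\n", QUANT_ENTRIES);

    printf("ASAN report maps to element index %zu\n",
           asan_overrun_index(4, 160, sizeof(uint16_t)));
    return 0;
}
```

<p>The checked lookup returns an error code rather than clamping the index, so a corrupted band header fails closed at the point where the decoder already emits "Error while decoding band header"; clamping would silently decode with a wrong quantiser and hide the corruption from fuzzers and sanitizers.</p>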
    </body>
</html>