<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - heap-use-after-free in vc1_decode_frame in vc1dec.c"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1154">1154</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>heap-use-after-free in vc1_decode_frame in vc1dec.c
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>libavcodec
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>92wyunchao@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
<pre>Created <span class=""><a href="attachment.cgi?id=739" name="attach_739" title="poc to reproduce the bug">attachment 739</a></span>
poc to reproduce the bug

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./avconv -i $poc -f null -

==77305==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000ae28 at pc 0x00000178f21f bp 0x7ffe0d645850 sp 0x7ffe0d645848
READ of size 4 at 0x60800000ae28 thread T0
    #0 0x178f21e in vc1_decode_frame /home/s2e/Desktop/libav-12.3/libavcodec/vc1dec.c:883
    #1 0x169bb87 in avcodec_decode_video2 /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1588
    #2 0x169e6eb in do_decode /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1727
    #3 0x169e346 in avcodec_send_packet /home/s2e/Desktop/libav-12.3/libavcodec/utils.c:1804
    #4 0x5335d1 in decode /home/s2e/Desktop/libav-12.3/avconv.c:1295
    #5 0x5335d1 in decode_video /home/s2e/Desktop/libav-12.3/avconv.c:1395
    #6 0x5335d1 in process_input_packet /home/s2e/Desktop/libav-12.3/avconv.c:1514
    #7 0x528f8d in process_input /home/s2e/Desktop/libav-12.3/avconv.c:2690
    #8 0x528f8d in transcode /home/s2e/Desktop/libav-12.3/avconv.c:2732
    #9 0x528f8d in main /home/s2e/Desktop/libav-12.3/avconv.c:2905
    #10 0x7f3c56a8082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x41b368 in _start (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x41b368)

0x60800000ae28 is located 8 bytes inside of 96-byte region [0x60800000ae20,0x60800000ae80)
freed by thread T0 here:
    #0 0x4bb818 in realloc (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bb818)
    #1 0x240476d in av_realloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:136
    #2 0x57172b in ff_default_query_formats /home/s2e/Desktop/libav-12.3/libavfilter/formats.c:401

previously allocated by thread T0 here:
    #0 0x4bb818 in realloc (/home/s2e/Desktop/libav-12.3/build/bin/avconv+0x4bb818)
    #1 0x240476d in av_realloc /home/s2e/Desktop/libav-12.3/libavutil/mem.c:136
    #2 0x57172b in ff_default_query_formats /home/s2e/Desktop/libav-12.3/libavfilter/formats.c:401

SUMMARY: AddressSanitizer: heap-use-after-free /home/s2e/Desktop/libav-12.3/libavcodec/vc1dec.c:883 in vc1_decode_frame
Shadow bytes around the buggy address:
  0x0c107fff9570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff95c0: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c107fff95d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff95e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff95f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9600: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9610: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==77305==ABORTING</pre>
        </div>
      </p>
    </body>
</html>