[FFmpeg-devel] [PATCH] ogg: Fix OOB write during ogg_read_seek()

Dale Curtis dalecurtis at chromium.org
Tue Apr 17 05:54:16 CEST 2012


On Mon, Apr 16, 2012 at 8:51 PM, Dale Curtis <dalecurtis at chromium.org> wrote:

> On Mon, Apr 16, 2012 at 8:00 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
>
>>
>> On Mon, Apr 16, 2012 at 01:57:21PM -0700, dalecurtis at chromium.org wrote:
>> > From: Dale Curtis <dalecurtis at chromium.org>
>> >
>> > Prevents an OOB write of size 4 when ogg_read_seek is called with
>> > a stream_index >= ogg->nstreams.
>> >
>> > In this case s->nb_streams == 3, yet ogg->nstreams == 1 and
>> > stream_index == 1; causing os->keyframe_seek = 1 to write OOB.
>> >
>>
>> > Test case available on request.
>>
>> I tried both valgrind and address sanitizer, neither shows anything
>> invalid with
>> ./ffmpeg_g -i oob-write.ogv  -f null -
>>
>> maybe reimar could take a look at the patch, I am a bit tired and
>> need to sleep a few hours ...
>>
>>
> Did you try seeking in ffplay? I was able to induce a crash, but ASAN
> should show the issue. Aside from that, logging the values of ogg->nstreams
> and stream_index in ogg_read_seek will show the issue. Here's the relevant
> ASAN snippet from Chrome:
>
> WRITE of size 4 at 0x7fbd4e8bc37c thread T22
>     #0 0x7fbd4e53d63b in ogg_read_seek chrome-asan/src/third_party/ffmpeg/libavformat/oggdec.c:711
>     #1 0x7fbd4e559bf7 in av_seek_frame chrome-asan/src/third_party/ffmpeg/libavformat/utils.c:1772
>
> (line numbers slightly off due to older FFmpeg cut in trace).
>
> - dale
>

Sorry, that should read, "I was __not__ able to induce a crash..."

- dale
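The failure mode described in the thread is an index that is valid at the container level (s->nb_streams == 3) but not at the demuxer level (ogg->nstreams == 1), so os->keyframe_seek = 1 writes past the demuxer's per-stream array. The following is an added, constructed C model of that mismatch and of the bounds check that closes it; it is not FFmpeg's code and not the patch under discussion. All struct and function names (toy_ogg, toy_fmt_ctx, toy_seek_checked, toy_run_scenario, the -1 error value) are hypothetical stand-ins. Note that, as the thread observes, a plain decode run such as `-f null -` never reaches the seek path, which is why a sanitizer only reports the write when a seek actually happens.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not FFmpeg's code): the container reports nb_streams,
 * while the demuxer keeps its own per-stream array of length nstreams.
 * The thread's bug is that the two counts can differ. */
struct toy_ogg_stream {
    int keyframe_seek;
};

struct toy_ogg {
    struct toy_ogg_stream *streams;  /* demuxer-level array */
    int nstreams;                    /* its real length */
};

struct toy_fmt_ctx {
    int nb_streams;                  /* container-level count, may be larger */
    struct toy_ogg *priv;            /* demuxer private state */
};

/* Shape of the defect for contrast only (never called here): the caller's
 * stream_index is trusted to be < nstreams, so an index that is merely
 * < nb_streams writes 4 bytes past the end of priv->streams. */
static int toy_seek_unchecked(struct toy_fmt_ctx *s, int stream_index)
{
    struct toy_ogg_stream *os = s->priv->streams + stream_index;
    os->keyframe_seek = 1;
    return 0;
}

/* Hardened form: validate against the array that is actually indexed
 * (nstreams), not against s->nb_streams. Returns -1 as a stand-in for an
 * AVERROR-style failure; no memory is touched on the error path. */
static int toy_seek_checked(struct toy_fmt_ctx *s, int stream_index)
{
    struct toy_ogg *ogg = s->priv;
    if (stream_index < 0 || stream_index >= ogg->nstreams)
        return -1;
    ogg->streams[stream_index].keyframe_seek = 1;
    return 0;
}

/* Builds the exact mismatch from the thread: nb_streams == 3 but the
 * demuxer array holds only nstreams entries (caller-provided storage). */
static void toy_setup_mismatch(struct toy_fmt_ctx *s, struct toy_ogg *ogg,
                               struct toy_ogg_stream *backing, int nstreams)
{
    memset(backing, 0, sizeof(*backing) * (size_t)nstreams);
    ogg->streams = backing;
    ogg->nstreams = nstreams;
    s->nb_streams = 3;
    s->priv = ogg;
}

/* Returns 1 when the checked seek rejects stream_index == 1 (equal to
 * nstreams, the case from the thread) and still accepts index 0. */
static int toy_run_scenario(void)
{
    struct toy_ogg_stream backing[1];
    struct toy_ogg ogg;
    struct toy_fmt_ctx s;
    int rejected, accepted;

    toy_setup_mismatch(&s, &ogg, backing, 1);
    rejected = toy_seek_checked(&s, 1) != 0;
    accepted = toy_seek_checked(&s, 0) == 0 && backing[0].keyframe_seek == 1;
    (void)toy_seek_unchecked;  /* kept for contrast, deliberately unused */
    return rejected && accepted;
}

int main(void)
{
    printf("bounds check %s\n", toy_run_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The point of the model is the choice of bound: a demuxer that indexes its private array by the container's stream index must check that index against the private array's own length, because nothing guarantees the two counts agree.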

