[FFmpeg-devel] [PATCH] ogg: Fix OOB write during ogg_read_seek()
dalecurtis at chromium.org
Tue Apr 17 05:54:16 CEST 2012
On Mon, Apr 16, 2012 at 8:51 PM, Dale Curtis <dalecurtis at chromium.org>wrote:
> On Mon, Apr 16, 2012 at 8:00 PM, Michael Niedermayer <michaelni at gmx.at>wrote:
>> On Mon, Apr 16, 2012 at 01:57:21PM -0700, dalecurtis at chromium.org wrote:
>> > From: Dale Curtis <dalecurtis at chromium.org>
>> > Prevents an OOB write of size 4 when ogg_read_seek is called with
>> > a stream_index >= ogg->nstreams.
>> > In this case s->nb_streams == 3, yet ogg->nstreams == 1 and
>> > stream_index == 1; causing os->keyframe_seek = 1 to write OOB.
>> > Test case available on request.
>> i tried both valgrind and address sanitizer, neither shows anything
>> invalid with
>> ./ffmpeg_g -i oob-write.ogv -f null -
>> maybe reimar could take a look at the patch, iam a bit tired and
>> need to sleep a few hours ...
> Did you try seeking in ffplay? I was able to induce a crash, but ASAN
> should show the issue. Aside from that, logging the values of ogg->nstreams
> and stream_index in ogg_read_seek will show the issue. Here's the relevant
> ASAN snippet from Chrome:
> WRITE of size 4 at 0x7fbd4e8bc37c thread T22
> #0 0x7fbd4e53d63b in ogg_read_seek chrome-asan/src/third_party/ffmpeg/libavformat/oggdec.c:711
> #1 0x7fbd4e559bf7 in av_seek_frame chrome-asan/src/third_party/ffmpeg/libavformat/utils.c:1772
> (line numbers slightly off due to older FFmpeg cut in trace).
> - dale
Sorry, that should read, "I was __not__ able to induce a crash..."
More information about the ffmpeg-devel