[FFmpeg-trac] #182(avformat:open): libavformat crashes on damaged mp3

FFmpeg trac at avcodec.org
Tue May 10 01:39:26 CEST 2011


#182: libavformat crashes on damaged mp3
-----------------------+-----------------------
Reporter:  jwarren     |       Owner:
    Type:  defect      |      Status:  open
Priority:  important   |   Component:  avformat
 Version:  git-master  |  Resolution:
Keywords:  regression  |  Blocked By:
Blocking:              |  Reproduced:  1
Analyzed:  0           |
-----------------------+-----------------------

Comment (by saste):

 This is due to the code:

         if (tflags & ID3v2_FLAG_DATALEN) {
             avio_rb32(s->pb);
             tlen -= 4;
         }

 When tlen = 3, this results in an integer underflow (tlen is unsigned), and
 the following av_fast_realloc() will fail and will crash when reading the
 NULL buffer.

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/182#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
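
The underflow described in the comment above, isolated next to a length-checked variant. This is an added example, not FFmpeg's code or its fix: the helper names, the buffer-based reader and the value given to ID3v2_FLAG_DATALEN are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ID3v2_FLAG_DATALEN 0x0001 /* name from the ticket; value assumed */

/* The adjustment quoted in the ticket, isolated: tlen is unsigned, so
 * tlen = 3 with the flag set wraps to 0xFFFFFFFF instead of going negative. */
static uint32_t frame_len_unchecked(uint32_t tlen, int tflags)
{
    if (tflags & ID3v2_FLAG_DATALEN)
        tlen -= 4;
    return tlen;
}

/* Checked form (hypothetical helper): reject a frame too short to hold the
 * 4-byte data length indicator, or longer than the bytes actually present. */
static int frame_len_checked(uint32_t tlen, int tflags, size_t avail, uint32_t *out)
{
    uint32_t skip = (tflags & ID3v2_FLAG_DATALEN) ? 4 : 0;
    if (tlen < skip || tlen > avail)
        return -1;
    *out = tlen - skip;
    return 0;
}

/* Copy the frame payload out of buf; NULL on a malformed length or a failed
 * allocation, so the caller never dereferences an unallocated buffer. */
static uint8_t *read_frame(const uint8_t *buf, size_t avail, uint32_t tlen,
                           int tflags, uint32_t *plen)
{
    uint32_t n;
    if (frame_len_checked(tlen, tflags, avail, &n) < 0)
        return NULL;
    uint8_t *p = malloc(n ? n : 1);
    if (!p)
        return NULL;
    memcpy(p, buf + (tlen - n), n);
    *plen = n;
    return p;
}

int main(void)
{
    const uint8_t frame[3] = { 0, 0, 0 }; /* constructed: damaged 3-byte frame */
    uint32_t n = 0;
    printf("unchecked: %u\n", (unsigned)frame_len_unchecked(3, ID3v2_FLAG_DATALEN));
    printf("checked:   %s\n", read_frame(frame, 3, 3, ID3v2_FLAG_DATALEN, &n) ? "read" : "rejected");
    return 0;
}
```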

