[FFmpeg-trac] #1907(avformat:new): use-after-free in matroska demuxer

Sun Nov 11 09:23:22 CET 2012

#1907: use-after-free in matroska demuxer
-------------------------------------+------------------------------------
             Reporter:  eugenis      |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  avformat
              Version:  unspecified  |               Resolution:
             Keywords:  mkv          |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+------------------------------------
Changes (by cehoyos):

 * keywords:   => mkv
 * priority:  normal => important
 * component:  undetermined => avformat

Old description:

> I've got this AddressSanitizer report twice, both times when seeking back
> in mplayer in an .mkv file. I don't have a reliable reproducer. "Heap-
> buffer-overflow" in the first line is really a use-after-free, that's an
> issue with the tool.
>
> Looks like matroska_parse_cluster_incremental() deletes the current
> cluster when it encounters a new one, but the old one can still be used
> for seeking?
>
> ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9b247b1480
> at pc 0xa2639c bp 0x7ffff0c41cb0 sp 0x7ffff0c41ca8
> READ of size 8 at 0x7f9b247b1480 thread T0
>     #0 0xa2639b in matroska_read_seek
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:2410
>     #1 0xb76c34 in seek_frame_internal
> /build/mplayer/ffmpeg/libavformat/utils.c:1952
>     #2 0x8360a4 in demux_seek_lavf
> /build/mplayer/libmpdemux/demux_lavf.c:690
>     #3 0x6941b9 in demux_seek /build/mplayer/libmpdemux/demuxer.c:1372
>     #4 0x4a0f30 in seek /build/mplayer/mplayer.c:2710
>     #5 0x49db59 in main /build/mplayer/mplayer.c:3964
>     #6 0x7f9b374c0efe in __libc_start_main /build/buildd/eglibc-2.13/csu
> /libc-start.c:226
> 0x7f9b247b1480 is located 1088 bytes inside of 13340-byte region
> [0x7f9b247b1040,0x7f9b247b445c)
> freed by thread T0 here:
>     #0 0x1a2c710 in free ??:0
>     #1 0x19edaca in av_free /build/mplayer/ffmpeg/libavutil/mem.c:190
>     #2 0xa29e69 in ebml_free
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:969
>     #3 0xa29f17 in ebml_free
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:975
>     #4 0xa26b00 in matroska_parse_cluster_incremental
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:2281
>     #5 0xa249e5 in matroska_read_packet
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:2361
>     #6 0xb6ffb9 in ff_read_packet
> /build/mplayer/ffmpeg/libavformat/utils.c:710
>     #7 0xb72d63 in read_frame_internal
> /build/mplayer/ffmpeg/libavformat/utils.c:1284
>     #8 0xb71fa6 in av_read_frame
> /build/mplayer/ffmpeg/libavformat/utils.c:1436
>     #9 0x833c6f in demux_lavf_fill_buffer
> /build/mplayer/libmpdemux/demux_lavf.c:612
>     #10 0x690af5 in demux_fill_buffer
> /build/mplayer/libmpdemux/demuxer.c:633
>     #11 0x691a29 in ds_get_packet /build/mplayer/libmpdemux/demuxer.c:832
>     #12 0x8245f5 in decode_audio
> /build/mplayer/libmpcodecs/ad_ffmpeg.c:271
>     #13 0x5e1fdb in filter_n_bytes
> /build/mplayer/libmpcodecs/dec_audio.c:393
>     #14 0x49ad47 in fill_audio_out_buffers /build/mplayer/mplayer.c:2173
> previously allocated by thread T0 here:
>     #0 0x1a2ca4a in posix_memalign ??:0
>     #1 0x19edbad in av_malloc /build/mplayer/ffmpeg/libavutil/mem.c:97
>     #2 0x14729a6 in ff_fast_malloc
> /build/mplayer/ffmpeg/libavcodec/utils.c:82
>     #3 0xa2b69a in ebml_read_binary
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:765
>     #4 0xa2b81f in ebml_parse_elem
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:947
>     #5 0xa26984 in ebml_parse
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:865
>     #6 0xa249e5 in matroska_read_packet
> /build/mplayer/ffmpeg/libavformat/matroskadec.c:2361
>     #7 0xb6ffb9 in ff_read_packet
> /build/mplayer/ffmpeg/libavformat/utils.c:710
>     #8 0xb72d63 in read_frame_internal
> /build/mplayer/ffmpeg/libavformat/utils.c:1284
>     #9 0xb71fa6 in av_read_frame
> /build/mplayer/ffmpeg/libavformat/utils.c:1436

New description:

 I've got this AddressSanitizer report twice, both times when seeking back
 in mplayer in an .mkv file. I don't have a reliable reproducer. "Heap-
 buffer-overflow" in the first line is really a use-after-free, that's an
 issue with the tool.

 Looks like matroska_parse_cluster_incremental() deletes the current
 cluster when it encounters a new one, but the old one can still be used
 for seeking?
 {{{
 ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9b247b1480 at
 pc 0xa2639c bp 0x7ffff0c41cb0 sp 0x7ffff0c41ca8
 READ of size 8 at 0x7f9b247b1480 thread T0
     #0 0xa2639b in matroska_read_seek
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:2410
     #1 0xb76c34 in seek_frame_internal
 /build/mplayer/ffmpeg/libavformat/utils.c:1952
     #2 0x8360a4 in demux_seek_lavf
 /build/mplayer/libmpdemux/demux_lavf.c:690
     #3 0x6941b9 in demux_seek /build/mplayer/libmpdemux/demuxer.c:1372
     #4 0x4a0f30 in seek /build/mplayer/mplayer.c:2710
     #5 0x49db59 in main /build/mplayer/mplayer.c:3964
     #6 0x7f9b374c0efe in __libc_start_main /build/buildd/eglibc-2.13/csu
 /libc-start.c:226
 0x7f9b247b1480 is located 1088 bytes inside of 13340-byte region
 [0x7f9b247b1040,0x7f9b247b445c)
 freed by thread T0 here:
     #0 0x1a2c710 in free ??:0
     #1 0x19edaca in av_free /build/mplayer/ffmpeg/libavutil/mem.c:190
     #2 0xa29e69 in ebml_free
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:969
     #3 0xa29f17 in ebml_free
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:975
     #4 0xa26b00 in matroska_parse_cluster_incremental
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:2281
     #5 0xa249e5 in matroska_read_packet
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:2361
     #6 0xb6ffb9 in ff_read_packet
 /build/mplayer/ffmpeg/libavformat/utils.c:710
     #7 0xb72d63 in read_frame_internal
 /build/mplayer/ffmpeg/libavformat/utils.c:1284
     #8 0xb71fa6 in av_read_frame
 /build/mplayer/ffmpeg/libavformat/utils.c:1436
     #9 0x833c6f in demux_lavf_fill_buffer
 /build/mplayer/libmpdemux/demux_lavf.c:612
     #10 0x690af5 in demux_fill_buffer
 /build/mplayer/libmpdemux/demuxer.c:633
     #11 0x691a29 in ds_get_packet /build/mplayer/libmpdemux/demuxer.c:832
     #12 0x8245f5 in decode_audio
 /build/mplayer/libmpcodecs/ad_ffmpeg.c:271
     #13 0x5e1fdb in filter_n_bytes
 /build/mplayer/libmpcodecs/dec_audio.c:393
     #14 0x49ad47 in fill_audio_out_buffers /build/mplayer/mplayer.c:2173
 previously allocated by thread T0 here:
     #0 0x1a2ca4a in posix_memalign ??:0
     #1 0x19edbad in av_malloc /build/mplayer/ffmpeg/libavutil/mem.c:97
     #2 0x14729a6 in ff_fast_malloc
 /build/mplayer/ffmpeg/libavcodec/utils.c:82
     #3 0xa2b69a in ebml_read_binary
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:765
     #4 0xa2b81f in ebml_parse_elem
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:947
     #5 0xa26984 in ebml_parse
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:865
     #6 0xa249e5 in matroska_read_packet
 /build/mplayer/ffmpeg/libavformat/matroskadec.c:2361
     #7 0xb6ffb9 in ff_read_packet
 /build/mplayer/ffmpeg/libavformat/utils.c:710
     #8 0xb72d63 in read_frame_internal
 /build/mplayer/ffmpeg/libavformat/utils.c:1284
     #9 0xb71fa6 in av_read_frame
 /build/mplayer/ffmpeg/libavformat/utils.c:1436

--

Comment:

 Could you add the FFmpeg version you are testing?
 (A crash in mkv was fixed tonight.)

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1907#comment:1>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker