[FFmpeg-trac] #1907(avformat:new): use-after-free in matroska demuxer

FFmpeg trac at avcodec.org
Mon Nov 12 20:56:36 CET 2012

#1907: use-after-free in matroska demuxer
             Reporter:  eugenis      |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  avformat
              Version:  unspecified  |               Resolution:
             Keywords:  mkv          |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |

Comment (by eugenis):

 I think I got this.
 First of all, the report is a bit off. This is indeed a heap-buffer-overflow,
 but the original allocation stack is lost because it is waaay off to the
 right of the actual allocation.

 This is what I believe is going on.

 At matroskadec.c:2414, the index_sub value is obtained as an index into the
 index table of the subtitle track. Then, in line 2417, it is used as an
 index into whatever track we are seeking in:
 st->index_entries[index_sub].pos. It seems like the sizes of index tables for
 different tracks do not have to be connected in any way, right?

Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1907#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

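Added example, constructed for this archive page and not FFmpeg's own code: a bounds-checked form of the lookup the comment describes, using simplified stand-in track and index structures (the `track`, `index_entry`, `seek_pos` and `pos_checked` names are assumptions), so that an index taken from the subtitle track's table is rejected rather than read when the target track's table is shorter.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for per-track index tables, constructed for this
 * example (not FFmpeg's AVStream / AVIndexEntry definitions). */
typedef struct {
    int64_t pos;        /* byte offset of the cluster holding the entry */
    int64_t timestamp;  /* presentation timestamp of the entry */
} index_entry;
typedef struct {
    const index_entry *index_entries;
    int                nb_index_entries;
} track;

/* Bounds-checked form of st->index_entries[index_sub].pos: index_sub came
 * from another track's table, so it is only valid for st if st's table is
 * long enough. Returns the pos, or -1 if the index is out of range. */
static int64_t pos_checked(const track *st, int index_sub)
{
    if (!st || !st->index_entries || index_sub < 0 ||
        index_sub >= st->nb_index_entries)
        return -1;
    return st->index_entries[index_sub].pos;
}

/* Mimics the seek path from the ticket: pick index_sub from the subtitle
 * track's table by timestamp, then use that number on the target track.
 * Returns the target pos, or -1 when the lookup is rejected. */
static int64_t seek_pos(const track *sub, const track *target, int64_t ts)
{
    int index_sub = -1;
    for (int i = 0; i < sub->nb_index_entries; i++)
        if (sub->index_entries[i].timestamp <= ts)
            index_sub = i;
    return pos_checked(target, index_sub);
}

/* Constructed sample: the subtitle track has four cues, the video track two. */
static const index_entry sub_idx[]   = { {100, 0}, {200, 1000}, {300, 2000}, {400, 3000} };
static const index_entry video_idx[] = { {100, 0}, {250, 1500} };
static const track sub_track   = { sub_idx,   4 };
static const track video_track = { video_idx, 2 };

int main(void)
{
    /* ts=1000 -> index 1, present in the video table (250); ts=3000 -> index 3, rejected (-1). */
    printf("%lld %lld\n", (long long)seek_pos(&sub_track, &video_track, 1000),
           (long long)seek_pos(&sub_track, &video_track, 3000));
    return 0;
}
```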