[FFmpeg-trac] #8193(undetermined:new): signed integer overflow in libavformat/yuv4mpegdec.c:329

FFmpeg trac at avcodec.org
Sun Sep 22 19:27:17 EEST 2019


#8193: signed integer overflow in libavformat/yuv4mpegdec.c:329
-------------------------------------+-------------------------------------
             Reporter:  Suhwan       |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  undetermined |                  Version:  git-master
             Keywords:  ubsan        |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 There is a signed integer overflow in libavformat/yuv4mpegdec.c:329
 {{{
 libavformat/yuv4mpegdec.c:329:15: runtime error: signed integer overflow: -230584300921369 * 152070 cannot be represented in type 'long'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/yuv4mpegdec.c:329:15 in
 331         if (avio_seek(s->pb, pos + s->internal->data_offset, SEEK_SET) < 0)
 (gdb) bt
 #0  yuv4_read_seek (s=0x61b000000080, stream_index=<optimized out>, pts=-230584300921369,
     flags=<optimized out>) at libavformat/yuv4mpegdec.c:331
 #1  0x00000000027b113f in seek_frame_internal (s=0x61b000000080, stream_index=0,
     timestamp=-230584300921369, flags=<optimized out>) at libavformat/utils.c:2499
 #2  av_seek_frame (s=0x61b000000080, stream_index=0, timestamp=-230584300921369, flags=<optimized out>)
     at libavformat/utils.c:2531
 #3  0x00000000027b4ec9 in avformat_seek_file (s=0x61b000000080, stream_index=-1,
     min_ts=-9223372036854775808, ts=-9223372036854775808, max_ts=-9223372036854775808,
     flags=<optimized out>) at libavformat/utils.c:2583
 #4  0x0000000000642dc6 in seek_to_start (ifile=0x611000000400, is=0x61b000000080)
     at fftools/ffmpeg.c:4198
 #5  process_input (file_index=0) at fftools/ffmpeg.c:4288
 #6  0x00000000005e71e8 in transcode_step () at fftools/ffmpeg.c:4638
 #7  transcode () at fftools/ffmpeg.c:4692
 #8  0x00000000005db6ec in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4894
 }}}

 How to reproduce:
 {{{
 % ./ffmpeg_g -t 1 -stream_loop 11 -y -i y4m_invalid_header_crash_small.y4m -target svcd -loglevel 0 -map 0 -c copy -aframes 58 -ar 22050 -b:v 310k tmp.wsaud

 ffmpeg version N-94982-gea673a0edb Copyright (c) 2000-2019 the FFmpeg developers
   built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
   configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan
 }}}
 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8193>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
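The sanitizer message above shows the seek offset computation in yuv4_read_seek wrapping int64_t once a seek with a huge negative timestamp reaches it. The following is an added example, not FFmpeg's code and not the project's fix: it assumes that yuv4mpegdec.c:329 multiplies the requested frame index (pts) by the per-frame byte size, that 152070 in the message is that frame size, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not FFmpeg's): byte offset of frame `pts` in a
 * yuv4mpeg file whose frames are `packet_size` bytes each.
 * Returns -1 for a negative frame index, a non-positive frame size, or a
 * product that would not fit in int64_t; real offsets are never negative,
 * so the sentinel is unambiguous. Uses the GCC/Clang overflow builtin. */
static int64_t checked_frame_offset(int64_t pts, int packet_size)
{
    int64_t pos;
    if (pts < 0 || packet_size <= 0)
        return -1;
    if (__builtin_mul_overflow(pts, (int64_t)packet_size, &pos))
        return -1;          /* would wrap: the UB the sanitizer flagged */
    return pos;
}

/* Same contract without compiler builtins: bound the multiplier first,
 * so the multiplication itself can never overflow. */
static int64_t checked_frame_offset_portable(int64_t pts, int packet_size)
{
    if (pts < 0 || packet_size <= 0)
        return -1;
    if (pts > INT64_MAX / packet_size)
        return -1;
    return pts * packet_size;
}

int main(void)
{
    /* Operands from the sanitizer message: pts = -230584300921369 and
     * 152070, which this example assumes is the frame size in bytes. */
    const int64_t bad_pts = -230584300921369LL;
    const int frame_bytes = 152070;

    printf("reported seek: %lld\n", (long long)checked_frame_offset(bad_pts, frame_bytes));
    printf("frame 25:      %lld\n", (long long)checked_frame_offset(25, frame_bytes));
    /* Largest frame index whose offset still fits, and the first that does not. */
    int64_t last_ok = INT64_MAX / frame_bytes;
    printf("last fitting:  %lld\n", (long long)checked_frame_offset(last_ok, frame_bytes));
    printf("one past:      %lld\n", (long long)checked_frame_offset(last_ok + 1, frame_bytes));
    return 0;
}
```

Under UBSan the unchecked product of the two reported operands is flagged as undefined behaviour; both checked variants return -1 for it and for any frame index past INT64_MAX / frame size, while ordinary indices yield the expected offset.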