id	summary	reporter	owner	description	type	status	priority	component	version	resolution	keywords	cc	blockedby	blocking	reproduced	analyzed
1907	use-after-free in matroska demuxer	eugenis		"I've got this AddressSanitizer report twice, both times when seeking back in mplayer in an .mkv file. I don't have a reliable reproducer. ""Heap-buffer-overflow"" in the first line is really a use-after-free, that's an issue with the tool.

Looks like matroska_parse_cluster_incremental() deletes the current cluster when it encounters a new one, but the old one can still be used for seeking?
{{{
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9b247b1480 at pc 0xa2639c bp 0x7ffff0c41cb0 sp 0x7ffff0c41ca8
READ of size 8 at 0x7f9b247b1480 thread T0
    #0 0xa2639b in matroska_read_seek /build/mplayer/ffmpeg/libavformat/matroskadec.c:2410
    #1 0xb76c34 in seek_frame_internal /build/mplayer/ffmpeg/libavformat/utils.c:1952
    #2 0x8360a4 in demux_seek_lavf /build/mplayer/libmpdemux/demux_lavf.c:690
    #3 0x6941b9 in demux_seek /build/mplayer/libmpdemux/demuxer.c:1372
    #4 0x4a0f30 in seek /build/mplayer/mplayer.c:2710
    #5 0x49db59 in main /build/mplayer/mplayer.c:3964
    #6 0x7f9b374c0efe in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:226
0x7f9b247b1480 is located 1088 bytes inside of 13340-byte region [0x7f9b247b1040,0x7f9b247b445c)
freed by thread T0 here:
    #0 0x1a2c710 in free ??:0
    #1 0x19edaca in av_free /build/mplayer/ffmpeg/libavutil/mem.c:190
    #2 0xa29e69 in ebml_free /build/mplayer/ffmpeg/libavformat/matroskadec.c:969
    #3 0xa29f17 in ebml_free /build/mplayer/ffmpeg/libavformat/matroskadec.c:975
    #4 0xa26b00 in matroska_parse_cluster_incremental /build/mplayer/ffmpeg/libavformat/matroskadec.c:2281
    #5 0xa249e5 in matroska_read_packet /build/mplayer/ffmpeg/libavformat/matroskadec.c:2361
    #6 0xb6ffb9 in ff_read_packet /build/mplayer/ffmpeg/libavformat/utils.c:710
    #7 0xb72d63 in read_frame_internal /build/mplayer/ffmpeg/libavformat/utils.c:1284
    #8 0xb71fa6 in av_read_frame /build/mplayer/ffmpeg/libavformat/utils.c:1436
    #9 0x833c6f in demux_lavf_fill_buffer /build/mplayer/libmpdemux/demux_lavf.c:612
    #10 0x690af5 in demux_fill_buffer /build/mplayer/libmpdemux/demuxer.c:633
    #11 0x691a29 in ds_get_packet /build/mplayer/libmpdemux/demuxer.c:832
    #12 0x8245f5 in decode_audio /build/mplayer/libmpcodecs/ad_ffmpeg.c:271
    #13 0x5e1fdb in filter_n_bytes /build/mplayer/libmpcodecs/dec_audio.c:393
    #14 0x49ad47 in fill_audio_out_buffers /build/mplayer/mplayer.c:2173
previously allocated by thread T0 here:
    #0 0x1a2ca4a in posix_memalign ??:0
    #1 0x19edbad in av_malloc /build/mplayer/ffmpeg/libavutil/mem.c:97
    #2 0x14729a6 in ff_fast_malloc /build/mplayer/ffmpeg/libavcodec/utils.c:82
    #3 0xa2b69a in ebml_read_binary /build/mplayer/ffmpeg/libavformat/matroskadec.c:765
    #4 0xa2b81f in ebml_parse_elem /build/mplayer/ffmpeg/libavformat/matroskadec.c:947
    #5 0xa26984 in ebml_parse /build/mplayer/ffmpeg/libavformat/matroskadec.c:865
    #6 0xa249e5 in matroska_read_packet /build/mplayer/ffmpeg/libavformat/matroskadec.c:2361
    #7 0xb6ffb9 in ff_read_packet /build/mplayer/ffmpeg/libavformat/utils.c:710
    #8 0xb72d63 in read_frame_internal /build/mplayer/ffmpeg/libavformat/utils.c:1284
    #9 0xb71fa6 in av_read_frame /build/mplayer/ffmpeg/libavformat/utils.c:1436
}}}
"	defect	new	important	avformat	unspecified		mkv				0	0
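A minimal model of the ownership rule the hypothesis above points at, added here as an editor's example and not code from the ticket or from FFmpeg: the names Demuxer, Cluster, parse_cluster_incremental and read_seek are assumptions that mirror the functions in the trace, and the timecode arrays in the test are constructed input standing in for the EBML payload.

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct { int64_t timecode; } Block;
/* Embedded in the demuxer, the way FFmpeg keeps its current cluster. */
typedef struct { Block *blocks; int num_blocks; } Cluster;
typedef struct { Cluster current; int64_t current_pos; } Demuxer;

/* Free the cluster's blocks AND clear the fields in the same step.
 * Freeing without clearing is the pattern the ticket describes: the
 * blocks pointer and num_blocks keep looking valid, so a later seek
 * walks memory that the parser has already released. */
static void cluster_clear(Cluster *c) {
    free(c->blocks);
    c->blocks = NULL;
    c->num_blocks = 0;
}

/* Parser step for a new cluster met at file offset pos, carrying n block
 * timecodes. The old cluster is released only through cluster_clear, so
 * the demuxer never holds a dangling view of it. */
int parse_cluster_incremental(Demuxer *d, int64_t pos,
                              const int64_t *timecodes, int n) {
    Block *b = calloc((size_t)n, sizeof *b);
    if (!b) return -1;
    for (int i = 0; i < n; i++) b[i].timecode = timecodes[i];
    cluster_clear(&d->current);      /* old cluster gone, state consistent */
    d->current.blocks = b;
    d->current.num_blocks = n;
    d->current_pos = pos;
    return 0;
}

/* Seek path: index of the first block at or after ts in the current
 * cluster, or -1 when there is none. Every access is bounded by
 * num_blocks, which cluster_clear keeps honest. */
int read_seek(const Demuxer *d, int64_t ts) {
    for (int i = 0; i < d->current.num_blocks; i++)
        if (d->current.blocks[i].timecode >= ts) return i;
    return -1;
}

/* Teardown goes through the same helper, so a seek after close is a
 * clean miss rather than a use-after-free. */
void demuxer_close(Demuxer *d) { cluster_clear(&d->current); }
```

Built with `-fsanitize=address`, dropping the two clearing lines in cluster_clear reproduces the class of report quoted above as soon as read_seek runs after a cluster switch.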
