[FFmpeg-trac] #10462(avcodec:new): Segmentation fault occurs during decoding of corrupted AVI file
FFmpeg
trac at avcodec.org
Tue Jul 11 14:01:15 EEST 2023
#10462: Segmentation fault occurs during decoding of corrupted AVI file
-----------------------------------+--------------------------------------
Reporter: downtorak | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-----------------------------------+--------------------------------------
Summary of the bug:
I am reporting a segmentation fault that occurs in a specific file.
Although it is not a valid file, I expect it not to cause a segmentation
fault.
How to reproduce:
{{{
% ./ffmpeg -i mpeg4video_decoding_error_with_segfault.avi -f null /dev/null
...
[1] 61434 segmentation fault ./ffmpeg -i mpeg4video_decoding_error_with_segfault.avi -f null /dev/null
}}}
The segmentation fault occurs at error_resilience.c:1254
{{{
dc += dest_y[x + (n & 1) * 8 +
             (y + (n >> 1) * 8) * linesize[0]];
}}}
To investigate the cause, I added the following log:
{{{
if (s->mb_height * 16 >= s->cur_pic.f->height + 16) {
    av_log(s->avctx, AV_LOG_ERROR, "CHECK ERROR h=%d, mb_h=%d\n",
           s->cur_pic.f->height, s->mb_height * 16);
}
}}}
The following log output was observed:
{{{
[mpeg4 @ 0x7f85b2a14040] CHECK ERROR h=1616, mb_h=5136
}}}
It appears that accessing incorrect memory occurs because the value of
ERContext's mb_height is larger than the height of AVFrame.
While segmentation faults may not occur consistently, accessing incorrect
memory remains the same issue.
I will upload the AVI file to VideoLAN file uploader.
Thank you.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10462>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
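The mismatch reported above, modelled as an added example that is not part of the original ticket and is not FFmpeg code: it applies the ticket's index expression to a plane with a known row count and refuses any block that would read past it. The `Plane` struct, both function names and the base-pointer computation are assumptions made for illustration; the values 1616 and 5136 come from the log line in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one luma plane; not FFmpeg's AVFrame or ERContext. */
typedef struct {
    const uint8_t *data;
    int linesize; /* bytes per row, assumed positive */
    int width;    /* valid bytes per row */
    int rows;     /* rows actually allocated */
} Plane;

/* First macroblock row whose 16 luma rows run past the plane, or -1 if all fit. */
int first_oob_mb_row(int plane_rows, int mb_height)
{
    return (long long)mb_height * 16 <= plane_rows ? -1 : plane_rows / 16;
}

/* Sum 8x8 block n (0..3) of macroblock (mb_x, mb_y) using the ticket's index
 * expression; returns -1 instead of reading outside the plane. */
int block_dc_sum_checked(const Plane *p, int mb_x, int mb_y, int n)
{
    if (mb_x < 0 || mb_y < 0 || n < 0 || n > 3)
        return -1;
    long long col_end = (long long)mb_x * 16 + (n & 1) * 8 + 8;
    long long row_end = (long long)mb_y * 16 + (n >> 1) * 8 + 8;
    if (col_end > p->width || row_end > p->rows)
        return -1;
    /* Assumed base pointer: top-left sample of the macroblock. */
    const uint8_t *dest_y = p->data + mb_x * 16 + (ptrdiff_t)mb_y * 16 * p->linesize;
    int dc = 0;
    for (int y = 0; y < 8; y++)
        for (int x = 0; x < 8; x++)
            dc += dest_y[x + (n & 1) * 8 + (y + (n >> 1) * 8) * p->linesize];
    return dc;
}

int main(void)
{
    /* Values from the ticket's log line: h=1616, mb_h=5136 (mb_height = 321). */
    printf("first out-of-bounds MB row: %d of %d\n", first_oob_mb_row(1616, 5136 / 16), 5136 / 16);
    static uint8_t buf[32 * 32]; /* constructed 32x32 plane of zeros */
    Plane p = { buf, 32, 32, 32 };
    printf("in range: %d, past last row: %d\n",
           block_dc_sum_checked(&p, 1, 1, 3), block_dc_sum_checked(&p, 0, 2, 0));
    return 0;
}
```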