[FFmpeg-trac] #10424(avutil:new): NULL dereference in read_uslt after allocation failure

FFmpeg trac at avcodec.org
Tue Jun 20 22:41:15 EEST 2023


#10424: NULL dereference in read_uslt after allocation failure
-------------------------------------+-------------------------------------
             Reporter:  catenacyber  |                     Type:  defect
               Status:  new          |                 Priority:  minor
            Component:  avutil       |                  Version:  git-
                                     |  master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 Stack trace is
     #0 0x5f3063 in read_uslt /src/ffmpeg/libavformat/id3v2.c:387:40
     #1 0x5f3063 in id3v2_parse /src/ffmpeg/libavformat/id3v2.c:1046:17
     #2 0x5f3063 in id3v2_read_internal /src/ffmpeg/libavformat/id3v2.c:1116:13
     #3 0x5f114a in ff_id3v2_read_dict /src/ffmpeg/libavformat/id3v2.c:1133:5
     #4 0x579cb0 in avformat_open_input /src/ffmpeg/libavformat/demux.c:311:9
     #5 0x4e9dd1 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:201:11

 Allocation failure stack trace is
 #4 0x934452 in av_realloc /src/ffmpeg/libavutil/mem.c:162
 #5 0x934452 in av_reallocp /src/ffmpeg/libavutil/mem.c:196
 #6 0x543671 in dyn_buf_write /src/ffmpeg/libavformat/aviobuf.c:1409
 #7 0x533f37 in writeout /src/ffmpeg/libavformat/aviobuf.c:163
 #8 0x533f37 in flush_buffer /src/ffmpeg/libavformat/aviobuf.c:188
 #9 0x54232e in avio_flush /src/ffmpeg/libavformat/aviobuf.c:247
 #10 0x54232e in avio_close_dyn_buf /src/ffmpeg/libavformat/aviobuf.c:1537
 #11 0x5f677c in decode_str /src/ffmpeg/libavformat/id3v2.c:311
 #12 0x5f2f91 in read_uslt /src/ffmpeg/libavformat/id3v2.c:380
 #13 0x5f2f91 in id3v2_parse /src/ffmpeg/libavformat/id3v2.c:1046
 #14 0x5f2f91 in id3v2_read_internal /src/ffmpeg/libavformat/id3v2.c:1116
 #15 0x5f114a in ff_id3v2_read_dict /src/ffmpeg/libavformat/id3v2.c:1133
 #16 0x579cb0 in avformat_open_input /src/ffmpeg/libavformat/demux.c:311
 #17 0x4e9dd1 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:201

 How to reproduce:
 Run base64 encoded input
 SUQzAwAAACAAUVVTTFQAAElEAAAA////////6QAAAP8GAwAAAAAAAAAAAAAAAAIAREkCUQIAAAAA//////////8AAAAAAAADACsA
 in ffmpeg_dem_FRM_fuzzer with nallocfuzz cf https://github.com/google/oss-fuzz/pull/9902
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10424>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
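As an added illustration of the failure mode in this report (not code from the ticket or from FFmpeg), the constructed C program below models the pattern visible in the two stack traces: a growable buffer whose write fails under allocation-fault injection, a decode_str-style helper that either ignores or propagates that failure, and a USLT-style caller that only dereferences the decoded descriptor once the decode has succeeded. Every name here (xrealloc, dyn_buf, decode_str_impl, decode_str_unchecked, decode_str_checked, read_uslt_like, parse_uslt_sample) and the sample payload are assumptions constructed for the example; the fault injector stands in for what nallocfuzz does to the fuzz target.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Fault injector (constructed stand-in for nallocfuzz): the fail_at-th
 * allocation, counted from 1, returns NULL; fail_at == 0 disables it. */
static int alloc_calls, alloc_fail_at;

static void inject_alloc_failure(int fail_at) { alloc_calls = 0; alloc_fail_at = fail_at; }

static void *xrealloc(void *p, size_t n)
{
    if (++alloc_calls == alloc_fail_at)
        return NULL;
    return realloc(p, n);
}

/* Minimal growable buffer modelled on a dynamic AVIOContext: a failed write
 * frees the data, records a sticky error and drops all later writes. */
typedef struct { uint8_t *data; size_t size; int error; } dyn_buf;

static void dyn_buf_write(dyn_buf *b, const uint8_t *src, size_t n)
{
    if (b->error)
        return;
    uint8_t *nd = xrealloc(b->data, b->size + n);
    if (!nd) {
        free(b->data);
        b->data = NULL;
        b->error = -ENOMEM;
        return;
    }
    memcpy(nd + b->size, src, n);
    b->data = nd;
    b->size += n;
}

/* Hands the buffer to the caller, who frees it. After a failed write *out is
 * NULL and the negative error is returned instead of the size. */
static int dyn_buf_close(dyn_buf *b, uint8_t **out)
{
    *out = b->data;
    return b->error ? b->error : (int)b->size;
}

/* Copies the NUL-terminated string at *src (at most *left bytes) into a fresh
 * buffer and advances *src/*left past it; returns dyn_buf_close's result. */
static int decode_str_impl(const uint8_t **src, size_t *left, uint8_t **dst)
{
    dyn_buf b = {0};
    const uint8_t *nul = memchr(*src, 0, *left);
    size_t n    = nul ? (size_t)(nul - *src) : *left;
    size_t used = nul ? n + 1 : n;

    dyn_buf_write(&b, *src, n);
    dyn_buf_write(&b, (const uint8_t *)"", 1);   /* always NUL-terminate */
    *src  += used;
    *left -= used;
    return dyn_buf_close(&b, dst);
}

/* Hazardous variant: discards the close result and reports success even when
 * *dst is NULL, so a caller that trusts the return value dereferences NULL. */
static int decode_str_unchecked(const uint8_t **src, size_t *left, uint8_t **dst)
{
    decode_str_impl(src, left, dst);
    return 0;
}

/* Hardened variant: propagates the allocation failure and never returns
 * success with a NULL output pointer. */
static int decode_str_checked(const uint8_t **src, size_t *left, uint8_t **dst)
{
    int ret = decode_str_impl(src, left, dst);
    if (ret < 0)
        return ret;
    return *dst ? 0 : -ENOMEM;
}

/* Decodes a constructed sample under the given fault; returns the decode
 * result and reports whether the caller was handed a NULL pointer. */
int decode_once(int fail_at, int checked, int *dst_was_null)
{
    static const uint8_t sample[] = "descriptor";   /* constructed input */
    const uint8_t *p = sample;
    size_t left = sizeof sample;
    uint8_t *dst = NULL;

    inject_alloc_failure(fail_at);
    int ret = checked ? decode_str_checked(&p, &left, &dst)
                      : decode_str_unchecked(&p, &left, &dst);
    *dst_was_null = (dst == NULL);
    free(dst);
    return ret;
}

/* Caller shaped like a USLT reader: <encoding byte><3-byte lang><descriptor NUL>
 * <text NUL>. Writes "lyrics-<descriptor>-<lang>" into key and returns 0, or a
 * negative errno; descriptor[0] is read only after both decodes succeeded. */
static int read_uslt_like(const uint8_t *tag, size_t taglen, char *key, size_t keysz)
{
    uint8_t *descriptor = NULL, *text = NULL;
    char lang[4];
    int ret;

    if (taglen < 4)
        return -EINVAL;
    memcpy(lang, tag + 1, 3);
    lang[3] = '\0';
    tag += 4;
    taglen -= 4;

    if ((ret = decode_str_checked(&tag, &taglen, &descriptor)) < 0)
        goto out;
    if ((ret = decode_str_checked(&tag, &taglen, &text)) < 0)
        goto out;
    snprintf(key, keysz, "lyrics-%s%s%s", descriptor[0] ? (const char *)descriptor : "",
             descriptor[0] ? "-" : "", lang);
    ret = 0;
out:
    free(descriptor);
    free(text);
    return ret;
}

/* Runs read_uslt_like on a constructed USLT payload with the given fault. */
int parse_uslt_sample(int fail_at, char *key, size_t keysz)
{
    static const uint8_t tag[] = { 0x00, 'e', 'n', 'g', 'v', 'e', 'r', 's', 'e', '1', 0x00,
                                   'h', 'i', 0x00 };   /* constructed payload */
    inject_alloc_failure(fail_at);
    return read_uslt_like(tag, sizeof tag, key, keysz);
}
```

With a fault on the first allocation, decode_str_unchecked returns 0 while leaving the output pointer NULL, a state the caller cannot distinguish from success, which is the shape of the crash at id3v2.c:387 in the report; decode_str_checked returns -ENOMEM and read_uslt_like frees what it had and skips the tag. The same payload decodes to the key lyrics-verse1-eng when every allocation succeeds.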