[FFmpeg-trac] #11064(avfilter:new): Potential crash when calling libass
FFmpeg
trac at avcodec.org
Thu Jun 20 11:37:59 EEST 2024
#11064: Potential crash when calling libass
-------------------------------------+-------------------------------------
             Reporter: Spencer Wu    |         Type: defect
               Status: new           |     Priority: minor
            Component: avfilter      |      Version: unspecified
             Keywords:               |   Blocked By:
             Blocking:               | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Hi FFmpeg developers,
We are a team working on experimental program analysis features based on
fuzzing. Recently, when tracking the usage of libass, we noticed that the
function call to `ass_process_chunk` is passing the data buffer `ass_line`
with the size of the data determined by `strlen` in
`libavfilter/vf_subtitles.c`.
While the call dependency is long and this is not a crash discovered by running
full FFmpeg, we wondered whether there is a chance of `ass_line`
being passed as a non-null-terminated string, resulting in
calculating the wrong length of data to process for `ass_process_chunk`?
A similar doubt applies to the calls to
`ass_process_codec_private` and `ass_add_font` as well.
We attach the automatically synthesized fuzzing harness we used to discover
this potential issue. It was generated by extracting the local usage of
FFmpeg calling `ass_process_chunk` and then fuzzing with libFuzzer.
Thank you in advance for your time on clarifying our question.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11064>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
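The failure mode the report asks about, shown as an added example that is not code from the ticket, from FFmpeg or from libass: a buffer whose byte count is known to the caller but which carries no terminator, measured once with `strlen` and once with a bounded scan. The `PAYLOAD` bytes, the arena layout and the helper names (`build_unterminated_packet`, `bounded_text_len`, `length_within_packet`, `demo_over_read_is_caught`) are constructed for this example; `length_within_packet` stands in for the check a caller would apply before handing a length to a library call such as `ass_process_chunk`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one ASS event line, treated here purely as bytes. */
static const char PAYLOAD[] =
    "Dialogue: 0,0:00:01.00,0:00:02.00,Default,,0,0,0,,Hi";

#define ARENA_SIZE 64

/* Lay the payload out WITHOUT a terminator, followed by filler bytes that
 * stand in for whatever happened to follow the packet in memory. The very
 * last byte is NUL only so this demo stays well-defined; real heap memory
 * offers no such guarantee. Returns the packet's true byte count. */
size_t build_unterminated_packet(char *arena, size_t arena_size)
{
    size_t n = sizeof(PAYLOAD) - 1;        /* text bytes only, no NUL */
    memset(arena, 'X', arena_size);
    arena[arena_size - 1] = '\0';
    memcpy(arena, PAYLOAD, n);
    return n;
}

/* Unsafe pattern: trusts a terminator the packet may not carry, so the
 * scan continues into the filler bytes past the packet's end. */
size_t unbounded_text_len(const char *buf)
{
    return strlen(buf);
}

/* Safe pattern: never inspect a byte beyond the known buffer size. Same
 * contract as strnlen(3), written out to avoid a non-C99 dependency. */
size_t bounded_text_len(const char *buf, size_t buf_size)
{
    size_t n = 0;
    while (n < buf_size && buf[n] != '\0')
        n++;
    return n;
}

/* Guard to place before any "process these bytes" call: the length handed
 * to the callee must not exceed what the packet actually holds. */
int length_within_packet(size_t len, size_t pkt_size)
{
    return len <= pkt_size;
}

/* Runs the scenario. Returns 1 when the bounded length passes the guard and
 * the strlen-derived length is rejected by it, 0 otherwise. */
int demo_over_read_is_caught(void)
{
    char arena[ARENA_SIZE];
    size_t pkt_size   = build_unterminated_packet(arena, sizeof arena);
    size_t unsafe_len = unbounded_text_len(arena);   /* runs into filler */
    size_t safe_len   = bounded_text_len(arena, pkt_size);

    printf("packet bytes: %zu, strlen says: %zu, bounded scan says: %zu\n",
           pkt_size, unsafe_len, safe_len);
    return length_within_packet(safe_len, pkt_size) &&
           !length_within_packet(unsafe_len, pkt_size);
}

int main(void)
{
    return demo_over_read_is_caught() ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. The design point is the one the reporter raises: when the byte count of a packet is already known from the demuxer, that count (or a `strnlen`-style bound derived from it) is the length to pass on, and a plain `strlen` should only be used on buffers the code itself has terminated.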