[FFmpeg-trac] #11471(avformat:new): Integer wrap-around in oggparsevorbis.c vorbis_packet() final packet handling creating frames with very long duration

FFmpeg trac at avcodec.org
Sat Feb 15 19:53:13 EET 2025 

#11471: Integer wrap-around in oggparsevorbis.c vorbis_packet() final packet
handling creating frames with very long duration
-------------------------------------+-------------------------------------
             Reporter:  Jøger        |                    Owner:  (none)
  Hansegård                          |
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:  avformat
              Version:  7.0          |               Resolution:
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Description changed by Jøger Hansegård:

Old description:

> Summary of the bug:
> With attached file, unsigned integer wrap-around in
> oggparsevorbis.c/vorbis_packet() during the calculation of
> priv->final_duration/os->pduration creates packets with very long
> durations (4294967232us). The os->end_trimming also becomes invalid,
> which prevents the discard_samples() function from discarding the
> padding. Here discard_padding becomes greater than the number of samples
> in the frame, allowing the AVFrame with a long duration to pass through.
>
> How to reproduce:
> {{{
> % ffprobe -show_frames -show_packets corrupt_end.ogg
> ffprobe version 7.0.2-full_build-www.gyan.dev Copyright (c) 2007-2024 the
> FFmpeg developers
>   built with gcc 13.2.0 (Rev5, Built by MSYS2 project)
> }}}

New description:

 Summary of the bug:
 With attached file, unsigned integer wrap-around in
 oggparsevorbis.c/vorbis_packet() during the calculation of
 priv->final_duration/os->pduration creates packets with very long
 durations (4294967232us). The os->end_trimming also becomes invalid, which
 prevents the discard_samples() function from discarding the padding. Here
 discard_padding becomes greater than the number of samples in the frame,
 allowing the AVFrame with a long duration to pass through.

 See also https://bugreports.qt.io/browse/QTBUG-126592

 How to reproduce:
 {{{
 % ffprobe -show_frames -show_packets corrupt_end.ogg
 ffprobe version 7.0.2-full_build-www.gyan.dev Copyright (c) 2007-2024 the
 FFmpeg developers
   built with gcc 13.2.0 (Rev5, Built by MSYS2 project)
 }}}

--
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11471#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list