[FFmpeg-trac] #11681(undetermined:new): Segmentation fault in binary seek function when processing malformed MPEG files due to null pointer dereference in index_entries array access.
FFmpeg
trac at avcodec.org
Thu Jul 24 12:57:08 EEST 2025
#11681: Segmentation fault in binary seek function when processing malformed MPEG
files due to null pointer dereference in index_entries array access.
-------------------------------------+-------------------------------------
Reporter: xdc | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: unspecified
Keywords: libav | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
## How to reproduce:
```
% avconv -ss 0.1 -i /workspace/POC/POC_libav_avconv_segfault_mpeg_seek -f null -
avconv version 13_dev0, Copyright (c) 2000-2018 the Libav developers
built on Jul 19 2025 14:57:50 with Ubuntu clang version 16.0.6
(++20231112100510+7cbf1a259152-1~exp1~20231112100554.106)
configuration: --cc=/Fuzzer/OPA++/afl-clang-lto --extra-cflags=
--prefix=/workspace/benchmark/program/libav-c464278-Apr16-2019/install
--disable-shared --enable-static --disable-x86asm --disable-inline-asm
libavutil 56. 8. 0 / 56. 8. 0
libavcodec 58. 12. 1 / 58. 12. 1
libavformat 58. 2. 0 / 58. 2. 0
libavdevice 57. 0. 2 / 57. 0. 2
libavfilter 7. 1. 0 / 7. 1. 0
libavresample 4. 0. 0 / 4. 0. 0
libswscale 5. 0. 1 / 5. 0. 1
[mpeg @ 0x555557165800] Format detected only with low score of 25,
misdetection possible!
[mpeg @ 0x555557165800] Could not find codec parameters (Video:
[0][0][0][0] / 0x0000
none)
[mpeg @ 0x555557165800] start time is not set in estimate_timings_from_pts
Segmentation fault (core dumped)
```
## GDB Analysis:
```
Program received signal SIGSEGV, Segmentation fault.
0x0000555555bfd3aa in ff_seek_frame_binary (s=0x555557165800,
stream_index=0, target_ts=9000, flags=1) at libavformat/utils.c:1289
1289 e = &st->index_entries[index];
#0 0x0000555555bfd3aa in ff_seek_frame_binary (s=0x555557165800,
stream_index=0, target_ts=9000, flags=1) at libavformat/utils.c:1289
#1 0x0000555555bfea54 in seek_frame_internal (stream_index=<optimized
out>, timestamp=9000, s=<optimized out>, flags=<optimized out>) at
libavformat/utils.c:1556
#2 av_seek_frame (s=0x555557165800, stream_index=<optimized out>,
timestamp=<optimized out>, flags=1) at libavformat/utils.c:1567
#3 0x00005555558705b6 in open_input_file (o=0x7fffffffd380,
filename=0x7fffffffe071
"/workspace/POC/POC_libav_avconv_segfault_mpeg_seek") at
avtools/avconv_opt.c:835
#4 0x0000555555873a5b in open_files (l=0x555557153098,
inout=0x5555555d4d9a "input", open_file=0x55555586f940 <open_input_file>)
at avtools/avconv_opt.c:2467
#5 0x0000555555893816 in avconv_parse_options (argc=<optimized out>,
argv=<optimized out>) at avtools/avconv_opt.c:2504
#6 main (argc=<optimized out>, argv=<optimized out>) at
avtools/avconv.c:2953
Disassembly around crash point:
0x0000555555bfd38a <ff_seek_frame_binary+794>: mov    $0x11d70,%edx
0x0000555555bfd38f <ff_seek_frame_binary+799>: sub    %r8d,%edx
0x0000555555bfd392 <ff_seek_frame_binary+802>: mov    (%r11),%rsi
0x0000555555bfd395 <ff_seek_frame_binary+805>: movzbl (%rsi,%rdx,1),%r8d
0x0000555555bfd39a <ff_seek_frame_binary+810>: add    $0x1,%r8b
0x0000555555bfd39e <ff_seek_frame_binary+814>: adc    $0x0,%r8b
0x0000555555bfd3a2 <ff_seek_frame_binary+818>: mov    %r8b,(%rsi,%rdx,1)
0x0000555555bfd3a6 <ff_seek_frame_binary+822>: lea    (%rdi,%rdi,2),%rdx
=> 0x0000555555bfd3aa <ff_seek_frame_binary+826>: mov    (%rax,%rdx,8),%rcx <-- CRASH HERE
0x0000555555bfd3ae <ff_seek_frame_binary+830>: mov    0x8(%rax,%rdx,8),%r8
```
## Root Cause:
The crash occurs in the `ff_seek_frame_binary()` function at
`libavformat/utils.c:1289` when attempting to access:
```c
e = &st->index_entries[index];
```
The issue is that:
1. The file is detected as MPEG format with low confidence score (25)
2. Codec parameters cannot be determined properly
3. The stream's `index_entries` array is NULL
4. The seek operation tries to access `index_entries[index]` without null
checking
The malformed file causes the MPEG demuxer to enter an inconsistent state
where seeking is attempted on a stream without proper index
initialization.
## POC File:
The malformed file is available at
`/workspace/POC/POC_libav_avconv_segfault_mpeg_seek` (https://drive.google.com/file/d/1CX1GZUyJVzyDDGLVa8FG58XUt_30kHKT/view?usp=sharing)
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11681>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
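As an added example, not code from the ticket or from Libav/FFmpeg, the C program below reimplements in simplified form the access pattern the report describes: a binary search over a stream's index entries whose -1 "nothing found" result is clamped to 0 and then dereferenced through `&entries[index]`, next to a hardened version that refuses to seek on a stream whose index was never populated. `IndexEntry`, `Stream`, `index_search_timestamp`, `seek_pos_unchecked`, `seek_pos_checked`, `checked_pos_or` and the three-entry sample index are constructed stand-ins for this example and are not the library's own types, functions or data; the real `AVIndexEntry` has more fields and the real seek uses the entry only as a search hint.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for AVIndexEntry: only the fields the seek needs. */
typedef struct IndexEntry {
    int64_t pos;        /* byte offset of the packet in the file */
    int64_t timestamp;  /* presentation timestamp of that packet */
} IndexEntry;

/* Constructed stand-in for AVStream. A demuxer fills the index lazily while it
 * reads packets, so a stream on which no packet was ever parsed (as with the
 * misdetected MPEG file above) has entries == NULL and nb_entries == 0. */
typedef struct Stream {
    IndexEntry *entries;
    int         nb_entries;
} Stream;

#define SEEK_FLAG_BACKWARD 1

/* Binary search over entries sorted by timestamp. With SEEK_FLAG_BACKWARD it
 * returns the last entry with timestamp <= target_ts, otherwise the first entry
 * with timestamp >= target_ts. Returns -1 when no entry qualifies, which is
 * also what an empty index yields. */
static int index_search_timestamp(const IndexEntry *entries, int nb_entries,
                                  int64_t target_ts, int flags)
{
    int a = -1, b = nb_entries;

    if (!entries || nb_entries <= 0)
        return -1;
    while (b - a > 1) {               /* invariant: ts[a] < target <= ts[b] */
        int m = a + (b - a) / 2;
        if (entries[m].timestamp >= target_ts)
            b = m;
        else
            a = m;
    }
    if (flags & SEEK_FLAG_BACKWARD) {
        if (b < nb_entries && entries[b].timestamp == target_ts)
            return b;                 /* exact hit */
        return a;                     /* -1 if every entry is later than target */
    }
    return b < nb_entries ? b : -1;
}

/* The unsafe shape: a -1 search result is clamped to 0 and entries[0] is read
 * without confirming the index exists. On an empty stream entries is NULL, so
 * &entries[0] is NULL and e->pos is a null pointer read, the same fault the
 * ticket shows at utils.c:1289. Only ever call this on a populated stream. */
static int64_t seek_pos_unchecked(const Stream *st, int64_t target_ts, int flags)
{
    int index = index_search_timestamp(st->entries, st->nb_entries, target_ts, flags);
    const IndexEntry *e;

    if (index < 0)
        index = 0;
    e = &st->entries[index];          /* no check that st->entries != NULL */
    return e->pos;
}

/* Hardened shape: bail out before touching the array when the index is absent.
 * Clamping -1 to 0 is then safe, because entry 0 is known to exist. */
static int seek_pos_checked(const Stream *st, int64_t target_ts, int flags,
                            int64_t *pos_out)
{
    int index;

    if (!st->entries || st->nb_entries <= 0)
        return -1;                    /* caller falls back to a generic seek */
    index = index_search_timestamp(st->entries, st->nb_entries, target_ts, flags);
    if (index < 0)
        index = 0;
    *pos_out = st->entries[index].pos;
    return 0;
}

/* Wrapper that folds the outcome into one value: the position, or `fallback`
 * when the checked seek refused. */
static int64_t checked_pos_or(const Stream *st, int64_t target_ts, int flags,
                              int64_t fallback)
{
    int64_t pos;
    return seek_pos_checked(st, target_ts, flags, &pos) == 0 ? pos : fallback;
}

/* Constructed sample data: a three-entry index and an index-less stream. */
static IndexEntry sample_entries[] = {
    { 100,     0 },
    { 200,  9000 },
    { 300, 18000 },
};
static const Stream full_stream  = { sample_entries, 3 };
static const Stream empty_stream = { NULL, 0 };

int main(void)
{
    printf("checked seek, empty stream: %lld\n",
           (long long)checked_pos_or(&empty_stream, 9000, SEEK_FLAG_BACKWARD, -1));
    printf("checked seek, ts 9000:      %lld\n",
           (long long)checked_pos_or(&full_stream, 9000, SEEK_FLAG_BACKWARD, -1));
    /* seek_pos_unchecked(&empty_stream, ...) would segfault exactly as reported. */
    return 0;
}
```

The guard belongs before the array access, not inside the search: `index_search_timestamp` already reports "no entry" as -1, and it is the clamp to 0 followed by the dereference that turns an empty index into a NULL read. Running the unchecked variant on `empty_stream` under a debugger reproduces the `mov (%rax,%rdx,8),%rcx` fault shape from the GDB session above, with `%rax` holding the NULL `entries` pointer and `%rdx` the clamped index 0.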