[FFmpeg-trac] #11639(ffmpeg:new): libavcodec/aac/aacdec.c:195:27 SEGV in frame_configure_elements
FFmpeg
trac at avcodec.org
Tue Jun 17 20:30:11 EEST 2025
#11639: libavcodec/aac/aacdec.c:195:27 SEGV in frame_configure_elements
----------------------------------+----------------------------------
Reporter: sigdevel | Type: defect
Status: new | Priority: normal
Component: ffmpeg | Version: 7.1
Keywords: SIGSEGV | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
----------------------------------+----------------------------------
Summary of the bug:
Crafted MP4 file containing invalid metadata (negative time scales in
mvhd/mdhd atoms, excessive sample size of 4294966935 and zero-duration
samples) triggers a SEGV in the AAC decoder during USAC initialization,
where frame_configure_elements attempts a WRITE memory access at address
0x70 due to an uninitialized/invalid Channel element pointer when
processing the malformed audio configuration.
How to reproduce:
{{{
./ffmpeg -i ./2_poc_libavcodec_aac_aacdec_c_195 -f null
}}}
ENV:
{{{
ffmpeg OS version: 7.1.1-1+b1 ;
ffmpeg debug version: N-119918-gee1f79b0fa (ffmpeg commit hash ee1f79b0fa4c82da9c19328b049b593c71611402) ;
built on: 6.12.25-amd64 ;
build opts debug: --disable-shared --enable-static --disable-doc --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --toolchain=clang-asan --enable-debug=3 --disable-optimizations --disable-stripping ;
}}}
Asan output:
{{{
== ffmpeg version N-119886-g52441bd4cd Copyright (c) 2000-2025 the FFmpeg developers
built with Debian clang version 19.1.7 (1+b1)
configuration: --disable-shared --enable-static --disable-doc --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --toolchain=clang-asan --enable-debug=3 --disable-optimizations --disable-stripping
libavutil 60. 3.100 / 60. 3.100
libavcodec 62. 3.101 / 62. 3.101
libavformat 62. 1.100 / 62. 1.100
libavdevice 62. 0.100 / 62. 0.100
libavfilter 11. 0.100 / 11. 0.100
libswscale 9. 0.100 / 9. 0.100
libswresample 6. 0.100 / 6. 0.100
Trailing option(s) found in the command: may be ignored.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] Invalid mvhd time scale -956300712, defaulting to 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] Invalid mdhd time scale -1761563580, defaulting to 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] Sample size 4294966935 is too large
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] All samples in data stream index:id [3:4] have zero duration, stream set to be discarded by default. Override using AVStream->discard or -discard for ffmpeg command.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==88932==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x55bcf83bbc74 bp 0x7ffd58251870 sp 0x7ffd58251770 T0)
==88932==The signal is caused by a WRITE memory access.
==88932==Hint: address points to the zero page.
#0 0x55bcf83bbc74 in frame_configure_elements /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:195:27
#1 0x55bcf83ba731 in ff_aac_output_configure /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:518:20
#2 0x55bcf83bc848 in ff_aac_get_che /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:632:13
#3 0x55bcf83f3ad2 in ff_aac_usac_reset_state /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec_usac.c:308:15
#4 0x55bcf83f5980 in ff_aac_usac_config_decode /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec_usac.c:553:11
#5 0x55bcf83c8a93 in decode_audio_specific_config_gb /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:1053:20
#6 0x55bcf83bed97 in decode_audio_specific_config /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:1097:12
#7 0x55bcf83be4d6 in ff_aac_decode_init /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:1193:20
#8 0x55bcf83e3a66 in ff_aac_decode_init_float /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec_float.c:181:12
#9 0x55bcf671b34f in avcodec_open2 /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/avcodec.c:336:19
#10 0x55bcf5fea1de in avformat_find_stream_info /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavformat/demux.c:2592:21
#11 0x55bcf51527d0 in ifile_open /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_demux.c:1814:15
#12 0x55bcf51b6f94 in open_files /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1366:15
#13 0x55bcf51b69d8 in ffmpeg_parse_options /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1415:11
#14 0x55bcf51fa099 in main /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg.c:991:11
#15 0x7ffa2c433ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7ffa2c433d64 in __libc_start_main csu/../csu/libc-start.c:360:3
#17 0x55bcf505b710 in _start (/media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/ffmpeg+0x521710) (BuildId: d2246b878abfa9a260cfb4c2c78620ba94243a83)
==88932==Register values:
rax = 0x0000000000000070  rbx = 0x00007ffd58251880  rcx = 0x00000000000001f8  rdx = 0x0000000000000018
rdi = 0x0000000000000000  rsi = 0x000052d000023f10  rbp = 0x00007ffd58251870  rsp = 0x00007ffd58251770
r8  = 0x00000a32000003fc  r9  = 0x0000519000001ff7  r10 = 0x00000a32000003fe  r11 = 0x00000a327fff83f8
r12 = 0x0000000000000000  r13 = 0x00007ffd58255908  r14 = 0x00007ffa2e5af000  r15 = 0x000055bcf9ccb1b0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:195:27 in frame_configure_elements
==88932==ABORTING
}}}
[[Image(https://github.com/sigdevel/pocs/blob/d65a0c4ece90b07878ae098f93d925c1301ce676/res/FFmpeg/ffmpeg/2/ffmpeg_2_asan_2025-06-15_17-20.png)]]
Poc-sample was uploaded to https://streams.videolan.org/upload/
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11639>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
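The three demuxer warnings in the ASan log above (non-positive mvhd/mdhd time scale, an stsz sample size that does not fit a signed 32-bit int, and an stts table where every sample has zero duration) are all visible in the container metadata before any audio is decoded. The following atom walker flags those conditions on an MP4 file, which is useful for triaging a corpus of crash samples without running the decoder. This is an added example and is not the ticket's PoC or FFmpeg's own code; the `INT32_MAX` threshold, the function names, and the in-memory sample built by `build_sample_mp4` are assumptions made here, chosen so the malformed sample reproduces the same field values the log reports.

```python
"""Audit MP4/ISOBMFF metadata for the conditions the demuxer warned about.

Added example: walks the box tree and reports a non-positive mvhd/mdhd
timescale, an stsz sample size above INT32_MAX, and an stts table in
which every sample has zero duration. Nothing here decodes audio.
"""
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
INT32_MAX = 0x7FFFFFFF  # assumption: anything above this is "too large"


def iter_boxes(data, start=0, end=None):
    """Yield (type, body_start, box_end) for the boxes in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1:  # 64-bit largesize follows the 8-byte header
            if pos + 16 > end:
                return
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            hdr = 16
        elif size == 0:  # box extends to the end of the enclosing range
            size = end - pos
        if size < hdr or pos + size > end:
            return  # inconsistent size: stop instead of reading past the buffer
        yield btype, pos + hdr, pos + size
        pos += size


def _timescale(body):
    """Timescale of an mvhd/mdhd body as the signed 32-bit int ffmpeg logs, or None."""
    if not body:
        return None
    version = body[0]
    # v0: version/flags(4) creation(4) modification(4) timescale(4)
    # v1: version/flags(4) creation(8) modification(8) timescale(4)
    off = 4 + (16 if version == 1 else 8)
    if len(body) < off + 4:
        return None
    return struct.unpack_from(">i", body, off)[0]


def audit_mp4(data):
    """Return a list of human-readable findings for the metadata in `data`."""
    findings = []

    def walk(start, end, path):
        for btype, body_start, box_end in iter_boxes(data, start, end):
            name = path + "/" + btype.decode("latin-1")
            body = data[body_start:box_end]
            if btype in CONTAINERS:
                walk(body_start, box_end, name)
            elif btype in (b"mvhd", b"mdhd"):
                ts = _timescale(body)
                if ts is not None and ts <= 0:
                    findings.append(f"{name}: invalid time scale {ts}")
            elif btype == b"stsz" and len(body) >= 12:
                # version/flags(4) sample_size(4) sample_count(4) [entries if sample_size == 0]
                sample_size, count = struct.unpack_from(">II", body, 4)
                if sample_size > INT32_MAX:
                    findings.append(f"{name}: sample size {sample_size} is too large")
                elif sample_size == 0:
                    n = min(count, (len(body) - 12) // 4)  # never trust the declared count
                    for i, sz in enumerate(struct.unpack_from(f">{n}I", body, 12)):
                        if sz > INT32_MAX:
                            findings.append(f"{name}: sample {i} size {sz} is too large")
                            break
            elif btype == b"stts" and len(body) >= 8:
                # version/flags(4) entry_count(4) then (sample_count, sample_delta) pairs
                n = min(struct.unpack_from(">I", body, 4)[0], (len(body) - 8) // 8)
                entries = struct.unpack_from(f">{2 * n}I", body, 8)
                counts, deltas = entries[0::2], entries[1::2]
                if n and sum(counts) and not any(deltas):
                    findings.append(f"{name}: all {sum(counts)} samples have zero duration")

    walk(0, len(data), "")
    return findings


def box(btype, payload):
    """Serialize one box with a 32-bit size header."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def build_sample_mp4(malformed=True):
    """Constructed in-memory MP4 (not the ticket's PoC) with the logged field values."""
    mv_ts, md_ts = (-956300712, -1761563580) if malformed else (1000, 48000)
    sample_size = 4294966935 if malformed else 1024
    delta = 0 if malformed else 1024
    mvhd = box(b"mvhd", b"\x00" * 4 + struct.pack(">IIi", 0, 0, mv_ts) + b"\x00" * 84)
    mdhd = box(b"mdhd", b"\x00" * 4 + struct.pack(">IIi", 0, 0, md_ts) + b"\x00" * 8)
    stsz = box(b"stsz", b"\x00" * 4 + struct.pack(">II", sample_size, 1))
    stts = box(b"stts", b"\x00" * 4 + struct.pack(">III", 1, 1, delta))
    stbl = box(b"stbl", stsz + stts)
    trak = box(b"trak", box(b"mdia", mdhd + box(b"minf", stbl)))
    ftyp = box(b"ftyp", b"isom" + struct.pack(">I", 512) + b"isomiso2mp41")
    return ftyp + box(b"moov", mvhd + trak)


if __name__ == "__main__":
    for line in audit_mp4(build_sample_mp4()):
        print(line)
```

To run it over a real sample, read the file into `bytes` and pass it to `audit_mp4`; the walker stops at the first box whose declared size is inconsistent with the enclosing range, so a truncated or size-corrupted file yields partial findings rather than an exception.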