Opened 5 years ago

Closed 5 years ago

#8193 closed defect (fixed)

signed integer overflow in libavformat/yuv4mpegdec.c:329

Reported by: Suhwan Owned by:
Priority: normal Component: avformat
Version: git-master Keywords: yuv4mpeg ubsan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There is a signed integer overflow in libavformat/yuv4mpegdec.c:329

libavformat/yuv4mpegdec.c:329:15: runtime error: signed integer overflow: -230584300921369 * 152070 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/yuv4mpegdec.c:329:15 in 
331	    if (avio_seek(s->pb, pos + s->internal->data_offset, SEEK_SET) < 0)
(gdb) bt
#0  yuv4_read_seek (s=0x61b000000080, stream_index=<optimized out>, pts=-230584300921369, 
    flags=<optimized out>) at libavformat/yuv4mpegdec.c:331
#1  0x00000000027b113f in seek_frame_internal (s=0x61b000000080, stream_index=0, 
    timestamp=-230584300921369, flags=<optimized out>) at libavformat/utils.c:2499
#2  av_seek_frame (s=0x61b000000080, stream_index=0, timestamp=-230584300921369, flags=<optimized out>)
    at libavformat/utils.c:2531
#3  0x00000000027b4ec9 in avformat_seek_file (s=0x61b000000080, stream_index=-1, 
    min_ts=-9223372036854775808, ts=-9223372036854775808, max_ts=-9223372036854775808, 
    flags=<optimized out>) at libavformat/utils.c:2583
#4  0x0000000000642dc6 in seek_to_start (ifile=0x611000000400, is=0x61b000000080)
    at fftools/ffmpeg.c:4198
#5  process_input (file_index=0) at fftools/ffmpeg.c:4288
#6  0x00000000005e71e8 in transcode_step () at fftools/ffmpeg.c:4638
#7  transcode () at fftools/ffmpeg.c:4692
#8  0x00000000005db6ec in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4894

How to reproduce:

% ./ffmpeg_g -t 1 -stream_loop 11 -y -i y4m_invalid_header_crash_small.y4m -target svcd -loglevel 0 -map 0 -c copy -aframes 58 -ar 22050 -b:v 310k tmp.wsaud

ffmpeg version N-94982-gea673a0edb Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
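As an added illustration (not code from the ticket or from FFmpeg): the sanitizer message shows a frame index (`pts = -230584300921369`) multiplied by a per-frame byte count (152070) in `yuv4_read_seek`, and the product then feeds `avio_seek` two lines later. The helper below computes such a seek offset (`data_offset + pts * packet_size`, an assumed shape of the expression) while rejecting negative indices and detecting `int64_t` overflow before it happens, which is the defensive check that turns this undefined behaviour into a clean seek failure.

```c
#include <stdint.h>
#include <stdbool.h>

/* Byte offset of frame number `pts` in a Y4M stream, computed as
 * data_offset + pts * packet_size.
 *
 * Returns true and stores the offset in *pos on success.  Returns false for
 * a negative frame index, a non-positive frame size, or when the product or
 * the final sum would not fit in int64_t.  The pts * packet_size shape is an
 * assumption taken from the sanitizer line in the report
 * (-230584300921369 * 152070), not FFmpeg's own source. */
bool y4m_frame_offset(int64_t pts, int64_t packet_size, int64_t data_offset,
                      int64_t *pos)
{
    if (pts < 0 || packet_size <= 0 || data_offset < 0)
        return false;

    /* Both operands are non-negative here, so the product overflows exactly
     * when pts exceeds INT64_MAX / packet_size.  Check before multiplying:
     * once the overflow has occurred the result is undefined, as UBSan shows. */
    if (pts > INT64_MAX / packet_size)
        return false;
    int64_t off = pts * packet_size;

    /* The addition can overflow too, so bound it the same way. */
    if (off > INT64_MAX - data_offset)
        return false;

    *pos = off + data_offset;
    return true;
}
```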

Attachments (2)

gdb-yuv (23.9 KB ) - added by Suhwan 5 years ago.
y4m_invalid_header_crash_small.y4m (1.0 KB ) - added by Suhwan 5 years ago.
poc


Change History (3)

by Suhwan, 5 years ago

Attachment: gdb-yuv added

by Suhwan, 5 years ago

poc

comment:1 by Carl Eugen Hoyos, 5 years ago

Component: undetermined → avformat
Keywords: yuv4mpeg added
Resolution: fixed
Status: new → closed

Should be fixed by Paul in 05a2ce93265442285b2838530ba5bb5702cd18b1
