Opened 9 months ago
#10462 new defect
Segmentation fault occurs during decoding of corrupted AVI file
| Reported by: | downtorak | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avcodec |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
I am reporting a segmentation fault that occurs in a specific file.
Although it is not a valid file, I expect it not to cause a segmentation fault.
How to reproduce:
% ./ffmpeg -i mpeg4video_decoding_error_with_segfault.avi -f null /dev/null
...
[1] 61434 segmentation fault ./ffmpeg -i mpeg4video_decoding_error_with_segfault.avi -f null /dev/null
The segmentation fault occurs at error_resilience.c:1254
dc += dest_y[x + (n & 1) * 8 +
(y + (n >> 1) * 8) * linesize[0]];
To investigate the cause, I added the following log:
if (s->mb_height * 16 >= s->cur_pic.f->height + 16) {
av_log(s->avctx, AV_LOG_ERROR, "CHECK ERROR h=%d, mb_h=%d\n", s->cur_pic.f->height, s->mb_height * 16);
}
The following log output was observed:
[mpeg4 @ 0x7f85b2a14040] CHECK ERROR h=1616, mb_h=5136
It appears that accessing incorrect memory occurs because the value of ERContext's mb_height is larger than the height of AVFrame.
While segmentation faults may not occur consistently, accessing incorrect memory remains the same issue.
I will upload the AVI file to the VideoLAN file uploader.
Thank you.
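
The mismatch reported above, worked through as an added example (not part of the ticket and not FFmpeg's code): it walks the quoted index expression for each macroblock row and reports the first row whose DC sum reads past a luma plane of `h` rows. Only h=1616 and mb_h=5136 come from the ticket's log line; the macroblock base offset, a plane of exactly height × linesize bytes with no allocator padding, and the width and linesize values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Largest byte offset (relative to the luma plane start) touched by the
 * quoted DC sum for macroblock (mb_x, mb_y). The macroblock base offset
 * mb_x*16 + mb_y*16*linesize is an assumption; the inner index expression
 * is the one quoted in the ticket. */
static size_t dc_max_offset(int mb_x, int mb_y, size_t linesize)
{
    size_t base = (size_t)mb_x * 16 + (size_t)mb_y * 16 * linesize;
    size_t max = 0;
    for (int n = 0; n < 4; n++)
        for (int y = 0; y < 8; y++)
            for (int x = 0; x < 8; x++) {
                size_t off = base + x + (n & 1) * 8 +
                             (size_t)(y + (n >> 1) * 8) * linesize;
                if (off > max)
                    max = off;
            }
    return max;
}

/* First macroblock row whose DC sum would read past a plane of
 * frame_height rows of linesize bytes, or -1 if every row fits. */
static int first_oob_mb_row(int mb_width, int mb_height,
                            int frame_height, size_t linesize)
{
    size_t plane_size = frame_height > 0 ? (size_t)frame_height * linesize : 0;
    if (mb_width <= 0) return -1; /* no macroblocks, so nothing is read */
    for (int mb_y = 0; mb_y < mb_height; mb_y++)
        if (dc_max_offset(mb_width - 1, mb_y, linesize) >= plane_size)
            return mb_y;
    return -1;
}

int main(void)
{
    /* h and mb_h come from the ticket's log line; mb_width and linesize
     * are constructed sample values (the ticket does not give them). */
    int frame_height = 1616, mb_height = 5136 / 16, mb_width = 40;
    size_t linesize = 640;
    int row = first_oob_mb_row(mb_width, mb_height, frame_height, linesize);
    if (row < 0)
        printf("all %d macroblock rows fit in the plane\n", mb_height);
    else
        printf("macroblock row %d of %d is the first to read past the "
               "%d-row plane\n", row, mb_height, frame_height);
    return 0;
}
```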


