Opened 6 months ago

Closed 6 months ago

#11679 closed defect (invalid)

Segmentation fault when processing malformed AVI files with CFHD codec due to null function pointer call in buffer management.

Reported by: xdc Owned by:
Priority: normal Component: tools
Version: unspecified Keywords: libav
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
## How to reproduce:
```
% avconv -i /workspace/POC/POC_libav_avconv_segfault_avi_cfhd -f null -
avconv version 13_dev0, Copyright (c) 2000-2018 the Libav developers
  built on Jul 19 2025 14:57:50 with Ubuntu clang version 16.0.6 (++20231112100510+7cbf1a259152-1~exp1~20231112100554.106)
  configuration: --cc=/Fuzzer/OPA++/afl-clang-lto --extra-cflags= --prefix=/workspace/benchmark/program/libav-c464278-Apr16-2019/install --disable-shared --enable-static --disable-x86asm --disable-inline-asm
  libavutil 56. 8. 0 / 56. 8. 0
  libavcodec 58. 12. 1 / 58. 12. 1
  libavformat 58. 2. 0 / 58. 2. 0
  libavdevice 57. 0. 2 / 57. 0. 2
  libavfilter 7. 1. 0 / 7. 1. 0
  libavresample 4. 0. 0 / 4. 0. 0
  libswscale 5. 0. 1 / 5. 0. 1
Input #0, avi, from '/workspace/POC/POC_libav_avconv_segfault_avi_cfhd':
  Metadata:
    encoder : Lavf57.7.1
  Duration: 00:00:00.33, start: 0.000000, bitrate: 13103 kb/s
    Stream #0:0: Video: cfhd [CFHD / 0x44484643], yuv422p10le, 720x480, 29.97 fps, 29.97 tbn
Stream mapping:
  Stream #0:0 -> #0:0 (cfhd (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf58.2.0
    Stream #0:0: Video: wrapped_avframe, yuv422p10le, 720x480, q=2-31, 200 kb/s, 29.97 tbn
    Metadata:
      encoder : Lavc58.12.1 wrapped_avframe
Segmentation fault (core dumped)
```

## GDB Analysis:
```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00005555568275bf in av_buffer_unref (buf=0x5555573257c8) at libavutil/buffer.c:117
#2  av_frame_unref (frame=0x5555573256a0) at libavutil/frame.c:302
#3  0x000055555675313e in av_frame_free (frame=<optimized out>) at libavutil/frame.c:86
#4  wrapped_avframe_release_buffer (unused=<optimized out>, data=0x0) at libavcodec/wrapped_avframe.c:39
#5  0x00005555558aa68d in av_buffer_unref (buf=0x7fffffffd160) at libavutil/buffer.c:117
#6  av_packet_unref (pkt=0x7fffffffd160) at libavcodec/avpacket.c:351
#7  av_interleaved_write_frame (s=0x555557168480, pkt=0x0) at libavformat/mux.c:686
#8  write_packet (of=<optimized out>, pkt=<optimized out>, ost=<optimized out>) at avtools/avconv.c:358
#9  0x00005555558a6b8d in do_video_out (of=0x55555716d880, ost=0x555557168de0, in_picture=<optimized out>, frame_size=<optimized out>) at avtools/avconv.c:607
#10 poll_filter (ost=0x555557168de0) at avtools/avconv.c:729
#11 poll_filters () at avtools/avconv.c:803
#12 0x0000555555898d16 in transcode () at avtools/avconv.c:2806
#13 main (argc=<optimized out>, argv=<optimized out>) at avtools/avconv.c:2975
```

## Root Cause:
The crash occurs when a buffer's release function pointer is NULL (0x0000000000000000) but still gets called during cleanup. This happens in the wrapped_avframe codec when processing malformed AVI files with CFHD video codec. The buffer management system fails to properly validate function pointers before calling them.

## POC File:
The malformed AVI file is available at: [/workspace/POC/POC_libav_avconv_segfault_avi_cfhd](https://drive.google.com/file/d/1OwDNHuTbZFNTDX9afmvez_old3oRC7dM/view?usp=sharing)
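As an added illustration of the failure mode the reporter describes (this is example code, not libav's or the ticket's): a hypothetical reference-counted buffer whose release callback could be left NULL, with the callback substituted at creation and validated again at release so cleanup never jumps to address 0. The type, function names and return codes are assumptions for this example.

```c
#include <stdlib.h>
#include <stdint.h>
/* Hypothetical model of a reference-counted buffer with a release callback,
 * in the spirit of the AVBuffer path in the backtrace above. Names, fields
 * and return codes are assumptions for this example, not libav's API. */
typedef void (*buf_free_fn)(uint8_t *data);
typedef struct RefBuffer {
    uint8_t    *data;
    int         refcount;
    buf_free_fn free;   /* the pointer that was 0x0 in the reported crash */
} RefBuffer;

static int g_default_free_calls = 0;   /* lets a test observe the fallback */
static void default_free(uint8_t *data) { free(data); g_default_free_calls++; }

/* Creation side: a NULL callback is replaced by default_free, so a buffer
 * built through this path never carries a null release pointer. */
RefBuffer *refbuf_create(uint8_t *data, buf_free_fn fn)
{
    RefBuffer *b = calloc(1, sizeof(*b));
    if (!b) return NULL;
    b->data = data;
    b->refcount = 1;
    b->free = fn ? fn : default_free;
    return b;
}

/* Release side: validates the callback before the indirect call instead of
 * trusting the struct. Returns 0 if references remain, 1 if the stored
 * callback ran, 2 if the callback was NULL and default_free ran instead. */
int refbuf_unref(RefBuffer **pb)
{
    RefBuffer *b = *pb;
    *pb = NULL;
    if (!b || --b->refcount > 0)
        return 0;
    int rc = b->free ? 1 : 2;
    (b->free ? b->free : default_free)(b->data);
    free(b);
    return rc;
}

/* Shape of the reported state: a zeroed release pointer reaches unref. */
int null_callback_scenario(void)
{
    RefBuffer *raw = calloc(1, sizeof(*raw));   /* raw->free stays NULL */
    raw->data = malloc(8);                      /* constructed sample payload */
    raw->refcount = 1;
    return refbuf_unref(&raw);                  /* 2: fallback, no jump to 0x0 */
}
```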

Attachments (1)

POC_libav_avconv_segfault_avi_cfhd (533.7 KB ) - added by xdc 6 months ago.


Change History (2)

comment:1 by mkver, 6 months ago

Resolution: → invalid
Status: new → closed

This is the FFmpeg bug tracker. Libav is a different (now dead) project.
