Opened 14 years ago
Closed 14 years ago
#182 closed defect (fixed)
libavformat crashes on damaged mp3
| Reported by: | jwarren | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | regression |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | yes | | |
Description
When I call av_open_input_file() on the attached damaged mp3, the program crashes. The file does open correctly in other decoder software. While I don't really expect ffmpeg to play every partially broken file, assumably it should fail gracefully if given such a file.
Attachments (1)
Change History (5)
comment:2 by , 14 years ago
Keywords: | regression added |
---|---|
Reproduced by developer: | set |
Status: | new → open |
Version: | git → git-master |
For future bug reports, please consider reading http://ffmpeg.org/bugreports.html
```
(gdb) r -i Allaby_cut.mp3
Starting program: ffmpeg_g -i Allaby_cut.mp3
ffmpeg version git-N-29734-g38bb5a5, Copyright (c) 2000-2011 the FFmpeg developers
  built on May 10 2011 00:36:05 with gcc 4.5.2
  configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
  libavutil    51.  2. 1 / 51.  2. 1
  libavcodec   53.  5. 0 / 53.  5. 0
  libavformat  53.  0. 3 / 53.  0. 3
  libavdevice  53.  0. 0 / 53.  0. 0
  libavfilter   2.  5. 0 /  2.  5. 0
  libswscale    0. 14. 0 /  0. 14. 0

Program received signal SIGSEGV, Segmentation fault.
0x081657c6 in ff_id3v2_parse (flags=<value optimized out>, version=4 '\004', len=17922, s=0x8c97b20) at libavformat/id3v2.c:263
263             buffer[j] = avio_r8(s->pb);
(gdb) bt
#0  0x081657c6 in ff_id3v2_parse (flags=<value optimized out>, version=4 '\004', len=17922, s=0x8c97b20) at libavformat/id3v2.c:263
#1  ff_id3v2_read (flags=<value optimized out>, version=4 '\004', len=17922, s=0x8c97b20) at libavformat/id3v2.c:316
#2  0x0814de96 in av_open_input_stream (ic_ptr=0xffffce2c, pb=0x8ca00c0, filename=0xffffd285 "Allaby_cut.mp3", fmt=0x871a520, ap=0xffffce04) at libavformat/utils.c:442
#3  0x0814e516 in av_open_input_file (ic_ptr=0xffffce2c, filename=0xffffd285 "Allaby_cut.mp3", fmt=0x871a520, buf_size=0, ap=0xffffce04) at libavformat/utils.c:613
#4  0x08054f7f in opt_input_file (filename=<value optimized out>) at ffmpeg.c:3262
#5  0x08059636 in parse_options (argc=3, argv=0xffffd014, options=0x85e1880, parse_arg_function=0x8057b40 <opt_output_file>) at cmdutils.c:282
#6  0x08058699 in main (argc=3, argv=0xffffd014) at ffmpeg.c:4486
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81657a6 to 0x81657e6:
   0x081657a6 <ff_id3v2_parse+1301>:    je     0x8165ba9 <ff_id3v2_parse+2328>
   0x081657ac <ff_id3v2_parse+1307>:    mov    0x10(%edi),%eax
   0x081657af <ff_id3v2_parse+1310>:    mov    0xdc(%esp),%edx
   0x081657b6 <ff_id3v2_parse+1317>:    mov    %eax,(%esp)
   0x081657b9 <ff_id3v2_parse+1320>:    mov    %edx,0x20(%esp)
   0x081657bd <ff_id3v2_parse+1324>:    call   0x80bd0f0 <avio_r8>
   0x081657c2 <ff_id3v2_parse+1329>:    mov    0x20(%esp),%edx
   0x081657c6 <ff_id3v2_parse+1333>:    mov    %al,(%edx)
   0x081657c8 <ff_id3v2_parse+1335>:    xor    %eax,%eax
   0x081657ca <ff_id3v2_parse+1337>:    mov    0xdc(%esp),%ecx
   0x081657d1 <ff_id3v2_parse+1344>:    mov    %ebp,0x34(%esp)
   0x081657d5 <ff_id3v2_parse+1348>:    mov    %eax,%ebp
   0x081657d7 <ff_id3v2_parse+1350>:    xor    %edx,%edx
   0x081657d9 <ff_id3v2_parse+1352>:    add    $0x1,%ebp
   0x081657dc <ff_id3v2_parse+1355>:    cmp    %ebp,0x2c(%esp)
   0x081657e0 <ff_id3v2_parse+1359>:    mov    %ebx,0x50(%esp)
   0x081657e4 <ff_id3v2_parse+1363>:    mov    %edx,%ebx
End of assembler dump.
(gdb) info register
eax            0x4f        79
ecx            0xffffcc7c  -13188
edx            0x0         0
ebx            0x16e       366
esp            0xffffcba0  0xffffcba0
ebp            0x3         0x3
esi            0x0         0
edi            0x8c97b20   147421984
eip            0x81657c6   0x81657c6 <ff_id3v2_parse+1333>
eflags         0x10282     [ SF IF RF ]
cs             0x23        35
ss             0x2b        43
ds             0x2b        43
es             0x2b        43
fs             0x0         0
gs             0x63        99
```
by , 14 years ago
Attachment: | Allaby_cut.mp3 added |
---|
comment:3 by , 14 years ago
This is due to the code:
```c
if (tflags & ID3v2_FLAG_DATALEN) {
    avio_rb32(s->pb);   /* skip the 4-byte data length indicator */
    tlen -= 4;          /* tlen is unsigned: wraps around when tlen < 4 */
}
```
When tlen = 3, this results in an integer underflow (tlen is unsigned); the following av_fast_realloc() will fail, and the code will crash when reading the NULL buffer.
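As an added illustration (not FFmpeg's code), the frame-length computation from the snippet above in its unchecked form beside a checked one, applied to a constructed ID3v2.4 frame header. The 10-byte header layout (id, syncsafe size, two flag bytes) and the data-length-indicator flag value 0x0001 follow the ID3v2.4 frame header definition; the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ID3v2.4 frame format flag: a 4-byte data length indicator precedes the data. */
#define ID3V2_FLAG_DATALEN 0x0001

/* Decode a 4-byte ID3v2.4 syncsafe integer (7 significant bits per byte). */
static unsigned syncsafe32(const uint8_t *p)
{
    return (p[0] & 0x7f) << 21 | (p[1] & 0x7f) << 14 |
           (p[2] & 0x7f) << 7  | (p[3] & 0x7f);
}

/* Unchecked variant: the arithmetic from the ticket. With tlen == 3 and the
 * flag set, the subtraction wraps to 0xffffffff, which is then handed to the
 * allocator as the buffer size. */
unsigned payload_len_unchecked(unsigned tlen, unsigned tflags)
{
    if (tflags & ID3V2_FLAG_DATALEN)
        tlen -= 4;
    return tlen;
}

/* Checked variant: a frame that claims a data length indicator but is too
 * short to hold one is malformed. Returns -1 instead of wrapping. */
int64_t payload_len_checked(unsigned tlen, unsigned tflags)
{
    if (tflags & ID3V2_FLAG_DATALEN) {
        if (tlen < 4)
            return -1;
        tlen -= 4;
    }
    return (int64_t)tlen;
}

/* Parse one 10-byte frame header: id[4], syncsafe size[4], flags[2].
 * Copies the frame id into `id` and returns the checked payload length,
 * or -1 if fewer than 10 bytes are available or the frame is malformed. */
int64_t parse_frame_header(const uint8_t *hdr, size_t avail, char id[5])
{
    if (avail < 10)
        return -1;
    memcpy(id, hdr, 4);
    id[4] = '\0';
    unsigned tlen   = syncsafe32(hdr + 4);
    unsigned tflags = (unsigned)hdr[8] << 8 | hdr[9];
    return payload_len_checked(tlen, tflags);
}

/* Constructed sample headers: a "TIT2" frame declaring size 3 with the data
 * length indicator flag set (the shape that crashed), and a well-formed one. */
static const uint8_t BAD_FRAME[10] = { 'T','I','T','2', 0,0,0,3, 0x00,0x01 };
static const uint8_t OK_FRAME[10]  = { 'T','I','T','2', 0,0,0,9, 0x00,0x01 };
```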
comment:4 by , 14 years ago
Analyzed by developer: | set |
---|---|
Resolution: | → fixed |
Status: | open → closed |
Fixed in commit:
commit 64be0d1edad630f5bc0f287022f5880de07915b2
Author: Stefano Sabatini <stefano.sabatini-lala@poste.it>
Date: Wed May 18 00:43:25 2011 +0200
id3v2: prevent unsigned integer overflow in ff_id3v2_parse()
In ff_id3v2_parse(), prevent unsigned integer overflow if data length
indicator is skipped and tlen is < 4.
Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
n/m