Opened 3 years ago

Closed 2 years ago

#6804 closed defect (fixed)

Corrupt file crashes ffmpeg with assertion failure.

Reported by: dalecurtis Owned by:
Priority: important Component: avformat
Version: git-master Keywords: crash abort codecpar regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no


Using master branch, run ffmpeg -i on the attached file and observe the following:

[ogg @ 0x125f380] Codec not found
[ogg @ 0x125f380] Invalid timing values.
    Last message repeated 1 times
[ogg @ 0x125f380] Header parsing failed for stream 1
[ogg @ 0x125f380] Header parsing failed for stream 2
[ogg @ 0x125f380] Headers mismatch for stream 3: expected 2 received 0.
[ogg @ 0x125f380] New streams are not supposed to be added in between Ogg context save/restore operations.
[ogg @ 0x125f380] failed to create or replace stream
[ogg @ 0x125f380] Codec not found
[ogg @ 0x125f380] Invalid timing values.
Assertion 0 failed at libavcodec/gsm_parser.c:59
Aborted (core dumped)

Seems this should return an error instead of crashing, but the parse() api doesn't seem to provide a way for error codes to be returned.

Attachments (1)

clusterfuzz-testcase-minimized-4580570865860608 (1.4 KB) - added by dalecurtis 3 years ago.


Change History (5)

Changed 3 years ago by dalecurtis

comment:1 Changed 3 years ago by Cigaes

The assert is fine, the execution should not arrive there in the first place.

You should run your fuzzing tests with the highest assert level; it would have triggered an assert failure earlier.

I do not know the Ogg and parser infrastructure well enough to investigate further.

comment:2 Changed 3 years ago by cehoyos

  • Keywords crash abort codecpar regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:3 Changed 3 years ago by dalecurtis

Ah, I think the issue is that AVERROR codes from oggdec->header() aren't handled at all. Will submit a patch shortly.
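An added illustration of the pattern comment:3 describes, not FFmpeg's own code: a hypothetical demuxer whose per-stream header() callback returns a negative error code, shown once with that return value discarded (the stream reaches the parser with no codec set) and once with it propagated. The function names, the error code values and the "GSM1" magic are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed error codes standing in for FFmpeg's negative AVERROR values. */
#define ERR_INVALIDDATA (-1)   /* header() rejected the stream */
#define ERR_ASSERT      (-2)   /* stands in for the av_assert0 abort in the log */

enum codec_id { CODEC_NONE = 0, CODEC_GSM = 1 };
struct stream { enum codec_id codec_id; };

/* Hypothetical per-stream header callback: accepts only a "GSM1" magic. */
static int stream_header(const unsigned char *buf, size_t len, struct stream *st) {
    if (len < 4 || memcmp(buf, "GSM1", 4) != 0)
        return ERR_INVALIDDATA;        /* the "Codec not found" case */
    st->codec_id = CODEC_GSM;
    return 0;
}

/* Model of the downstream parser: a stream with no codec must never
 * reach it, so arriving here with CODEC_NONE is the assertion failure. */
static int parse_packet(const struct stream *st) {
    return st->codec_id == CODEC_NONE ? ERR_ASSERT : 0;
}

/* Buggy demuxer open: the header() result is discarded, so a stream
 * whose codec was never set is handed on to the parser. */
int open_buggy(const unsigned char *buf, size_t len, struct stream *st) {
    memset(st, 0, sizeof *st);
    stream_header(buf, len, st);       /* return code silently dropped */
    return parse_packet(st);
}

/* Fixed demuxer open: propagate the error and stop before the parser. */
int open_fixed(const unsigned char *buf, size_t len, struct stream *st) {
    int ret;
    memset(st, 0, sizeof *st);
    if ((ret = stream_header(buf, len, st)) < 0)
        return ret;                    /* "Header parsing failed for stream N" */
    return parse_packet(st);
}

int main(void) {
    struct stream st;
    const unsigned char corrupt[] = "XXXX";   /* constructed corrupt header */
    const unsigned char valid[]   = "GSM1";   /* constructed valid header */
    printf("buggy/corrupt: %d\n", open_buggy(corrupt, 4, &st));   /* -2: would abort */
    printf("fixed/corrupt: %d\n", open_fixed(corrupt, 4, &st));   /* -1: clean error */
    printf("fixed/valid:   %d\n", open_fixed(valid, 4, &st));     /* 0 */
    return 0;
}
```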

comment:4 Changed 2 years ago by cehoyos

  • Component changed from undetermined to avformat
  • Resolution set to fixed
  • Status changed from open to closed