Opened 6 years ago

Closed 6 years ago

#6804 closed defect (fixed)

Corrupt file crashes ffmpeg with assertion failure.

Reported by: Dale Curtis
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: crash abort codecpar regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Using master branch, run ffmpeg -i on the attached file and observe the following:

[ogg @ 0x125f380] Codec not found
[ogg @ 0x125f380] Invalid timing values.
    Last message repeated 1 times
[ogg @ 0x125f380] Header parsing failed for stream 1
[ogg @ 0x125f380] Header parsing failed for stream 2
[ogg @ 0x125f380] Headers mismatch for stream 3: expected 2 received 0.
[ogg @ 0x125f380] New streams are not supposed to be added in between Ogg context save/restore operations.
[ogg @ 0x125f380] failed to create or replace stream
[ogg @ 0x125f380] Codec not found
[ogg @ 0x125f380] Invalid timing values.
Assertion 0 failed at libavcodec/gsm_parser.c:59
Aborted (core dumped)

Seems this should return an error instead of crashing, but the parse() API doesn't seem to provide a way for error codes to be returned.

Attachments (1)

clusterfuzz-testcase-minimized-4580570865860608 (1.4 KB) - added by Dale Curtis 6 years ago.

Change History (5)

comment:1 by Cigaes, 6 years ago

The assert is fine; the execution should not arrive there in the first place.

You should run your fuzzing tests with the highest assert level; it would have triggered an assert failure earlier.

I do not know the Ogg and parser infrastructure well enough to investigate further.

comment:2 by Carl Eugen Hoyos, 6 years ago

Keywords: crash abort codecpar regression added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

comment:3 by Dale Curtis, 6 years ago

Ah, I think the issue is that AVERROR codes from oggdec->header() aren't handled at all. Will submit a patch shortly.
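
The failure mode comment:3 describes, as an added example that is not FFmpeg code and not part of the ticket: a header callback's negative return is ignored, so a later parsing stage runs on a stream whose setup failed. `Stream`, `toy_header`, `parser_would_assert`, both `read_packet_*` functions and the 1 / 0 / negative return contract are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical model, not FFmpeg source. Assumed header() contract:
 * 1 = header packet consumed, 0 = first data packet, <0 = error code. */
typedef struct Stream {
    int header;      /* nonzero while header packets are still expected */
    int block_size;  /* set by a successful header parse; 0 = unset */
} Stream;

/* Constructed codec callback: rejects a header shorter than 4 bytes. */
static int toy_header(Stream *st, const unsigned char *pkt, size_t len)
{
    if (len < 4)
        return -EINVAL;          /* malformed header */
    if (pkt[0] != 'H')
        return 0;                /* data packet: headers are finished */
    st->block_size = pkt[3];
    return 1;
}

/* Stand-in for a packet parser that asserts on an unset block size.
 * Returns 1 if that assertion would fire, 0 otherwise. */
static int parser_would_assert(const Stream *st)
{
    return st->block_size == 0;
}

/* Unchecked: the negative return is stored as a truthy "in headers"
 * flag and the stream still reaches the parser with unset parameters. */
int read_packet_unchecked(Stream *st, const unsigned char *pkt, size_t len)
{
    st->header = toy_header(st, pkt, len);
    return parser_would_assert(st);      /* 1 = abort path reached */
}

/* Checked: a negative return is propagated to the caller as an error,
 * so the parser is never run on the half-initialised stream. */
int read_packet_checked(Stream *st, const unsigned char *pkt, size_t len)
{
    int ret = toy_header(st, pkt, len);
    if (ret < 0) {
        st->header = 0;
        return ret;
    }
    st->header = ret;
    return parser_would_assert(st);
}
```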

comment:4 by Carl Eugen Hoyos, 6 years ago

Component: undetermined → avformat
Resolution: fixed
Status: open → closed