#7989 closed defect (fixed)
heap-buffer-overflow at apng_do_inverse_blend in libavcodec/pngenc.c
| Reported by: | Suhwan | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | apng crash |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
There's a heap-buffer-overflow at apng_do_inverse_blend in libavcodec/pngenc.c
How to reproduce:
    % ffmpeg_g -y -r 73 -i tmp.pbm -map 0 -c:v apng -c:a pcm_dvd -disposition:a ac3_fixed -disposition:s:13 ac3_fixed -ac 16 tmp_.pgm

ffmpeg version: N-94163-g664a27ea40
built with clang version 9.0.0 (https://github.com/llvm/llvm-project.git 442a120567a4bc6c59bc754f9edabfb770086f36)
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
Attachments (2)
Change History (7)
by , 5 years ago
Attachment: gdb_log_7989 added
by , 5 years ago
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Received SIGABRT due to free invalid pointer at FFmpeg4.12
    ffmpeg version N-94906-gcb8d6a4e3e Copyright (c) 2000-2019 the FFmpeg developers
      built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
      configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan
      libavutil      56. 35.100 / 56. 35.100
      libavcodec     58. 56.101 / 58. 56.101
      libavformat    58. 32.104 / 58. 32.104
      libavdevice    58.  9.100 / 58.  9.100
      libavfilter     7. 58.102 /  7. 58.102
      libswscale      5.  6.100 /  5.  6.100
      libswresample   3.  6.100 /  3.  6.100
    Input #0, pbm_pipe, from 'tmp.pbm':
      Duration: N/A, bitrate: N/A
        Stream #0:0: Video: pbm, monow, 560x320, 25 tbr, 25 tbn, 25 tbc
    Stream mapping:
      Stream #0:0 -> #0:0 (pbm (native) -> apng (native))
    Press [q] to stop, [?] for help
    [swscaler @ 0xa2327c0] full chroma interpolation for destination format 'monob' not yet implemented
    Output #0, image2, to 'tmp_.pgm':
      Metadata:
        encoder         : Lavf58.32.104
        Stream #0:0: Video: apng, monob, 560x320, q=2-31, 200 kb/s, 73 fps, 73 tbn, 73 tbc
        Metadata:
          encoder         : Lavc58.56.101 apng
    free(): invalid pointer
    Aborted
comment:3 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:4 by , 4 years ago
| Component: | undetermined → avcodec |
|---|---|
| Keywords: | apng crash added; enc removed |
| Version: | unspecified → git-master |
comment:5 by , 4 years ago
Yeah, that is what was forgotten in 372aa0777aaacf726de7cd7dd0e6797026a124ee, right? Is it possible in theory to add that to apng though?
code: libavcodec/pngenc.c
I think it might happen on the following line.

    if (!memcmp(input_data + bpp * x, output_data + bpp * x, bpp))

bpp's size is bigger than the size of output_data + bpp * x.
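An added example, not FFmpeg's code, of the length check that the memcmp above lacks: `pixel_equal_checked` and `count_equal_pixels` are hypothetical helpers, and the two sample rows are constructed so that the output row is shorter than the input row, which is the situation the report describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample data (not from the report): the input row holds
 * three 2-byte pixels, the output row only has room for two. */
static const uint8_t sample_in[]  = { 1, 2, 3, 4, 5, 6 };
static const uint8_t sample_out[] = { 1, 2, 9, 4 };
#define SAMPLE_IN_LEN  (sizeof(sample_in))
#define SAMPLE_OUT_LEN (sizeof(sample_out))

/* Compare pixel x (bpp bytes at offset bpp*x) of two rows.
 * Returns 1 if equal, 0 if different, -1 if the read would run past
 * the end of either buffer. Without the length checks this is the
 * memcmp() the report points at. */
static int pixel_equal_checked(const uint8_t *in, size_t in_len,
                               const uint8_t *out, size_t out_len,
                               size_t bpp, size_t x)
{
    size_t off;
    if (bpp == 0 || x > SIZE_MAX / bpp)   /* bpp * x must not wrap */
        return -1;
    off = bpp * x;
    /* off + bpp <= len, written so the arithmetic cannot overflow */
    if (in_len < bpp || off > in_len - bpp)
        return -1;
    if (out_len < bpp || off > out_len - bpp)
        return -1;
    return memcmp(in + off, out + off, bpp) == 0;
}

/* Count the pixels of a width-pixel row that are identical in both
 * buffers. Returns -1 when the row does not fit in both buffers, so
 * the loop never reads beyond the shorter output buffer. */
static long count_equal_pixels(const uint8_t *in, size_t in_len,
                               const uint8_t *out, size_t out_len,
                               size_t bpp, size_t width)
{
    size_t x;
    long n = 0;
    if (bpp == 0 || width > SIZE_MAX / bpp)
        return -1;
    if (bpp * width > in_len || bpp * width > out_len)
        return -1;
    for (x = 0; x < width; x++)
        if (!memcmp(in + bpp * x, out + bpp * x, bpp))
            n++;
    return n;
}
```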