Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#8503 closed defect (worksforme)

heap-use-after-free (libavformat)

Reported by: satbaby
Owned by:
Priority: normal
Component: undetermined
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no


Summary of the bug:
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:19:55Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:19:57Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:19:59Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:20:01Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:20:03Z')
[hls @ 0x61b0000b7580] Opening '' for reading
[hls @ 0x61b0000b7580] Opening '' for reading
==26433==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0001786c0 at pc 0x7fa210658bf5 bp 0x7ffff0105260 sp 0x7ffff0104a08
READ of size 2 at 0x60b0001786c0 thread T0
Invalid return value 0 for stream protocol

#0 0x7fa210658bf4 (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/
#1 0x5590326e6c82 in av_match_ext libavformat/format.c:45
#2 0x5590326e7121 in av_probe_input_format3 libavformat/format.c:168
#3 0x5590326e7311 in av_probe_input_format2 libavformat/format.c:208
#4 0x5590326e7479 in av_probe_input_buffer2 libavformat/format.c:280
#5 0x5590326e7668 in av_probe_input_buffer libavformat/format.c:316
#6 0x55903275e777 in hls_read_header libavformat/hls.c:1945
#7 0x559032707aa1 in avformat_open_input libavformat/utils.c:631


0x60b0001786c0 is located 0 bytes inside of 100-byte region [0x60b0001786c0,0x60b000178724)
freed by thread T0 here:

#0 0x7fa2106f9e4f in interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/
#1 0x55903275b357 in free_segment_dynarray libavformat/hls.c:223
#2 0x55903275b357 in parse_playlist libavformat/hls.c:950

previously allocated by thread T0 here:

#0 0x7fa2106fa669 in realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/
#1 0x559033149454 in av_strdup libavutil/mem.c:256
#2 0x2d736c682d666479 (<unknown module>)

How to reproduce:

	AVFormatContext *ifcx = NULL;
	if (avformat_open_input(&ifcx, "", NULL, NULL) != 0) {
		return -1;
	}

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

Change History (4)

comment:1 by Carl Eugen Hoyos, 4 years ago

Is the issue you see reproducible with ffmpeg, the command line application? If not, please provide sample code that allows compilation.

comment:2 by satbaby, 4 years ago

#include <string>

extern "C" {
#include <libavformat/avformat.h>
}

int main()
{
	std::string name = "";

	AVFormatContext *ifcx = NULL;
	if (avformat_open_input(&ifcx, name.c_str(), NULL, NULL) != 0) {
		return -1;
	}
	if (ifcx) {
		avformat_close_input(&ifcx);  // release the context
	}

	return 0;
}

c++ -g -fsanitize=address -fno-omit-frame-pointer test.cpp -lavformat -lavcodec -lavutil

Last edited 4 years ago by satbaby

comment:3 by Carl Eugen Hoyos, 4 years ago (in reply to comment:2)

Resolution: worksforme
Status: changed from new to closed

Works fine here; a crash in avformat_open_input() should be easily reproducible, including with ffmpeg.

comment:4 by Carl Eugen Hoyos, 4 years ago

Component: changed from avformat to undetermined