[FFmpeg-trac] #1907(avformat:new): use-after-free in matroska demuxer
FFmpeg
trac at avcodec.org
Mon Nov 12 20:56:36 CET 2012
#1907: use-after-free in matroska demuxer
-------------------------------------+------------------------------------
Reporter: eugenis | Owner:
Type: defect | Status: new
Priority: important | Component: avformat
Version: unspecified | Resolution:
Keywords: mkv | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+------------------------------------
Comment (by eugenis):
I think I got this.
First of all, the report is a bit off. This is indeed a heap-buffer-overflow, but the original allocation stack is lost because it is waaay off to the right of the actual allocation.
This is what I believe is going on.
At matroskadec.c:2414 index_sub value is obtained as an index into the index table of the subtitle track. Then, in line 2417 it is used as an index into whatever track we are seeking in: st->index_entries[index_sub].pos. It seems like sizes of index tables for different tracks do not have to be connected in any way, right?
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1907#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
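An added illustration of the mismatch eugenis describes above (this is my own example, not FFmpeg's code and not anything attached to the ticket). The structs are a hypothetical simplification whose field names echo the ones quoted in the comment (index_entries, nb_index_entries); the index tables are constructed sample data, the search helper is my own, and the two "fixed" variants are suggestions, not the fix the project eventually applied.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified per-track seek index. Field names echo the FFmpeg
 * names quoted in the report (index_entries, nb_index_entries) but these are
 * not FFmpeg's real structures. */
typedef struct {
    int64_t timestamp;
    int64_t pos;        /* byte offset of the block in the file */
} IndexEntry;

typedef struct {
    const char *name;
    const IndexEntry *index_entries;
    int nb_index_entries;
} Track;

/* Constructed sample tables (not taken from any real file): the subtitle track
 * has five index entries, the video track only two. */
static const IndexEntry video_idx[] = { {0, 1000}, {25, 5000} };
static const IndexEntry sub_idx[]   = { {0, 200}, {10, 300}, {20, 400}, {30, 500}, {40, 600} };
static const Track video_track = { "video",    video_idx, 2 };
static const Track sub_track   = { "subtitle", sub_idx,   5 };

/* Index of the last entry in tr with timestamp <= ts, or -1 if there is none. */
static int index_search_timestamp(const Track *tr, int64_t ts)
{
    int found = -1;
    for (int i = 0; i < tr->nb_index_entries; i++) {
        if (tr->index_entries[i].timestamp > ts)
            break;
        found = i;
    }
    return found;
}

/* The pattern the report describes: an index obtained from the subtitle
 * track's table is reused as an index into st's table. This function does not
 * perform the read; it returns 1 if that reuse would land past the end of
 * st->index_entries (the heap out-of-bounds read), 0 otherwise. */
int seek_would_overflow(const Track *st, const Track *sub, int64_t ts)
{
    int index_sub = index_search_timestamp(sub, ts);
    if (index_sub < 0)
        return 0;
    return index_sub >= st->nb_index_entries;
}

/* Minimal hardening: bound the borrowed index against st's own entry count
 * before dereferencing. Returns 0 and sets *pos, or -1 if the index is unusable.
 * This only stops the memory error; entry N of one track still has no
 * relation to entry N of another. */
int seek_pos_bounds_checked(const Track *st, const Track *sub, int64_t ts, int64_t *pos)
{
    int index_sub = index_search_timestamp(sub, ts);
    if (index_sub < 0 || index_sub >= st->nb_index_entries)
        return -1;
    *pos = st->index_entries[index_sub].pos;
    return 0;
}

/* Resolving through the timestamp instead of the raw index (my suggestion, not
 * a fix taken from the ticket): look up the subtitle entry, then search st's
 * own table for that timestamp, so the index used is always one st produced. */
int seek_pos_via_timestamp(const Track *st, const Track *sub, int64_t ts, int64_t *pos)
{
    int index_sub = index_search_timestamp(sub, ts);
    if (index_sub < 0)
        return -1;
    int idx = index_search_timestamp(st, sub->index_entries[index_sub].timestamp);
    if (idx < 0)
        return -1;
    *pos = st->index_entries[idx].pos;
    return 0;
}

int main(void)
{
    int64_t pos;
    for (int64_t ts = 0; ts <= 40; ts += 10) {
        printf("seek ts=%2lld: overflow=%d", (long long)ts,
               seek_would_overflow(&video_track, &sub_track, ts));
        if (seek_pos_bounds_checked(&video_track, &sub_track, ts, &pos) == 0)
            printf(" bounds_checked_pos=%lld", (long long)pos);
        else
            printf(" bounds_checked=rejected");
        if (seek_pos_via_timestamp(&video_track, &sub_track, ts, &pos) == 0)
            printf(" via_timestamp_pos=%lld", (long long)pos);
        printf("\n");
    }
    return 0;
}
```

Seeking to timestamp 20 or later finds a subtitle index of 2 or more, which is already past the video track's two entries: that is the out-of-bounds read. The bounds check stops the memory error but still answers the seek to timestamp 10 with the video entry at timestamp 25, which shows why the two tables cannot be cross-indexed even when the read stays inside the buffer; resolving through the timestamp gives a position that actually belongs to the track being sought.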