[FFmpeg-trac] #3152(avcodec:new): Pointer overflow in libavcodec/mpegvideo.c
FFmpeg
trac at avcodec.org
Tue Nov 19 06:30:39 CET 2013
#3152: Pointer overflow in libavcodec/mpegvideo.c
-------------------------------------+-------------------------------------
Reporter: dtzWill | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: git-master
Keywords: undefined overflow | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
mpegvideo.c invokes undefined behavior by causing a pointer to overflow.
This occurs in libavcodec/mpegvideo.c:3010:47 of ffmpeg 2.0.2 and at
libavcodec/mpegvideo.c:3018:47 on latest git as of commit
f1f0b01c4700ae342bb245efcc00a724fd270c14.
Here's the error report, produced by coming-soon-to-you
-fsanitize=pointer-overflow in clang:
{{{
libavcodec/mpegvideo.c:3018:47: runtime error: pointer index expression
with base 0x000000000000 overflowed to 0xfffffffffffffff0
}}}
This occurs during execution of the "vsynth1-svq1" test (and only this
test) during execution of the FATE test suite.
How to reproduce:
* Build ffmpeg with clang using -fsanitize=pointer-overflow
-fno-sanitize-recover
* Run fate test-suite
* Observe test failure, look in "./tests/data/fate/vsynth1-svq1.err" for
an error report like the above.
Alternatively, since this sanitizer is not yet included in clang mainline,
simply add a check to mpegvideo.c:3018 to report if the LHS is zero when
the RHS is negative.
Please let me know if more information is required, thanks!
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3152>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
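A checked form of the pointer-index computation the reporter suggests adding at mpegvideo.c:3018, as an added example that is not part of the ticket or of FFmpeg's own code: it reproduces the sanitizer's rule (NULL base indexed with a non-zero offset, or an index that wraps the address space) in unsigned integer arithmetic so that the check itself stays defined. The function names and the element-size parameter are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of a checked base[index] computation. */
enum ptr_index_status {
    PTR_INDEX_OK = 0,
    PTR_INDEX_NULL_BASE,   /* base is NULL and index != 0: the ticket's case  */
    PTR_INDEX_WRAPPED      /* base + index*elem_size wrapped the address space */
};

/* Compute base + index*elem_size in uintptr_t (wrapping, well defined) and
 * classify it the way -fsanitize=pointer-overflow does. Assumes that
 * |index|*elem_size itself fits in uintptr_t. out may be NULL. */
static enum ptr_index_status checked_index(const void *base, ptrdiff_t index,
                                           size_t elem_size, const void **out)
{
    uintptr_t b   = (uintptr_t)base;
    uintptr_t off = (uintptr_t)index * elem_size;   /* two's complement for index < 0 */
    uintptr_t r   = b + off;

    if (out)
        *out = (const void *)r;
    if (base == NULL && index != 0)
        return PTR_INDEX_NULL_BASE;
    /* A negative index must land below base, a positive one above it;
     * anything else means the addition wrapped around. */
    if (index < 0 ? r > b : r < b)
        return PTR_INDEX_WRAPPED;
    return PTR_INDEX_OK;
}

/* Convenience: the raw address the indexing would produce. */
static uintptr_t index_result(const void *base, ptrdiff_t index, size_t elem_size)
{
    const void *p;
    checked_index(base, index, elem_size, &p);
    return (uintptr_t)p;
}

int main(void)
{
    /* The report's scenario: NULL base, 16 bytes below it. */
    const void *p;
    enum ptr_index_status st = checked_index(NULL, -16, 1, &p);
    printf("status=%d result=%p\n", (int)st, p);
    return 0;
}
```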