Opened 5 months ago
#11064 new defect
Potential crash when calling libass
| Reported by: | Spencer Wu | Owned by: | |
|---|---|---|---|
| Priority: | minor | Component: | avfilter |
| Version: | unspecified | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Hi FFmpeg developers,
We are a team working on experimental program analysis features based on fuzzing. Recently, when tracking the usage of libass, we noticed that the call to ass_process_chunk passes the data buffer ass_line with the data size determined by strlen in libavfilter/vf_subtitles.c.

While the call chain is long and this is not a crash discovered by running the full FFmpeg, we wondered whether there is a chance of ass_line being passed a string that is not null-byte terminated, resulting in a wrong data length being calculated for ass_process_chunk.

A similar doubt applies to the call sites of ass_process_codec_private and ass_add_font as well.

We attach the automatically synthesized fuzzing harness we used to discover this potential issue. It was generated by extracting the local usage of FFmpeg calling ass_process_chunk and then fuzzed with libFuzzer.

Thank you in advance for your time in clarifying our question.
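A defensive version of the length computation the report questions, as an added example in C that is not from the ticket, FFmpeg or libass: the terminator is searched only within the buffer's known capacity, and the explicit length is handed to a stand-in consumer. All names are assumed; consume_chunk is a mock with a (data, size) signature, not ass_process_chunk.

```c
#include <stddef.h>
#include <string.h>

/* Mock consumer with a (data, size) interface, standing in for a libass-style
 * call such as ass_process_chunk. Constructed for this example: it only
 * reports how many bytes of the first line it would read. */
static size_t consume_chunk(const char *data, size_t size) {
    size_t n = 0;
    while (n < size && data[n] != '\n')
        n++;
    return n;
}

/* Bounded replacement for strlen(ass_line): look for the NUL terminator
 * in at most cap bytes, so a buffer that is not terminated is never read
 * past its end. Returns 0 and sets *len on success, -1 if no terminator
 * lies inside the buffer (the caller must then refuse to use strlen). */
int ass_line_len_bounded(const char *buf, size_t cap, size_t *len) {
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)
        return -1;
    *len = (size_t)(nul - buf);
    return 0;
}

/* Hardened call site: the line is forwarded only when its length is
 * provably within the buffer. Returns bytes consumed, or -1 if rejected. */
long process_ass_line_checked(const char *buf, size_t cap) {
    size_t len;
    if (ass_line_len_bounded(buf, cap, &len) != 0)
        return -1;
    return (long)consume_chunk(buf, len);
}
```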