Opened 14 years ago

Closed 14 years ago

#182 closed defect (fixed)

libavformat crashes on damaged mp3

Reported by: jwarren Owned by:
Priority: important Component: avformat
Version: git-master Keywords: regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: yes

Description

When I call av_open_input_file() on the attached damaged mp3, the program crashes. The file does open correctly in other decoder software. While I don't really expect ffmpeg to play every partially broken file, assumably it should fail gracefully if given such a file.

Attachments (1)

Allaby_cut.mp3 (30.0 KB ) - added by Carl Eugen Hoyos 14 years ago.

Download all attachments as: .zip

Change History (5)

comment:1 by jwarren, 14 years ago

The file turned out to be too big for attachment (13MB) and I can't seem to connect to the ffmpeg ftp... so linking it here http://dl.dropbox.com/u/1162977/01%20-%20Allaby%20-%20Uberstar.mp3

Version 0, edited 14 years ago by jwarren (next)

comment:2 by Carl Eugen Hoyos, 14 years ago

Keywords: regression added
Reproduced by developer: set
Status: newopen
Version: gitgit-master

For future bug reports, please consider reading http://ffmpeg.org/bugreports.html

(gdb) r -i Allaby_cut.mp3
Starting program: ffmpeg_g -i Allaby_cut.mp3
ffmpeg version git-N-29734-g38bb5a5, Copyright (c) 2000-2011 the FFmpeg developers
  built on May 10 2011 00:36:05 with gcc 4.5.2
  configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
  libavutil    51.  2. 1 / 51.  2. 1
  libavcodec   53.  5. 0 / 53.  5. 0
  libavformat  53.  0. 3 / 53.  0. 3
  libavdevice  53.  0. 0 / 53.  0. 0
  libavfilter   2.  5. 0 /  2.  5. 0
  libswscale    0. 14. 0 /  0. 14. 0

Program received signal SIGSEGV, Segmentation fault.
0x081657c6 in ff_id3v2_parse (flags=<value optimized out>, version=4 '\004', len=17922, s=0x8c97b20) at libavformat/id3v2.c:263
263                         buffer[j] = avio_r8(s->pb);
(gdb) bt
#0  0x081657c6 in ff_id3v2_parse (flags=<value optimized out>, version=4 '\004', len=17922, s=0x8c97b20) at libavformat/id3v2.c:263
#1  ff_id3v2_read (flags=<value optimized out>, version=4 '\004', len=17922, s=0x8c97b20) at libavformat/id3v2.c:316
#2  0x0814de96 in av_open_input_stream (ic_ptr=0xffffce2c, pb=0x8ca00c0, filename=0xffffd285 "Allaby_cut.mp3", fmt=0x871a520, ap=0xffffce04) at libavformat/utils.c:442
#3  0x0814e516 in av_open_input_file (ic_ptr=0xffffce2c, filename=0xffffd285 "Allaby_cut.mp3", fmt=0x871a520, buf_size=0, ap=0xffffce04) at libavformat/utils.c:613
#4  0x08054f7f in opt_input_file (filename=<value optimized out>) at ffmpeg.c:3262
#5  0x08059636 in parse_options (argc=3, argv=0xffffd014, options=0x85e1880, parse_arg_function=0x8057b40 <opt_output_file>) at cmdutils.c:282
#6  0x08058699 in main (argc=3, argv=0xffffd014) at ffmpeg.c:4486
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81657a6 to 0x81657e6:
0x081657a6 <ff_id3v2_parse+1301>:       je     0x8165ba9 <ff_id3v2_parse+2328>
0x081657ac <ff_id3v2_parse+1307>:       mov    0x10(%edi),%eax
0x081657af <ff_id3v2_parse+1310>:       mov    0xdc(%esp),%edx
0x081657b6 <ff_id3v2_parse+1317>:       mov    %eax,(%esp)
0x081657b9 <ff_id3v2_parse+1320>:       mov    %edx,0x20(%esp)
0x081657bd <ff_id3v2_parse+1324>:       call   0x80bd0f0 <avio_r8>
0x081657c2 <ff_id3v2_parse+1329>:       mov    0x20(%esp),%edx
0x081657c6 <ff_id3v2_parse+1333>:       mov    %al,(%edx)
0x081657c8 <ff_id3v2_parse+1335>:       xor    %eax,%eax
0x081657ca <ff_id3v2_parse+1337>:       mov    0xdc(%esp),%ecx
0x081657d1 <ff_id3v2_parse+1344>:       mov    %ebp,0x34(%esp)
0x081657d5 <ff_id3v2_parse+1348>:       mov    %eax,%ebp
0x081657d7 <ff_id3v2_parse+1350>:       xor    %edx,%edx
0x081657d9 <ff_id3v2_parse+1352>:       add    $0x1,%ebp
0x081657dc <ff_id3v2_parse+1355>:       cmp    %ebp,0x2c(%esp)
0x081657e0 <ff_id3v2_parse+1359>:       mov    %ebx,0x50(%esp)
0x081657e4 <ff_id3v2_parse+1363>:       mov    %edx,%ebx
End of assembler dump.
(gdb) info register
eax            0x4f     79
ecx            0xffffcc7c       -13188
edx            0x0      0
ebx            0x16e    366
esp            0xffffcba0       0xffffcba0
ebp            0x3      0x3
esi            0x0      0
edi            0x8c97b20        147421984
eip            0x81657c6        0x81657c6 <ff_id3v2_parse+1333>
eflags         0x10282  [ SF IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

by Carl Eugen Hoyos, 14 years ago

Attachment: Allaby_cut.mp3 added

comment:3 by Stefano Sabatini, 14 years ago

This is due to the code:

if (tflags & ID3v2_FLAG_DATALEN) {

avio_rb32(s->pb);
tlen -= 4;

}

when tlen = 3, results in integer underflow (tlen is unsigned), and the following av_fast_realloc() will fail and will crash when reading the NULL buffer.

comment:4 by Stefano Sabatini, 14 years ago

Analyzed by developer: set
Resolution: fixed
Status: openclosed

Fixed in commit:

commit 64be0d1edad630f5bc0f287022f5880de07915b2
Author: Stefano Sabatini <stefano.sabatini-lala@poste.it>
Date: Wed May 18 00:43:25 2011 +0200

id3v2: prevent unsigned integer overflow in ff_id3v2_parse()


In ff_id3v2_parse(), prevent unsigned integer overflow if data length
indicator is skipped and tlen is < 4.


Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.

Note: See TracTickets for help on using tickets.