Closed Bug 1230286 Opened 9 years ago Closed 8 years ago

FFMPEG: signed integer overflow in [@ff_h264_direct_ref_list_init]

Categories

(Core :: Audio/Video: Playback, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
firefox45 --- affected

People

(Reporter: tsmith, Unassigned)

Details

(Keywords: csectype-intoverflow, sec-other, testcase)

Attachments

(2 files)

Found fuzzing ffmpeg commit: 259c71c199e9b4ea89bf4cb90ed0e207ddc9dff7

This is an Undefined behavior sanitizer (UBSan) runtime error.

libavcodec/h264_direct.c:140:27: runtime error: signed integer overflow: 2147483647 - -8150 cannot be represented in type 'int'

Run this command with a UBSan build:
$ ./ffmpeg -v 0 -nostats -f h264 -i test_case.264 -f null -
Attached file test_case.264
Attached file call_stack.txt
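An added example, not part of the bug report and not the FFmpeg code at h264_direct.c:140 or the upstream fix: it takes the operands from the UBSan message above and shows three common ways to make an `int` subtraction well defined. The function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Portable pre-check: stores a - b in *out and returns true only when the
 * mathematical result fits in int; no overflowing operation is evaluated. */
bool checked_sub_int(int a, int b, int *out)
{
    if ((b < 0 && a > INT_MAX + b) ||   /* a - b would exceed INT_MAX */
        (b > 0 && a < INT_MIN + b))     /* a - b would fall below INT_MIN */
        return false;
    *out = a - b;
    return true;
}

/* Widening: the difference of two ints always fits in 64 bits. */
int64_t wide_sub(int a, int b)
{
    return (int64_t)a - (int64_t)b;
}

/* Saturating: clamp the widened difference back into the int range. */
int sat_sub_int(int a, int b)
{
    int64_t d = wide_sub(a, b);
    if (d > INT_MAX) return INT_MAX;
    if (d < INT_MIN) return INT_MIN;
    return (int)d;
}

int main(void)
{
    /* Operands taken from the UBSan message quoted in the report. */
    int a = 2147483647, b = -8150, r = 0;

    if (!checked_sub_int(a, b, &r))
        printf("checked: %d - %d does not fit in int\n", a, b);
    printf("widened: %lld\n", (long long)wide_sub(a, b));
    printf("saturated: %d\n", sat_sub_int(a, b));
    return 0;
}
```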
This doesn't look security relevant.
Group: media-core-security
Should be fixed in upstream commit 77a644e6fa4aaeb2c26cfaa0e8ec3b19829b8d88.

Tyson, could you please verify?
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Verified.
Flags: needinfo?(twsmith)