FFMPEG: signed integer overflow in [@update_initial_timestamps]

RESOLVED FIXED

Status


Core
Audio/Video: Playback
critical

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug, {csectype-intoverflow, sec-other, testcase})

Trunk
csectype-intoverflow, sec-other, testcase

Firefox Tracking Flags

(firefox45 affected)

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8693833 [details]
call_stack.txt

Found while fuzzing ffmpeg commit: 6b978dadc654906130de46a8b83b6f67f90d3e17

This is an Undefined Behavior Sanitizer (UBSan) run-time error.

libavformat/utils.c:922:35: runtime error: signed integer overflow: -2450238577049583619 - 9223090561878065151 cannot be represented in type 'long long'

I am marking it as security as a precaution. Feel free to open it if this is not necessary.
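The reported error is a plain int64 subtraction whose mathematical result lies below INT64_MIN, which is undefined behaviour in C even if the compiled binary happens to wrap. As an added example (not ffmpeg's code and not the upstream fix), this C snippet checks such a subtraction before performing it, using the two operands quoted in the UBSan message:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Overflow-checked int64 subtraction (added example, not ffmpeg code).
 * Returns true and stores a - b in *out when the result fits, false
 * otherwise. Both bounds are compared before subtracting, so no
 * intermediate expression can itself overflow. */
bool sub_i64_checked(int64_t a, int64_t b, int64_t *out)
{
    if (b > 0 && a < INT64_MIN + b)   /* a - b would fall below INT64_MIN */
        return false;
    if (b < 0 && a > INT64_MAX + b)   /* a - b would exceed INT64_MAX */
        return false;
    *out = a - b;
    return true;
}

/* Saturating variant: clamps instead of invoking undefined behaviour.
 * Suitable when the delta is only compared, never used as an index. */
int64_t sub_i64_saturating(int64_t a, int64_t b)
{
    int64_t r;
    if (sub_i64_checked(a, b, &r))
        return r;
    return (b > 0) ? INT64_MIN : INT64_MAX;
}

/* The two operands from the UBSan report on this page. */
#define PAGE_A INT64_C(-2450238577049583619)
#define PAGE_B INT64_C(9223090561878065151)

int main(void)
{
    int64_t r;
    if (!sub_i64_checked(PAGE_A, PAGE_B, &r))
        printf("%" PRId64 " - %" PRId64 " overflows int64_t\n", PAGE_A, PAGE_B);
    printf("saturated result: %" PRId64 "\n", sub_i64_saturating(PAGE_A, PAGE_B));
    return 0;
}
```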
(Reporter)

Comment 1

2 years ago
Created attachment 8693834 [details]
test_case.ivf
(Reporter)

Updated

2 years ago
Keywords: sec-other
Not security relevant, and very likely no bug at the binary level, just undefined in the C source. Will push a fix to ffmpeg.
(Reporter)

Updated

2 years ago
Group: media-core-security
Should be fixed in upstream commit cafb19560401612a07760d230a50d9c1d0564daf. Can you verify please, Tyson?
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
(Reporter)

Comment 4

2 years ago
Verified.
Flags: needinfo?(twsmith)