FFMPEG: signed integer overflow in [@ff_h264_direct_ref_list_init]

RESOLVED FIXED

Status: RESOLVED FIXED
Product: Core
Component: Audio/Video: Playback
Priority: --
Severity: critical
Reported: 3 years ago
Last modified: 3 years ago

People: Reporter: tsmith, Unassigned

Tracking: Blocks: 1 bug; Keywords: csectype-intoverflow, sec-other, testcase
Version: Trunk
Points: ---

Firefox Tracking Flags: firefox45 affected

Attachments: 2 attachments

Description (Reporter, 3 years ago)

Found while fuzzing ffmpeg commit: 259c71c199e9b4ea89bf4cb90ed0e207ddc9dff7

This is an Undefined behavior sanitizer (UBSan) runtime error.

libavcodec/h264_direct.c:140:27: runtime error: signed integer overflow: 2147483647 - -8150 cannot be represented in type 'int'

Run this command with a UBSan build:
$ ./ffmpeg -v 0 -nostats -f h264 -i test_case.264 -f null -
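The UBSan message above flags a subtraction whose operands (2147483647 and -8150) cannot produce a result that fits in an int, which is undefined behaviour in C and is why -fsanitize=signed-integer-overflow reports it. The following C is an added example, not code from ffmpeg or from the upstream fix commit: it shows the two defender-side patterns for arithmetic on attacker-controlled values such as decoded POC fields, namely detecting the overflow before it happens and saturating instead of wrapping. The function names checked_sub_int, sub_overflows and sat_sub_int are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Checked subtraction: computes a - b in a 64-bit intermediate and refuses
 * to store a result that does not fit in int. Returns false on overflow.
 * (__builtin_sub_overflow does the same on GCC/Clang; the widening form
 * is used here so the example compiles with any C99 compiler.) */
bool checked_sub_int(int a, int b, int *out) {
    int64_t wide = (int64_t)a - (int64_t)b;
    if (wide < INT_MIN || wide > INT_MAX)
        return false;
    *out = (int)wide;
    return true;
}

/* Convenience predicate: true when a - b would overflow int. */
bool sub_overflows(int a, int b) {
    int unused;
    return !checked_sub_int(a, b, &unused);
}

/* Saturating subtraction: clamps to INT_MIN/INT_MAX instead of wrapping,
 * for places where a clamped value is an acceptable decoder behaviour. */
int sat_sub_int(int a, int b) {
    int64_t wide = (int64_t)a - (int64_t)b;
    if (wide > INT_MAX) return INT_MAX;
    if (wide < INT_MIN) return INT_MIN;
    return (int)wide;
}

int main(void) {
    /* Operands taken from the UBSan report on this page (constructed input). */
    int a = 2147483647, b = -8150, r;

    if (!checked_sub_int(a, b, &r))
        printf("%d - %d would overflow int; rejecting the stream/value\n", a, b);
    else
        printf("%d - %d = %d\n", a, b, r);

    printf("saturated result: %d\n", sat_sub_int(a, b));

    /* A benign pair shows the normal path. */
    if (checked_sub_int(10, 3, &r))
        printf("10 - 3 = %d\n", r);
    return 0;
}
```

Rejecting the value (the checked form) is the right default for a bitstream decoder: a frame whose POC differences cannot be represented is malformed, and signalling an error is safer than continuing with a wrapped or clamped number. Building with -fsanitize=signed-integer-overflow during fuzzing, as the reporter did, turns every remaining unchecked site into a runtime report like the one above.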
Comment 1 (Reporter, 3 years ago)
Created attachment 8695432 [details]
test_case.264
Comment 2 (Reporter, 3 years ago)
Created attachment 8695434 [details]
call_stack.txt
This doesn't look security relevant.
Updated (Reporter, 3 years ago)
Group: media-core-security
Should be fixed in upstream commit 77a644e6fa4aaeb2c26cfaa0e8ec3b19829b8d88.

Tyson, could you please verify?
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Comment 5 (Reporter, 3 years ago)
Verified.
Flags: needinfo?(twsmith)