[FFmpeg-trac] #4152(avformat:new): jacosub: deadlock with fuzzed file
FFmpeg
trac at avcodec.org
Wed Dec 3 11:54:14 CET 2014
#4152: jacosub: deadlock with fuzzed file
----------------------------------+--------------------------------------
Reporter: tholin | Type: defect
Status: new | Priority: normal
Component: avformat | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
----------------------------------+--------------------------------------
I found a deadlock in mpv with a fuzzed file. The problem appears to be in
ffmpeg so I report it here directly.
jacosub_read_header() in ffmpeg/libavformat/jacosubdec.c:156 will
continuously call ff_get_line() as long as eof isn't reached.
When ff_get_line() reads a \r, it tries to remove the following \n if it
exists. If eof is triggered after the first read, the next read will return
0, which is not a \n, and the stream is rewound one byte and the eof flag is
cleared. This puts the stream in the same state as before and
jacosub_read_header() loops indefinitely.
{{{
/* ffmpeg/libavformat/aviobuf.c:669 */
int ff_get_line(AVIOContext *s, char *buf, int maxlen)
{
    int i = 0;
    char c;

    do {
        c = avio_r8(s);                      /* <--- last byte read in stream (\r) */
        if (c && i < maxlen-1)
            buf[i++] = c;
    } while (c != '\n' && c != '\r' && c);
    if (c == '\r' && avio_r8(s) != '\n')     /* <--- triggers EOF and returns 0 */
        avio_skip(s, -1);                    /* <--- rewinds and clears eof_reached flag */

    buf[i] = 0;
    return i;
}
}}}
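A reduced model of the interaction described above, added here as an example (it is not FFmpeg code): an in-memory stream with avio-like EOF and seek semantics, the ff_get_line logic, and a jacosub-style read-until-EOF loop. The `fixed` flag enables an assumed mitigation, refusing to rewind once the peek for `\n` has already hit EOF, so the loop can observe the EOF flag and terminate.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the AVIOContext state this report depends on (constructed). */
typedef struct {
    const unsigned char *data;
    int size, pos, eof_reached;
} Stream;

/* Like avio_r8(): reading past the end returns 0 and sets eof_reached. */
static int stream_r8(Stream *s) {
    if (s->pos < s->size) return s->data[s->pos++];
    s->eof_reached = 1;
    return 0;
}

/* Like avio_skip(s, -1) on a seekable buffer: the seek clears eof_reached. */
static void stream_skip(Stream *s, int off) {
    s->pos += off;
    s->eof_reached = 0;
}

/* Mirrors ff_get_line(); with fixed != 0 the rewind is skipped when the peek hit EOF. */
static int get_line(Stream *s, char *buf, int maxlen, int fixed) {
    int i = 0, c;
    do {
        c = stream_r8(s);
        if (c && i < maxlen - 1) buf[i++] = (char)c;
    } while (c != '\n' && c != '\r' && c);
    if (c == '\r' && stream_r8(s) != '\n' && !(fixed && s->eof_reached))
        stream_skip(s, -1);          /* buggy path: state is identical to before the call */
    buf[i] = 0;
    return i;
}

/* The jacosub_read_header() pattern: call get_line() until EOF. Returns the number
 * of iterations, or -1 if the loop did not terminate within max_iter (the hang). */
static int read_all_lines(const unsigned char *data, int size, int fixed, int max_iter) {
    Stream s = { data, size, 0, 0 };
    char buf[64];
    int n = 0;
    while (!s.eof_reached) {
        if (n++ >= max_iter) return -1;
        get_line(&s, buf, sizeof buf, fixed);
    }
    return n;
}

/* Constructed inputs: a lone '\r' as the last byte (the trigger) and a benign file. */
static const unsigned char TRIGGER[] = "a\r";
static const unsigned char BENIGN[]  = "a\r\nb\n";

int main(void) {
    printf("trigger, buggy: %d\n", read_all_lines(TRIGGER, 2, 0, 1000)); /* -1 */
    printf("trigger, fixed: %d\n", read_all_lines(TRIGGER, 2, 1, 1000)); /*  1 */
    printf("benign,  buggy: %d\n", read_all_lines(BENIGN, 5, 0, 1000));  /*  3 */
    return 0;
}
```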
Here is a base64-encoded example file:
CQoKCgtAMUAxMwoKDQ0NDS4NDQ0LCwsLC6FcgAGhXIABDQ0NDQ0NDQ0NDYABDQ0fDQkNDQ0NDQ0NDQsNDQ0N
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4152>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker