[FFmpeg-trac] #3152(avcodec:new): Pointer overflow in libavcodec/mpegvideo.c

FFmpeg trac at avcodec.org
Tue Nov 19 06:30:39 CET 2013

#3152: Pointer overflow in libavcodec/mpegvideo.c
             Reporter:  dtzWill      |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  avcodec      |                  Version:  git-
             Keywords:  undefined    |  master
  overflow                           |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
 Summary of the bug:

 mpegvideo.c invokes undefined behavior by causing a pointer to overflow.

 This occurs in libavcodec/mpegvideo.c:3010:47 of ffmpeg 2.0.2 and at
 libavcodec/mpegvideo.c:3018:47 on latest git as of commit

 Here's the error report, produced by coming-soon-to-you -fsanitize
 =pointer-overflow in clang:

 libavcodec/mpegvideo.c:3018:47: runtime error: pointer index expression
 with base 0x000000000000 overflowed to 0xfffffffffffffff0

 This occurs during execution of the "vsynth1-svq1" test (and only this
 test) during execution of the FATE test suite.

 How to reproduce:
 * Build ffmpeg with clang using -fsanitize=pointer-overflow -fno-sanitize-
 * Run fate test-suite
 * Observe test failure, look in "./tests/data/fate/vsynth1-svq1.err" for
 an error report like the above.

 Alternatively, since this sanitizer is not yet included in clang mainline,
 simply add a check to mpegvideo.c:3018 to report if the LHS is zero when
 the RHS is negative.

 Please let me know if more information is required, thanks!

Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3152>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list