[FFmpeg-trac] #4152(avformat:new): jacosub: deadlock with fuzzed file

FFmpeg trac at avcodec.org
Wed Dec 3 11:54:14 CET 2014

#4152: jacosub: deadlock with fuzzed file
             Reporter:  tholin    |                     Type:  defect
               Status:  new       |                 Priority:  normal
            Component:  avformat  |                  Version:  git-master
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
 I found a deadlock in mpv with a fuzzed file. The problem appears to be in
 ffmpeg, so I report it here directly.

 jacosub_read_header() in ffmpeg/libavformat/jacosubdec.c:156 will
 continuously call ff_get_line() as long as EOF isn't reached.

 When ff_get_line() reads a \r it tries to remove the following \n if it
 exists. If EOF is triggered after the first read, the next read will return
 0, which is not a \n, and the stream is rewound one byte and the eof flag is
 cleared. This puts the stream in the same state as before, and
 jacosub_read_header() loops indefinitely.

 int ff_get_line(AVIOContext *s, char *buf, int maxlen)
 {
     int i = 0;
     char c;

     do {
         c = avio_r8(s);                     /* <--- last byte read in stream */
         if (c && i < maxlen-1)
             buf[i++] = c;
     } while (c != '\n' && c != '\r' && c);
     if (c == '\r' && avio_r8(s) != '\n')    /* <--- triggers EOF and returns 0 */
         avio_skip(s, -1);                   /* <--- rewinds and clears the
                                                     eof_reached flag */

     buf[i] = 0;
     return i;
 }


 Here is a base64-encoded example file

Ticket URL: <https://trac.ffmpeg.org/ticket/4152>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
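As an added illustration (an editor's example, not code from the report or from FFmpeg): the two behaviours the report relies on, avio_r8() returning 0 and setting eof_reached at end of data, and avio_skip(s, -1) stepping back one byte and clearing that flag, are modelled on an in-memory buffer; the posted ff_get_line() logic is transcribed onto that model next to a variant that only rewinds when the lookahead byte was a real byte rather than an EOF indication; and a bounded driver loops the way jacosub_read_header() does, so the hang surfaces as a -1 return instead of a stuck process. IOModel, model_r8(), model_skip_back1(), get_line_original(), get_line_fixed() and count_lines() are names invented here, the EOF check in the fixed variant is one mitigation for the described behaviour and not necessarily the patch the project applied, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for AVIOContext (not FFmpeg's struct): only the two
 * behaviours the report describes are modelled. */
typedef struct {
    const unsigned char *data;
    int size;
    int pos;
    int eof_reached;
} IOModel;

/* Like avio_r8(): returns the next byte, or 0 at end of data while setting
 * eof_reached. The position does not advance on EOF. */
static int model_r8(IOModel *s)
{
    if (s->pos >= s->size) {
        s->eof_reached = 1;
        return 0;
    }
    return s->data[s->pos++];
}

/* Like avio_skip(s, -1) as described in the report: step back one byte
 * and clear the EOF flag. */
static void model_skip_back1(IOModel *s)
{
    if (s->pos > 0)
        s->pos--;
    s->eof_reached = 0;
}

/* The logic from the report, transcribed onto the model. A file whose last
 * byte is '\r' makes the lookahead hit EOF, the rewind clears the flag and
 * re-exposes the '\r', and every later call repeats the same step. */
static int get_line_original(IOModel *s, char *buf, int maxlen)
{
    int i = 0;
    char c;

    do {
        c = model_r8(s);
        if (c && i < maxlen - 1)
            buf[i++] = c;
    } while (c != '\n' && c != '\r' && c);
    if (c == '\r' && model_r8(s) != '\n')   /* lookahead may have hit EOF */
        model_skip_back1(s);                /* and this then clears it     */

    buf[i] = 0;
    return i;
}

/* Mitigation illustrated here (an assumption, not necessarily the project's
 * patch): rewind only when the lookahead byte was real, i.e. EOF was not
 * hit, so the EOF state is never undone. */
static int get_line_fixed(IOModel *s, char *buf, int maxlen)
{
    int i = 0;
    char c;

    do {
        c = model_r8(s);
        if (c && i < maxlen - 1)
            buf[i++] = c;
    } while (c != '\n' && c != '\r' && c);
    if (c == '\r' && model_r8(s) != '\n' && !s->eof_reached)
        model_skip_back1(s);

    buf[i] = 0;
    return i;
}

typedef int (*get_line_fn)(IOModel *, char *, int);

/* Drive a get-line function the way jacosub_read_header() does: loop until
 * eof_reached. Returns the number of calls made, or -1 once max_calls is
 * exhausted, which is how the hang shows up here instead of a deadlock. */
static int count_lines(get_line_fn fn, const char *data, int max_calls)
{
    IOModel s = { (const unsigned char *)data, (int)strlen(data), 0, 0 };
    char buf[64];
    int calls = 0;

    while (!s.eof_reached) {
        if (calls >= max_calls)
            return -1;
        fn(&s, buf, (int)sizeof buf);
        calls++;
    }
    return calls;
}

int main(void)
{
    /* Constructed inputs: a file ending in a lone '\r' (the reporter's
     * trigger) and a well-formed one for comparison. */
    const char *trailing_cr = "line1\r";
    const char *normal = "a\rb\n";

    printf("trailing CR, original: %d\n", count_lines(get_line_original, trailing_cr, 1000));
    printf("trailing CR, fixed:    %d\n", count_lines(get_line_fixed, trailing_cr, 1000));
    printf("normal, original:      %d\n", count_lines(get_line_original, normal, 1000));
    printf("normal, fixed:         %d\n", count_lines(get_line_fixed, normal, 1000));
    return 0;
}
```

The bounded driver is the shape a regression test or fuzzing harness wants for this class of bug: a hang is only observable as "too many iterations without progress", so the harness has to impose the bound itself. On the well-formed input both variants make the same three calls, which is the check that the extra EOF condition changes nothing for ordinary files.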
