[FFmpeg-trac] #9289(avcodec:new): ffmpeg decode aac crashed in get_bits function
FFmpeg
trac at avcodec.org
Thu Jun 10 12:58:18 EEST 2021
#9289: ffmpeg decode aac crashed in get_bits function
-------------------------------------+-------------------------------------
Reporter: hyhmaffia | Type: defect
Status: new | Priority: critical
Component: avcodec | Version: git-master
Keywords: get_bits crashed | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
ffmpeg decoding AAC crashed in the get_bits function on an arm64 CPU.
get_bits contains the instruction: ldr w11, [x10, x11]
(lldb) register read x10
x10 = 0x000000013bbffea0
(lldb) register read x11
x11 = 0x000000000000015d
(lldb) p/x 0x000000013bbffea0 + 0x000000000000015d
(long) $12 = 0x000000013bbffffd
(lldb) p *(GetBitContext*)0x000000017048a6c0
(GetBitContext) $13 = {
buffer = 0x000000013bbffea0 "
buffer_end = 0x000000013bbffffe ""
index = 2792
size_in_bits = 2800
size_in_bits_plus8 = 2808
}
(lldb) p 0x000000013bbffffe - 0x000000013bbffffd
(long) $14 = 1
(lldb) p 0x000000013bc00000 - 0x000000013bbffffd
(long) $15 = 3
When index is 2792 and size_in_bits is 2800, we then call the function
get_bits(s, 3).
get_bits will read 32 bits, but we only have 8 bits left to read, so it
crashed.
It only crashed when the last byte is in another memory
page (0x000000013bc00000).
The AAC packet with ADTS header is (350 bytes):
FFF15C802BDFFC216B44B5BA96CB40B090AC132839861B1029A6911717BBD4BC0318F0968D118EA36C32B80CEE092E16D98E230F90586D6F56CC312BD44DFCE56C2F4D08E0730B822240612F55E99BBCA15E79F9F972837C67555A4892CC4B0C70C414A838F91BE4130B2C25EFE39C126E038DB19D5A0DD0945D3EFB63F6CB19785F9CDB6515DB9E77977CECB9AE5E546D38402AAA259615B94F41255744F07666653ECA2C5954B2CBAAEBA108504B13B0C094185C55ADB763CA8550BE1175A520B949C263CBCB977E26F3946DF307DCBED83CD858AA162C1754F75B85D4FFC290EF5CD6FA4A6B56C3153BC0C456093CFB6354F09A910313F5797DE199ADEAB62272FB32A952A5E3E9A9BD18085F7B2D79247350A09F73EBC079C775A7CE7FFDA0752E19CE0006755BB1A20CD6AA6866C2440A7DCF45A0C775C8CAAA8445044D1FF70000000000006F05D12A32A26608274745FA2941D1D17E8A500000E0
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9289>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
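As an added illustration, not code from the ticket or from FFmpeg, here is a minimal C bit reader with the same fields as the GetBitContext printed in the report and the same word-ahead load pattern (a 32-bit big-endian load at index/8, however few bits are requested). It reproduces the report's arithmetic: a read at bit 2792 in a 350-byte buffer loads bytes 349..352, three bytes past the end, which is only harmless if those bytes are mapped. It then shows the layout libavcodec documents for decoder input, AV_INPUT_BUFFER_PADDING_SIZE (64) zeroed bytes after the data, and a bounds-checked variant of the read. The ADTS header bytes are the first 7 bytes of the packet in the ticket; the names BitReader, br_get_bits, bytes_overread, padded_copy and parse_adts are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* libavcodec's AV_INPUT_BUFFER_PADDING_SIZE (64 zeroed bytes expected after packet
 * data); redefined here so the example builds without FFmpeg headers. */
#define PADDING_SIZE 64

/* Same fields as the GetBitContext dumped in the ticket. */
typedef struct {
    const uint8_t *buffer;
    const uint8_t *buffer_end;
    int index;          /* current position, in bits */
    int size_in_bits;
} BitReader;

static void br_init(BitReader *s, const uint8_t *buf, int size_bytes)
{
    s->buffer       = buf;
    s->buffer_end   = buf + size_bytes;
    s->index        = 0;
    s->size_in_bits = size_bytes * 8;
}

/* Big-endian 32-bit load: the C shape of the "ldr w11, [x10, x11]" in the report. */
static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Word-ahead read in the style of get_bits(): always loads 4 bytes starting at
 * byte index/8, however small n is (1 <= n <= 25 keeps the shifts in range). */
static unsigned br_get_bits(BitReader *s, int n)
{
    uint32_t cache = rb32(s->buffer + (s->index >> 3)) << (s->index & 7);
    unsigned v = cache >> (32 - n);
    s->index += n;
    return v;
}

/* Bytes beyond a size_bytes buffer that the 4-byte load for a read starting at
 * bit `index` touches (0 when the load stays inside the buffer). */
static int bytes_overread(int size_bytes, int index)
{
    int end = (index >> 3) + 4;          /* one past the last byte loaded */
    return end > size_bytes ? end - size_bytes : 0;
}

/* Same read, but refuses a load whose 4-byte window would leave an allocation of
 * alloc_bytes (data plus padding). Returns 0 on success, -1 if it would overrun. */
static int br_get_bits_checked(BitReader *s, int n, int alloc_bytes, unsigned *out)
{
    if ((s->index >> 3) + 4 > alloc_bytes)
        return -1;
    *out = br_get_bits(s, n);
    return 0;
}

/* Zeroed copy with PADDING_SIZE trailing bytes: the layout libavcodec expects. */
static uint8_t *padded_copy(const uint8_t *src, int size)
{
    uint8_t *dst = calloc((size_t)size + PADDING_SIZE, 1);
    if (dst)
        memcpy(dst, src, (size_t)size);
    return dst;
}

/* Reproduces the report: a 350-byte packet, get_bits(s, 3) at bit 2792, with `pad`
 * extra bytes allocated after the data. Contents are constructed zeros; only the
 * bounds matter here. Returns the checked read's result code. */
static int checked_read_at_end(int pad)
{
    int size = 350;
    uint8_t *buf = calloc((size_t)size + (size_t)pad, 1);
    if (!buf)
        return -1;
    BitReader s;
    br_init(&s, buf, size);
    s.index = 2792;
    unsigned v;
    int rc = br_get_bits_checked(&s, 3, size + pad, &v);
    free(buf);
    return rc;
}

/* First 7 bytes (the ADTS header) of the packet posted in the ticket. */
static const uint8_t ADTS_HEADER[7] = { 0xFF, 0xF1, 0x5C, 0x80, 0x2B, 0xDF, 0xFC };

typedef struct {
    int profile;          /* profile_ObjectType + 1 (2 = AAC LC) */
    int sr_index;         /* sampling_frequency_index */
    int channel_cfg;      /* channel_configuration */
    int frame_length;     /* aac_frame_length: whole frame incl. header, bytes */
    int buffer_fullness;  /* adts_buffer_fullness (0x7FF = VBR) */
} AdtsHeader;

/* Parses the ADTS header with the word-ahead reader. The last field starts at bit 43
 * and loads bytes 5..8, so even a 7-byte header needs padding behind it; parse from
 * a padded copy rather than from the caller's buffer. Returns 0, or -1 on bad sync. */
static int parse_adts(const uint8_t *buf, int size, AdtsHeader *h)
{
    if (size < 7)
        return -1;
    uint8_t *p = padded_copy(buf, size);
    if (!p)
        return -1;
    BitReader s;
    br_init(&s, p, size);
    int ok = br_get_bits(&s, 12) == 0xFFF;   /* syncword */
    br_get_bits(&s, 1);                      /* ID */
    br_get_bits(&s, 2);                      /* layer */
    br_get_bits(&s, 1);                      /* protection_absent */
    h->profile     = (int)br_get_bits(&s, 2) + 1;
    h->sr_index    = (int)br_get_bits(&s, 4);
    br_get_bits(&s, 1);                      /* private_bit */
    h->channel_cfg = (int)br_get_bits(&s, 3);
    br_get_bits(&s, 4);                      /* original/home/copyright bits */
    h->frame_length    = (int)br_get_bits(&s, 13);
    h->buffer_fullness = (int)br_get_bits(&s, 11);
    free(p);
    return ok ? 0 : -1;
}

int main(void)
{
    AdtsHeader h;
    if (parse_adts(ADTS_HEADER, 7, &h) == 0)
        printf("ADTS: profile %d, sr_index %d, channels %d, frame_length %d\n",
               h.profile, h.sr_index, h.channel_cfg, h.frame_length);
    printf("get_bits at bit 2792 of 350 bytes overreads %d byte(s); with padding: %d\n",
           bytes_overread(350, 2792), bytes_overread(350 + PADDING_SIZE, 2792));
    printf("checked read, unpadded: %d; padded: %d\n",
           checked_read_at_end(0), checked_read_at_end(PADDING_SIZE));
    return 0;
}
```

The parsed aac_frame_length of 350 matches the packet size given in the ticket, and the overread of 3 bytes matches the reporter's `0x13bc00000 - 0x13bbffffd` computation; the checked read only refuses the unpadded case, which is the one where the trailing bytes may lie in an unmapped page.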