[FFmpeg-trac] #9289(avcodec:new): ffmpeg decode aac crashed in get_bits function
FFmpeg
trac at avcodec.org
Fri Jun 11 11:00:30 EEST 2021
#9289: ffmpeg decode aac crashed in get_bits function
------------------------------------+-----------------------------------
Reporter: hyhmaffia | Owner: (none)
Type: defect | Status: new
Priority: normal | Component: avcodec
Version: git-master | Resolution:
Keywords: crash | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by hyhmaffia):
static inline unsigned int get_bits(GetBitContext *s, int n)
{
    register unsigned int tmp;
#if CACHED_BITSTREAM_READER
    av_assert2(n>0 && n<=32);
    if (n > s->bits_left) {
#ifdef BITSTREAM_READER_LE
        refill_32(s, 1);
#else
        refill_32(s, 0);
#endif
        if (s->bits_left < 32)
            s->bits_left = n;
    }
#ifdef BITSTREAM_READER_LE
    tmp = get_val(s, n, 1);
#else
    tmp = get_val(s, n, 0);
#endif
#else
    OPEN_READER(re, s);
    av_assert2(n>0 && n<=25);
    UPDATE_CACHE(re, s);
    tmp = SHOW_UBITS(re, s, n);
    LAST_SKIP_BITS(re, s, n);
    CLOSE_READER(re, s);
#endif
    av_assert2(tmp < UINT64_C(1) << n);
    return tmp;
}
The problem is: when re_index is 2792 and (gb)->buffer is
0x000000013bbffea0,
the source line: tmp = NEG_USR32(re_cache, num);
will read 32 bits, from 0x000000013bbffffd to 0x000000013bc00001,
but the valid memory range is from 0x000000013bbffffd to 0x000000013bbffffe.
static inline unsigned int get_bits(GetBitContext *s, int n)
{
    unsigned int tmp;
    unsigned int re_index = s->index;          /* OPEN_READER(re, s) */
    unsigned int av_unused re_cache;
    av_assert2(n>0 && n<=25);
    /* UPDATE_CACHE(re, s): always fetches 4 bytes starting at byte re_index >> 3 */
    re_cache = AV_RB32(s->buffer + (re_index >> 3)) << (re_index & 7);
    tmp = NEG_USR32(re_cache, n);              /* SHOW_UBITS(re, s, n) */
    LAST_SKIP_BITS(re, s, n);
    CLOSE_READER(re, s);
    return tmp;
}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9289#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
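Added example (not from the ticket or from FFmpeg's own code): it redoes the arithmetic in the comment above for bit index 2792 and the 4-byte fetch that UPDATE_CACHE performs, and shows why the caller's buffer must carry trailing padding (AV_INPUT_BUFFER_PADDING_SIZE, 64 bytes in current FFmpeg) so that such a fetch never leaves allocated memory. The 351-byte buffer size is an assumption derived from the reported addresses (0x13bbffea0 .. 0x13bbffffe, end taken as inclusive).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Matches AV_INPUT_BUFFER_PADDING_SIZE in current libavcodec/avcodec.h. */
#define INPUT_PADDING 64

/* Bytes that the 32-bit fetch AV_RB32(buffer + (index >> 3)) reaches past the
 * end of a buffer holding `size` valid bytes; 0 when the fetch stays inside. */
size_t cache_overread_bytes(size_t size, unsigned index)
{
    size_t start = index >> 3;   /* byte offset of the fetch */
    size_t end   = start + 4;    /* exclusive end: the reader always loads 4 bytes */
    return end > size ? end - size : 0;
}

/* True if the n requested bits themselves lie inside the buffer. The reader
 * can be logically in range here and still fetch past the end (see above). */
bool bits_in_range(size_t size, unsigned index, int n)
{
    return (uint64_t)index + (uint64_t)n <= (uint64_t)size * 8;
}

/* Allocation size a caller must use so the reader's fetch lands in padding. */
size_t padded_alloc_size(size_t size)
{
    return size + INPUT_PADDING;
}

int main(void)
{
    /* Constructed from the ticket: index 2792; size 351 is an assumption. */
    const size_t   size  = 351;
    const unsigned index = 2792;

    printf("fetch starts at byte %u, valid bytes %zu, overread %zu byte(s)\n",
           index >> 3, size, cache_overread_bytes(size, index));
    printf("16 bits at that index are %s the buffer\n",
           bits_in_range(size, index, 16) ? "inside" : "outside");
    printf("with %zu-byte allocation the overread is %zu byte(s)\n",
           padded_alloc_size(size), cache_overread_bytes(padded_alloc_size(size), index));
    return 0;
}
```

The fetch at byte 349 needs bytes 349..352, two past the 351 valid ones, even though a 16-bit read at that index is logically in range; with the padding FFmpeg requires, the same fetch stays inside the allocation.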