New submission from Reimar Döffinger <[email protected]>:

Attached sample (originally from http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1156) causes invalid reads in the indeo3 decoder when run under valgrind. Might be possible to avoid without a significant performance impact by adding additional estimation-based checks before all the "for( ; blks_height > 0; ..." loops in iv_Decode_Chunk. Unfortunately I just realized that FFmpeg's AVI demuxer refuses to handle the file at all, so here's only a part of MPlayer's valgrind log for now.
[indeo3 @ 0xe56d20]y/u/v offset outside buffer
Error while decoding frame!
==23044== Invalid read of size 1
==23044==    at 0x8E6253: iv_Decode_Chunk (indeo3.c:368)
==23044==    by 0x8E7E4D: indeo3_decode_frame (indeo3.c:1042)
==23044==    by 0xA327E7: avcodec_decode_video2 (utils.c:626)
==23044==    by 0x67BB72: decode (vd_ffmpeg.c:838)
==23044==    by 0x559983: decode_video (dec_video.c:393)
==23044==    by 0x4998DB: update_video (mplayer.c:2413)
==23044==    by 0x49DBE7: main (mplayer.c:3765)
==23044==  Address 0x1469d22b is 0 bytes after a block of size 6,939 alloc'd
==23044==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==23044==    by 0x5AB49A: ds_read_packet (demuxer.h:306)
==23044==    by 0x5B3BAF: demux_avi_read_packet (demux_avi.c:188)
==23044==    by 0x5B672F: demux_avi_fill_buffer (demux_avi.c:305)
==23044==    by 0x5ADDA5: ds_fill_buffer (demuxer.c:625)
==23044==    by 0x5AE051: ds_get_packet (demuxer.c:818)
==23044==    by 0x5FBF4E: video_read_frame (video.c:583)
==23044==    by 0x499593: update_video (mplayer.c:2387)
==23044==    by 0x49DBE7: main (mplayer.c:3765)
==23044==
==23044== Invalid read of size 1
==23044==    at 0x8E6083: iv_Decode_Chunk (indeo3.c:361)
==23044==    by 0x8E7E4D: indeo3_decode_frame (indeo3.c:1042)
==23044==    by 0xA327E7: avcodec_decode_video2 (utils.c:626)
==23044==    by 0x67BB72: decode (vd_ffmpeg.c:838)
==23044==    by 0x559983: decode_video (dec_video.c:393)
==23044==    by 0x4998DB: update_video (mplayer.c:2413)
==23044==    by 0x49DBE7: main (mplayer.c:3765)
==23044==  Address 0x1469d22c is 1 bytes after a block of size 6,939 alloc'd
==23044==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==23044==    by 0x5AB49A: ds_read_packet (demuxer.h:306)
==23044==    by 0x5B3BAF: demux_avi_read_packet (demux_avi.c:188)
==23044==    by 0x5B672F: demux_avi_fill_buffer (demux_avi.c:305)
==23044==    by 0x5ADDA5: ds_fill_buffer (demuxer.c:625)
==23044==    by 0x5AE051: ds_get_packet (demuxer.c:818)
==23044==    by 0x5FBF4E: video_read_frame (video.c:583)
==23044==    by 0x499593: update_video (mplayer.c:2387)
==23044==    by 0x49DBE7: main (mplayer.c:3765)
==23044==
[indeo3 @ 0xe56d20]y/u/v offset outside buffer
Error while decoding frame!

----------
messages: 12913
priority: normal
status: open
substatus: open
title: out-of-bound reads in indeo3 decoder
type: bug

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2417>
________________________________________________
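Added example, not the reporter's code and not FFmpeg's indeo3 implementation: what the "estimation-based check before the block loop" suggested above looks like in C, against a made-up chunk format. The packet layout, the names decode_chunk, check_min_size, rd_byte and the DEC_* codes, and the sample packets are all assumptions constructed for this example. The point it shows is that a cheap lower-bound comparison before the loop rejects grossly truncated packets (the valgrind reads above are 0 and 1 bytes past the end of a 6,939-byte packet) without paying per-block, while variable-length parts still need a checked reader inside the loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical chunk layout, constructed for this example (not indeo3's real
 * bitstream):
 *   byte 0     blks_height  (number of block rows)
 *   byte 1     blks_width   (blocks per row)
 *   per block  1 opcode byte; if (opcode & 0x80) one extra data byte follows
 */

enum { DEC_OK = 0, DEC_ERR_TRUNCATED = -1, DEC_ERR_BAD_HEADER = -2 };

struct reader {
    const uint8_t *p;    /* next unread byte */
    const uint8_t *end;  /* one past the last valid byte of the packet */
};

/* Bounds-checked single-byte read: never dereferences at or past `end`. */
static int rd_byte(struct reader *r, uint8_t *out)
{
    if (r->p >= r->end)
        return DEC_ERR_TRUNCATED;
    *out = *r->p++;
    return DEC_OK;
}

/* Estimation-based pre-check: every block consumes at least its opcode byte,
 * so a chunk with fewer than rows*cols bytes left can never finish the loop.
 * One comparison here replaces a per-block failure path for the common
 * "packet is far too short" case. */
static int check_min_size(const struct reader *r, unsigned rows, unsigned cols)
{
    size_t remaining = (size_t)(r->end - r->p);
    size_t need = (size_t)rows * (size_t)cols;   /* no overflow: both <= 255 */
    return remaining >= need ? DEC_OK : DEC_ERR_TRUNCATED;
}

/* Decodes one chunk. Returns the number of blocks decoded (>= 1) on success,
 * or a negative DEC_ERR_* code. Never reads outside [buf, buf + len). */
int decode_chunk(const uint8_t *buf, size_t len)
{
    struct reader r = { buf, buf + len };
    uint8_t rows, cols, op, data;
    int err;
    unsigned blocks = 0;

    if (rd_byte(&r, &rows) != DEC_OK || rd_byte(&r, &cols) != DEC_OK)
        return DEC_ERR_BAD_HEADER;
    if (rows == 0 || cols == 0)
        return DEC_ERR_BAD_HEADER;

    /* Lower-bound check before the loop: rejects truncated packets without
     * touching a single block. */
    if ((err = check_min_size(&r, rows, cols)) != DEC_OK)
        return err;

    for (unsigned y = rows; y > 0; y--) {
        for (unsigned x = 0; x < cols; x++) {
            /* The estimate only guarantees the opcode bytes; the optional
             * data byte is variable-length, so each read stays checked. */
            if ((err = rd_byte(&r, &op)) != DEC_OK)
                return err;
            if ((op & 0x80) && (err = rd_byte(&r, &data)) != DEC_OK)
                return err;
            (void)data;  /* payload is discarded in this example */
            blocks++;
        }
    }
    return (int)blocks;
}

/* Constructed sample packets (not taken from the attached file). */
static const uint8_t PKT_OK[]        = { 2, 2, 0x00, 0x81, 0x05, 0x00, 0x00 };
static const uint8_t PKT_TOO_SHORT[] = { 3, 4, 0x00, 0x00 };  /* needs >= 12 bytes */
static const uint8_t PKT_VARLEN[]    = { 1, 2, 0x81, 0x05 };  /* passes estimate, fails in loop */
static const uint8_t PKT_NO_HEADER[] = { 1 };

int main(void)
{
    printf("ok:         %d\n", decode_chunk(PKT_OK, sizeof PKT_OK));
    printf("too short:  %d\n", decode_chunk(PKT_TOO_SHORT, sizeof PKT_TOO_SHORT));
    printf("varlen:     %d\n", decode_chunk(PKT_VARLEN, sizeof PKT_VARLEN));
    printf("no header:  %d\n", decode_chunk(PKT_NO_HEADER, sizeof PKT_NO_HEADER));
    return 0;
}
```

The pre-check is only a lower bound: PKT_VARLEN has exactly rows*cols bytes left and so passes it, but its first block carries a data byte, so the second block's opcode read runs out of input and the checked reader returns DEC_ERR_TRUNCATED instead of reading past the packet. Running PKT_TOO_SHORT through a loop without the pre-check would reach the same error, just later and after more work per block.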
