#1907: use-after-free in matroska demuxer
-------------------------------------+------------------------------------
Reporter: eugenis | Owner:
Type: defect | Status: new
Priority: important | Component: avformat
Version: unspecified | Resolution:
Keywords: mkv | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+------------------------------------
Comment (by eugenis):
I think I got this.
First of all, the report is a bit off. This is indeed a heap-buffer-overflow, but the original allocation stack is lost because it is waaay off to the right of the actual allocation.
This is what I believe is going on.
At matroskadev.c:2414, the index_sub value is obtained as an index into the index table of the subtitle track. Then, in line 2417, it is used as an index into whatever track we are seeking in: st->index_entries[index_sub].pos. It seems like the sizes of index tables for different tracks do not have to be connected in any way, right?
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1907#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
[email protected]
http://avcodec.org/mailman/listinfo/ffmpeg-trac
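The cross-track index misuse eugenis describes, shown as an added C example (this is not FFmpeg code; the struct names, the demo functions and the sample index tables are constructed stand-ins): the unchecked lookup beside a version that bounds-checks the index against the target track's own table.

```c
#include <stdint.h>
/* Simplified stand-ins for AVIndexEntry/AVStream, written for this example
 * only; they are not FFmpeg's real structures. */
typedef struct { int64_t pos; int64_t timestamp; } IndexEntry;
typedef struct { IndexEntry *index_entries; int nb_index_entries; } Stream;

/* The pattern the ticket describes: an index from one track's table used
 * directly on another track; reads past index_entries when the target table is shorter. */
int64_t seek_pos_unchecked(const Stream *st, int index_sub) {
    return st->index_entries[index_sub].pos;
}

/* Hardened lookup: validate the index against the target track's own table
 * before dereferencing it. Returns -1 on an out-of-range index. */
int seek_pos_checked(const Stream *st, int index_sub, int64_t *pos_out) {
    if (index_sub < 0 || index_sub >= st->nb_index_entries)
        return -1;
    *pos_out = st->index_entries[index_sub].pos;
    return 0;
}

/* Last entry whose timestamp is <= ts, or -1 if there is none. */
int find_index_by_ts(const Stream *st, int64_t ts) {
    int i, best = -1;
    for (i = 0; i < st->nb_index_entries; i++)
        if (st->index_entries[i].timestamp <= ts) best = i;
    return best;
}

/* Constructed sample: a subtitle track with 8 index entries and a video
 * track with only 3; the two tables are independent, as the ticket notes. */
static IndexEntry sub_entries[8], vid_entries[3];
static void build_sample(Stream *sub, Stream *vid) {
    int i;
    for (i = 0; i < 8; i++) sub_entries[i] = (IndexEntry){ i * 100, i * 1000 };
    for (i = 0; i < 3; i++) vid_entries[i] = (IndexEntry){ i * 500, i * 3000 };
    *sub = (Stream){ sub_entries, 8 };
    *vid = (Stream){ vid_entries, 3 };
}

/* Cross-track seek with the check applied: resolve ts in the subtitle table,
 * then apply that index to the video track. Returns the byte position, or
 * -1 when the subtitle index does not exist in the video track's table. */
int64_t demo_cross_track_seek(int64_t ts) {
    Stream sub, vid;
    int64_t pos;
    build_sample(&sub, &vid);
    if (seek_pos_checked(&vid, find_index_by_ts(&sub, ts), &pos) < 0) return -1;
    return pos;
}
```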