#11681: Segmentation fault in binary seek function when processing malformed MPEG files due to null pointer dereference in index_entries array access.
-------------------------------------+-------------------------------------
             Reporter:  xdc          |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  undetermined |                  Version:  unspecified
             Keywords:  libav        |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 ## How to reproduce:
 ```
 % avconv -ss 0.1 -i /workspace/POC/POC_libav_avconv_segfault_mpeg_seek -f null -
 avconv version 13_dev0, Copyright (c) 2000-2018 the Libav developers
   built on Jul 19 2025 14:57:50 with Ubuntu clang version 16.0.6
 (++20231112100510+7cbf1a259152-1~exp1~20231112100554.106)
   configuration: --cc=/Fuzzer/OPA++/afl-clang-lto --extra-cflags=
 --prefix=/workspace/benchmark/program/libav-c464278-Apr16-2019/install
 --disable-shared --enable-static --disable-x86asm --disable-inline-asm
   libavutil     56.  8. 0 / 56.  8. 0
   libavcodec    58. 12. 1 / 58. 12. 1
   libavformat   58.  2. 0 / 58.  2. 0
   libavdevice   57.  0. 2 / 57.  0. 2
   libavfilter    7.  1. 0 /  7.  1. 0
   libavresample  4.  0. 0 /  4.  0. 0
   libswscale     5.  0. 1 /  5.  0. 1
 [mpeg @ 0x555557165800] Format detected only with low score of 25,
 misdetection possible!
 [mpeg @ 0x555557165800] Could not find codec parameters (Video:
 [0][0][0][0] / 0x0000
       none)
 [mpeg @ 0x555557165800] start time is not set in estimate_timings_from_pts
 Segmentation fault (core dumped)
 ```

 ## GDB Analysis:
 ```
 Program received signal SIGSEGV, Segmentation fault.
 0x0000555555bfd3aa in ff_seek_frame_binary (s=0x555557165800,
 stream_index=0, target_ts=9000, flags=1) at libavformat/utils.c:1289
 1289        e     = &st->index_entries[index];
 #0  0x0000555555bfd3aa in ff_seek_frame_binary (s=0x555557165800,
 stream_index=0, target_ts=9000, flags=1) at libavformat/utils.c:1289
 #1  0x0000555555bfea54 in seek_frame_internal (stream_index=<optimized
 out>, timestamp=9000, s=<optimized out>, flags=<optimized out>) at
 libavformat/utils.c:1556
 #2  av_seek_frame (s=0x555557165800, stream_index=<optimized out>,
 timestamp=<optimized out>, flags=1) at libavformat/utils.c:1567
 #3  0x00005555558705b6 in open_input_file (o=0x7fffffffd380,
 filename=0x7fffffffe071
 "/workspace/POC/POC_libav_avconv_segfault_mpeg_seek") at
 avtools/avconv_opt.c:835
 #4  0x0000555555873a5b in open_files (l=0x555557153098,
 inout=0x5555555d4d9a "input", open_file=0x55555586f940 <open_input_file>)
 at avtools/avconv_opt.c:2467
 #5  0x0000555555893816 in avconv_parse_options (argc=<optimized out>,
 argv=<optimized out>) at avtools/avconv_opt.c:2504
 #6  main (argc=<optimized out>, argv=<optimized out>) at
 avtools/avconv.c:2953

 Disassembly around crash point:
    0x0000555555bfd38a <ff_seek_frame_binary+794>:       mov
 $0x11d70,%edx
    0x0000555555bfd38f <ff_seek_frame_binary+799>:       sub    %r8d,%edx
    0x0000555555bfd392 <ff_seek_frame_binary+802>:       mov    (%r11),%rsi
    0x0000555555bfd395 <ff_seek_frame_binary+805>:       movzbl
 (%rsi,%rdx,1),%r8d
    0x0000555555bfd39a <ff_seek_frame_binary+810>:       add    $0x1,%r8b
    0x0000555555bfd39e <ff_seek_frame_binary+814>:       adc    $0x0,%r8b
    0x0000555555bfd3a2 <ff_seek_frame_binary+818>:       mov
 %r8b,(%rsi,%rdx,1)
    0x0000555555bfd3a6 <ff_seek_frame_binary+822>:       lea
 (%rdi,%rdi,2),%rdx
 => 0x0000555555bfd3aa <ff_seek_frame_binary+826>:       mov
 (%rax,%rdx,8),%rcx  <-- CRASH HERE
    0x0000555555bfd3ae <ff_seek_frame_binary+830>:       mov
 0x8(%rax,%rdx,8),%r8
 ```

 ## Root Cause:
 The crash occurs in `ff_seek_frame_binary()` function at
 `libavformat/utils.c:1289` when attempting to access:
 ```c
 e = &st->index_entries[index];
 ```

 The issue is that:
 1. The file is detected as MPEG format with low confidence score (25)
 2. Codec parameters cannot be determined properly
 3. The stream's `index_entries` array is NULL
 4. The seek operation tries to access `index_entries[index]` without null checking

 The malformed file causes the MPEG demuxer to enter an inconsistent state
 where seeking is attempted on a stream without proper index
 initialization.
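 To show the guard that the crashing access lacks, here is an added example (not libav's code) with a simplified binary search over a stream's index entries; the `IndexEntry`/`Stream` types, the `seek_index_checked` function and the sample data are all constructed for this example:

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the stream index structures (constructed for this
 * example, not libavformat's definitions). */
typedef struct IndexEntry { int64_t pos; int64_t timestamp; } IndexEntry;
typedef struct Stream {
    IndexEntry *index_entries;  /* NULL when the demuxer built no index */
    int nb_index_entries;
} Stream;

#define SEEK_ERR_NO_INDEX (-2)  /* stream has no usable index */

/* Binary search for the last entry whose timestamp <= target_ts.
 * The guard on the first line is what the crash in this ticket lacks:
 * with index_entries == NULL, &st->index_entries[index] is formed from a
 * NULL base and the load of the entry's fields faults. */
int seek_index_checked(const Stream *st, int64_t target_ts)
{
    if (!st || !st->index_entries || st->nb_index_entries <= 0)
        return SEEK_ERR_NO_INDEX;
    int lo = 0, hi = st->nb_index_entries - 1, best = -1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        const IndexEntry *e = &st->index_entries[mid];
        if (e->timestamp <= target_ts) { best = mid; lo = mid + 1; }
        else                            hi = mid - 1;
    }
    return best;  /* -1 when every entry is later than target_ts */
}

/* Constructed sample: a stream whose demuxer never populated an index,
 * the state the misdetected MPEG file in this report leaves behind. */
int demo_seek_without_index(int64_t target_ts)
{
    Stream st = { NULL, 0 };
    return seek_index_checked(&st, target_ts);
}

/* Constructed sample: a five-entry index with timestamps 0..12000. */
int demo_seek_with_index(int64_t target_ts)
{
    IndexEntry entries[] = {
        { 0, 0 }, { 100, 3000 }, { 200, 6000 }, { 300, 9000 }, { 400, 12000 },
    };
    Stream st = { entries, 5 };
    return seek_index_checked(&st, target_ts);
}
```

 With the guard, a seek on an index-less stream returns an error the caller can turn into a failed seek instead of a SIGSEGV.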


 ## POC File:
 The malformed file is available at `/workspace/POC/POC_libav_avconv_segfault_mpeg_seek` (https://drive.google.com/file/d/1CX1GZUyJVzyDDGLVa8FG58XUt_30kHKT/view?usp=sharing).
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11681>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker