[gstreamer-bugs] [Bug 399342] [mpeg2dec] crash in libmpeg2 with specially crafted .m2v file

GStreamer (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Thu Mar 8 05:17:22 PST 2007


Do not reply to this via email (we are currently unable to handle email
responses and they get discarded).  You can add comments to this bug at
http://bugzilla.gnome.org/show_bug.cgi?id=399342

  GStreamer | gst-plugins-ugly | Ver: 0.10.5


Tim-Philipp Müller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
            Summary|Crash in the libmpeg2 plugin|[mpeg2dec] crash in libmpeg2
                   |when trying to play a       |with specially crafted .m2v
                   |specially crafted MPEG 2    |file
                   |Video file                  |




------- Comment #1 from Tim-Philipp Müller  2007-03-08 13:15 UTC -------
Stack trace against libmpeg2 CVS from today:

Program received signal SIGSEGV, Segmentation fault.

mpeg2_init_fbuf (decoder=0x813a840, current_fbuf=0x0, forward_fbuf=0x813ec40,
backward_fbuf=0x813ec30) at slice.c:1600

1600        decoder->picture_dest[0] = current_fbuf[0] + offset;

(gdb) print current_fbuf[0]
Cannot access memory at address 0x0

(gdb) bt
#0  mpeg2_init_fbuf (decoder=0x813a840, current_fbuf=0x0,
forward_fbuf=0x813ec40, backward_fbuf=0x813ec30) at slice.c:1600
#1  0xb75789fb in mpeg2_header_slice_start (mpeg2dec=0x813a840) at header.c:923
#2  0xb756205e in mpeg2_parse (mpeg2dec=0x813a840) at decode.c:159
#3  0xb755f721 in gst_mpeg2dec_chain (pad=0x8120400, buf=0x8144ed0) at
gstmpeg2dec.c:985


Anyone know if this is our fault or libmpeg2dec's?

(Also - regarding the security keyword - is a NULL dereference actually
exploitable?)


-- 
Configure bugmail: http://bugzilla.gnome.org/userprefs.cgi?tab=email
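The trace above shows mpeg2_init_fbuf being reached from mpeg2_header_slice_start with current_fbuf == NULL, i.e. a slice start code is being decoded before any frame buffer has been installed for the current picture, and slice.c:1600 then reads through the NULL pointer. The following C program is added here as an illustration; it is not libmpeg2 or GStreamer code. It models that ordering with a toy decoder: a picture start code installs the buffer planes, a slice start code computes picture_dest from them. With checked == 0 it performs the raw pointer arithmetic from the crashing line and segfaults on the crafted ordering (slice before picture); with checked == 1 it refuses the slice and returns an error instead. The struct layout, the plane offsets, the helper names and the two sample streams are assumptions constructed for this example; only the start code values (picture 0x00, slices 0x01..0xAF) come from the MPEG-2 numbering.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PLANES 3

/* Hypothetical, simplified decoder state (not libmpeg2's real struct):
 * one "current" frame buffer that a picture header must install before
 * any slice is decoded into it. */
typedef struct {
    uint8_t *current_fbuf[PLANES];   /* NULL until a picture start code arrives */
    uint8_t *picture_dest[PLANES];
    int      have_picture;           /* set when a picture start code was seen */
} decoder_t;

/* Mirrors the crashing statement: picture_dest[i] = current_fbuf[i] + offset.
 * checked == 0: raw dereference, crashes when current_fbuf is NULL.
 * checked == 1: returns -1 instead of touching a NULL plane pointer. */
static int init_fbuf(decoder_t *d, size_t offset, int checked)
{
    for (int i = 0; i < PLANES; i++) {
        if (checked && d->current_fbuf[i] == NULL)
            return -1;
        d->picture_dest[i] = d->current_fbuf[i] + offset;
    }
    return 0;
}

/* MPEG-2 start code values (the byte after 00 00 01). */
enum { START_PICTURE = 0x00, START_SLICE_FIRST = 0x01, START_SLICE_LAST = 0xAF };

/* Decode a toy stream of start codes into 'frame'.
 * Returns the number of slices decoded, or -1 when a slice arrives with no
 * picture buffer and checked == 1 (the crafted .m2v case from the trace). */
int decode_stream(const uint8_t *codes, size_t n, uint8_t *frame, size_t frame_len,
                  int checked)
{
    decoder_t d;
    memset(&d, 0, sizeof d);
    int slices = 0;

    for (size_t i = 0; i < n; i++) {
        uint8_t c = codes[i];
        if (c == START_PICTURE) {
            /* picture header: install the three planes (assumed layout) */
            d.current_fbuf[0] = frame;
            d.current_fbuf[1] = frame + frame_len / 2;
            d.current_fbuf[2] = frame + frame_len * 3 / 4;
            d.have_picture = 1;
        } else if (c >= START_SLICE_FIRST && c <= START_SLICE_LAST) {
            /* slice start: the frame buffer must already exist */
            if (checked && !d.have_picture)
                return -1;
            if (init_fbuf(&d, 0, checked) != 0)
                return -1;
            slices++;
        }
        /* other start codes (sequence header, GOP, ...) are ignored here */
    }
    return slices;
}

/* Well-formed ordering (constructed): picture, then two slices -> 2. */
int demo_good(void)
{
    uint8_t frame[64];
    const uint8_t stream[] = { START_PICTURE, 0x01, 0x02 };
    return decode_stream(stream, sizeof stream, frame, sizeof frame, 1);
}

/* Crafted ordering (constructed): a slice with no preceding picture.
 * With checked == 1 this returns -1; with checked == 0 it would segfault
 * exactly like the trace above, so the unchecked path is not run here. */
int demo_crafted(void)
{
    uint8_t frame[64];
    const uint8_t stream[] = { 0x01 };
    return decode_stream(stream, sizeof stream, frame, sizeof frame, 1);
}

int main(void)
{
    printf("well-formed stream: %d slices\n", demo_good());
    printf("crafted stream (slice before picture): %d\n", demo_crafted());
    return 0;
}
```

The check belongs at the slice start, before any plane pointer is used: rejecting the slice (or dropping the picture) turns the crash into a recoverable decode error, which is the behaviour a media plugin wants when fed untrusted files.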
