Stack buffer overflow in av_parsers.c #997

Closed
@gsingh93

Description

The stack buffer overflow occurs here:

```c
/* poc_cycle_length is read straight from the bitstream (bs_get_ue returns a u32)
 * and is never compared against the size of offset_for_ref_frame (256 entries),
 * so the loop below can write past the end of the array. */
sps->poc_cycle_length = bs_get_ue(bs);
for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
```

I don't know exactly how bs_get_ue works, but it seems to return a u32. The size of offset_for_ref_frame is only 256 entries, so we can get this to overflow. The sps variable is a stack variable that comes from a parent function, for example in avcc_Read.

Using this bug, I can craft an MP4 file that can overwrite anything above this variable in the stack, such as other fields in AVC_SPS, stack variables, etc.
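The following is an added, self-contained C example (not GPAC's code and not the reporter's) showing what the missing check looks like. The bit reader, the exp-Golomb decoders `br_ue`/`br_se` (stand-ins for the page's `bs_get_ue`/`bs_get_se`), the `sps_poc_t` struct and `parse_poc_cycle` are all hypothetical names chosen for this example; the 256-entry array size comes from the report, and the upper bound of 255 is the range H.264 assigns to `num_ref_frames_in_pic_order_cnt_cycle`. The sample bitstreams are constructed by hand, not taken from any real file. The hardened parser rejects an out-of-range count before the loop runs and also reports truncated input instead of reading past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define POC_CYCLE_MAX 255                 /* H.264 bound; array below holds 256 */

typedef struct {
    const uint8_t *data;
    size_t len;                           /* length in bytes */
    size_t pos;                           /* read position in bits */
} bitreader_t;

/* Returns the next bit, or -1 when the buffer is exhausted. */
static int br_bit(bitreader_t *br) {
    if (br->pos >= br->len * 8) return -1;
    int b = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return b;
}

/* Unsigned exp-Golomb (ue(v)): count leading zeros n, read n bits, value = 2^n - 1 + bits.
 * Returns 0 on success, -1 on truncated or malformed input. */
static int br_ue(bitreader_t *br, uint32_t *out) {
    int zeros = 0, b;
    while ((b = br_bit(br)) == 0) {
        if (++zeros > 31) return -1;      /* cannot be represented in 32 bits */
    }
    if (b < 0) return -1;
    uint32_t v = 0;
    for (int i = 0; i < zeros; i++) {
        b = br_bit(br);
        if (b < 0) return -1;
        v = (v << 1) | (uint32_t)b;
    }
    *out = ((1u << zeros) - 1) + v;
    return 0;
}

/* Signed exp-Golomb (se(v)): k odd -> (k+1)/2, k even -> -(k/2). */
static int br_se(bitreader_t *br, int32_t *out) {
    uint32_t k;
    if (br_ue(br, &k)) return -1;
    *out = (k & 1) ? (int32_t)((k + 1) / 2) : -(int32_t)(k / 2);
    return 0;
}

typedef struct {
    uint32_t poc_cycle_length;
    int32_t offset_for_ref_frame[256];    /* same fixed size as in the report */
} sps_poc_t;

/* Hardened version of the loop from the report.
 * Returns 0 on success, -1 on truncated input, -2 when the count exceeds the array. */
int parse_poc_cycle(const uint8_t *buf, size_t len, sps_poc_t *sps) {
    bitreader_t br = { buf, len, 0 };
    uint32_t n;
    if (br_ue(&br, &n)) return -1;
    if (n > POC_CYCLE_MAX) return -2;     /* the bound check the original lacks */
    sps->poc_cycle_length = n;
    for (uint32_t i = 0; i < n; i++) {
        if (br_se(&br, &sps->offset_for_ref_frame[i])) return -1;
    }
    return 0;
}

/* Constructed sample bitstreams (hand-encoded, not from a real MP4):
 *   SAMPLE_OK:        ue(2), se(1), se(-2)  -> bits 011 010 00101, zero-padded
 *   SAMPLE_TOO_MANY:  ue(300)               -> 8 zeros, then 100101101
 *   SAMPLE_TRUNCATED: ue(2) followed by too few bits for the two offsets */
static const uint8_t SAMPLE_OK[]        = { 0x68, 0xA0 };
static const uint8_t SAMPLE_TOO_MANY[]  = { 0x00, 0x96, 0x80 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x60 };

int main(void) {
    sps_poc_t sps;
    printf("ok:        rc=%d\n", parse_poc_cycle(SAMPLE_OK, sizeof SAMPLE_OK, &sps));
    printf("too many:  rc=%d\n", parse_poc_cycle(SAMPLE_TOO_MANY, sizeof SAMPLE_TOO_MANY, &sps));
    printf("truncated: rc=%d\n", parse_poc_cycle(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &sps));
    return 0;
}
```

The important property is that the count is validated before it is used as a loop bound: with the check in place, a stream carrying a count of 300 is rejected with `-2` and nothing is written into `offset_for_ref_frame` at all, whereas the original code would already have written 44 entries past the end of the array before the loop finished.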
