
AddressSanitizer: heap-buffer-overflow in filter_and_add sd_ass.c:379 #15086

Open
6 tasks done
forthrin opened this issue Oct 14, 2024 · 3 comments

Comments

@forthrin

mpv Information

mpv version: git-2024-10-06-7ca5fd2-dirty
FFmpeg version: git-2024-10-05-099f88b

Other Information

N/A

Reproduction Steps

https://github.com/mpv-player/mpv/blob/master/sub/sd_ass.c#L379

// Note: pkt is not necessarily a fully valid refcounted packet.
// static void filter_and_add(struct sd *sd, struct demux_packet *pkt)
pkt->animated = ctx->packets_animated[pkt->seen_pos]; // 379

Expected Behavior

No crash

Actual Behavior

Crash

Log File

crash.log

Sample Files

N/A

I carefully read all instructions and confirm that I did the following:

  • I tested with the latest mpv version to validate that the issue is not already fixed.
  • I provided all required information including system and mpv version.
  • I produced the log file with the exact same set of files, parameters, and conditions used in "Reproduction Steps", with the addition of --log-file=output.txt.
  • I produced the log file while the behaviors described in "Actual Behavior" were actively observed.
  • I attached the full, untruncated log file.
  • I attached the backtrace in the case of a crash.
@Akemi
Member

Akemi commented Oct 14, 2024

@Dudemanguy any idea on this one. pinging you since you were the last one looking at that part of the code, i believe.

@Dudemanguy
Member

Dudemanguy commented Oct 14, 2024

Not sure about this one. Seems like an obscure race of sorts? It looks like you manage to hit the redecode path while quitting which shouldn't matter but something is going wrong somewhere. The packet is detected as seen which means it should have been added to ctx->packets_animated already but it seems it wasn't and overflows. I tried some naive attempts at replicating redecoding while quitting and no dice.

Although we are probably redecoding packets more than necessary now that I look at this again.
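The stale-index scenario described in the comment above, as an added example that is not mpv's code: a hypothetical model of the packets_animated cache (struct and function names are assumptions), where the unchecked read from line 379 is replaced by a lookup that refuses an index the array no longer covers and lets the caller re-decode instead.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model (not mpv's real structs) of the cache the thread describes:
 * a growable bool array indexed by the slot a packet was first seen at. */
struct anim_ctx { bool *packets_animated; int num_packets_animated; };
struct pkt { int seen_pos; bool animated; }; /* seen_pos < 0: never recorded */

/* First decode of a packet: append its result and remember the slot. */
static void record_packet(struct anim_ctx *ctx, struct pkt *p, bool animated)
{
    int n = ctx->num_packets_animated + 1;
    ctx->packets_animated = realloc(ctx->packets_animated, n * sizeof(bool));
    ctx->packets_animated[n - 1] = animated;
    p->seen_pos = n - 1;
    ctx->num_packets_animated = n;
}

/* Models the state the thread suspects: the cache is dropped (redecode or
 * shutdown) while packets still carry their old seen_pos. */
static void reset_cache(struct anim_ctx *ctx)
{
    free(ctx->packets_animated);
    ctx->packets_animated = NULL;
    ctx->num_packets_animated = 0;
}

/* Guarded form of "p->animated = ctx->packets_animated[p->seen_pos]".
 * A stale seen_pos is rejected instead of read past the buffer, so the
 * caller can fall back to re-decoding the packet. */
static bool lookup_animated(const struct anim_ctx *ctx, struct pkt *p)
{
    if (p->seen_pos < 0 || p->seen_pos >= ctx->num_packets_animated)
        return false;
    p->animated = ctx->packets_animated[p->seen_pos];
    return true;
}
/* Drives the stale-index scenario; true only if both the hit and the
 * rejection behave as intended. */
static bool stale_index_is_rejected(void)
{
    struct anim_ctx ctx = { NULL, 0 };
    struct pkt p = { -1, false };
    record_packet(&ctx, &p, true);
    bool ok_before = lookup_animated(&ctx, &p) && p.animated;
    reset_cache(&ctx); /* p.seen_pos is still 0 but the array is now empty */
    bool rejected = !lookup_animated(&ctx, &p);
    return ok_before && rejected;
}
```

Built with -fsanitize=address, replacing the guard with the unchecked read reproduces the same class of heap-buffer-overflow report as the one in the issue title.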

@Dudemanguy
Member

Not a fix but with #15094, the code path you took to trigger this crash won't happen anymore for the vast majority of files.
