Heap buffer overflow (WRITE) in 2.2.0-git-800-ga8f7d9fa
There is an 8-byte heap buffer overflow (write) in the latest nightly when opening a specially crafted AVI file with Ogg sound. The faulting line (demux/ogg.c:1058, quoted below) stores a block pointer into `p_stream->p_prepcr_blocks` at index `i_prepcr_blocks++` with no bounds check visible on that line, so an 8-byte out-of-bounds write is consistent with one pointer-sized element being appended past the end of that array. Because the trigger is an attacker-supplied media file, this should be treated as heap memory corruption reachable from untrusted input, not merely a crash.
#7 0x00007fffdff4b0eb in Ogg_SendOrQueueBlocks (p_demux=0x60280000f858, p_stream=0x60480004e680, p_block=0x60440003ed80) at demux/ogg.c:1058
1058 p_stream->p_prepcr_blocks[p_stream->i_prepcr_blocks++] = p_block;
Relevant frames from `bt full` (the 0x60xx... heap addresses look like an AddressSanitizer-instrumented build — confirm when reproducing):
#7 0x00007fffdff4b0eb in Ogg_SendOrQueueBlocks (p_demux=0x60280000f858, p_stream=0x60480004e680, p_block=0x60440003ed80) at demux/ogg.c:1058
p_ogg = 0x60220002f200
__PRETTY_FUNCTION__ = "Ogg_SendOrQueueBlocks"
#8 0x00007fffdff4e1ff in Ogg_DecodePacket (p_demux=0x60280000f858, p_stream=0x60480004e680, p_oggpacket=0x7fffe9676520) at demux/ogg.c:1412
p_block = 0x60440003ed80
b_selected = true
i_header_len = 1
#9 0x00007fffdff45c93 in Demux (p_demux=0x60280000f858) at demux/ogg.c:488
p_stream = 0x60480004e680
i_pagestamp = 140737285092525
p_sys = 0x60220002f200
oggpacket = {
packet = 0x608200012c48 " E\217", '\377' <repeats 19 times>, "\360\333", '\377' <repeats 24 times>, "\373Y\033\063[\355k\377\177^\021\002\b\306H\324%tY\254e\375\017i\340B\a\257\306\\EH\230\242\202\177\277\256+!\030$\262\066h\320 %\330%\256\255\242+\302\006\005\331#Ys\211\201%\020\250,L\232zF\003\205\214\256\224)\364\226PҼ\215a8\231\030\026\177>\254s\241", bytes = 975, b_o_s = 0, e_o_s = 0, granulepos = 2, packetno = 3}
i_stream = 0
b_skipping = false
b_canseek = true
i_active_streams = 0
__PRETTY_FUNCTION__ = "Demux"
i_pcr_candidate = 1102416563
#10 0x00007fffdff44052 in Open (p_this=0x60280000f858) at demux/ogg.c:245
p_demux = 0x60280000f858
p_sys = 0x60220002f200
p_peek = 0x7fffe7d22800 "OggS"
#11 0x00007ffff3ea4bb9 in generic_start (func=0x7fffdff43ae8 <Open>, ap=0x7fffe9676730) at modules/modules.c:351
obj = 0x60280000f858
activate = 0x7fffdff43ae8 <Open>
#12 0x00007ffff3ea3f97 in module_load (obj=0x60280000f858, m=0x601a0000ac80, init=0x7ffff3ea4aa6 <generic_start>, args=0x7fffe9676880) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe96769f0, reg_save_area = 0x7fffe9676920}}
ret = 0
#13 0x00007ffff3ea465a in vlc_module_load (obj=0x60280000f858, capability=0x7ffff3f52500 "demux", name=0x60040003e733 "", strict=true, probe=0x7ffff3ea4aa6 <generic_start>)
at modules/modules.c:277
cand = 0x601a0000ac80
ret = -1
i = 15
buf = "any\000\000\000\000\000\300\374\002\000&`\000\000\020\375\002\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe96768c0 "any"
var = 0x0
mods = 0x60360002fd00
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe96769f0, reg_save_area = 0x7fffe9676920}}
__PRETTY_FUNCTION__ = "vlc_module_load"