mpv-player / mpv

🎥 Command line video player
https://mpv.io

AddressSanitizer: heap-buffer-overflow in filter_and_add sd_ass.c:379 #15086

Open forthrin opened 1 week ago

forthrin commented 1 week ago

mpv Information

mpv version: git-2024-10-06-7ca5fd2-dirty
FFmpeg version: git-2024-10-05-099f88b

Other Information

N/A

Reproduction Steps

https://github.com/mpv-player/mpv/blob/master/sub/sd_ass.c#L379

// Note: pkt is not necessarily a fully valid refcounted packet.
// static void filter_and_add(struct sd *sd, struct demux_packet *pkt)
pkt->animated = ctx->packets_animated[pkt->seen_pos]; // 379

Expected Behavior

No crash

Actual Behavior

Crash

Log File

crash.log

Sample Files

N/A

I carefully read all instructions and confirm that I did the following:

Akemi commented 1 week ago

@Dudemanguy any idea on this one. pinging you since you were the last one looking at that part of the code, i believe.

Dudemanguy commented 1 week ago

Not sure about this one. Seems like an obscure race of sorts? It looks like you manage to hit the redecode path while quitting, which shouldn't matter, but something is going wrong somewhere. The packet is detected as seen, which means it should have been added to ctx->packets_animated already, but it seems it wasn't and overflows. I tried some naive attempts at replicating redecoding while quitting and no dice.

Although we are probably redecoding packets more than necessary now that I look at this again.
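The invariant discussed above (a packet marked as seen must already have an entry in ctx->packets_animated at index seen_pos) is the one the reported overflow violates. The following is an added, self-contained C model of that pattern; it is not mpv's code, and the struct layout, field names other than packets_animated/seen_pos/animated, the helper functions and the "table reset while a packet keeps a stale seen_pos" scenario are all constructed for illustration. It shows the unguarded read the report points at, the bounds check that turns a silent heap read past the block into a detectable error, and how the guarded accessor behaves on both the normal redecode path and the stale one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model (not mpv's code): a subtitle decoder context that
 * records, for every packet filtered so far, whether it was animated.
 * packets_animated grows by one entry per newly seen packet, and the
 * packet's seen_pos is the index it was assigned at that moment. */
struct demux_packet {
    int64_t pts;
    bool animated;
    bool seen;
    int seen_pos;   /* index into ctx->packets_animated; meaningful only if seen */
};

struct sd_ctx {
    bool *packets_animated;
    int num_packets_animated;
    int cap_packets_animated;
};

enum lookup_result { LOOKUP_OK = 0, LOOKUP_NOT_SEEN = 1, LOOKUP_OUT_OF_RANGE = 2 };

/* Stand-in for real animation detection (constructed rule: odd pts = animated). */
static bool classify_animated(const struct demux_packet *pkt)
{
    return pkt->pts % 2 == 1;
}

/* First pass of a packet: append its flag and remember the slot it got. */
static int record_packet(struct sd_ctx *ctx, struct demux_packet *pkt)
{
    if (ctx->num_packets_animated == ctx->cap_packets_animated) {
        int newcap = ctx->cap_packets_animated ? ctx->cap_packets_animated * 2 : 4;
        bool *p = realloc(ctx->packets_animated, (size_t)newcap * sizeof(*p));
        if (!p)
            return -1;
        ctx->packets_animated = p;
        ctx->cap_packets_animated = newcap;
    }
    pkt->animated = classify_animated(pkt);
    pkt->seen_pos = ctx->num_packets_animated;
    ctx->packets_animated[ctx->num_packets_animated++] = pkt->animated;
    pkt->seen = true;
    return 0;
}

/* Redecode path. The unguarded form is simply
 *     pkt->animated = ctx->packets_animated[pkt->seen_pos];
 * which reads past the heap block whenever "seen => seen_pos < count" does
 * not hold. The guarded form makes that case an explicit error instead. */
static enum lookup_result lookup_animated(const struct sd_ctx *ctx,
                                          struct demux_packet *pkt)
{
    if (!pkt->seen)
        return LOOKUP_NOT_SEEN;
    if (pkt->seen_pos < 0 || pkt->seen_pos >= ctx->num_packets_animated)
        return LOOKUP_OUT_OF_RANGE;   /* this is where ASan would have fired */
    pkt->animated = ctx->packets_animated[pkt->seen_pos];
    return LOOKUP_OK;
}

/* Normal case: three packets recorded, the third redecoded. Returns 1 when
 * the lookup succeeds and restores the stored flag (pts=3 is "animated"). */
static int normal_redecode_ok(void)
{
    struct sd_ctx ctx = {0};
    struct demux_packet pkts[3] = {{.pts = 1}, {.pts = 2}, {.pts = 3}};
    for (int i = 0; i < 3; i++)
        record_packet(&ctx, &pkts[i]);
    pkts[2].animated = false;                 /* forget, then redecode */
    enum lookup_result r = lookup_animated(&ctx, &pkts[2]);
    int ok = (r == LOOKUP_OK) && pkts[2].animated;
    free(ctx.packets_animated);
    return ok;
}

/* Constructed failure scenario: the table is torn down while a packet still
 * carries seen=true and a stale seen_pos. Returns what the redecode path sees. */
static enum lookup_result stale_redecode_result(void)
{
    struct sd_ctx ctx = {0};
    struct demux_packet pkts[3] = {{.pts = 1}, {.pts = 2}, {.pts = 3}};
    for (int i = 0; i < 3; i++)
        record_packet(&ctx, &pkts[i]);
    free(ctx.packets_animated);               /* teardown drops the table ... */
    ctx.packets_animated = NULL;
    ctx.num_packets_animated = ctx.cap_packets_animated = 0;
    return lookup_animated(&ctx, &pkts[2]);   /* ... but pkts[2] still says seen */
}
```

The point of the model is that "seen" is a claim made by the packet about state held elsewhere; a read keyed on that claim needs to be checked against the table's current length, or the failure surfaces only as an out-of-bounds read under AddressSanitizer rather than as a diagnosable error.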

Dudemanguy commented 5 days ago

Not a fix but with #15094, the code path you took to trigger this crash won't happen anymore for the vast majority of files.