GNOME Bugzilla – Bug 399342
[mpeg2dec] crash in libmpeg2 with specially crafted .m2v file
Last modified: 2007-03-08 14:05:57 UTC
Hi, Sam Hocevar reported three different issues with GStreamer 0.10 modules in Debian bug http://bugs.debian.org/407004. The bugs were discovered with the help of a new media file fuzzer, "zzuf", which is available from http://sam.zoy.org/zzuf/. This particular bug is about the hang that happens when trying to play http://sam.zoy.org/zzuf/lol-gstreamer.m2v. This results in a segfault, obviously during MPEG2 decoding, but I couldn't get a clean backtrace:
Thread 4 (Thread -1238971472 (LWP 1146))
This is with plugins-ugly 0.10.5, plugins-base 0.10.11, and GStreamer 0.10.11. Bye,
Stack trace against libmpeg2 CVS from today:

Program received signal SIGSEGV, Segmentation fault.
mpeg2_init_fbuf (decoder=0x813a840, current_fbuf=0x0, forward_fbuf=0x813ec40, backward_fbuf=0x813ec30) at slice.c:1600
1600        decoder->picture_dest[0] = current_fbuf[0] + offset;
(gdb) print current_fbuf[0]
Cannot access memory at address 0x0
(gdb) bt
Anyone know if this is our fault or libmpeg2dec's? (Also - regarding the security keyword - is a NULL dereference actually exploitable?)
Re: security: It's at least a DoS. :-)
Concerning upstream-ness, I asked Sam Hocevar who is the current upstream for libmpeg2, and he said this is a libmpeg2 issue, not a GStreamer issue. He prefers tracking the issue in the Debian bug tracker as he is co-maintaining the Debian packages with me there; hence, I'll reassign Debian bug 407004 to libmpeg2.
Err, Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407922, sorry.
Okay, will close this as NOTGNOME then. Thanks for following this up.
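Added illustration for the crash site discussed above (hypothetical code, not libmpeg2's or GStreamer's own): a simplified model of the state touched at slice.c:1600 with a hardened counterpart of the faulting assignment, which rejects a NULL or partially allocated frame buffer instead of dereferencing it. The struct layout, error codes, plane arrays and demo_* helpers are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the state touched at slice.c:1600; names
 * mirror the backtrace, but this is not libmpeg2's own code. */
typedef struct {
    uint8_t *picture_dest[3];   /* output planes (Y, Cb, Cr) of the picture */
    uint8_t *const *forward;    /* reference frames used for prediction */
    uint8_t *const *backward;
} decoder_t;
enum { FBUF_OK = 0, FBUF_ENULL = -1, FBUF_EPLANE = -2 };

/* Usable only if the array pointer and all three plane pointers are non-NULL. */
static int fbuf_valid(uint8_t *const fb[3]) {
    if (fb == NULL) return 0;
    for (int i = 0; i < 3; i++)
        if (fb[i] == NULL) return 0;
    return 1;
}

/* Hardened counterpart of the faulting line
 *     decoder->picture_dest[0] = current_fbuf[0] + offset;
 * A mangled stream can leave current_fbuf unset; refuse and let the caller drop
 * the picture instead of dereferencing it (one offset for all planes: simplified). */
static int init_fbuf_checked(decoder_t *d, uint8_t *const current[3],
                             uint8_t *const forward[3],
                             uint8_t *const backward[3], size_t offset) {
    if (current == NULL) return FBUF_ENULL;
    if (!fbuf_valid(current) || !fbuf_valid(forward) || !fbuf_valid(backward))
        return FBUF_EPLANE;
    for (int i = 0; i < 3; i++)
        d->picture_dest[i] = current[i] + offset;
    d->forward = forward;
    d->backward = backward;
    return FBUF_OK;
}

/* Constructed inputs: three tiny planes stand in for a decoded frame. */
static uint8_t y[64], cb[16], cr[16];
static uint8_t *good_fbuf[3] = { y, cb, cr };
static uint8_t *bad_fbuf[3]  = { y, NULL, cr };  /* one plane never allocated */
/* The call shape from the backtrace (current_fbuf == 0x0), now non-fatal. */
static int demo_fuzzed_call(void)   { decoder_t d = {0}; return init_fbuf_checked(&d, NULL,      good_fbuf, good_fbuf, 8); }
static int demo_missing_plane(void) { decoder_t d = {0}; return init_fbuf_checked(&d, bad_fbuf,  good_fbuf, good_fbuf, 8); }
static int demo_good_call(void)     { decoder_t d = {0}; return init_fbuf_checked(&d, good_fbuf, good_fbuf, good_fbuf, 8); }

int main(void) {
    printf("fuzzed=%d missing_plane=%d good=%d\n", demo_fuzzed_call(), demo_missing_plane(), demo_good_call());
    return 0;
}
```

With the check in place the fuzzed input degrades to a dropped picture and an error return rather than a SIGSEGV, which is the difference between a recoverable decode error and the denial of service noted in the thread.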