| Title | libav avconv 13 && the newest master Segmentation fault |
|---|
| Description | Segmentation fault in the binary seek function when processing malformed MPEG files, due to a null pointer dereference in the index_entries array access.
## How to reproduce:
```
% avconv -ss 0.1 -i /workspace/POC/POC_libav_avconv_segfault_mpeg_seek -f null -
avconv version 13_dev0, Copyright (c) 2000-2018 the Libav developers
built on Jul 19 2025 14:57:50 with Ubuntu clang version 16.0.6 (++20231112100510+7cbf1a259152-1~exp1~20231112100554.106)
configuration: --cc=/Fuzzer/OPA++/afl-clang-lto --extra-cflags= --prefix=/workspace/benchmark/program/libav-c464278-Apr16-2019/install --disable-shared --enable-static --disable-x86asm --disable-inline-asm
libavutil 56. 8. 0 / 56. 8. 0
libavcodec 58. 12. 1 / 58. 12. 1
libavformat 58. 2. 0 / 58. 2. 0
libavdevice 57. 0. 2 / 57. 0. 2
libavfilter 7. 1. 0 / 7. 1. 0
libavresample 4. 0. 0 / 4. 0. 0
libswscale 5. 0. 1 / 5. 0. 1
[mpeg @ 0x555557165800] Format detected only with low score of 25, misdetection possible!
[mpeg @ 0x555557165800] Could not find codec parameters (Video: [0][0][0][0] / 0x0000 none)
[mpeg @ 0x555557165800] start time is not set in estimate_timings_from_pts
Segmentation fault (core dumped)
```
## GDB Analysis:
```
Program received signal SIGSEGV, Segmentation fault.
0x0000555555bfd3aa in ff_seek_frame_binary (s=0x555557165800, stream_index=0, target_ts=9000, flags=1) at libavformat/utils.c:1289
1289 e = &st->index_entries[index];
#0 0x0000555555bfd3aa in ff_seek_frame_binary (s=0x555557165800, stream_index=0, target_ts=9000, flags=1) at libavformat/utils.c:1289
#1 0x0000555555bfea54 in seek_frame_internal (stream_index=<optimized out>, timestamp=9000, s=<optimized out>, flags=<optimized out>) at libavformat/utils.c:1556
#2 av_seek_frame (s=0x555557165800, stream_index=<optimized out>, timestamp=<optimized out>, flags=1) at libavformat/utils.c:1567
#3 0x00005555558705b6 in open_input_file (o=0x7fffffffd380, filename=0x7fffffffe071 "/workspace/POC/POC_libav_avconv_segfault_mpeg_seek") at avtools/avconv_opt.c:835
#4 0x0000555555873a5b in open_files (l=0x555557153098, inout=0x5555555d4d9a "input", open_file=0x55555586f940 <open_input_file>) at avtools/avconv_opt.c:2467
#5 0x0000555555893816 in avconv_parse_options (argc=<optimized out>, argv=<optimized out>) at avtools/avconv_opt.c:2504
#6 main (argc=<optimized out>, argv=<optimized out>) at avtools/avconv.c:2953
```
Disassembly around crash point:
```
0x0000555555bfd38a <ff_seek_frame_binary+794>: mov $0x11d70,%edx
0x0000555555bfd38f <ff_seek_frame_binary+799>: sub %r8d,%edx
0x0000555555bfd392 <ff_seek_frame_binary+802>: mov (%r11),%rsi
0x0000555555bfd395 <ff_seek_frame_binary+805>: movzbl (%rsi,%rdx,1),%r8d
0x0000555555bfd39a <ff_seek_frame_binary+810>: add $0x1,%r8b
0x0000555555bfd39e <ff_seek_frame_binary+814>: adc $0x0,%r8b
0x0000555555bfd3a2 <ff_seek_frame_binary+818>: mov %r8b,(%rsi,%rdx,1)
0x0000555555bfd3a6 <ff_seek_frame_binary+822>: lea (%rdi,%rdi,2),%rdx
=> 0x0000555555bfd3aa <ff_seek_frame_binary+826>: mov (%rax,%rdx,8),%rcx <-- CRASH HERE
0x0000555555bfd3ae <ff_seek_frame_binary+830>: mov 0x8(%rax,%rdx,8),%r8
```
## Root Cause:
The crash occurs in the ff_seek_frame_binary() function at libavformat/utils.c:1289 when it attempts to access:
```c
e = &st->index_entries[index];
```
The issue is that:
1. The file is detected as MPEG format with a low confidence score (25).
2. Codec parameters cannot be determined properly.
3. The stream's index_entries array is NULL.
4. The seek operation accesses index_entries[index] without a NULL check.
The malformed file causes the MPEG demuxer to enter an inconsistent state where seeking is attempted on a stream without proper index initialization.
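As an added illustration (not libav code and not part of this report), a simplified C model of the index lookup that ff_seek_frame_binary performs, with the empty-index guard whose absence the crash above demonstrates; IndexEntry, Stream, index_search_timestamp and seek_lower_bound are hypothetical names standing in for libav's own.

```c
#include <stddef.h>
#include <stdint.h>

#define SEEK_FLAG_BACKWARD 1

/* Hypothetical, simplified counterparts of AVIndexEntry and AVStream. */
typedef struct { int64_t pos; int64_t timestamp; } IndexEntry;
typedef struct { IndexEntry *index_entries; int nb_index_entries; } Stream;

/* Binary search over the (timestamp-sorted) index. With BACKWARD set it
 * returns the last entry with timestamp <= target, otherwise the first
 * entry with timestamp >= target. Returns -1 if the index is absent or
 * empty, or if no entry qualifies: this is the guard the crash lacks. */
int index_search_timestamp(const Stream *st, int64_t target, int flags)
{
    int a = -1, b = st->nb_index_entries, m;
    if (!st->index_entries || b <= 0)
        return -1;
    while (b - a > 1) {
        m = (a + b) >> 1;
        if (st->index_entries[m].timestamp > target) b = m; else a = m;
    }
    /* a: last entry with timestamp <= target; b: first entry after it */
    if (flags & SEEK_FLAG_BACKWARD)
        m = a;
    else
        m = (a >= 0 && st->index_entries[a].timestamp == target) ? a : b;
    return (m < 0 || m >= st->nb_index_entries) ? -1 : m;
}

/* Seek prologue: take the lower bound (pos_min, ts_min) for the file
 * search from the index. Reading index_entries[index] while
 * index_entries is NULL is the fault in the report; here the caller
 * gets -1 instead and must fall back to scanning the file. */
int seek_lower_bound(const Stream *st, int64_t target,
                     int64_t *pos_min, int64_t *ts_min)
{
    int index = index_search_timestamp(st, target, SEEK_FLAG_BACKWARD);
    if (index < 0)
        return -1;
    *pos_min = st->index_entries[index].pos;
    *ts_min  = st->index_entries[index].timestamp;
    return 0;
}
```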
## POC File:
The malformed file is available at /workspace/POC/POC_libav_avconv_segfault_mpeg_seek and at https://drive.google.com/file/d/1CX1GZUyJVzyDDGLVa8FG58XUt_30kHKT/view?usp=sharing |
| Field | Value |
|---|---|
| Source | https://trac.ffmpeg.org/ticket/11681 |
| User | Anonymous User |
| Submission | 07/24/2025 12:10 (11 months ago) |
| Moderation | 08/05/2025 10:57 (12 days later) |
| Status | Accepted |
| VulDB entry | 318819 [libav up to 12.3 MPEG File Parser /libavformat/utils.c ff_seek_frame_binary null pointer dereference] |
| Points | 20 |