#123(FFplay:new): Fuzzed sample crashes ffplay
#123: Fuzzed sample crashes ffplay
----------------------+---------------------
 Reporter:  cehoyos   |  Owner:  michael
     Type:  defect    |  Status:  new
 Priority:  normal    |  Component:  FFplay
  Version:  git       |  Keywords:
 Blocked By:          |  Blocking:
 Reproduced:  0       |  Analyzed:  0
----------------------+---------------------
 The sample from ticket #74 now crashes ffplay, no useful backtrace, valgrind
 shows some invalid reads.
 {{{
 $ valgrind ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
 ==14017== Memcheck, a memory error detector
 ==14017== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
 ==14017== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
 ==14017== Command: ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
 ==14017==
 ffplay version git-N-29391-gd84f191, Copyright (c) 2003-2011 the FFmpeg developers
   built on Apr 26 2011 20:33:16 with gcc 4.5.2
   configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
   libavutil    51.  0. 0 / 51.  0. 0
   libavcodec   53.  1. 0 / 53.  1. 0
   libavformat  53.  0. 3 / 53.  0. 3
   libavdevice  53.  0. 0 / 53.  0. 0
   libavfilter   2.  0. 0 /  2.  0. 0
   libswscale    0. 13. 0 /  0. 13. 0
 ...
 Input #0, mpegvideo, from 'crash_pirateszz_2_s25_r003.fuzz.sample':
   Duration: 00:00:08.35, bitrate: 9800 kb/s
     Stream #0.0: Video: mpeg2video (4:2:2), yuv420p, 720x4576 [PAR 4576:405 DAR 16:9], 9800 kb/s, 17.53 fps, 3.33 tbr, 1200k tbn, 6.66 tbc
 ...
 ==14017== Invalid read of size 1
 ==14017==    at 0x644C138: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
 ==14017==  Address 0xf02292f is not stack'd, malloc'd or (recently) free'd
 ==14017==
 ==14017== Invalid read of size 1
 ==14017==    at 0x644C142: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
 ==14017==  Address 0xf02292e is not stack'd, malloc'd or (recently) free'd
 ==14017==
 ==14017== Invalid read of size 1
 ==14017==    at 0x644C14B: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
 ==14017==  Address 0xf02292d is not stack'd, malloc'd or (recently) free'd
 ==14017==
 ==14017== Invalid read of size 1
 ==14017==    at 0x644C154: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
 ==14017==  Address 0xf02292c is not stack'd, malloc'd or (recently) free'd
 ==14017==
 }}}

--
Ticket URL: <https://avcodec.org/trac/ffmpeg/ticket/123>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
#123: Fuzzed sample crashes ffplay
--------------------+----------------------
 Reporter:  cehoyos |  Owner:  michael
     Type:  defect  |  Status:  open
 Priority:  normal  |  Component:  FFplay
  Version:  git     |  Resolution:
 Keywords:          |  Blocked By:
 Blocking:          |  Reproduced:  0
 Analyzed:  0       |
--------------------+----------------------
Changes (by michael):

 * status:  new => open

Comment:

 I'd guess SDL bug, but I could be wrong, mplayer crashes too
 {{{
 ==21084== Invalid write of size 8
 ==21084==    at 0x4C2A33A: memcpy (mc_replace_strmem.c:635)
 ==21084==    by 0x974550: av_image_copy (string3.h:52)
 ==21084==    by 0x68E640: av_picture_copy (imgconvert.c:669)
 ==21084==    by 0x437E2B: video_thread (ffplay.c:1404)
 ==21084==    by 0x5129874: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
 ==21084==    by 0x516C048: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
 ==21084==    by 0x66E9D8B: start_thread (pthread_create.c:304)
 ==21084==    by 0x69E704C: clone (clone.S:112)
 ==21084==  Address 0xe618108 is not stack'd, malloc'd or (recently) free'd
 }}}

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:1>
#123: Fuzzed sample crashes ffplay
--------------------+----------------------
 Reporter:  cehoyos |  Owner:  michael
     Type:  defect  |  Status:  open
 Priority:  normal  |  Component:  FFplay
  Version:  git     |  Resolution:
 Keywords:          |  Blocked By:
 Blocking:          |  Reproduced:  0
 Analyzed:  0       |
--------------------+----------------------

Comment (by cehoyos):

 mplayer -vo sdl does not crash for me, but I was able to produce a
 backtrace with ffplay:
 {{{
 (gdb) r crash_pirateszz_2_s25_r003.fuzz.sample
 ffplay version git-N-30584-gd58ed64, Copyright (c) 2003-2011 the FFmpeg developers
   built on Jun  7 2011 01:57:06 with gcc 4.5.3
   configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc --enable-gpl
   libavutil    51.  6. 1 / 51.  6. 1
   libavcodec   53.  6. 1 / 53.  6. 1
   libavformat  53.  2. 0 / 53.  2. 0
   libavdevice  53.  1. 1 / 53.  1. 1
   libavfilter   2. 14. 0 /  2. 14. 0
   libswscale    0. 14. 1 /  0. 14. 1
   libpostproc  51.  2. 0 / 51.  2. 0
 ...
 [mpeg2video @ 0x13286c0] slice below image (57 >= 30)
 [mpeg2video @ 0x13286c0] ignoring pic cod ext after 0
 [mpeg2video @ 0x13286c0] slice below image (67 >= 30)
 [mpeg2video @ 0x13286c0] warning: first frame is no keyframe
 [mpeg2video @ 0x13286c0] slice mismatch
 [mpeg2video @ 0x13286c0] invalid mb type in P Frame at 51 2
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 3
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 5
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 8
 [mpeg2video @ 0x13286c0] ac-tex damaged at 14 9
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 16
 [mpeg2video @ 0x13286c0] ac-tex damaged at 1 18
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 20
 [mpeg2video @ 0x13286c0] slice below image (53 >= 30)
 [mpeg2video @ 0x13286c0] slice mismatch
 [mpeg2video @ 0x13286c0] slice below image (70 >= 30)
 [mpeg2video @ 0x13286c0] matrix damaged
 [mpeg2video @ 0x13286c0] sequence header damaged
 [mpeg2video @ 0x13286c0] Warning MVs not available
 [mpeg2video @ 0x13286c0] concealing 9030 DC, 9030 AC, 9030 MV errors
    3.19 A-V:  0.000 s:0.2 aq=    0KB vq=   69KB sq=    0B f=0/8
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7ffff43f4910 (LWP 8473)]
 0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
 (gdb) bt
 #0  0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
 #1  0x0000000000970e6f in av_image_copy_plane (height=151, bytewidth=720, src_linesize=4816, src=<value optimized out>, dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:238
 #2  av_image_copy (height=151, bytewidth=720, src_linesize=4816, src=<value optimized out>, dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:271
 #3  0x000000000066b931 in av_picture_copy (dst=<value optimized out>, src=<value optimized out>, pix_fmt=<value optimized out>, width=<value optimized out>, height=<value optimized out>) at libavcodec/imgconvert.c:669
 #4  0x000000000040961b in queue_picture (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840, is=0x7ffff4bf6040) at ffplay.c:1403
 #5  video_thread (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840, is=0x7ffff4bf6040) at ffplay.c:1790
 #6  0x00007ffff766a3b5 in ?? () from /usr/lib64/libSDL-1.2.so.0
 #7  0x00007ffff76ad539 in ?? () from /usr/lib64/libSDL-1.2.so.0
 #8  0x00007ffff744065d in start_thread () from /lib64/libpthread.so.0
 #9  0x00007ffff6b35ecd in clone () from /lib64/libc.so.6
 #10 0x0000000000000000 in ?? ()
 (gdb) disass $pc-32 $pc+32
 Dump of assembler code from 0x7ffff6ae4702 to 0x7ffff6ae4742:
    0x00007ffff6ae4702 <memcpy+178>:     nopw   %cs:0x0(%rax,%rax,1)
    0x00007ffff6ae4710 <memcpy+192>:     cmp    $0x400,%rdx
    0x00007ffff6ae4717 <memcpy+199>:     ja     0x7ffff6ae4790 <memcpy+320>
    0x00007ffff6ae4719 <memcpy+201>:     mov    %edx,%ecx
    0x00007ffff6ae471b <memcpy+203>:     shr    $0x5,%ecx
    0x00007ffff6ae471e <memcpy+206>:     je     0x7ffff6ae4780 <memcpy+304>
    0x00007ffff6ae4720 <memcpy+208>:     dec    %ecx
    0x00007ffff6ae4722 <memcpy+210>:     mov    (%rsi),%rax
    0x00007ffff6ae4725 <memcpy+213>:     mov    0x8(%rsi),%r8
    0x00007ffff6ae4729 <memcpy+217>:     mov    0x10(%rsi),%r9
    0x00007ffff6ae472d <memcpy+221>:     mov    0x18(%rsi),%r10
    0x00007ffff6ae4731 <memcpy+225>:     mov    %rax,(%rdi)
    0x00007ffff6ae4734 <memcpy+228>:     mov    %r8,0x8(%rdi)
    0x00007ffff6ae4738 <memcpy+232>:     mov    %r9,0x10(%rdi)
    0x00007ffff6ae473c <memcpy+236>:     mov    %r10,0x18(%rdi)
    0x00007ffff6ae4740 <memcpy+240>:     lea    0x20(%rsi),%rsi
 End of assembler dump.
 (gdb) info register
 rax            0x7ffff1c00d50   140737249283408
 rbx            0x2d0            720
 rcx            0x15             21
 rdx            0x2d0            720
 rsi            0x7fffec1f3d90   140737154858384
 rdi            0x7ffff1c00d50   140737249283408
 rbp            0x96             0x96
 rsp            0x7ffff43f3e88   0x7ffff43f3e88
 r8             0x0              0
 r9             0x0              0
 r10            0x0              0
 r11            0x2d0            720
 r12            0x7fffec1f5060   140737154863200
 r13            0x7ffff1c01020   140737249284128
 r14            0x12d0           4816
 r15            0x2d0            720
 rip            0x7ffff6ae4722   0x7ffff6ae4722 <memcpy+210>
 eflags         0x10203          [ CF IF RF ]
 cs             0x33             51
 ss             0x2b             43
 ds             0x0              0
 es             0x0              0
 fs             0x0              0
 gs             0x0              0
 fctrl          0x37f            895
 fstat          0x0              0
 ftag           0xffff           65535
 fiseg          0x0              0
 fioff          0x0              0
 foseg          0x0              0
 fooff          0x0              0
 fop            0x0              0
 mxcsr          0x1fa0           [ PE IM DM ZM OM UM PM ]
 }}}

--
Ticket URL: <https://avcodec.org/trac/ffmpeg/ticket/123#comment:2>
#123: Fuzzed sample crashes ffplay
---------------------------------+-----------------------------------
 Reporter:  cehoyos              |  Owner:  michael
     Type:  defect               |  Status:  closed
 Priority:  normal               |  Component:  FFplay
  Version:  git                  |  Resolution:  fixed
 Keywords:                       |  Blocked By:
 Blocking:                       |  Reproduced by developer:  0
 Analyzed by developer:  0       |
---------------------------------+-----------------------------------
Changes (by cus):

 * status:  open => closed
 * resolution:   => fixed

Comment:

 Fixed in latest git master. Crash was caused by changing resolution and
 pixel format.

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:3>
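The failure mode cus names (a decoded frame copied into a display buffer that was allocated for a different resolution and pixel format) as an added C example, not FFmpeg's or ffplay's own code: the unchecked row copy beside a caller that revalidates geometry before every copy. `Plane`, `copy_plane_unchecked`, `queue_picture_checked` and `demo_resolution_change` are hypothetical names; the 720x30 buffer and the 720x151 frame with linesize 4816 are constructed to mirror the numbers in the backtrace above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-bit image plane: stands in for the decoded frame and for the
 * display buffer it is copied into. */
typedef struct { int width, height, linesize, pix_fmt; uint8_t *data; } Plane;

/* Row copy in the spirit of av_image_copy_plane(): it trusts the caller that
 * dst holds `height` rows of `bytewidth` bytes, so a buffer sized for an
 * earlier, smaller frame is overrun, which is what the backtrace shows. */
static void copy_plane_unchecked(uint8_t *dst, int dst_linesize,
                                 const uint8_t *src, int src_linesize,
                                 int bytewidth, int height)
{
    for (int i = 0; i < height; i++, dst += dst_linesize, src += src_linesize)
        memcpy(dst, src, (size_t)bytewidth);
}

/* Mitigation: compare geometry and pixel format before every copy and
 * reallocate on any mismatch. Returns 1 if reallocated, 0 if reused, -1 on OOM. */
int queue_picture_checked(Plane *dst, const Plane *src)
{
    int reallocated = 0;
    if (!dst->data || dst->width != src->width || dst->height != src->height ||
        dst->pix_fmt != src->pix_fmt) {
        uint8_t *p = realloc(dst->data, (size_t)src->width * src->height);
        if (!p)
            return -1;
        *dst = (Plane){ src->width, src->height, src->width, src->pix_fmt, p };
        reallocated = 1;
    }
    copy_plane_unchecked(dst->data, dst->linesize, src->data, src->linesize,
                         src->width, src->height);
    return reallocated;
}

/* Constructed scenario mirroring the backtrace: buffer sized for 720x30, then
 * a 720x151 frame with linesize 4816 and another pixel format arrives.
 * Returns 1 when the copy was preceded by a reallocation and landed intact. */
int demo_resolution_change(void)
{
    Plane dst = { 720, 30, 720, 0, calloc(720 * 30, 1) };
    Plane src = { 720, 151, 4816, 1, malloc(4816 * 151) };
    memset(src.data, 0xAB, 4816 * 151);
    int ok = queue_picture_checked(&dst, &src) == 1 && dst.height == 151 &&
             dst.data[720 * 151 - 1] == 0xAB;
    ok = ok && queue_picture_checked(&dst, &src) == 0; /* same geometry: reused */
    free(dst.data); free(src.data);
    return ok;
}
```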
#123: Fuzzed sample crashes ffplay
---------------------------------+------------------------------------
 Reporter:  cehoyos              |  Owner:  michael
     Type:  defect               |  Status:  reopened
 Priority:  normal               |  Component:  FFplay
  Version:  git                  |  Resolution:
 Keywords:                       |  Blocked By:
 Blocking:                       |  Reproduced by developer:  0
 Analyzed by developer:  0       |
---------------------------------+------------------------------------
Changes (by cehoyos):

 * status:  closed => reopened
 * resolution:  fixed =>

Comment:

 I still get a crash with ffplay with current git master (but no invalid
 access with ffmpeg -f null), unfortunately without a useful backtrace...
 {{{
 ==18325== Invalid write of size 1
 ==18325==    at 0x40245A7: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
 ==18325==    by 0x8747A68: av_image_copy_plane (imgutils.c:239)
 ==18325==    by 0x8747C22: av_image_copy (imgutils.c:273)
 ==18325==    by 0x838356B: av_picture_copy (imgconvert.c:524)
 ==18325==    by 0x804F8EE: queue_picture (ffplay.c:1446)
 ==18325==    by 0x80506EF: video_thread (ffplay.c:1749)
 ==18325==    by 0x40543DA: (within /usr/lib/libSDL-1.2.so.0.11.1)
 ==18325==    by 0x40A22DC: (within /usr/lib/libSDL-1.2.so.0.11.1)
 ==18325==    by 0x40DE191: start_thread (in /lib/libpthread-2.6.1.so)
 ==18325==    by 0x420502D: clone (in /lib/libc-2.6.1.so)
 ==18325==  Address 0xA5460CF is not stack'd, malloc'd or (recently) free'd
 }}}

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:4>
#123: Fuzzed sample crashes ffplay
---------------------------------+------------------------------------
 Reporter:  cehoyos              |  Owner:  michael
     Type:  defect               |  Status:  reopened
 Priority:  normal               |  Component:  FFplay
  Version:  git                  |  Resolution:
 Keywords:                       |  Blocked By:
 Blocking:                       |  Reproduced by developer:  0
 Analyzed by developer:  0       |
---------------------------------+------------------------------------

Comment (by michael):

 Can't reproduce any crash

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:5>
#123: Fuzzed sample crashes ffplay
---------------------------------+------------------------------------
 Reporter:  cehoyos              |  Owner:  michael
     Type:  defect               |  Status:  reopened
 Priority:  normal               |  Component:  FFplay
  Version:  git                  |  Resolution:
 Keywords:  leak                 |  Blocked By:
 Blocking:                       |  Reproduced by developer:  0
 Analyzed by developer:  0       |
---------------------------------+------------------------------------
Changes (by cehoyos):

 * keywords:   => leak

Comment:

 I still get invalid reads and memleaks with this sample.

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:6>
#123: Fuzzed sample crashes ffplay
---------------------------------+------------------------------------
 Reporter:  cehoyos              |  Owner:  michael
     Type:  defect               |  Status:  reopened
 Priority:  normal               |  Component:  FFplay
  Version:  git                  |  Resolution:
 Keywords:  leak                 |  Blocked By:
 Blocking:                       |  Reproduced by developer:  0
 Analyzed by developer:  0       |
---------------------------------+------------------------------------

Comment (by michael):

 The invalid reads look like valgrind bugs

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:7>
#123: Fuzzed sample crashes ffplay
---------------------------------+-----------------------------------
 Reporter:  cehoyos              |  Owner:  michael
     Type:  defect               |  Status:  closed
 Priority:  normal               |  Component:  FFplay
  Version:  git                  |  Resolution:  fixed
 Keywords:  leak                 |  Blocked By:
 Blocking:                       |  Reproduced by developer:  0
 Analyzed by developer:  0       |
---------------------------------+-----------------------------------
Changes (by cehoyos):

 * status:  reopened => closed
 * resolution:   => fixed

Comment:

 The invalid memory accesses with the fuzzed sample appear to be fixed; the
 memleaks are not reproducible with FFmpeg.

--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/123#comment:8>