[FFmpeg-devel] [BUG] on ff_parse with unknown constant
Ramiro Ribeiro Polla
ramiro
Sat Jun 16 02:37:31 CEST 2007
Hello,
ff_parse segfaults if it is passed an unknown constant. Apparently,
p->error is not checked for NULL before being written to: in the backtrace
below, frame #3 shows ff_parse was called with error=0x0, and the fault is
on the write `*p->error = "missing ("` in parse_primary.
ramiro at drake:/usrc/ffmpeg/build$ gdb --args ./ffmpeg_g -i test.mpg
-vhook 'vhook/imlib2.so -x unknown_constant' output.mpg
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db
library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r
Starting program: /export/usrc/ffmpeg/build/ffmpeg_g -i test.mpg -vhook
vhook/imlib2.so\ -x\ unknown_constant output.mpg
FFmpeg version SVN-r9329, Copyright (c) 2000-2007 Fabrice Bellard, et al.
configuration: --extra-cflags=-DX_DISPLAY_MISSING
libavutil version: 49.4.0
libavcodec version: 51.40.4
libavformat version: 51.12.1
built on Jun 15 2007 21:31:23, gcc: 4.0.3 (Ubuntu 4.0.3-1ubuntu5)
Input #0, mpeg, from 'test.mpg':
Duration: 00:00:45.8, start: 0.000000, bitrate: 541 kb/s
Stream #0.0[0x1e0]: Video: mpeg1video, yuv420p, 352x288, 104857 kb/s,
25.00 fps(r)
Stream #0.1[0x1c0]: Audio: mp2, 44100 Hz, stereo, 64 kb/s
Program received signal SIGSEGV, Segmentation fault.
0x08196981 in parse_primary (p=0xbfa1af20) at
/usrc/ffmpeg/src/libavcodec/eval.c:222
222 *p->error = "missing (";
(gdb) bt
#0 0x08196981 in parse_primary (p=0xbfa1af20) at
/usrc/ffmpeg/src/libavcodec/eval.c:222
#1 0x08196ffb in parse_factor (p=0xbfa1af20) at
/usrc/ffmpeg/src/libavcodec/eval.c:314
#2 0x081970bb in parse_expr (p=0xbfa1af20) at
/usrc/ffmpeg/src/libavcodec/eval.c:330
#3 0x0819747e in ff_parse (s=0x853f300 "", const_name=0x0, func1=0x0,
func1_name=0x0, func2=0x0, func2_name=0x0, error=0x0) at
/usrc/ffmpeg/src/libavcodec/eval.c:401
#4 0xb7f02391 in Configure (ctxp=0x0, argc=3, argv=0xbfa1b18c) at
/usrc/ffmpeg/src/vhook/imlib2.c:303
#5 0x0806b123 in frame_hook_add (argc=3, argv=0xbfa1b18c) at
/usrc/ffmpeg/src/libavformat/framehook.c:78
#6 0x08057f09 in add_frame_hooker (arg=0xbfa1bbb8 "vhook/imlib2.so -x
unknown_constant") at /usrc/ffmpeg/src/ffmpeg.c:2407
#7 0x0806154a in parse_options (argc=6, argv=0xbfa1b9d4,
options=0x835d1a0) at /usrc/ffmpeg/src/cmdutils.c:107
#8 0x0805e82a in main (argc=6, argv=0x0) at /usrc/ffmpeg/src/ffmpeg.c:3812
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8196961 to 0x81969a1:
0x08196961 <parse_primary+1183>: and %cl,0xc72442(%ebx)
0x08196967 <parse_primary+1189>: es
0x08196968 <parse_primary+1190>: enter $0x837,$0x8b
0x0819696c <parse_primary+1194>: inc %esp
0x0819696d <parse_primary+1195>: and $0x44,%al
0x0819696f <parse_primary+1197>: mov %eax,0x3c(%esp)
0x08196973 <parse_primary+1201>: test %eax,%eax
0x08196975 <parse_primary+1203>: jne 0x819699a
<parse_primary+1240>
0x08196977 <parse_primary+1205>: xor %eax,%eax
0x08196979 <parse_primary+1207>: jmp 0x819654e <parse_primary+140>
0x0819697e <parse_primary+1212>: mov 0x24(%ecx),%eax
0x08196981 <parse_primary+1215>: movl $0x837c81c,(%eax)
0x08196987 <parse_primary+1221>: mov 0x24(%esp),%edi
0x0819698b <parse_primary+1225>: mov %edi,0x4(%ecx)
0x0819698e <parse_primary+1228>: mov 0x18(%esp),%eax
0x08196992 <parse_primary+1232>: mov %eax,0x3c(%esp)
0x08196996 <parse_primary+1236>: test %eax,%eax
0x08196998 <parse_primary+1238>: je 0x8196977
<parse_primary+1205>
0x0819699a <parse_primary+1240>: mov 0x10(%eax),%eax
0x0819699d <parse_primary+1243>: mov %eax,(%esp)
0x081969a0 <parse_primary+1246>: call 0x8196355 <ff_eval_free>
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0xbfa1af20 -1079922912
edx 0x28282828 673720360
ebx 0x0 0
esp 0xbfa1ae40 0xbfa1ae40
ebp 0xb7f031e0 0xb7f031e0
esi 0x9 9
edi 0x0 0
eip 0x8196981 0x8196981 <parse_primary+1215>
eflags 0x210246 2163270
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 -nan(0xefefeeedebeae9e9) (raw 0xffffefefeeedebeae9e9)
st1 -nan(0xef00ef00ee00ed) (raw 0xffff00ef00ef00ee00ed)
st2 -nan(0xefefeeedebeae9e9) (raw 0xffffefefeeedebeae9e9)
st3 -nan(0xef00ef00ee00ed) (raw 0xffff00ef00ef00ee00ed)
st4 44.35564422607421875 (raw 0x4004b16c2e0000000000)
st5 0.02686046666666666643296160470882894 (raw
0x3ff9dc0a7b3c6fab4167)
st6 45880000 (raw 0x4018af04b00000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x120 288
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x8196529 135882025
foseg 0x7b 123
fooff 0x853f394 139719572
fop 0x531 1329
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1f80 8064
mm0 {uint64 = 0xefefeeedebeae9e9, v2_int32 = {0xebeae9e9,
0xefefeeed}, v4_int16 = {0xe9e9, 0xebea, 0xeeed, 0xefef}, v8_int8 =
{0xe9, 0xe9, 0xea, 0xeb, 0xed, 0xee,
0xef, 0xef}}
mm1 {uint64 = 0xef00ef00ee00ed, v2_int32 = {0xee00ed,
0xef00ef}, v4_int16 = {0xed, 0xee, 0xef, 0xef}, v8_int8 = {0xed, 0x0,
0xee, 0x0, 0xef, 0x0, 0xef, 0x0}}
mm2 {uint64 = 0xefefeeedebeae9e9, v2_int32 = {0xebeae9e9,
0xefefeeed}, v4_int16 = {0xe9e9, 0xebea, 0xeeed, 0xefef}, v8_int8 =
{0xe9, 0xe9, 0xea, 0xeb, 0xed, 0xee,
0xef, 0xef}}
mm3 {uint64 = 0xef00ef00ee00ed, v2_int32 = {0xee00ed,
0xef00ef}, v4_int16 = {0xed, 0xee, 0xef, 0xef}, v8_int8 = {0xed, 0x0,
0xee, 0x0, 0xef, 0x0, 0xef, 0x0}}
mm4 {uint64 = 0xb16c2e0000000000, v2_int32 = {0x0,
0xb16c2e00}, v4_int16 = {0x0, 0x0, 0x2e00, 0xb16c}, v8_int8 = {0x0, 0x0,
0x0, 0x0, 0x0, 0x2e, 0x6c, 0xb1}}
mm5 {uint64 = 0xdc0a7b3c6fab4167, v2_int32 = {0x6fab4167,
0xdc0a7b3c}, v4_int16 = {0x4167, 0x6fab, 0x7b3c, 0xdc0a}, v8_int8 =
{0x67, 0x41, 0xab, 0x6f, 0x3c, 0x7b,
0xa, 0xdc}}
mm6 {uint64 = 0xaf04b00000000000, v2_int32 = {0x0,
0xaf04b000}, v4_int16 = {0x0, 0x0, 0xb000, 0xaf04}, v8_int8 = {0x0, 0x0,
0x0, 0x0, 0x0, 0xb0, 0x4, 0xaf}}
mm7 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0,
0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb)
Ramiro Polla