[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Michael Niedermayer michael at niedermayer.cc
Fri Apr 2 01:49:26 EEST 2021


On Fri, Apr 02, 2021 at 12:25:53AM +0200, Michael Niedermayer wrote:
> On Thu, Apr 01, 2021 at 09:22:23PM +0200, Paul B Mahol wrote:
> > Try this attached patch. I have not looked at all samples, as some allocate
> > too much memory for my system.
> 
> > But this patch points where real bugs are, unlike your patch, which hides
> > real bugs even more.
> 
> I would appreciate it if cfhd didn't have so many real bugs.
> Your approach seems to be to fix what the fuzzer finds. What my patch was
> moving toward is to make the code more secure and robust, not to fix individual
> bugs. My patch was never intended to be the end of such improvement, but with
> the first stage being rejected I am of course not putting time into the next ...
> 
> But that's not so important now; what's important is the bugs here,
> and your patch eliminates all of the current group but one. That's good!
> Here's what remains:
> ffmpeg -threads 1 -i dec_fuzzer-30739.nut -f null -

Correction: the fuzzer found an alternative sample for 29754 which still crashes.
This seems to also use less memory than the other remaining sample.
I will send the sample privately.

[cfhd @ 0x16d92180] Invalid lowpass height
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
==24087==    by 0x860064: decode_simple_internal (decode.c:327)
==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
Error while decoding stream #0:0: Invalid argument
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
[cfhd @ 0x16d92180] Invalid lowpass height
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
==24087==    by 0x860064: decode_simple_internal (decode.c:327)
==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
Error while decoding stream #0:0: Invalid argument
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
[cfhd @ 0x16d92180] Sample format of 1039 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
[cfhd @ 0x16d92180] Invalid lowpass height
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
==24087==    by 0x860064: decode_simple_internal (decode.c:327)
==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
Error while decoding stream #0:0: Invalid argument
==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
==24087==    by 0x1234092: av_vlog (log.c:432)
==24087==    by 0x1233EF1: av_log (log.c:411)
==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
==24087== Invalid read of size 16
==24087==    at 0x10A1385: ??? (libavcodec/x86/cfhddsp.asm:384)
==24087==    by 0x1FFEFFF74F: ???
==24087==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24087== 
==24087== 
==24087== Process terminating with default action of signal 11 (SIGSEGV)
==24087==  Access not within mapped region at address 0x0
==24087==    at 0x10A1385: ??? (libavcodec/x86/cfhddsp.asm:384)
==24087==    by 0x1FFEFFF74F: ???
==24087==  If you believe this happened as a result of a stack
==24087==  overflow in your program's main thread (unlikely but
==24087==  possible), you can try to increase the size of the
==24087==  main thread stack using the --main-stacksize= flag.
==24087==  The main thread stack size used in this run was 8388608.
==24087== 
==24087== HEAP SUMMARY:
==24087==     in use at exit: 4,909,751 bytes in 242 blocks
==24087==   total heap usage: 1,961 allocs, 1,719 frees, 23,859,585 bytes allocated
==24087== 
==24087== 11,776 bytes in 32 blocks are possibly lost in loss record 174 of 181
==24087==    at 0x4C33B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24087==    by 0x4013646: allocate_dtv (dl-tls.c:286)
==24087==    by 0x4013646: _dl_allocate_tls (dl-tls.c:530)
==24087==    by 0xCB4F227: allocate_stack (allocatestack.c:627)
==24087==    by 0xCB4F227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==24087==    by 0x12669C2: avpriv_slicethread_create (slicethread.c:147)
==24087==    by 0x2BC153: thread_init_internal (pthread.c:78)
==24087==    by 0x2BC1F1: ff_graph_thread_init (pthread.c:97)
==24087==    by 0x29FE2E: avfilter_graph_alloc_filter (avfiltergraph.c:180)
==24087==    by 0x2BA603: create_filter (graphparser.c:132)
==24087==    by 0x2BA896: parse_filter (graphparser.c:201)
==24087==    by 0x2BB171: avfilter_graph_parse2 (graphparser.c:438)
==24087==    by 0x240FD9: configure_filtergraph (ffmpeg_filter.c:1034)
==24087==    by 0x2523A2: ifilter_send_frame (ffmpeg.c:2234)
==24087==    by 0x2526DA: send_frame_to_filters (ffmpeg.c:2315)
==24087==    by 0x25348B: decode_video (ffmpeg.c:2512)
==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
==24087== 
==24087== LEAK SUMMARY:
==24087==    definitely lost: 0 bytes in 0 blocks
==24087==    indirectly lost: 0 bytes in 0 blocks
==24087==      possibly lost: 11,776 bytes in 32 blocks
==24087==    still reachable: 4,897,975 bytes in 210 blocks
==24087==         suppressed: 0 bytes in 0 blocks
==24087== Reachable blocks (those to which a pointer was found) are not shown.
==24087== To see them, rerun with: --leak-check=full --show-leak-kinds=all
[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Does the universe only have a finite lifespan? No, it's going to go on
forever, it's just that you won't like living in it. -- Hiranya Peiri
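The subject of this thread is checking tag order and multiplicity more strictly. As an added example (not cfhd's code, not FFmpeg code, and not code from anyone in this thread), the following shows that hardening pattern on a toy TLV frame format: a per-frame bitmask of tags already seen rejects duplicates, a prerequisite mask per tag rejects tags that arrive before the values they depend on, and a range check on the lowpass height can therefore rely on the height of the same frame rather than on stale state. The tag numbers, the 1-byte-id/2-byte-value layout, the dimension limits and the error codes are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tag ids for a toy TLV frame; not the real cfhd tag numbers. */
enum { TAG_WIDTH = 1, TAG_HEIGHT = 2, TAG_LOWPASS_HEIGHT = 3, TAG_DATA = 4 };

enum { ERR_OK = 0, ERR_TRUNCATED = -1, ERR_UNKNOWN = -2, ERR_DUPLICATE = -3,
       ERR_ORDER = -4, ERR_RANGE = -5, ERR_MISSING = -6 };

#define TAG_SIZE 3      /* 1 byte id + 2 byte big-endian value (hypothetical layout) */
#define MAX_DIM  16384  /* arbitrary sanity bound for this example */

typedef struct {
    uint32_t seen;                     /* bitmask of tags seen in the current frame */
    int width, height, lowpass_height;
} DecoderState;

/* Tags that must already have been seen in this frame before a tag is accepted. */
static const uint32_t required_before[TAG_DATA + 1] = {
    [TAG_WIDTH]          = 0,
    [TAG_HEIGHT]         = 0,
    [TAG_LOWPASS_HEIGHT] = (1u << TAG_WIDTH) | (1u << TAG_HEIGHT),
    [TAG_DATA]           = (1u << TAG_LOWPASS_HEIGHT),
};

static int parse_frame(DecoderState *s, const uint8_t *buf, size_t len)
{
    size_t pos = 0;

    /* Reset per frame: values left over from an earlier (possibly rejected)
     * frame must never satisfy this frame's prerequisite checks. */
    s->seen = 0;

    while (pos < len) {
        unsigned tag, val;
        uint32_t bit;

        if (len - pos < TAG_SIZE)
            return ERR_TRUNCATED;
        tag = buf[pos];
        val = (unsigned)buf[pos + 1] << 8 | buf[pos + 2];
        pos += TAG_SIZE;

        if (tag < TAG_WIDTH || tag > TAG_DATA)
            return ERR_UNKNOWN;
        bit = 1u << tag;
        if (s->seen & bit)
            return ERR_DUPLICATE;                /* multiplicity: each tag at most once */
        if ((s->seen & required_before[tag]) != required_before[tag])
            return ERR_ORDER;                    /* order: prerequisites must come first */

        switch (tag) {
        case TAG_WIDTH:
        case TAG_HEIGHT:
            if (val == 0 || val > MAX_DIM)
                return ERR_RANGE;
            if (tag == TAG_WIDTH) s->width = val; else s->height = val;
            break;
        case TAG_LOWPASS_HEIGHT:
            /* s->height is this frame's value: the order check guarantees it. */
            if (val == 0 || val > (unsigned)s->height)
                return ERR_RANGE;
            s->lowpass_height = val;
            break;
        case TAG_DATA:
            /* val = payload length; all dimensions are validated by now. */
            if (len - pos < val)
                return ERR_TRUNCATED;
            pos += val;
            break;
        }
        s->seen |= bit;
    }
    return (s->seen & (1u << TAG_DATA)) ? ERR_OK : ERR_MISSING;
}

/* Constructed test frames (not real cfhd samples). */
static const uint8_t good_frame[]  = { TAG_WIDTH, 0, 16, TAG_HEIGHT, 0, 8,
    TAG_LOWPASS_HEIGHT, 0, 4, TAG_DATA, 0, 2, 0xAA, 0xBB };
static const uint8_t dup_frame[]   = { TAG_WIDTH, 0, 16, TAG_WIDTH, 0, 16,
    TAG_HEIGHT, 0, 8, TAG_LOWPASS_HEIGHT, 0, 4, TAG_DATA, 0, 0 };
static const uint8_t order_frame[] = { TAG_LOWPASS_HEIGHT, 0, 4, TAG_WIDTH, 0, 16,
    TAG_HEIGHT, 0, 8, TAG_DATA, 0, 0 };
static const uint8_t range_frame[] = { TAG_WIDTH, 0, 16, TAG_HEIGHT, 0, 8,
    TAG_LOWPASS_HEIGHT, 0, 9, TAG_DATA, 0, 0 };
static const uint8_t trunc_frame[] = { TAG_WIDTH, 0, 16, TAG_HEIGHT, 0, 8,
    TAG_LOWPASS_HEIGHT, 0, 4, TAG_DATA, 0, 16, 0xAA };
static const uint8_t data_only_frame[] = { TAG_DATA, 0, 0 };

static int decode_one(const uint8_t *buf, size_t len)
{
    DecoderState s = {0};
    return parse_frame(&s, buf, len);
}

/* A good frame followed by a frame carrying only DATA: the second must be
 * rejected rather than silently reusing the first frame's dimensions. */
static int decode_good_then_data_only(void)
{
    DecoderState s = {0};
    if (parse_frame(&s, good_frame, sizeof good_frame) != ERR_OK)
        return -100;
    return parse_frame(&s, data_only_frame, sizeof data_only_frame);
}

int main(void)
{
    printf("good:      %d\n", decode_one(good_frame, sizeof good_frame));
    printf("duplicate: %d\n", decode_one(dup_frame, sizeof dup_frame));
    printf("order:     %d\n", decode_one(order_frame, sizeof order_frame));
    printf("range:     %d\n", decode_one(range_frame, sizeof range_frame));
    printf("truncated: %d\n", decode_one(trunc_frame, sizeof trunc_frame));
    printf("stale:     %d\n", decode_good_then_data_only());
    return 0;
}
```

The point of the prerequisite mask is that a consumer of a value (here the lowpass height check, and ultimately the payload) can never run against a field that was set by a previous frame or never set at all; resetting `seen` per frame, rather than carrying it across packets, is what makes that hold after a rejected frame.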