[FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
Michael Niedermayer
michael at niedermayer.cc
Tue Jun 18 02:52:51 EEST 2024
On Mon, Jun 17, 2024 at 09:50:18AM +0200, Paul B Mahol wrote:
> On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer <michael at niedermayer.cc>
> wrote:
>
> > Fixes: out of array read
> > Fixes: 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/smcenc.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
> > index 789aef4f770..d70cce900ec 100644
> > --- a/libavcodec/smcenc.c
> > +++ b/libavcodec/smcenc.c
> > @@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx,
> > AVPacket *pkt,
> > uint8_t *pal;
> > int ret;
> >
> > + if (avctx->width < 4)
> > + return AVERROR_PATCHWELCOME;
> > +
> >
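Review bot: the new check rejects the frame without recording why width < 4 is unsafe; the ASan report in this thread points at a memcmp in smc_encode_stream (smcenc.c:193) reading 2 bytes before the start of the frame buffer allocated by av_frame_get_buffer, so a one-line comment at the check tying the minimum width to that comparison would let a reviewer verify the fix rather than only observe that the fuzzer stops crashing. Also, avctx->width is fixed once the encoder is opened, so the same test belongs in the encoder's init callback, where avcodec_open2 fails up front, instead of in smc_encode_frame, where it is re-evaluated on every avcodec_send_frame and the caller only learns of the limitation after feeding the first frame.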
>
> I just enabled address sanitizer for the smc encoder and I do not get any
> errors.
> Where is the log of where the overread happens?
The log is below:
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
Time ran: 0.04435396194458008
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 267861690
INFO: Loaded 1 modules (65950 inline 8-bit counters): 65950 [0x8b8e570, 0x8b9e70e),
INFO: Loaded 1 PC tables (65950 PCs): 65950 [0x8a2d0d0,0x8aaddc0),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
=================================================================
==23375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf76af7fe at pc 0x08141703 bp 0xffb541a8 sp 0xffb53d80
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x8141702 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
#1 0x8141c31 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
#2 0x822ccab in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
#3 0x822ccab in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
#4 0x820f5cc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
#5 0x82114db in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
#6 0x82114db in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
#7 0x82114db in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
#8 0x821082f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
#9 0x81ef067 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
#10 0x81ef067 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
#11 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#12 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#13 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#14 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0xf7c6aed4 in __libc_start_main
#16 0x8091075 in _start
0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
#0 0x81ab67a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x884f02f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
#2 0x880036a in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
#3 0x8821c97 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
#4 0x8821c97 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
#5 0x81eed9f in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
#6 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#7 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#8 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#9 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0xf7c6aed4 in __libc_start_main
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
==23375==ABORTING
ORIGINAL STACKTRACE ON REVISION 9C6C4F3D476D7A8D423EC3B954254C6A67EBC792 (110 LINES)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Democracy is the form of government in which you can choose your dictator