[FFmpeg-trac] #600(avcodec:open): Crash (segmentation fault) decoding a bad flac (my fix incl.)

FFmpeg trac at avcodec.org
Mon Oct 31 10:15:58 CET 2011


#600: Crash (segmentation fault) decoding a bad flac (my fix incl.)
-------------------------------------+-------------------------------------
             Reporter:  BJoe         |                    Owner:
                 Type:  defect       |                   Status:  open
             Priority:  important    |                Component:  avcodec
              Version:  git-master   |               Resolution:
             Keywords:  flac crash   |               Blocked By:
  SIGSEGV                            |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by cehoyos):

 * keywords:   => flac crash SIGSEGV
 * priority:  normal => important
 * version:  unspecified => git-master
 * status:  new => open
 * reproduced:  0 => 1


Comment:

 Not reproducible on ia32; the trace below is from an x86-64 build. The faulting instruction at get_ur_golomb_jpegls+244 is the bit-reader cache load `mov (%rax),%eax` with rax = 0x4414ffd, which together with the preceding "overread: 266343" message is consistent with the reader fetching past the end of the frame buffer on malformed input rather than a null dereference.
 {{{
 (gdb) r -i small-fileEEmUGd.flac -f null -
 Starting program: ffmpeg_g -i small-fileEEmUGd.flac -f null -
 [Thread debugging using libthread_db enabled]
 ffmpeg version N-34304-gc0dbab9, Copyright (c) 2000-2011 the FFmpeg
 developers
   built on Oct 31 2011 10:08:50 with gcc 4.5.3
   configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc --disable-optimizations
   libavutil    51. 22. 0 / 51. 22. 0
   libavcodec   53. 26. 0 / 53. 26. 0
   libavformat  53. 18. 0 / 53. 18. 0
   libavdevice  53.  4. 0 / 53.  4. 0
   libavfilter   2. 45. 2 /  2. 45. 2
   libswscale    2.  1. 0 /  2.  1. 0
 Input #0, flac, from 'small-fileEEmUGd.flac':
   Metadata:
     track           : 4
     TITLE           : Blackest Eyes
     ARTIST          : Porcupine Tree
     ALBUM           : 2007-10-26 New Orleans, LA (tooligan Matrix) [FINAL
 MIX]
     DATE            : 2007
     GENRE           : Progressive Rock
   Duration: 00:05:33.69, bitrate: 736 kb/s
     Stream #0:0: Audio: flac, 44100 Hz, stereo, s16
 Output #0, null, to 'pipe:':
   Metadata:
     track           : 4
     TITLE           : Blackest Eyes
     ARTIST          : Porcupine Tree
     ALBUM           : 2007-10-26 New Orleans, LA (tooligan Matrix) [FINAL
 MIX]
     DATE            : 2007
     GENRE           : Progressive Rock
     encoder         : Lavf53.18.0
     Stream #0:0: Audio: pcm_s16le, 44100 Hz, stereo, s16, 1411 kb/s
 Stream mapping:
   Stream #0.0 -> #0.0 (flac -> pcm_s16le)
 Press [q] to stop, [?] for help
 [flac @ 0x14afaa0] overread: 266343
 Error while decoding stream #0.0
 size=      -0kB time=00:00:04.73 bitrate=  -0.0kbits/s
 Program received signal SIGSEGV, Segmentation fault.
 0x000000000062d637 in get_ur_golomb_jpegls (gb=0x14a5368, k=9,
 limit=2147483647, esc_len=0)
     at libavcodec/golomb.h:306
 306                 UPDATE_CACHE(re, gb);
 (gdb) bt
 #0  0x000000000062d637 in get_ur_golomb_jpegls (gb=0x14a5368, k=9,
 limit=2147483647, esc_len=0)
     at libavcodec/golomb.h:306
 #1  0x000000000062d72e in get_sr_golomb_flac (gb=0x14a5368, k=9,
 limit=2147483647, esc_len=0)
     at libavcodec/golomb.h:348
 #2  0x000000000062dfa6 in decode_residuals (s=0x14a5340, channel=1,
 pred_order=6)
     at libavcodec/flacdec.c:274
 #3  0x000000000062e42d in decode_subframe_lpc (s=0x14a5340, channel=1,
 pred_order=6)
     at libavcodec/flacdec.c:361
 #4  0x000000000062e92b in decode_subframe (s=0x14a5340, channel=1) at
 libavcodec/flacdec.c:443
 #5  0x000000000062ed1e in decode_frame (s=0x14a5340) at
 libavcodec/flacdec.c:533
 #6  0x000000000062eed5 in flac_decode_frame (avctx=0x14afaa0,
 data=0x7ffff340b040,
     data_size=0x7fffffffc4ec, avpkt=0x7fffffffc4f0) at
 libavcodec/flacdec.c:583
 #7  0x000000000084479b in avcodec_decode_audio3 (avctx=0x14afaa0,
 samples=0x7ffff340b040,
     frame_size_ptr=0x7fffffffc4ec, avpkt=0x7fffffffc4f0) at
 libavcodec/utils.c:875
 #8  0x000000000040a1c5 in output_packet (ist=0x14b1000, ist_index=0,
 ost_table=0x14af6a0, nb_ostreams=1,
     pkt=0x7fffffffd910) at ffmpeg.c:1666
 #9  0x000000000040de7f in transcode (output_files=0x14af910,
 nb_output_files=1, input_files=0x14b10d0,
     nb_input_files=1) at ffmpeg.c:2636
 #10 0x00000000004149fb in main (argc=6, argv=0x7fffffffdde8) at
 ffmpeg.c:4506
 (gdb) disass $pc-32 $pc+32
 Dump of assembler code from 0x62d617 to 0x62d657:
 0x000000000062d617 <get_ur_golomb_jpegls+212>:  add    %al,(%rax)
 0x000000000062d619 <get_ur_golomb_jpegls+214>:  add    %al,(%rax)
 0x000000000062d61b <get_ur_golomb_jpegls+216>:  jmp    0x62d651
 <get_ur_golomb_jpegls+270>
 0x000000000062d61d <get_ur_golomb_jpegls+218>:  addl   $0x1,-0x10(%rbp)
 0x000000000062d621 <get_ur_golomb_jpegls+222>:  mov    -0x30(%rbp),%rax
 0x000000000062d625 <get_ur_golomb_jpegls+226>:  mov    (%rax),%rax
 0x000000000062d628 <get_ur_golomb_jpegls+229>:  mov    %rax,%rdx
 0x000000000062d62b <get_ur_golomb_jpegls+232>:  mov    -0x10(%rbp),%eax
 0x000000000062d62e <get_ur_golomb_jpegls+235>:  shr    $0x3,%eax
 0x000000000062d631 <get_ur_golomb_jpegls+238>:  mov    %eax,%eax
 0x000000000062d633 <get_ur_golomb_jpegls+240>:  lea    (%rdx,%rax,1),%rax
 0x000000000062d637 <get_ur_golomb_jpegls+244>:  mov    (%rax),%eax
 0x000000000062d639 <get_ur_golomb_jpegls+246>:  mov    %eax,%edi
 0x000000000062d63b <get_ur_golomb_jpegls+248>:  callq  0x62c9ba
 <av_bswap32>
 0x000000000062d640 <get_ur_golomb_jpegls+253>:  mov    -0x10(%rbp),%edx
 0x000000000062d643 <get_ur_golomb_jpegls+256>:  and    $0x7,%edx
 0x000000000062d646 <get_ur_golomb_jpegls+259>:  mov    %edx,%ecx
 0x000000000062d648 <get_ur_golomb_jpegls+261>:  shl    %cl,%eax
 0x000000000062d64a <get_ur_golomb_jpegls+263>:  mov    %eax,-0x14(%rbp)
 0x000000000062d64d <get_ur_golomb_jpegls+266>:  addl   $0x1,-0x18(%rbp)
 0x000000000062d651 <get_ur_golomb_jpegls+270>:  mov    -0x14(%rbp),%eax
 0x000000000062d654 <get_ur_golomb_jpegls+273>:  mov    $0x1,%esi
 End of assembler dump.
 (gdb) info register
 rax            0x4414ffd        71389181
 rbx            0x0      0
 rcx            0xffffffff       4294967295
 rdx            0x32a51c8        53105096
 rsi            0x1      1
 rdi            0x0      0
 rbp            0x7fffffffc0a0   0x7fffffffc0a0
 rsp            0x7fffffffc060   0x7fffffffc060
 r8             0x62ed62 6483298
 r9             0x0      0
 r10            0x22     34
 r11            0x246    582
 r12            0x405500 4216064
 r13            0x7fffffffdde0   140737488346592
 r14            0x0      0
 r15            0x0      0
 rip            0x62d637 0x62d637 <get_ur_golomb_jpegls+244>
 eflags         0x10206  [ PF IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 fctrl          0x37f    895
 fstat          0x0      0
 ftag           0xffff   65535
 fiseg          0x0      0
 fioff          0x0      0
 foseg          0x0      0
 fooff          0x0      0
 fop            0x0      0
 mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/600#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

