[FFmpeg-trac] #2843(undetermined:new): jpeg2000: crash with fuzzed file 2

FFmpeg trac at avcodec.org
Wed Aug 7 20:29:58 CEST 2013


#2843: jpeg2000: crash with fuzzed file 2
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 knoppix at Microknoppix:/media/sdb1/ffmpeg$ ./ffmpeg_g -i ../fuzzed3.avi -f null -
 ffmpeg version 2.0 Copyright (c) 2000-2013 the FFmpeg developers
   built on Aug  6 2013 21:17:38 with gcc 4.7 (Debian 4.7.2-4)
   configuration: --enable-gpl --disable-yasm --disable-ffprobe --disable-ffserver
   libavutil      52. 40.100 / 52. 40.100
   libavcodec     55. 20.100 / 55. 20.100
   libavformat    55. 13.101 / 55. 13.101
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 82.100 /  3. 82.100
   libswscale      2.  4.100 /  2.  4.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Input #0, avi, from '../fuzzed3.avi':
   Duration: 00:00:05.96, start: 0.000000, bitrate: 320 kb/s
     Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0) (MJ2C / 0x43324A4D), rgb24, 192x128, 24 fps, 24 tbr, 24 tbn, 24 tbc
     Stream #0:1: Audio: mp3 (U[0][0][0] / 0x0055), 11025 Hz, mono, s16p, 7 kb/s
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.13.101
     Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 192x128, q=2-31, 200 kb/s, 90k tbn, 24 tbc
     Stream #0:1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
 Stream mapping:
   Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
   Stream #0:1 -> #0:1 (mp3 -> pcm_s16le)
 Press [q] to stop, [?] for help
 [null @ 0x90d7580] Encoder did not produce proper pts, making some up.
 Error while decoding stream #0:0: Invalid data found when processing input
 [jpeg2000 @ 0x90d4620] error during processing marker segment ff90
 Error while decoding stream #0:0: Invalid data found when processing input
 [jpeg2000 @ 0x90d4620] extra cblk styles C0
 [jpeg2000 @ 0x90d4620] error during processing marker segment ff53
 Error while decoding stream #0:0: Operation not permitted
 [jpeg2000 @ 0x90d4620] error during processing marker segment ff51
 Error while decoding stream #0:0: Invalid argument
 [jpeg2000 @ 0x90d4620] [IMGUTILS @ 0xbfd7cbb4] Picture size 192x4294967168 is invalid
 [jpeg2000 @ 0x90d4620] video_get_buffer: image parameters invalid
 [jpeg2000 @ 0x90d4620] get_buffer() failed
 [jpeg2000 @ 0x90d4620] thread_get_buffer() failed
 Error while decoding stream #0:0: Invalid argument
 Segmentation fault (core dumped)
 knoppix at Microknoppix:/media/sdb1/ffmpeg$ gdb -c core ffmpeg_g
 GNU gdb (GDB) 7.4.1-debian
 Copyright (C) 2012 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /media/sdb1/ffmpeg/ffmpeg_g...done.
 [New LWP 8801]

 warning: Can't read pathname for load map: Input/output error.
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 Failed to read a valid object file image from memory.
 Core was generated by `./ffmpeg_g -i ../fuzzed3.avi -f null -'.
 Program terminated with signal 11, Segmentation fault.
 #0  0x08506cc0 in mct_decode (s=<optimized out>, tile=<optimized out>)
     at libavcodec/jpeg2000dec.c:1164
 1164                i1 = *src[0] - (*src[2] + *src[1] >> 2);
 (gdb) bt
 #0  0x08506cc0 in mct_decode (s=<optimized out>, tile=<optimized out>)
     at libavcodec/jpeg2000dec.c:1164
 #1  jpeg2000_decode_tile (s=s at entry=0x90c4d00, tile=0x90d93c0,
     picture=picture at entry=0x90c43c0) at libavcodec/jpeg2000dec.c:1236
 #2  0x0850929c in jpeg2000_decode_frame (avctx=0x90d4620, data=0x90c43c0,
     got_frame=0xbfd7d064, avpkt=0xbfd7ce08) at libavcodec/jpeg2000dec.c:1626
 #3  0x08671b0e in avcodec_decode_video2 (avctx=0x90d4620,
     picture=picture at entry=0x90c43c0,
     got_picture_ptr=got_picture_ptr at entry=0xbfd7d064,
     avpkt=avpkt at entry=0xbfd7d2b0) at libavcodec/utils.c:1986
 #4  0x080b2cdd in decode_video (ist=ist at entry=0x910e6a0,
     pkt=pkt at entry=0xbfd7d2b0, got_output=got_output at entry=0xbfd7d064)
     at ffmpeg.c:1653
 #5  0x080b6422 in output_packet (pkt=0xbfd7d248, ist=0x910e6a0)
     at ffmpeg.c:1851
 #6  process_input (file_index=2) at ffmpeg.c:3063
 #7  0x080a1fc3 in transcode_step () at ffmpeg.c:3159
 #8  transcode () at ffmpeg.c:3211
 #9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3389
 (gdb)
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2843>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker