[FFmpeg-trac] #2843(undetermined:new): jpeg2000: crash with fuzzed file 2
FFmpeg
trac at avcodec.org
Fri Aug 9 19:52:34 CEST 2013
#2843: jpeg2000: crash with fuzzed file 2
-------------------------------------+-------------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: new
Priority: normal | Component: undetermined
Version: unspecified |
Keywords: | Resolution:
Blocking: | Blocked By:
Analyzed by developer: 0 | Reproduced by developer: 0
-------------------------------------+-------------------------------------
Comment (by ami_stuff):
invalid read
{{{
knoppix at Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg/ffmpeg_g -i ./fuzzed3.avi -f null -
==2436== Memcheck, a memory error detector
==2436== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2436== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2436== Command: ffmpeg/ffmpeg_g -i ./fuzzed3.avi -f null -
==2436==
ffmpeg version 2.0 Copyright (c) 2000-2013 the FFmpeg developers
built on Aug 6 2013 21:17:38 with gcc 4.7 (Debian 4.7.2-4)
configuration: --enable-gpl --disable-yasm --disable-ffprobe --disable-ffserver
libavutil 52. 40.100 / 52. 40.100
libavcodec 55. 20.100 / 55. 20.100
libavformat 55. 13.101 / 55. 13.101
libavdevice 55. 3.100 / 55. 3.100
libavfilter 3. 82.100 / 3. 82.100
libswscale 2. 4.100 / 2. 4.100
libswresample 0. 17.103 / 0. 17.103
libpostproc 52. 3.100 / 52. 3.100
Input #0, avi, from './fuzzed3.avi':
Duration: 00:00:05.96, start: 0.000000, bitrate: 320 kb/s
Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0)
(MJ2C / 0x43324A4D), rgb24, 192x128, 24 fps, 24 tbr, 24 tbn, 24 tbc
Stream #0:1: Audio: mp3 (U[0][0][0] / 0x0055), 11025 Hz, mono, s16p, 7 kb/s
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.13.101
Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 192x128, q=2-31, 200 kb/s, 90k tbn, 24 tbc
Stream #0:1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
Stream mapping:
Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
Stream #0:1 -> #0:1 (mp3 -> pcm_s16le)
Press [q] to stop, [?] for help
[null @ 0x442d8a0] Encoder did not produce proper pts, making some up.
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] error during processing marker segment ff90
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] extra cblk styles C0
[jpeg2000 @ 0x43144e0] error during processing marker segment ff53
Error while decoding stream #0:0: Operation not permitted
[jpeg2000 @ 0x43144e0] error during processing marker segment ff51
Error while decoding stream #0:0: Invalid argument
[jpeg2000 @ 0x43144e0] [IMGUTILS @ 0xbefe0004] Picture size 192x4294967168 is invalid
[jpeg2000 @ 0x43144e0] video_get_buffer: image parameters invalid
[jpeg2000 @ 0x43144e0] get_buffer() failed
[jpeg2000 @ 0x43144e0] thread_get_buffer() failed
Error while decoding stream #0:0: Invalid argument
==2436== Invalid read of size 4
==2436== at 0x8506CC0: jpeg2000_decode_tile (jpeg2000dec.c:1164)
==2436== by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==2436== by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==2436== by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==2436== by 0x3171987: ???
==2436== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2436==
==2436==
==2436== Process terminating with default action of signal 11 (SIGSEGV)
==2436== Access not within mapped region at address 0x0
==2436== at 0x8506CC0: jpeg2000_decode_tile (jpeg2000dec.c:1164)
==2436== by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==2436== by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==2436== by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==2436== by 0x3171987: ???
==2436== If you believe this happened as a result of a stack
==2436== overflow in your program's main thread (unlikely but
==2436== possible), you can try to increase the size of the
==2436== main thread stack using the --main-stacksize= flag.
==2436== The main thread stack size used in this run was 8388608.
==2436==
==2436== HEAP SUMMARY:
==2436== in use at exit: 15,377,228 bytes in 350 blocks
==2436== total heap usage: 31,821 allocs, 31,471 frees, 119,720,893 bytes allocated
==2436==
==2436== LEAK SUMMARY:
==2436== definitely lost: 0 bytes in 0 blocks
==2436== indirectly lost: 0 bytes in 0 blocks
==2436== possibly lost: 0 bytes in 0 blocks
==2436== still reachable: 15,377,228 bytes in 350 blocks
==2436== suppressed: 0 bytes in 0 blocks
==2436== Reachable blocks (those to which a pointer was found) are not shown.
==2436== To see them, rerun with: --leak-check=full --show-reachable=yes
==2436==
==2436== For counts of detected and suppressed errors, rerun with: -v
==2436== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 23 from 6)
Segmentation fault
}}}
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2843#comment:1>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker