[FFmpeg-trac] #2843(undetermined:new): jpeg2000: crash with fuzzed file 2

FFmpeg trac at avcodec.org
Fri Aug 9 19:52:34 CEST 2013


#2843: jpeg2000: crash with fuzzed file 2
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:
              Version:  unspecified  |  undetermined
             Keywords:               |               Resolution:
             Blocking:               |               Blocked By:
Analyzed by developer:  0            |  Reproduced by developer:  0
-------------------------------------+-------------------------------------

Comment (by ami_stuff):

 invalid read

 {{{
 knoppix at Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg/ffmpeg_g -i ./fuzzed3.avi -f null -
 ==2436== Memcheck, a memory error detector
 ==2436== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==2436== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==2436== Command: ffmpeg/ffmpeg_g -i ./fuzzed3.avi -f null -
 ==2436==
 ffmpeg version 2.0 Copyright (c) 2000-2013 the FFmpeg developers
   built on Aug  6 2013 21:17:38 with gcc 4.7 (Debian 4.7.2-4)
   configuration: --enable-gpl --disable-yasm --disable-ffprobe --disable-ffserver
   libavutil      52. 40.100 / 52. 40.100
   libavcodec     55. 20.100 / 55. 20.100
   libavformat    55. 13.101 / 55. 13.101
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 82.100 /  3. 82.100
   libswscale      2.  4.100 /  2.  4.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Input #0, avi, from './fuzzed3.avi':
   Duration: 00:00:05.96, start: 0.000000, bitrate: 320 kb/s
     Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0) (MJ2C / 0x43324A4D), rgb24, 192x128, 24 fps, 24 tbr, 24 tbn, 24 tbc
     Stream #0:1: Audio: mp3 (U[0][0][0] / 0x0055), 11025 Hz, mono, s16p, 7 kb/s
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.13.101
     Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 192x128, q=2-31, 200 kb/s, 90k tbn, 24 tbc
     Stream #0:1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
 Stream mapping:
   Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
   Stream #0:1 -> #0:1 (mp3 -> pcm_s16le)
 Press [q] to stop, [?] for help
 [null @ 0x442d8a0] Encoder did not produce proper pts, making some up.
 Error while decoding stream #0:0: Invalid data found when processing input
 [jpeg2000 @ 0x43144e0] error during processing marker segment ff90
 Error while decoding stream #0:0: Invalid data found when processing input
 [jpeg2000 @ 0x43144e0] extra cblk styles C0
 [jpeg2000 @ 0x43144e0] error during processing marker segment ff53
 Error while decoding stream #0:0: Operation not permitted
 [jpeg2000 @ 0x43144e0] error during processing marker segment ff51
 Error while decoding stream #0:0: Invalid argument
 [jpeg2000 @ 0x43144e0] [IMGUTILS @ 0xbefe0004] Picture size 192x4294967168 is invalid
 [jpeg2000 @ 0x43144e0] video_get_buffer: image parameters invalid
 [jpeg2000 @ 0x43144e0] get_buffer() failed
 [jpeg2000 @ 0x43144e0] thread_get_buffer() failed
 Error while decoding stream #0:0: Invalid argument
 ==2436== Invalid read of size 4
 ==2436==    at 0x8506CC0: jpeg2000_decode_tile (jpeg2000dec.c:1164)
 ==2436==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
 ==2436==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
 ==2436==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
 ==2436==    by 0x3171987: ???
 ==2436==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 ==2436==
 ==2436==
 ==2436== Process terminating with default action of signal 11 (SIGSEGV)
 ==2436==  Access not within mapped region at address 0x0
 ==2436==    at 0x8506CC0: jpeg2000_decode_tile (jpeg2000dec.c:1164)
 ==2436==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
 ==2436==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
 ==2436==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
 ==2436==    by 0x3171987: ???
 ==2436==  If you believe this happened as a result of a stack
 ==2436==  overflow in your program's main thread (unlikely but
 ==2436==  possible), you can try to increase the size of the
 ==2436==  main thread stack using the --main-stacksize= flag.
 ==2436==  The main thread stack size used in this run was 8388608.
 ==2436==
 ==2436== HEAP SUMMARY:
 ==2436==     in use at exit: 15,377,228 bytes in 350 blocks
 ==2436==   total heap usage: 31,821 allocs, 31,471 frees, 119,720,893 bytes allocated
 ==2436==
 ==2436== LEAK SUMMARY:
 ==2436==    definitely lost: 0 bytes in 0 blocks
 ==2436==    indirectly lost: 0 bytes in 0 blocks
 ==2436==      possibly lost: 0 bytes in 0 blocks
 ==2436==    still reachable: 15,377,228 bytes in 350 blocks
 ==2436==         suppressed: 0 bytes in 0 blocks
 ==2436== Reachable blocks (those to which a pointer was found) are not shown.
 ==2436== To see them, rerun with: --leak-check=full --show-reachable=yes
 ==2436==
 ==2436== For counts of detected and suppressed errors, rerun with: -v
 ==2436== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 23 from 6)
 Segmentation fault
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2843#comment:1>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
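An added example, not part of the ticket and not FFmpeg's jpeg2000dec.c. The log above shows the decoder deriving a picture height of 4294967168 (0xFFFFFF80, which is -128 wrapped to 32-bit unsigned) from the fuzzed codestream, get_buffer() refusing that size, and tile decoding then going ahead with no frame buffer and reading through address 0x0 in jpeg2000_decode_tile. The C below parses a JPEG 2000 SIZ marker segment (0xFF51, field layout per ITU-T T.800 Table A.9) and computes the image size two ways: without checks, which reproduces the wrapped height on a constructed segment whose YOsiz exceeds Ysiz, and with the spec's constraints enforced, which rejects that segment before any buffer is sized from it. The SIZ byte strings, MAX_DIM and every function name here are this example's own constructions, not FFmpeg identifiers.

```c
/* Added example (not FFmpeg code): minimal JPEG 2000 SIZ (0xFF51) parser
 * showing how an unchecked Ysiz - YOsiz wraps to the 4294967168 in the
 * ticket, beside the checked form. Field layout per ITU-T T.800 Table A.9;
 * MAX_DIM, the sample bytes and the helper names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define MAX_DIM 65535u                /* hypothetical size cap for this example */

struct siz {                          /* fixed part of SIZ; Csiz component triples follow */
    uint16_t lsiz, rsiz, csiz;
    uint32_t xsiz, ysiz, xosiz, yosiz, xtsiz, ytsiz, xtosiz, ytosiz;
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the bytes following the 0xFF51 marker. Returns 0 on success, -2 if the
 * segment is truncated or Lsiz is inconsistent. Does no semantic validation. */
int parse_siz(const uint8_t *buf, size_t len, struct siz *s)
{
    if (len < 38) return -2;                       /* Lsiz .. Csiz is 38 bytes */
    s->lsiz = rd16(buf);        s->rsiz = rd16(buf + 2);
    s->xsiz = rd32(buf + 4);    s->ysiz = rd32(buf + 8);
    s->xosiz = rd32(buf + 12);  s->yosiz = rd32(buf + 16);
    s->xtsiz = rd32(buf + 20);  s->ytsiz = rd32(buf + 24);
    s->xtosiz = rd32(buf + 28); s->ytosiz = rd32(buf + 32);
    s->csiz = rd16(buf + 36);
    if (s->lsiz != 38 + 3u * s->csiz || len < s->lsiz) return -2;
    return 0;
}

/* Naive: width = Xsiz - XOsiz, height = Ysiz - YOsiz with no range checks.
 * When a fuzzed YOsiz exceeds Ysiz the unsigned subtraction wraps. */
void naive_dims(const struct siz *s, uint32_t *w, uint32_t *h)
{
    *w = s->xsiz - s->xosiz;
    *h = s->ysiz - s->yosiz;
}

/* Checked: enforce the T.800 constraints (XOsiz < Xsiz, YOsiz < Ysiz, non-zero
 * tiles, XTOsiz <= XOsiz, first tile covers the image origin) plus a size cap,
 * before anything downstream is sized from the result. -1 on rejection.
 * Per-component subsampling (XRsiz/YRsiz) is left out for brevity. */
int checked_dims(const struct siz *s, uint32_t *w, uint32_t *h)
{
    if (s->csiz == 0) return -1;
    if (s->xosiz >= s->xsiz || s->yosiz >= s->ysiz) return -1;       /* rejects the fuzzed case */
    if (s->xsiz - s->xosiz > MAX_DIM || s->ysiz - s->yosiz > MAX_DIM) return -1;
    if (s->xtsiz == 0 || s->ytsiz == 0) return -1;
    if (s->xtosiz > s->xosiz || s->ytosiz > s->yosiz) return -1;
    if (s->xtsiz <= s->xosiz - s->xtosiz || s->ytsiz <= s->yosiz - s->ytosiz) return -1;
    *w = s->xsiz - s->xosiz;
    *h = s->ysiz - s->yosiz;
    return 0;
}

/* Constructed SIZ segments (not bytes from the ticket's fuzzed3.avi):
 * one 8-bit component, no subsampling, Lsiz = 38 + 3*1 = 41 (0x29). */
const uint8_t fuzzed_siz[] = {
    0x00,0x29, 0x00,0x00,                       /* Lsiz, Rsiz */
    0x00,0x00,0x00,0xC0,                        /* Xsiz  = 192 */
    0x00,0x00,0x00,0x80,                        /* Ysiz  = 128 */
    0x00,0x00,0x00,0x00,                        /* XOsiz = 0   */
    0x00,0x00,0x01,0x00,                        /* YOsiz = 256 > Ysiz: out of spec */
    0x00,0x00,0x00,0xC0, 0x00,0x00,0x00,0x80,   /* XTsiz, YTsiz */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,   /* XTOsiz, YTOsiz */
    0x00,0x01, 0x07,0x01,0x01                   /* Csiz = 1; Ssiz (8 bit), XRsiz, YRsiz */
};
const uint8_t valid_siz[] = {
    0x00,0x29, 0x00,0x00,
    0x00,0x00,0x00,0xC0, 0x00,0x00,0x00,0x80,   /* 192 x 128 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,   /* origin (0,0) */
    0x00,0x00,0x00,0xC0, 0x00,0x00,0x00,0x80,   /* one tile covering the image */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x01, 0x07,0x01,0x01
};

/* Height the naive computation yields for a segment (0 if it does not parse). */
uint32_t naive_height_of(const uint8_t *buf, size_t len)
{
    struct siz s; uint32_t w, h;
    if (parse_siz(buf, len, &s) < 0) return 0;
    naive_dims(&s, &w, &h);
    return h;
}

/* Verdict of the checked path: 0 accepted, -1 rejected, -2 malformed. */
int checked_verdict(const uint8_t *buf, size_t len)
{
    struct siz s; uint32_t w, h;
    int rc = parse_siz(buf, len, &s);
    return rc < 0 ? rc : checked_dims(&s, &w, &h);
}

int main(void)
{
    printf("fuzzed: naive height %" PRIu32 ", checked verdict %d\n",
           naive_height_of(fuzzed_siz, sizeof fuzzed_siz), checked_verdict(fuzzed_siz, sizeof fuzzed_siz));
    printf("valid:  naive height %" PRIu32 ", checked verdict %d\n",
           naive_height_of(valid_siz, sizeof valid_siz), checked_verdict(valid_siz, sizeof valid_siz));
    return 0;
}
```

Build with `cc -std=c99 -Wall siz_check.c` (file name assumed). On the constructed out-of-spec segment the naive path reports 192x4294967168, the same shape as the IMGUTILS line in the log, while the checked path returns -1 from the origin test. The second lesson in the log is independent of this parser: once get_buffer() has failed, the error has to be propagated so that nothing later in the frame path, such as tile decoding, runs against a frame that has no buffer.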

