[FFmpeg-trac] #3115(avcodec:open): hevc: crash with threads 1 (fuzzed file)
FFmpeg
trac at avcodec.org
Tue Nov 19 11:41:39 CET 2013
#3115: hevc: crash with threads 1 (fuzzed file)
------------------------------------+-----------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: open
Priority: important | Component: avcodec
Version: git-master | Resolution:
Keywords: hevc crash | Blocked By:
Blocking: | Reproduced by developer: 1
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by cehoyos):
{{{
(gdb) r -threads 1 -i fahevc2.ts -f null -
ffmpeg version N-58263-g1f7b7d5 Copyright (c) 2000-2013 the FFmpeg developers
built on Nov 19 2013 11:36:45 with gcc 4.7 (SUSE Linux)
configuration: --disable-optimizations --disable-asm --enable-debug=3
libavutil 52. 53.100 / 52. 53.100
libavcodec 55. 43.101 / 55. 43.101
libavformat 55. 21.100 / 55. 21.100
libavdevice 55. 5.100 / 55. 5.100
libavfilter 3. 91.100 / 3. 91.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
...
*** glibc detected *** ffmpeg_g: corrupted double-linked list: 0x0000000002d6a680 ***
...
(gdb) bt
#0 0x00007ffff6104c0b in __lll_lock_wait_private () from /lib64/libc.so.6
#1 0x00007ffff6092b5e in _L_lock_11285 () from /lib64/libc.so.6
#2 0x00007ffff6090c22 in malloc () from /lib64/libc.so.6
#3 0x00007ffff7de01d2 in local_strdup () from /lib64/ld-linux-x86-64.so.2
#4 0x00007ffff7de33c7 in _dl_map_object () from /lib64/ld-linux-x86-64.so.2
#5 0x00007ffff7ded81e in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#6 0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#7 0x00007ffff7ded28c in _dl_open () from /lib64/ld-linux-x86-64.so.2
#8 0x00007ffff612e332 in do_dlopen () from /lib64/libc.so.6
#9 0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff612e3cf in dlerror_run () from /lib64/libc.so.6
#11 0x00007ffff612e441 in __libc_dlopen_mode () from /lib64/libc.so.6
#12 0x00007ffff6109ed5 in init () from /lib64/libc.so.6
#13 0x00007ffff6ce9c80 in pthread_once () from /lib64/libpthread.so.0
#14 0x00007ffff6109ff4 in backtrace () from /lib64/libc.so.6
#15 0x00007ffff6086fe5 in __libc_message () from /lib64/libc.so.6
#16 0x00007ffff608cb66 in malloc_printerr () from /lib64/libc.so.6
#17 0x00007ffff608edcc in _int_malloc () from /lib64/libc.so.6
#18 0x00007ffff6090c30 in malloc () from /lib64/libc.so.6
#19 0x00007ffff609261c in posix_memalign () from /lib64/libc.so.6
#20 0x0000000000de95ba in av_malloc (size=1200) at libavutil/mem.c:94
#21 0x000000000088d73b in av_malloc_array (nmemb=300, size=4) at ./libavutil/mem.h:97
#22 0x0000000000892408 in ff_hevc_decode_nal_pps (s=0x19b75a0) at libavcodec/hevc_ps.c:1238
#23 0x000000000088ce09 in parse_nal_units (s=0x19a4000, avctx=0x1932500, buf=0x19270c0 "D\001\300b\006\002\222", buf_size=8778) at libavcodec/hevc_parser.c:146
#24 0x000000000088d4a0 in hevc_parse (s=0x19a4000, avctx=0x1932500, poutbuf=0x7fffffffd3b8, poutbuf_size=0x7fffffffd3c0, buf=0x1927080 "", buf_size=8778) at libavcodec/hevc_parser.c:279
#25 0x00000000009e4cf1 in av_parser_parse2 (s=0x19a4000, avctx=0x1932500, poutbuf=0x7fffffffd3b8, poutbuf_size=0x7fffffffd3c0, buf=0x2f2e900 "", buf_size=4119, pts=499065, dts=495465, pos=920636) at libavcodec/parser.c:155
#26 0x00000000005b74b3 in parse_packet (s=0x192e7e0, pkt=0x7fffffffd470, stream_index=0) at libavformat/utils.c:1206
#27 0x00000000005b7f87 in read_frame_internal (s=0x192e7e0, pkt=0x7fffffffd7a0) at libavformat/utils.c:1384
#28 0x00000000005b8265 in av_read_frame (s=0x192e7e0, pkt=0x7fffffffd7a0) at libavformat/utils.c:1425
#29 0x000000000041e5e5 in get_input_packet (f=0x1b36b20, pkt=0x7fffffffd7a0) at ffmpeg.c:2919
#30 0x000000000041e700 in process_input (file_index=0) at ffmpeg.c:2956
#31 0x000000000041fe8d in transcode_step () at ffmpeg.c:3226
#32 0x000000000041ff9a in transcode () at ffmpeg.c:3278
#33 0x00000000004204ae in main (argc=8, argv=0x7fffffffdd48) at ffmpeg.c:3456
}}}
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3115#comment:4>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker