[FFmpeg-trac] #2949(undetermined:new): tgv: invalid write with max_alloc

FFmpeg trac at avcodec.org
Mon Sep 9 13:26:56 CEST 2013


#2949: tgv: invalid write with max_alloc
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 http://www1.datafilehost.com/d/2d320c51

 {{{
 knoppix@Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-a67dcd7/ffmpeg_g
 GNU gdb (GDB) 7.4.1-debian
 Copyright (C) 2012 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g...done.
 (gdb) r -max_alloc 500000 -i ./fuzz.tgv -an -f null -
 Starting program: /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 500000 -i ./fuzz.tgv -an -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
   built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      52. 43.100 / 52. 43.100
   libavcodec     55. 31.101 / 55. 31.101
   libavformat    55. 16.101 / 55. 16.101
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 83.102 /  3. 83.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Guessed Channel Layout for  Input Stream #0.1 : stereo
 Input #0, ea, from './fuzz.tgv':
   Duration: N/A, start: 0.000000, bitrate: N/A
     Stream #0:0: Video: tgv, pal8, 320x132, 15 fps, 15 tbr, 90k tbn, 15 tbc
     Stream #0:1: Audio: adpcm_ima_ea_sead, 22050 Hz, stereo, s16, 176 kb/s
 [New Thread 0xb7df8b70 (LWP 25733)]
 [New Thread 0xb75f8b70 (LWP 25734)]
 [New Thread 0xb6df8b70 (LWP 25735)]
 [New Thread 0xb65f8b70 (LWP 25736)]
 [New Thread 0xb5df8b70 (LWP 25737)]
 [New Thread 0xb55f8b70 (LWP 25738)]
 [New Thread 0xb4df8b70 (LWP 25739)]
 [New Thread 0xb45f8b70 (LWP 25740)]
 [New Thread 0xb3df8b70 (LWP 25741)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.16.101
     Stream #0:0: Video: rawvideo, pal8, 320x132, q=2-31, 200 kb/s, 90k tbn, 15 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (eatgv -> rawvideo)
 Press [q] to stop, [?] for help
 [null @ 0x91070c0] Encoder did not produce proper pts, making some up.
 [eatgv @ 0x9106600] MV 31 -6 out of picture
 [eatgv @ 0x9106600] MV 380 13 out of picture
 [eatgv @ 0x9106600] MV -223 13 out of picture
 [eatgv @ 0x9106600] MV -51 37 out of picture
 [eatgv @ 0x9106600] MV 318 81 out of picture
 [eatgv @ 0x9106600] MV 19 351 out of picture
 [eatgv @ 0x9106600] MV 87 383 out of picture
 [eatgv @ 0x9106600] MV -175 113 out of picture
 [eatgv @ 0x9106600] MV -42 11 out of picture
 [eatgv @ 0x9106600] MV 233 -126 out of picture
 [eatgv @ 0x9106600] MV -58 111 out of picture
 [eatgv @ 0x9106600] MV 213 -22 out of picture
 [eatgv @ 0x9106600] MV 44 135 out of picture
 [eatgv @ 0x9106600] MV 93 -10 out of picture
 [eatgv @ 0x9106600] MV -2 1 out of picture
 [eatgv @ 0x9106600] MV 340 133 out of picture
 [eatgv @ 0x9106600] MV -279 3 out of picture
 [eatgv @ 0x9106600] MV -279 7 out of picture
 [eatgv @ 0x9106600] MV -267 7 out of picture
 [eatgv @ 0x9106600] MV -283 11 out of picture
 [eatgv @ 0x9106600] MV -431 19 out of picture
 [eatgv @ 0x9106600] MV -199 23 out of picture
 [eatgv @ 0x9106600] MV -271 31 out of picture
 [eatgv @ 0x9106600] MV -223 31 out of picture
 [eatgv @ 0x9106600] MV -455 35 out of picture
 [eatgv @ 0x9106600] MV -211 43 out of picture
 [eatgv @ 0x9106600] MV -199 43 out of picture
 [eatgv @ 0x9106600] MV -411 47 out of picture
 [eatgv @ 0x9106600] MV -239 51 out of picture
 [eatgv @ 0x9106600] MV -219 55 out of picture
 [eatgv @ 0x9106600] MV -207 55 out of picture
 [eatgv @ 0x9106600] MV -207 63 out of picture
 [eatgv @ 0x9106600] MV -239 67 out of picture
 [eatgv @ 0x9106600] MV -211 67 out of picture
 [eatgv @ 0x9106600] MV -331 79 out of picture
 [eatgv @ 0x9106600] MV -311 91 out of picture
 [eatgv @ 0x9106600] MV -427 95 out of picture
 [eatgv @ 0x9106600] MV -431 99 out of picture
 [eatgv @ 0x9106600] MV -427 99 out of picture
 [eatgv @ 0x9106600] MV 237 134 out of picture
 [eatgv @ 0x9106600] MV -219 111 out of picture
 [eatgv @ 0x9106600] MV -34 23 out of picture
 [eatgv @ 0x9106600] MV -30 23 out of picture
 [eatgv @ 0x9106600] MV 363 92 out of picture
 [eatgv @ 0x9106600] MV 205 135 out of picture
 [eatgv @ 0x9106600] MV 324 0 out of picture
 [eatgv @ 0x9106600] MV 281 -13 out of picture
 [eatgv @ 0x9106600] MV 814 15 out of picture
 [eatgv @ 0x9106600] MV 782 19 out of picture
 [eatgv @ 0x9106600] MV 802 19 out of picture
 [eatgv @ 0x9106600] MV 778 23 out of picture
 [eatgv @ 0x9106600] MV 786 23 out of picture
 [eatgv @ 0x9106600] MV 790 23 out of picture
 [eatgv @ 0x9106600] MV 798 23 out of picture
 [eatgv @ 0x9106600] MV 802 23 out of picture
 [eatgv @ 0x9106600] MV 806 23 out of picture
 [eatgv @ 0x9106600] MV 818 23 out of picture
 [eatgv @ 0x9106600] MV 58 -1 out of picture
 [eatgv @ 0x9106600] MV 782 27 out of picture
 [eatgv @ 0x9106600] MV 786 27 out of picture
 [eatgv @ 0x9106600] MV 742 31 out of picture
 [eatgv @ 0x9106600] MV 762 31 out of picture
 [eatgv @ 0x9106600] MV 798 31 out of picture
 [eatgv @ 0x9106600] MV 818 31 out of picture
 [eatgv @ 0x9106600] MV 778 43 out of picture
 [eatgv @ 0x9106600] MV 762 47 out of picture
 [eatgv @ 0x9106600] MV 538 55 out of picture
 [eatgv @ 0x9106600] MV 758 55 out of picture
 [eatgv @ 0x9106600] MV 630 59 out of picture
 [eatgv @ 0x9106600] MV 750 67 out of picture
 [eatgv @ 0x9106600] MV 670 71 out of picture
 [eatgv @ 0x9106600] MV 674 83 out of picture
 [eatgv @ 0x9106600] MV 562 95 out of picture
 [eatgv @ 0x9106600] MV 686 103 out of picture
 [eatgv @ 0x9106600] MV 602 115 out of picture
 [eatgv @ 0x9106600] MV 686 119 out of picture
 [eatgv @ 0x9106600] MV 682 127 out of picture
 [eatgv @ 0x9106600] MV 196 136 out of picture
 [eatgv @ 0x9106600] MV 116 144 out of picture
 [eatgv @ 0x9106600] MV 12 148 out of picture
 [eatgv @ 0x9106600] MV 156 152 out of picture
 [eatgv @ 0x9106600] MV 104 156 out of picture
 [eatgv @ 0x9106600] MV 104 160 out of picture
 [eatgv @ 0x9106600] MV 112 160 out of picture
 [eatgv @ 0x9106600] MV 109 -22 out of picture
 [eatgv @ 0x9106600] MV 160 160 out of picture
 [eatgv @ 0x9106600] MV 172 160 out of picture
 [eatgv @ 0x9106600] MV 29 139 out of picture
 [eatgv @ 0x9106600] truncated inter frame
 Error while decoding stream #0:0: Invalid data found when processing input

 Program received signal SIGSEGV, Segmentation fault.
 0x0831bad3 in tgv_decode_inter (buf_end=<optimized out>,
     buf=0x918707c "H\312s\215\377\327\t\031\217\207", s=0x90f5080,
     frame=<optimized out>) at libavcodec/eatgv.c:205
 205                 s->block_codebook[i][15-j] = tmp[get_bits(&gb, 2)];
 (gdb) bt
 #0  0x0831bad3 in tgv_decode_inter (buf_end=<optimized out>,
     buf=0x918707c "H\312s\215\377\327\t\031\217\207", s=0x90f5080,
     frame=<optimized out>) at libavcodec/eatgv.c:205
 #1  tgv_decode_frame (avctx=0x9106600, data=0x90f56c0,
 got_frame=0xbffff4e4,
     avpkt=0xbffff288) at libavcodec/eatgv.c:323
 #2  0x086770fe in avcodec_decode_video2 (avctx=0x9106600,
     picture=picture@entry=0x90f56c0,
     got_picture_ptr=got_picture_ptr@entry=0xbffff4e4,
     avpkt=avpkt@entry=0xbffff730) at libavcodec/utils.c:1983
 #3  0x080b36fd in decode_video (ist=ist@entry=0x9107b80,
     pkt=pkt@entry=0xbffff730, got_output=got_output@entry=0xbffff4e4)
     at ffmpeg.c:1668
 #4  0x080b761a in output_packet (pkt=0xbffff6c8, ist=0x9107b80)
     at ffmpeg.c:1866
 #5  process_input (file_index=2) at ffmpeg.c:3085
 #6  0x080a2ec3 in transcode_step () at ffmpeg.c:3181
 #7  transcode () at ffmpeg.c:3233
 #8  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3411
 (gdb)
 }}}

 {{{
 knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 500000 -i ./fuzz.tgv -f null -
 ==25707== Memcheck, a memory error detector
 ==25707== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==25707== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==25707== Command: ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 500000 -i ./fuzz.tgv -f null -
 ==25707==
 ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
   built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      52. 43.100 / 52. 43.100
   libavcodec     55. 31.101 / 55. 31.101
   libavformat    55. 16.101 / 55. 16.101
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 83.102 /  3. 83.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Guessed Channel Layout for  Input Stream #0.1 : stereo
 Input #0, ea, from './fuzz.tgv':
   Duration: N/A, start: 0.000000, bitrate: N/A
     Stream #0:0: Video: tgv, pal8, 320x132, 15 fps, 15 tbr, 90k tbn, 15 tbc
     Stream #0:1: Audio: adpcm_ima_ea_sead, 22050 Hz, stereo, s16, 176 kb/s
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.16.101
     Stream #0:0: Video: rawvideo, pal8, 320x132, q=2-31, 200 kb/s, 90k tbn, 15 tbc
     Stream #0:1: Audio: pcm_s16le, 22050 Hz, stereo, s16, 705 kb/s
 Stream mapping:
   Stream #0:0 -> #0:0 (eatgv -> rawvideo)
   Stream #0:1 -> #0:1 (adpcm_ima_ea_sead -> pcm_s16le)
 Press [q] to stop, [?] for help
 [null @ 0x4379000] Encoder did not produce proper pts, making some up.
 [eatgv @ 0x423a4c0] MV 31 -6 out of picture
 [eatgv @ 0x423a4c0] MV 380 13 out of picture
 [eatgv @ 0x423a4c0] MV -223 13 out of picture
 [eatgv @ 0x423a4c0] MV -51 37 out of picture
 [eatgv @ 0x423a4c0] MV 318 81 out of picture
 [eatgv @ 0x423a4c0] MV 19 351 out of picture
 [eatgv @ 0x423a4c0] MV 87 383 out of picture
 [eatgv @ 0x423a4c0] MV -175 113 out of picture
 [eatgv @ 0x423a4c0] MV -42 11 out of picture
 [eatgv @ 0x423a4c0] MV 233 -126 out of picture
 [eatgv @ 0x423a4c0] MV -58 111 out of picture
 [eatgv @ 0x423a4c0] MV 213 -22 out of picture
 [eatgv @ 0x423a4c0] MV 44 135 out of picture
 [eatgv @ 0x423a4c0] MV 93 -10 out of picture
 [eatgv @ 0x423a4c0] MV -2 1 out of picture
 [eatgv @ 0x423a4c0] MV 340 133 out of picture
 [eatgv @ 0x423a4c0] MV -279 3 out of picture
 [eatgv @ 0x423a4c0] MV -279 7 out of picture
 [eatgv @ 0x423a4c0] MV -267 7 out of picture
 [eatgv @ 0x423a4c0] MV -283 11 out of picture
 [eatgv @ 0x423a4c0] MV -431 19 out of picture
 [eatgv @ 0x423a4c0] MV -199 23 out of picture
 [eatgv @ 0x423a4c0] MV -271 31 out of picture
 [eatgv @ 0x423a4c0] MV -223 31 out of picture
 [eatgv @ 0x423a4c0] MV -455 35 out of picture
 [eatgv @ 0x423a4c0] MV -211 43 out of picture
 [eatgv @ 0x423a4c0] MV -199 43 out of picture
 [eatgv @ 0x423a4c0] MV -411 47 out of picture
 [eatgv @ 0x423a4c0] MV -239 51 out of picture
 [eatgv @ 0x423a4c0] MV -219 55 out of picture
 [eatgv @ 0x423a4c0] MV -207 55 out of picture
 [eatgv @ 0x423a4c0] MV -207 63 out of picture
 [eatgv @ 0x423a4c0] MV -239 67 out of picture
 [eatgv @ 0x423a4c0] MV -211 67 out of picture
 [eatgv @ 0x423a4c0] MV -331 79 out of picture
 [eatgv @ 0x423a4c0] MV -311 91 out of picture
 [eatgv @ 0x423a4c0] MV -427 95 out of picture
 [eatgv @ 0x423a4c0] MV -431 99 out of picture
 [eatgv @ 0x423a4c0] MV -427 99 out of picture
 [eatgv @ 0x423a4c0] MV 237 134 out of picture
 [eatgv @ 0x423a4c0] MV -219 111 out of picture
 [eatgv @ 0x423a4c0] MV -34 23 out of picture
 [eatgv @ 0x423a4c0] MV -30 23 out of picture
 [eatgv @ 0x423a4c0] MV 363 92 out of picture
 [eatgv @ 0x423a4c0] MV 205 135 out of picture
 [eatgv @ 0x423a4c0] MV 324 0 out of picture
 [eatgv @ 0x423a4c0] MV 281 -13 out of picture
 [eatgv @ 0x423a4c0] MV 814 15 out of picture
 [eatgv @ 0x423a4c0] MV 782 19 out of picture
 [eatgv @ 0x423a4c0] MV 802 19 out of picture
 [eatgv @ 0x423a4c0] MV 778 23 out of picture
 [eatgv @ 0x423a4c0] MV 786 23 out of picture
 [eatgv @ 0x423a4c0] MV 790 23 out of picture
 [eatgv @ 0x423a4c0] MV 798 23 out of picture
 [eatgv @ 0x423a4c0] MV 802 23 out of picture
 [eatgv @ 0x423a4c0] MV 806 23 out of picture
 [eatgv @ 0x423a4c0] MV 818 23 out of picture
 [eatgv @ 0x423a4c0] MV 58 -1 out of picture
 [eatgv @ 0x423a4c0] MV 782 27 out of picture
 [eatgv @ 0x423a4c0] MV 786 27 out of picture
 [eatgv @ 0x423a4c0] MV 742 31 out of picture
 [eatgv @ 0x423a4c0] MV 762 31 out of picture
 [eatgv @ 0x423a4c0] MV 798 31 out of picture
 [eatgv @ 0x423a4c0] MV 818 31 out of picture
 [eatgv @ 0x423a4c0] MV 778 43 out of picture
 [eatgv @ 0x423a4c0] MV 762 47 out of picture
 [eatgv @ 0x423a4c0] MV 538 55 out of picture
 [eatgv @ 0x423a4c0] MV 758 55 out of picture
 [eatgv @ 0x423a4c0] MV 630 59 out of picture
 [eatgv @ 0x423a4c0] MV 750 67 out of picture
 [eatgv @ 0x423a4c0] MV 670 71 out of picture
 [eatgv @ 0x423a4c0] MV 674 83 out of picture
 [eatgv @ 0x423a4c0] MV 562 95 out of picture
 [eatgv @ 0x423a4c0] MV 686 103 out of picture
 [eatgv @ 0x423a4c0] MV 602 115 out of picture
 [eatgv @ 0x423a4c0] MV 686 119 out of picture
 [eatgv @ 0x423a4c0] MV 682 127 out of picture
 [eatgv @ 0x423a4c0] MV 196 136 out of picture
 [eatgv @ 0x423a4c0] MV 116 144 out of picture
 [eatgv @ 0x423a4c0] MV 12 148 out of picture
 [eatgv @ 0x423a4c0] MV 156 152 out of picture
 [eatgv @ 0x423a4c0] MV 104 156 out of picture
 [eatgv @ 0x423a4c0] MV 104 160 out of picture
 [eatgv @ 0x423a4c0] MV 112 160 out of picture
 [eatgv @ 0x423a4c0] MV 109 -22 out of picture
 [eatgv @ 0x423a4c0] MV 160 160 out of picture
 [eatgv @ 0x423a4c0] MV 172 160 out of picture
 [eatgv @ 0x423a4c0] MV 29 139 out of picture
 [eatgv @ 0x423a4c0] truncated inter frame
 Error while decoding stream #0:0: Invalid data found when processing input
 ==25707== Invalid write of size 1
 ==25707==    at 0x831BAD3: tgv_decode_frame (eatgv.c:205)
 ==25707==    by 0x86770FD: avcodec_decode_video2 (utils.c:1983)
 ==25707==    by 0x80B36FC: decode_video (ffmpeg.c:1668)
 ==25707==    by 0x9DC46F0: ???
 ==25707==  Address 0xf is not stack'd, malloc'd or (recently) free'd
 ==25707==
 ==25707==
 ==25707== Process terminating with default action of signal 11 (SIGSEGV)
 ==25707==  Access not within mapped region at address 0xF
 ==25707==    at 0x831BAD3: tgv_decode_frame (eatgv.c:205)
 ==25707==    by 0x86770FD: avcodec_decode_video2 (utils.c:1983)
 ==25707==    by 0x80B36FC: decode_video (ffmpeg.c:1668)
 ==25707==    by 0x9DC46F0: ???
 ==25707==  If you believe this happened as a result of a stack
 ==25707==  overflow in your program's main thread (unlikely but
 ==25707==  possible), you can try to increase the size of the
 ==25707==  main thread stack using the --main-stacksize= flag.
 ==25707==  The main thread stack size used in this run was 8388608.
 ==25707==
 ==25707== HEAP SUMMARY:
 ==25707==     in use at exit: 984,530 bytes in 564 blocks
 ==25707==   total heap usage: 2,890 allocs, 2,326 frees, 2,605,079 bytes allocated
 ==25707==
 ==25707== 2,592 bytes in 18 blocks are possibly lost in loss record 132 of 145
 ==25707==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
 ==25707==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
 ==25707==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
 ==25707==    by 0x80D9651: ff_graph_thread_init (pthread.c:180)
 ==25707==    by 0x80CD5C7: avfilter_graph_alloc_filter (avfiltergraph.c:186)
 ==25707==    by 0x80D8204: create_filter (graphparser.c:112)
 ==25707==    by 0x80D8C59: avfilter_graph_parse2 (graphparser.c:169)
 ==25707==
 ==25707== 30,944 bytes in 1 blocks are possibly lost in loss record 139 of 145
 ==25707==    at 0x4028308: malloc (vg_replace_malloc.c:263)
 ==25707==    by 0x402849F: realloc (vg_replace_malloc.c:632)
 ==25707==    by 0x831C361: tgv_decode_frame (eatgv.c:177)
 ==25707==    by 0x86770FD: avcodec_decode_video2 (utils.c:1983)
 ==25707==    by 0x80B36FC: decode_video (ffmpeg.c:1668)
 ==25707==    by 0x4EE3900: ???
 ==25707==
 ==25707== LEAK SUMMARY:
 ==25707==    definitely lost: 0 bytes in 0 blocks
 ==25707==    indirectly lost: 0 bytes in 0 blocks
 ==25707==      possibly lost: 33,536 bytes in 19 blocks
 ==25707==    still reachable: 950,994 bytes in 545 blocks
 ==25707==         suppressed: 0 bytes in 0 blocks
 ==25707== Reachable blocks (those to which a pointer was found) are not shown.
 ==25707== To see them, rerun with: --leak-check=full --show-reachable=yes
 ==25707==
 ==25707== For counts of detected and suppressed errors, rerun with: -v
 ==25707== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 59 from 6)
 Killed
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2949>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
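Added example (not part of the ticket, and not FFmpeg's source): a C model of the failure mode the two traces point at. The crash line, eatgv.c:205, stores one byte into s->block_codebook[i][15-j], and Valgrind reports that byte landing at address 0xf, which is exactly index [0][15] measured from a NULL base pointer. The report does not show where block_codebook is allocated, so this example assumes the codebook was grown by a realloc that returned NULL once the -max_alloc cap was exceeded and that the result was used without a check; the ModelCtx struct, its field names, capped_realloc, g_max_alloc and the grow/simulate functions are illustrative and not the decoder's real code. The unchecked variant reproduces the 0xf address arithmetic without dereferencing it; the checked variant keeps the old buffer and returns -ENOMEM so the fill loop is never reached.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative decoder context (assumption: modelled on the crash line's
 * s->block_codebook[i][15-j], not FFmpeg's real TgvContext). */
typedef struct {
    uint8_t (*block_codebook)[16];   /* one 16-byte entry per packed block */
    int      num_blocks_packed;      /* entries currently allocated */
} ModelCtx;

/* Stand-in for ffmpeg's -max_alloc: any request above the cap fails. */
static size_t g_max_alloc = SIZE_MAX;

static void *capped_realloc(void *p, size_t size)
{
    if (size > g_max_alloc)
        return NULL;                 /* av_realloc-style failure: NULL, old block kept */
    return realloc(p, size);
}

/* Unchecked growth: a failed realloc replaces the pointer with NULL and leaks
 * the old buffer; the following codebook fill then writes through NULL. */
static int grow_codebook_unchecked(ModelCtx *s, int num_blocks_packed)
{
    if (num_blocks_packed > s->num_blocks_packed) {
        s->block_codebook    = capped_realloc(s->block_codebook,
                                              (size_t)num_blocks_packed * 16);
        s->num_blocks_packed = num_blocks_packed;
    }
    return 0;
}

/* Checked growth: keep the old buffer on failure, reset the bookkeeping and
 * report ENOMEM so the caller bails out before touching the codebook. */
static int grow_codebook_checked(ModelCtx *s, int num_blocks_packed)
{
    if (num_blocks_packed > s->num_blocks_packed) {
        void *tmp = capped_realloc(s->block_codebook,
                                   (size_t)num_blocks_packed * 16);
        if (!tmp) {
            s->num_blocks_packed = 0;
            return -ENOMEM;
        }
        s->block_codebook    = tmp;
        s->num_blocks_packed = num_blocks_packed;
    }
    return 0;
}

/* Address the byte store at eatgv.c:205 would target for entry (i, 15-j),
 * computed arithmetically so a NULL base is never actually dereferenced. */
static uintptr_t store_address(const ModelCtx *s, int i, int j)
{
    return (uintptr_t)s->block_codebook + (uintptr_t)i * 16 + (uintptr_t)(15 - j);
}

/* One decode step under an allocation cap. Returns the grow function's
 * status and records where the first codebook store (i = 0, j = 0) would land. */
static int simulate(int use_checked, size_t cap, int num_blocks,
                    uintptr_t *first_store)
{
    ModelCtx s = { NULL, 0 };
    g_max_alloc = cap;
    int err = use_checked ? grow_codebook_checked(&s, num_blocks)
                          : grow_codebook_unchecked(&s, num_blocks);
    *first_store = store_address(&s, 0, 0);
    free(s.block_codebook);          /* free(NULL) is a no-op */
    return err;
}

int main(void)
{
    uintptr_t addr;
    int err;

    /* 4096 packed blocks need 65536 bytes; a 1024-byte cap makes that fail. */
    err = simulate(0, 1024, 4096, &addr);
    printf("unchecked: err=%d, first store at 0x%lx\n", err, (unsigned long)addr);

    err = simulate(1, 1024, 4096, &addr);
    printf("checked:   err=%d (-ENOMEM=%d), fill loop skipped\n", err, -ENOMEM);

    err = simulate(1, (size_t)1 << 20, 4096, &addr);
    printf("checked, cap raised: err=%d, buffer at 0x%lx\n", err, (unsigned long)addr);
    return 0;
}
```

A quick confirmation on the real binary is to rerun the same command with a larger -max_alloc (or without it): if the invalid write disappears while the "MV ... out of picture" warnings stay, the write is driven by allocation failure rather than by a bitstream bounds error. Note that the unchecked variant also leaks the previous buffer, since realloc leaves the old block allocated when it fails.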

