[FFmpeg-trac] #3273(undetermined:new): vp9: crash with fuzzed file

FFmpeg trac at avcodec.org
Sun Jan 5 19:30:37 CET 2014


#3273: vp9: crash with fuzzed file
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 (gdb) r -i vp9_f1.avi -f null -
 Starting program: /media/sdb1/ffmpeg-HEAD-8a0d446/ffmpeg_g -i vp9_f1.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 2.1.git-8a0d446 Copyright (c) 2000-2013 the FFmpeg developers
   built on Dec 29 2013 20:43:02 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver
   libavutil      52. 59.100 / 52. 59.100
   libavcodec     55. 47.100 / 55. 47.100
   libavformat    55. 22.100 / 55. 22.100
   libavdevice    55.  5.102 / 55.  5.102
   libavfilter     4.  0.103 /  4.  0.103
   libswscale      2.  5.101 /  2.  5.101
   libswresample   0. 17.104 /  0. 17.104
   libpostproc    52.  3.100 / 52.  3.100
 [avi @ 0x929ed80] Something went wrong during header parsing, I will ignore it and try to continue anyway.
 Input #0, avi, from 'vp9_f1.avi':
   Duration: 00:00:12.64, start: 0.000000, bitrate: 213 kb/s
     Stream #0:0: Video: vp9 (VP90 / 0x30395056), yuv420p, 320x240, 23.97 tbr, 23.97 tbn, 23.97 tbc
 [New Thread 0xb7df8b70 (LWP 30872)]
 [New Thread 0xb75f8b70 (LWP 30873)]
 [New Thread 0xb6df8b70 (LWP 30874)]
 [New Thread 0xb65f8b70 (LWP 30875)]
 [New Thread 0xb5df8b70 (LWP 30876)]
 [New Thread 0xb55f8b70 (LWP 30877)]
 [New Thread 0xb4df8b70 (LWP 30878)]
 [New Thread 0xb45f8b70 (LWP 30879)]
 [New Thread 0xb3df8b70 (LWP 30880)]
 [New Thread 0xb35f8b70 (LWP 30881)]
 [New Thread 0xb2df8b70 (LWP 30882)]
 [New Thread 0xb25f8b70 (LWP 30883)]
 [New Thread 0xb1df8b70 (LWP 30884)]
 [New Thread 0xb15f8b70 (LWP 30885)]
 [New Thread 0xb0df8b70 (LWP 30886)]
 [New Thread 0xb05f8b70 (LWP 30887)]
 [New Thread 0xafdf8b70 (LWP 30888)]
 [New Thread 0xaf5f8b70 (LWP 30889)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.22.100
     Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 23.97 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (vp9 -> rawvideo)
 Press [q] to stop, [?] for help
 [vp9 @ 0x929e000] Invalid frame marker
 [vp9 @ 0x92a49a0] Reserved bit should be zero
 [vp9 @ 0x928d040] Not all references are available
 [vp9 @ 0x928f5c0] Invalid sync code
 [vp9 @ 0x9291d20] Not all references are available
 [vp9 @ 0x92d9ce0] Not all references are available
 [vp9 @ 0x92e68c0] Not all references are available
 [vp9 @ 0x92f3540] Invalid frame marker
 Error while decoding stream #0:0: Invalid data found when processing input
 [vp9 @ 0x9300480] Not all references are available

 Program received signal SIGSEGV, Segmentation fault.
 0x00000000 in ?? ()
 (gdb) bt
 #0  0x00000000 in ?? ()
 #1  0x08910542 in format_line (ptr=0x929ff80,
     fmt=fmt@entry=0x8ae70e0 "Superframe packet size too big: %d > %d\n",
     vl=vl@entry=0xbffff08c "", part=part@entry=0xbfffe450,
     print_prefix=print_prefix@entry=0x8bfe21c, type=type@entry=0xbfffe048,
     level=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
     at libavutil/log.c:207
 #2  0x08910709 in av_log_default_callback (ptr=<optimized out>, level=16,
     fmt=0x8ae70e0 "Superframe packet size too big: %d > %d\n",
     vl=0xbffff08c "") at libavutil/log.c:245
 #3  0x08910a92 in av_vlog (vl=0xbffff08c "",
     fmt=0x8ae70e0 "Superframe packet size too big: %d > %d\n",
     level=<optimized out>, avcl=0x929ff80) at libavutil/log.c:297
 #4  av_log (avcl=0x929ff80, level=<optimized out>, level@entry=16,
     fmt=fmt@entry=0x8ae70e0 "Superframe packet size too big: %d > %d\n")
     at libavutil/log.c:289
 #5  0x08785742 in parse (ctx=0x929ff80, avctx=0x929f6a0, out_data=0xbffff1c4,
     out_size=0xbffff1c8, data=<optimized out>, size=<optimized out>)
     at libavcodec/vp9_parser.c:101
 #6  0x08617ee0 in av_parser_parse2 (s=0x929ff80, avctx=0x929f6a0,
     poutbuf=poutbuf@entry=0xbffff1c4,
     poutbuf_size=poutbuf_size@entry=0xbffff1c8,
     buf=buf@entry=0x9310430 "\206", buf_size=buf_size@entry=2528,
     pts=-9223372036854775808, dts=9, pos=53900) at libavcodec/parser.c:156
 #7  0x082483b1 in parse_packet (s=s@entry=0x929ed80, pkt=pkt@entry=0xbffff358,
     stream_index=<optimized out>) at libavformat/utils.c:1213
 #8  0x0824931d in read_frame_internal (s=s@entry=0x929ed80,
     pkt=pkt@entry=0xbffff708) at libavformat/utils.c:1391
 #9  0x08249c52 in av_read_frame (s=0x929ed80, pkt=pkt@entry=0xbffff708)
     at libavformat/utils.c:1447
 #10 0x080c4ff6 in get_input_packet (pkt=0xbffff6e8, f=0x92a0460)
     at ffmpeg.c:3005
 #11 process_input (file_index=0) at ffmpeg.c:3042
 #12 0x080aa85b in transcode_step () at ffmpeg.c:3312
 #13 transcode () at ffmpeg.c:3364
 #14 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3544
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/3273>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker