[FFmpeg-trac] #4294(avformat:new): tta: crash with fuzzed file

FFmpeg trac at avcodec.org
Tue Feb 3 13:20:46 CET 2015


#4294: tta: crash with fuzzed file
----------------------------------+--------------------------------------
             Reporter:  tholin    |                     Type:  defect
               Status:  new       |                 Priority:  important
            Component:  avformat  |                  Version:  git-master
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+--------------------------------------
 The attached file segfaults.
 I had to manually edit the file to make the seek table crc match. It would
 be nice if the tta code could honor the avctx->err_recognition &
 AV_EF_CRCCHECK flag. It's easier to fuzz that way.


 {{{
 $ gdb --args ./ffmpeg -i ~/fuzz/ffmpeg_tta_crash.tta
 GNU gdb (Gentoo 7.7.1 p1) 7.7.1
 Copyright (C) 2014 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-pc-linux-gnu".
 Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <http://bugs.gentoo.org/>.
 Find the GDB manual and other documentation resources online at:
 <http://www.gnu.org/software/gdb/documentation/>.
 For help, type "help".
 Type "apropos word" to search for commands related to "word"...
 Reading symbols from ./ffmpeg...done.
 (gdb) r
 Starting program: /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i
 /home/cocobo/fuzz/ffmpeg_tta_crash.tta
 warning: Could not load shared library symbols for linux-vdso.so.1.
 Do you need "set solib-search-path" or "set sysroot"?
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib64/libthread_db.so.1".
 ffmpeg version N-69499-gfc35df8 Copyright (c) 2000-2015 the FFmpeg
 developers
   built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
   configuration: --prefix=/home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-
 gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-
 optimizations --disable-stripping
   libavutil      54. 18.100 / 54. 18.100
   libavcodec     56. 21.102 / 56. 21.102
   libavformat    56. 19.100 / 56. 19.100
   libavdevice    56.  4.100 / 56.  4.100
   libavfilter     5.  9.103 /  5.  9.103
   libavresample   2.  1.  0 /  2.  1.  0
   libswscale      3.  1.101 /  3.  1.101
   libswresample   1.  1.100 /  1.  1.100
   libpostproc    53.  3.100 / 53.  3.100

 Program received signal SIGSEGV, Segmentation fault.
 0x00000000006c17d8 in tta_read_packet (s=0x1e83360, pkt=0x7fffffffce80)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/libavformat/tta.c:156
 156         size = st->index_entries[c->currentframe].size;
 (gdb) bt
 #0  0x00000000006c17d8 in tta_read_packet (s=0x1e83360,
 pkt=0x7fffffffce80)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/libavformat/tta.c:156
 #1  0x00000000006c76d1 in ff_read_packet (s=0x1e83360, pkt=0x7fffffffce80)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:665
 #2  0x00000000006ca0b3 in read_frame_internal (s=0x1e83360,
 pkt=0x7fffffffd120)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:1317
 #3  0x00000000006d0573 in avformat_find_stream_info (ic=0x1e83360,
 options=0x1e829e0)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:3171
 #4  0x0000000000411202 in open_input_file (o=0x7fffffffd440,
     filename=0x7fffffffde2b "/home/cocobo/fuzz/ffmpeg_tta_crash.tta")
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:908
 #5  0x000000000041931a in open_files (l=0x1e6f0d8, inout=0x1238af7
 "input",
     open_file=0x410953 <open_input_file>)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:2718
 #6  0x00000000004194a7 in ffmpeg_parse_options (argc=3,
 argv=0x7fffffffd9e8)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:2755
 #7  0x000000000042ce83 in main (argc=3, argv=0x7fffffffd9e8)
     at /home/cocobo/repository/mpv-
 build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3996
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4294>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
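As an added example (not FFmpeg's code and not from the ticket), a constructed C model of the crash site in the backtrace: the seek-table cursor is compared with the number of entries actually parsed before `index_entries[currentframe]` is read, and a seek-table checksum check is gated on an err_recognition flag the way the reporter suggests. The type, field and flag names mirror the ones in the trace but are assumptions, and the checksum is a toy stand-in for CRC32.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the state in the backtrace (st->index_entries,
 * c->currentframe); not FFmpeg's own types, flags or error codes. */
#define ERR_EOF         (-1)
#define ERR_INVALIDDATA (-2)
#define EF_CRCCHECK     (1 << 1)        /* stands in for AV_EF_CRCCHECK */
typedef struct { int size; } IndexEntry;
typedef struct { const IndexEntry *index_entries; int nb_index_entries; } Stream;
typedef struct { int currentframe; int totalframes; } TTAContext;

/* The crashing line indexes index_entries[currentframe] on the strength of the
 * header's frame count alone; checking the cursor against the entries actually
 * parsed turns a short seek table into an error instead of an out-of-bounds read. */
static int tta_read_packet_checked(const Stream *st, TTAContext *c, int *size)
{
    if (c->currentframe >= c->totalframes)
        return ERR_EOF;
    if (c->currentframe < 0 || c->currentframe >= st->nb_index_entries)
        return ERR_INVALIDDATA;         /* header promised more frames than the table holds */
    *size = st->index_entries[c->currentframe].size;
    c->currentframe++;
    return 0;
}

/* Drains the stream; returns the packet count or the error that stopped it. */
static int count_packets(const Stream *st, TTAContext *c)
{
    int n = 0, size, ret;
    while ((ret = tta_read_packet_checked(st, c, &size)) == 0)
        n++;
    return ret == ERR_EOF ? n : ret;
}

/* Seek-table checksum gated on err_recognition, as the reporter asks for; a toy
 * checksum stands in for the real CRC32, the gating is the point. */
static uint32_t toy_crc(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len--)
        sum = sum * 31u + *buf++;
    return sum;
}
static int check_seek_table(int err_recognition, const uint8_t *table, size_t len, uint32_t stored_crc)
{
    if (!(err_recognition & EF_CRCCHECK))
        return 0;                       /* flag clear: table accepted unverified */
    return toy_crc(table, len) == stored_crc ? 0 : ERR_INVALIDDATA;
}
```

A header that claims ten frames over a three-entry table now stops with ERR_INVALIDDATA at entry three rather than reading past the array.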