[FFmpeg-trac] #4299(avcodec:new): mpeg2: crash with fuzzed file

FFmpeg trac at avcodec.org
Thu Feb 5 22:04:58 CET 2015


#4299: mpeg2: crash with fuzzed file
------------------------------------+-----------------------------------
             Reporter:  tholin      |                    Owner:
                 Type:  defect      |                   Status:  new
             Priority:  normal      |                Component:  avcodec
              Version:  git-master  |               Resolution:
             Keywords:              |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+-----------------------------------

Comment (by tholin):

 More info as requested.
 {{{
 $ gdb --args ~/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i ffmpeg_mpeg2_crash.mpg -f null -
 GNU gdb (Gentoo 7.7.1 p1) 7.7.1
 Copyright (C) 2014 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-pc-linux-gnu".
 Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <http://bugs.gentoo.org/>.
 Find the GDB manual and other documentation resources online at:
 <http://www.gnu.org/software/gdb/documentation/>.
 For help, type "help".
 Type "apropos word" to search for commands related to "word"...
 Reading symbols from /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg...done.
 (gdb) r
 Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i ffmpeg_mpeg2_crash.mpg -f null -
 warning: Could not load shared library symbols for linux-vdso.so.1.
 Do you need "set solib-search-path" or "set sysroot"?
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib64/libthread_db.so.1".
 ffmpeg version N-69570-g7801a54 Copyright (c) 2000-2015 the FFmpeg developers
   built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
   configuration: --prefix=/home/cocobo/repository/mpv-build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
   libavutil      54. 18.100 / 54. 18.100
   libavcodec     56. 21.102 / 56. 21.102
   libavformat    56. 19.100 / 56. 19.100
   libavdevice    56.  4.100 / 56.  4.100
   libavfilter     5.  9.103 /  5.  9.103
   libavresample   2.  1.  0 /  2.  1.  0
   libswscale      3.  1.101 /  3.  1.101
   libswresample   1.  1.100 /  1.  1.100
   libpostproc    53.  3.100 / 53.  3.100
 [mpeg1video @ 0x1e90be0] frame_rate_index 0 is invalid
     Last message repeated 1 times
 [mpegvideo @ 0x1e901c0] Estimating duration from bitrate, this may be inaccurate
 Input #0, mpegvideo, from 'ffmpeg_mpeg2_crash.mpg':
   Duration: 00:00:00.00, bitrate: 19692 kb/s
     Stream #0:0: Video: mpeg2video (Main), yuv420p(tv), 4099x12 [SAR 64:12297 DAR 16:9], 19737 kb/s, 11.99 tbr, 1200k tbn, 23.98 tbc
 [New Thread 0x7ffff4de9700 (LWP 17633)]
 [New Thread 0x7ffff45e8700 (LWP 17634)]
 [New Thread 0x7ffff3de7700 (LWP 17635)]
 [New Thread 0x7ffff35e6700 (LWP 17636)]
 [New Thread 0x7ffff2de5700 (LWP 17637)]
 [New Thread 0x7ffff25e4700 (LWP 17638)]
 [New Thread 0x7ffff1de3700 (LWP 17639)]
 [New Thread 0x7ffff15e2700 (LWP 17640)]
 [New Thread 0x7ffff0de1700 (LWP 17641)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf56.19.100
     Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 4099x12 [SAR 64:12297 DAR 16:9], q=2-31, 200 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
     Metadata:
       encoder         : Lavc56.21.102 rawvideo
 Stream mapping:
   Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
 Press [q] to stop, [?] for help
 [mpeg2video @ 0x1e913c0] frame_rate_index 0 is invalid
     Last message repeated 1 times
 [mpeg2video @ 0x1e913c0] Missing picture start code, guessing missing values
 [mpeg2video @ 0x1e913c0] Missing picture start code
 [mpeg2video @ 0x1e913c0] warning: first frame is no keyframe

 Program received signal SIGSEGV, Segmentation fault.
 0x0000000001054171 in ff_put_pixels16_y2_sse2.loop ()
     at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
 263     PUT_PIXELS8_Y2
 (gdb) info register
 rax            0x1054140        17121600
 rbx            0x0      0
 rcx            0x4      4
 rdx            0x2080   8320
 rsi            0x7ffff05dd780   140737226069888
 rdi            0x7ffff7fed600   140737354061312
 rbp            0x7fffffffc990   0x7fffffffc990
 rsp            0x7fffffffc7d8   0x7fffffffc7d8
 r8             0x4100   16640
 r9             0x1e7c660        31966816
 r10            0x1      1
 r11            0x0      0
 r12            0x407320 4223776
 r13            0x7fffffffd9e0   140737488345568
 r14            0x0      0
 r15            0x0      0
 rip            0x1054171        0x1054171 <ff_put_pixels16_y2_sse2.loop+38>
 eflags         0x10202  [ IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 (gdb) up
 #1  0x0000000000af2657 in mpeg_motion_internal (mb_y=0, is_mpeg12=1, h=16, motion_y=1, motion_x=0, pix_op=0x1e923a0, ref_picture=0x1e7c660, field_select=1, bottom_field=0, field_based=0, dest_cr=0x1e728e0 "", dest_cb=0x1e86a20 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e91880)
     at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:357
 357         pix_op[0][dxy](dest_y, ptr_y, linesize, h);
 (gdb) print dest_y
 $1 = (uint8_t *) 0x7ffff7fd7080 '\200' <repeats 16 times>
 (gdb) print ptr_y
 $2 = (uint8_t *) 0x7ffff05c1080 '\200' <repeats 200 times>...
 (gdb) print linesize
 $3 = 8320
 (gdb) info args
 mb_y = 0
 is_mpeg12 = 1
 h = 16
 motion_y = 1
 motion_x = 0
 pix_op = 0x1e923a0
 ref_picture = 0x1e7c660
 field_select = 1
 bottom_field = 0
 field_based = 0
 dest_cr = 0x1e728e0 ""
 dest_cb = 0x1e86a20 ""
 dest_y = 0x7ffff7fd7080 '\200' <repeats 16 times>
 s = 0x1e91880
 (gdb) info locals
 ptr_y = 0x7ffff05c1080 '\200' <repeats 200 times>...
 ptr_cr = 0x1eb19c0 '\200' <repeats 200 times>...
 dxy = 2
 src_y = 0
 mx = 0
 uvsrc_x = 0
 uvlinesize = 4160
 linesize = 8320
 ptr_cb = 0x1ea9780 '\200' <repeats 200 times>...
 uvdxy = 0
 my = 0
 src_x = 0
 uvsrc_y = 0
 v_edge_pos = 16
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4299#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
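Added example, not part of the ticket and not FFmpeg code: a small C model of what the faulting kernel does, plus the two numbers worth pulling out of the register dump above. A vertical half-pel kernel such as ff_put_pixels16_y2 averages row y with row y+1, so for h=16 it reads 17 source rows while writing 16 destination rows; the checked version below makes that footprint explicit and refuses a block whose window falls outside the buffer. The Plane layout (the alloc_rows field, the hypothetical buffer heights 12, 16 and 17) is an assumption of this model: FFmpeg pads planes to macroblock multiples plus an edge margin and uses emulated-edge code for blocks that still reach outside, and the trace does not establish why that did not cover this case. The register arithmetic uses rdi, rsi, dest_y, ptr_y and linesize exactly as printed in the gdb session.

```c
/* Added example (not FFmpeg code): model of a vertical half-pel put_pixels
 * kernel with explicit bounds checks, and the register arithmetic from the
 * SIGSEGV above. Build: cc -std=c99 -Wall -o mc_footprint mc_footprint.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One picture plane. linesize is the stride in bytes (8320 in the trace, much
 * wider than the 4099-pixel picture); alloc_rows is how many rows the buffer
 * really holds. alloc_rows is an assumption of this model. */
typedef struct {
    uint8_t *data;
    int linesize;
    int alloc_rows;
} Plane;

/* A *_y2 kernel averages row y and row y+1: h output rows need h+1 input rows. */
static int y2_src_rows(int h) { return h + 1; }

/* Checked put_pixels<block_w>_y2: returns 0 and interpolates if both the read
 * window and the write window lie inside their allocations, -1 otherwise. */
int put_pixels_y2_checked(Plane *dst, int dst_x, int dst_y,
                          const Plane *src, int src_x, int src_y,
                          int block_w, int h)
{
    if (src_x < 0 || src_y < 0 || dst_x < 0 || dst_y < 0)
        return -1;
    if (src_x + block_w > src->linesize || src_y + y2_src_rows(h) > src->alloc_rows)
        return -1;
    if (dst_x + block_w > dst->linesize || dst_y + h > dst->alloc_rows)
        return -1;

    for (int y = 0; y < h; y++) {
        const uint8_t *a = src->data + (size_t)(src_y + y) * src->linesize + src_x;
        const uint8_t *b = a + src->linesize;               /* row y+1 */
        uint8_t       *d = dst->data + (size_t)(dst_y + y) * dst->linesize + dst_x;
        for (int x = 0; x < block_w; x++)
            d[x] = (uint8_t)((a[x] + b[x] + 1) >> 1);       /* rounding average */
    }
    return 0;
}

/* Allocate a plane of `rows` rows filled with 0x80 ('\200'), like the buffers
 * gdb printed above. Constructed input, not data from the ticket. */
Plane plane_new(int linesize, int rows)
{
    Plane p;
    p.data = malloc((size_t)linesize * (size_t)rows);
    if (!p.data) abort();
    memset(p.data, 0x80, (size_t)linesize * (size_t)rows);
    p.linesize = linesize;
    p.alloc_rows = rows;
    return p;
}

/* Scenario from the trace: mb_y = 0, motion_y = 1 (src_y = 0, dxy = 2, i.e. a
 * vertical half-pel block), h = 16, linesize 8320. alloc_rows is the
 * hypothetical number of rows behind each buffer; 12 is the coded height. */
int mc_block_fits(int alloc_rows)
{
    Plane ref = plane_new(8320, alloc_rows);
    Plane cur = plane_new(8320, alloc_rows);
    int rc = put_pixels_y2_checked(&cur, 0, 0, &ref, 0, 0, 16, 16);
    free(ref.data);
    free(cur.data);
    return rc;
}

/* (faulting pointer - block base) / linesize: how many rows the kernel had
 * advanced when it faulted. rdi vs dest_y gives the destination, rsi vs ptr_y
 * the source. */
long rows_advanced(uint64_t faulting_ptr, uint64_t base, int linesize)
{
    return (long)((faulting_ptr - base) / (uint64_t)linesize);
}

int main(void)
{
    printf("12-row buffer (coded height): %s\n", mc_block_fits(12) == 0 ? "fits" : "OVERRUN");
    printf("16-row buffer (one macroblock): %s\n", mc_block_fits(16) == 0 ? "fits" : "OVERRUN");
    printf("17-row buffer: %s\n", mc_block_fits(17) == 0 ? "fits" : "OVERRUN");
    printf("dest rows written before fault: %ld\n",
           rows_advanced(0x7ffff7fed600ULL, 0x7ffff7fd7080ULL, 8320));
    printf("src rows advanced at fault:     %ld\n",
           rows_advanced(0x7ffff05dd780ULL, 0x7ffff05c1080ULL, 8320));
    return 0;
}
```

The 16-row case is the one to notice: a buffer padded exactly to the macroblock height still fails, because the half-pel filter needs one row beyond the block, which is why decoders keep an edge margin or fall back to emulated-edge code. The register arithmetic puts the faulting store 11 rows (91520 bytes) past dest_y, so the fault happened inside the block's own 16-row write window rather than far beyond it.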