[FFmpeg-trac] #5371(avcodec:new): h264_cabac: crash during fuzzed file decode
FFmpeg
trac at avcodec.org
Wed Mar 23 22:30:45 CET 2016
#5371: h264_cabac: crash during fuzzed file decode
-------------------------------------+-------------------------------------
Reporter: qiubit                     | Type: defect
Status: new                          | Priority: normal
Component: avcodec                   | Version: unspecified
Keywords: cabac h264 SIGSEGV crash   | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Summary of the bug:
Segfault when processing fuzzed file.
How to reproduce:
{{{
ffmpeg -i fuzzIn -vcodec copy -acodec copy fuzzOut
}}}
Backtrace:
gdb
{{{
pgolinski at Ubuntu-y580:~/Dokumenty/Programowanie/git/ffmpeg/build$ gdb
./ffmpeg_g
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg_g...done.
(gdb) r -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
Starting program:
/home/pgolinski/Dokumenty/Programowanie/git/ffmpeg/build/ffmpeg_g -v 9
-loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-79116-gb098e1a Copyright (c) 2000-2016 the FFmpeg
developers
built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based
on LLVM 3.6.2)
configuration: --cc=clang --cxx=clang++ --disable-stripping --disable-
optimizations --enable-debug
libavutil 55. 19.100 / 55. 19.100
libavcodec 57. 30.100 / 57. 30.100
libavformat 57. 29.100 / 57. 29.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 39.102 / 6. 39.102
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzzIn'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec
('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec
('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzzIn.
Successfully parsed a group of options.
Opening an input file: fuzzIn.
[file @ 0x241bb80] Setting default whitelist 'file,crypto'
Probing h264 score:51 size:1089
Probing mp3 score:1 size:1089
[h264 @ 0x241b3c0] Format h264 probed with size=2048 and score=51
[h264 @ 0x241b3c0] Before avformat_find_stream_info() pos: 0 bytes
read:1089 seeks:0
[h264 @ 0x241c4a0] luma_log2_weight_denom 3071 is out of range
[h264 @ 0x241c4a0] chroma_log2_weight_denom 17 is out of range
[h264 @ 0x241c4a0] luma_log2_weight_denom 1029 is out of range
[h264 @ 0x241c4a0] illegal memory management control operation 32
[h264 @ 0x241c4a0] Frame num gap 15 13
[h264 @ 0x241c4a0] luma_log2_weight_denom 3071 is out of range
[h264 @ 0x241c4a0] chroma_log2_weight_denom 17 is out of range
[h264 @ 0x241c4a0] cabac_init_idc 22 overflow
[h264 @ 0x241c4a0] decode_slice_header error
[h264 @ 0x241c4a0] Unknown NAL code: 0 (111 bits)
[h264 @ 0x241c4a0] luma_log2_weight_denom 1029 is out of range
[h264 @ 0x241c4a0] bytestream overread -15
[h264 @ 0x241c4a0] error while decoding MB 0 0, bytestream -15
[h264 @ 0x241c4a0] slice type 32 too large at 1
[h264 @ 0x241c4a0] decode_slice_header error
[h264 @ 0x241c4a0] mmco: unref short failure
[h264 @ 0x241c4a0] number of reference frames (0+2) exceeds max (1;
probably corrupt input), discarding one
[h264 @ 0x241c4a0] Frame num change from 12 to 15
[h264 @ 0x241c4a0] decode_slice_header error
[h264 @ 0x241c4a0] illegal short term reference assignment for second
field in complementary field pair (first field is long term)
Program received signal SIGSEGV, Segmentation fault.
0x0000000001324827 in decode_cabac_residual_internal (h=0x7ffff7ee1040,
sl=0x2438b40, block=0x2444190, cat=5, n=0,
scantable=0x7ffff7f143d0 "", qmul=0x1a00, max_coeff=64, is_dc=0,
chroma422=0) at src/libavcodec/h264_cabac.c:1761
1761 STORE_BLOCK(int16_t)
(gdb) bt
#0 0x0000000001324827 in decode_cabac_residual_internal
(h=0x7ffff7ee1040, sl=0x2438b40, block=0x2444190, cat=5, n=0,
scantable=0x7ffff7f143d0 "", qmul=0x1a00, max_coeff=64, is_dc=0,
chroma422=0) at src/libavcodec/h264_cabac.c:1761
#1 decode_cabac_residual_nondc_internal (h=0x7ffff7ee1040, sl=0x2438b40,
block=0x2444190, cat=5, n=0, scantable=0x7ffff7f143d0 "",
qmul=0x1a00, max_coeff=64) at src/libavcodec/h264_cabac.c:1799
#2 0x0000000001310e1b in decode_cabac_residual_nondc (h=0x7ffff7ee1040,
sl=0x2438b40, block=0x2444190, cat=5, n=0,
scantable=0x7ffff7f143d0 "", qmul=0x1a00, max_coeff=64) at
src/libavcodec/h264_cabac.c:1860
#3 decode_cabac_luma_residual (h=0x7ffff7ee1040, sl=0x2438b40,
scan=0x7ffff7f143c0 "", scan8x8=0x7ffff7f143d0 "", pixel_shift=0,
mb_type=16789664, cbp=29, p=0) at src/libavcodec/h264_cabac.c:1893
#4 ff_h264_decode_mb_cabac (h=0x7ffff7ee1040, sl=0x2438b40) at
src/libavcodec/h264_cabac.c:2407
#5 0x00000000009fb0ee in decode_slice (avctx=0x241c4a0, arg=0x2438b40) at
src/libavcodec/h264_slice.c:2378
#6 0x00000000009fa9cc in ff_h264_execute_decode_slices (h=0x7ffff7ee1040,
context_count=1) at src/libavcodec/h264_slice.c:2551
#7 0x0000000000967aff in decode_nal_units (h=0x7ffff7ee1040,
buf=0x2446e20 "", buf_size=145, parse_extradata=0) at
src/libavcodec/h264.c:1648
#8 0x0000000000969ee5 in h264_decode_frame (avctx=0x241c4a0,
data=0x247e7a0, got_frame=0x7fffffffd1dc, avpkt=0x7fffffffd048)
at src/libavcodec/h264.c:1874
#9 0x0000000000ded3b9 in avcodec_decode_video2 (avctx=0x241c4a0,
picture=0x247e7a0, got_picture_ptr=0x7fffffffd1dc, avpkt=0x7fffffffd158)
at src/libavcodec/utils.c:2172
#10 0x00000000007e7a15 in try_decode_frame (s=0x241b3c0, st=0x241c0c0,
avpkt=0x7fffffffd628, options=0x241bca0)
at src/libavformat/utils.c:2819
#11 0x00000000007e6476 in avformat_find_stream_info (ic=0x241b3c0,
options=0x241bca0) at src/libavformat/utils.c:3480
#12 0x0000000000410258 in open_input_file (o=0x7fffffffd900,
filename=0x7fffffffe31f "fuzzIn") at src/ffmpeg_opt.c:969
#13 0x000000000040f7cb in open_files (l=0x241b058, inout=0x1732b72
"input", open_file=0x40f860 <open_input_file>) at src/ffmpeg_opt.c:3003
#14 0x000000000040f572 in ffmpeg_parse_options (argc=12,
argv=0x7fffffffdf18) at src/ffmpeg_opt.c:3040
#15 0x000000000042189a in main (argc=12, argv=0x7fffffffdf18) at
src/ffmpeg.c:4312
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x1324807 to 0x1324847:
0x0000000001324807 <decode_cabac_residual_nondc_internal+4375>:
add %al,(%rax)
0x0000000001324809 <decode_cabac_residual_nondc_internal+4377>:
xor %eax,%eax
0x000000000132480b <decode_cabac_residual_nondc_internal+4379>:
mov -0x178(%rbp),%rcx
0x0000000001324812 <decode_cabac_residual_nondc_internal+4386>:
add $0xc720,%rcx
0x0000000001324819 <decode_cabac_residual_nondc_internal+4393>:
movslq -0x314(%rbp),%rdx
0x0000000001324820 <decode_cabac_residual_nondc_internal+4400>:
mov -0x198(%rbp),%rsi
=> 0x0000000001324827 <decode_cabac_residual_nondc_internal+4407>:
sub (%rsi,%rdx,4),%eax
0x000000000132482a <decode_cabac_residual_nondc_internal+4410>:
mov %rcx,-0x58(%rbp)
0x000000000132482e <decode_cabac_residual_nondc_internal+4414>:
mov %eax,-0x5c(%rbp)
0x0000000001324831 <decode_cabac_residual_nondc_internal+4417>:
mov -0x5c(%rbp),%eax
0x0000000001324834 <decode_cabac_residual_nondc_internal+4420>:
mov -0x58(%rbp),%rcx
0x0000000001324838 <decode_cabac_residual_nondc_internal+4424>:
mov %rcx,-0x3d0(%rbp)
0x000000000132483f <decode_cabac_residual_nondc_internal+4431>:
mov %eax,%ecx
0x0000000001324841 <decode_cabac_residual_nondc_internal+4433>:
mov -0x3d0(%rbp),%rdi
End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x196a9a8 26651048
rcx 0x2445260 38031968
rdx 0x14 20
rsi 0x1a00 6656
rdi 0x2445260 38031968
rbp 0x7fffffffab80 0x7fffffffab80
rsp 0x7fffffffa770 0x7fffffffa770
r8 0x0 0
r9 0x100 256
r10 0x4c 76
r11 0x4e 78
r12 0x407170 4223344
r13 0x7fffffffdf10 140737488346896
r14 0x2444070 38027376
r15 0x0 0
rip 0x1324827 0x1324827
<decode_cabac_residual_nondc_internal+4407>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st1 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0x555a 21850
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
---Type <return> to continue, or q <return> to quit---
fooff 0x0 0
fop 0x0 0
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
ymm0 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0 <repeats 19 times>},
v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x0, 0x100000001, 0x0, 0x0}, v2_int128 = {
0x00000001000000010000000000000000,
0x00000000000000000000000000000000}}
ymm1 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x80, 0x80,
0x80, 0x80, 0x79, 0x79, 0x79, 0x79, 0x0 <repeats 24 times>}, v16_int16
= {0x8080, 0x8080, 0x7979, 0x7979, 0x0 <repeats 12 times>},
v8_int32 = {0x80808080, 0x79797979, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x7979797980808080, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000007979797980808080,
0x00000000000000000000000000000000}}
ymm2 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm3 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm4 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x80, 0x80,
0x80, 0x80, 0x77, 0x77, 0x77, 0x77, 0x0 <repeats 24 times>}, v16_int16
= {0x8080, 0x8080, 0x7777, 0x7777, 0x0 <repeats 12 times>},
v8_int32 = {0x80808080, 0x77777777, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x7777777780808080, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000007777777780808080,
0x00000000000000000000000000000000}}
ymm5 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm6 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm7 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm8 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm9 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 21 times>}, v16_int16 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff0000, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x0, 0xff0000, 0x0, 0x0}, v2_int128 = {
0x0000000000ff00000000000000000000,
0x00000000000000000000000000000000}}
ymm10 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0,
---Type <return> to continue, or q <return> to quit---
0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0,
0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0xff00, 0x0, 0x0,
0x0, 0x0, 0xff, 0xff00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0xff000000, 0x0, 0x0, 0xff0000ff, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0xff000000, 0xff0000ff00000000, 0x0, 0x0}, v2_int128 =
{0xff0000ff0000000000000000ff000000, 0x00000000000000000000000000000000}}
ymm11 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 19 times>},
v16_int16 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff, 0xff, 0x0, 0x0,
0x0, 0x0}, v4_int64 = {0x0, 0xff000000ff, 0x0, 0x0}, v2_int128 = {
0x000000ff000000ff0000000000000000,
0x00000000000000000000000000000000}}
ymm12 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0},
v32_int8 = {0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0,
0x0, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {
0xff00, 0x0, 0x0, 0xffff, 0x0, 0x0, 0xffff, 0xffff, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff00, 0xffff0000, 0x0,
0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xffff00000000ff00,
0xffffffff00000000, 0x0, 0x0}, v2_int128 = {
0xffffffff00000000ffff00000000ff00,
0x00000000000000000000000000000000}}
ymm13 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm14 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm15 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
}}}
valgrind
{{{
pgolinski at Ubuntu-y580:~/Dokumenty/Programowanie/git/ffmpeg/build$ valgrind
./ffmpeg_g -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
==31079== Memcheck, a memory error detector
==31079== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31079== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright
info
==31079== Command: ./ffmpeg_g -v 9 -loglevel 99 -i fuzzIn -acodec copy
-vcodec copy fuzzOut
==31079==
ffmpeg version N-79116-gb098e1a Copyright (c) 2000-2016 the FFmpeg
developers
built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based
on LLVM 3.6.2)
configuration: --cc=clang --cxx=clang++ --disable-stripping --disable-
optimizations --enable-debug
libavutil 55. 19.100 / 55. 19.100
libavcodec 57. 30.100 / 57. 30.100
libavformat 57. 29.100 / 57. 29.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 39.102 / 6. 39.102
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzzIn'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec
('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec
('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzzIn.
Successfully parsed a group of options.
Opening an input file: fuzzIn.
[file @ 0xa9796a0] Setting default whitelist 'file,crypto'
Probing h264 score:51 size:1089
Probing mp3 score:1 size:1089
[h264 @ 0xa9788c0] Format h264 probed with size=2048 and score=51
[h264 @ 0xa9788c0] Before avformat_find_stream_info() pos: 0 bytes
read:1089 seeks:0
[h264 @ 0xa98b560] luma_log2_weight_denom 3071 is out of range
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079== by 0x9E9709: scan_mmco_reset (h264_parser.c:176)
==31079== by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079== by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079== by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079== by 0x7EDF28: parse_packet (utils.c:1300)
==31079== by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079== by 0x7E596F: avformat_find_stream_info (utils.c:3360)
[h264 @ 0xa98b560] chroma_log2_weight_denom 17 is out of range
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9688E4: ff_pred_weight_table (h264.c:1018)
==31079== by 0x9E9709: scan_mmco_reset (h264_parser.c:176)
==31079== by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079== by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079== by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079== by 0x7EDF28: parse_packet (utils.c:1300)
==31079== by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079== by 0x7E596F: avformat_find_stream_info (utils.c:3360)
[h264 @ 0xa98b560] luma_log2_weight_denom 1029 is out of range
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079== by 0x9E9709: scan_mmco_reset (h264_parser.c:176)
==31079== by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079== by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079== by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079== by 0x7EDF28: parse_packet (utils.c:1300)
==31079== by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079== by 0x7E596F: avformat_find_stream_info (utils.c:3360)
[h264 @ 0xa98b560] illegal memory management control operation 32
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9E9783: scan_mmco_reset (h264_parser.c:183)
==31079== by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079== by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079== by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079== by 0x7EDF28: parse_packet (utils.c:1300)
==31079== by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079== by 0x7E596F: avformat_find_stream_info (utils.c:3360)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] Frame num gap 15 13
[h264 @ 0xa98b560] luma_log2_weight_denom 3071 is out of range
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079== by 0x9F7A1C: ff_h264_decode_slice_header (h264_slice.c:1743)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] chroma_log2_weight_denom 17 is out of range
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9688E4: ff_pred_weight_table (h264.c:1018)
==31079== by 0x9F7A1C: ff_h264_decode_slice_header (h264_slice.c:1743)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] cabac_init_idc 22 overflow
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9F7CB8: ff_h264_decode_slice_header (h264_slice.c:1784)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
[h264 @ 0xa98b560] decode_slice_header error
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x967B82: decode_nal_units (h264.c:1656)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
[h264 @ 0xa98b560] Unknown NAL code: 0 (111 bits)
[h264 @ 0xa98b560] luma_log2_weight_denom 1029 is out of range
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079== by 0x9F7A1C: ff_h264_decode_slice_header (h264_slice.c:1743)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] bytestream overread -15
[h264 @ 0xa98b560] error while decoding MB 0 0, bytestream -15
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9FB343: decode_slice (h264_slice.c:2407)
==31079== by 0x9FA9CB: ff_h264_execute_decode_slices
(h264_slice.c:2551)
==31079== by 0x967AFE: decode_nal_units (h264.c:1648)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] slice type 32 too large at 1
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9F5881: ff_h264_decode_slice_header (h264_slice.c:1220)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
[h264 @ 0xa98b560] decode_slice_header error
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x967B82: decode_nal_units (h264.c:1656)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
[h264 @ 0xa98b560] mmco: unref short failure
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9EFD78: ff_h264_execute_ref_pic_marking
(h264_refs.c:646)
==31079== by 0x9EA17A: ff_h264_field_end (h264_picture.c:168)
==31079== by 0x9F55F6: ff_h264_decode_slice_header (h264_slice.c:1189)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
[h264 @ 0xa98b560] number of reference frames (0+2) exceeds max (1;
probably corrupt input), discarding one
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9F05C8: ff_h264_execute_ref_pic_marking
(h264_refs.c:778)
==31079== by 0x9EA17A: ff_h264_field_end (h264_picture.c:168)
==31079== by 0x9F55F6: ff_h264_decode_slice_header (h264_slice.c:1189)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
[h264 @ 0xa98b560] Frame num change from 12 to 15
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9F6665: ff_h264_decode_slice_header (h264_slice.c:1433)
==31079== by 0x96745A: decode_nal_units (h264.c:1527)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
[h264 @ 0xa98b560] decode_slice_header error
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x967B82: decode_nal_units (h264.c:1656)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
[h264 @ 0xa98b560] illegal short term reference assignment for second
field in complementary field pair (first field is long term)
==31079== at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079== by 0x165B4F3: av_log_default_callback (log.c:346)
==31079== by 0x165BB55: av_vlog (log.c:374)
==31079== by 0x165BB06: av_log (log.c:366)
==31079== by 0x9F041E: ff_h264_execute_ref_pic_marking
(h264_refs.c:750)
==31079== by 0x9EA17A: ff_h264_field_end (h264_picture.c:168)
==31079== by 0x96A0A5: h264_decode_frame (h264.c:1896)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== Invalid read of size 4
==31079== at 0x1324827: decode_cabac_residual_internal
(h264_cabac.c:1761)
==31079== by 0x1324827: decode_cabac_residual_nondc_internal
(h264_cabac.c:1799)
==31079== by 0x1310E1A: decode_cabac_residual_nondc (h264_cabac.c:1860)
==31079== by 0x1310E1A: decode_cabac_luma_residual (h264_cabac.c:1893)
==31079== by 0x1310E1A: ff_h264_decode_mb_cabac (h264_cabac.c:2407)
==31079== by 0x9FB0ED: decode_slice (h264_slice.c:2378)
==31079== by 0x9FA9CB: ff_h264_execute_decode_slices
(h264_slice.c:2551)
==31079== by 0x967AFE: decode_nal_units (h264.c:1648)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==31079== Address 0x1a50 is not stack'd, malloc'd or (recently) free'd
==31079==
==31079==
==31079== Process terminating with default action of signal 11 (SIGSEGV)
==31079== Access not within mapped region at address 0x1A50
==31079== at 0x1324827: decode_cabac_residual_internal
(h264_cabac.c:1761)
==31079== by 0x1324827: decode_cabac_residual_nondc_internal
(h264_cabac.c:1799)
==31079== by 0x1310E1A: decode_cabac_residual_nondc (h264_cabac.c:1860)
==31079== by 0x1310E1A: decode_cabac_luma_residual (h264_cabac.c:1893)
==31079== by 0x1310E1A: ff_h264_decode_mb_cabac (h264_cabac.c:2407)
==31079== by 0x9FB0ED: decode_slice (h264_slice.c:2378)
==31079== by 0x9FA9CB: ff_h264_execute_decode_slices
(h264_slice.c:2551)
==31079== by 0x967AFE: decode_nal_units (h264.c:1648)
==31079== by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079== by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079== by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079== by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079== by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079== by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==31079== If you believe this happened as a result of a stack
==31079== overflow in your program's main thread (unlikely but
==31079== possible), you can try to increase the size of the
==31079== main thread stack using the --main-stacksize= flag.
==31079== The main thread stack size used in this run was 8388608.
==31079==
==31079== HEAP SUMMARY:
==31079== in use at exit: 1,405,838 bytes in 209 blocks
==31079== total heap usage: 345 allocs, 136 frees, 1,472,242 bytes
allocated
==31079==
==31079== LEAK SUMMARY:
==31079== definitely lost: 0 bytes in 0 blocks
==31079== indirectly lost: 0 bytes in 0 blocks
==31079== possibly lost: 0 bytes in 0 blocks
==31079== still reachable: 1,405,838 bytes in 209 blocks
==31079== suppressed: 0 bytes in 0 blocks
==31079== Rerun with --leak-check=full to see details of leaked memory
==31079==
==31079== For counts of detected and suppressed errors, rerun with: -v
==31079== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
}}}
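As a triage aid added here (not part of the ticket or of FFmpeg), the script below recomputes the faulting effective address from the quoted register values and the `sub (%rsi,%rdx,4),%eax` instruction, checks it against the address valgrind reports, and identifies which frame argument supplied the base pointer. The inputs are excerpts constructed from the gdb and valgrind output above; the 64 KiB `mmap_min_addr` threshold is the Linux default assumed here.

```python
import re

# Constructed excerpts from the gdb and valgrind output quoted in this ticket.
GDB_REGISTERS = """\
rax 0x0 0
rcx 0x2445260 38031968
rdx 0x14 20
rsi 0x1a00 6656
rdi 0x2445260 38031968
rip 0x1324827 0x1324827
"""
FAULTING_INSN = ("=> 0x0000000001324827 <decode_cabac_residual_nondc_internal+4407>: "
                 "sub (%rsi,%rdx,4),%eax")
FRAME_ARGS = ('decode_cabac_residual_internal (h=0x7ffff7ee1040, sl=0x2438b40, '
              'block=0x2444190, cat=5, n=0, scantable=0x7ffff7f143d0 "", '
              'qmul=0x1a00, max_coeff=64, is_dc=0, chroma422=0)')
VALGRIND_LINE = "==31079== Address 0x1a50 is not stack'd, malloc'd or (recently) free'd"

# Linux refuses to map the first 64 KiB by default (vm.mmap_min_addr, assumed
# here), so a base below it cannot be a live pointer: it is an integer used as one.
MMAP_MIN_ADDR = 0x10000

# AT&T memory operand disp(base,index,scale); disp, index and scale are optional.
MEM_OPERAND = re.compile(
    r"(-?(?:0x[0-9a-fA-F]+|\d+))?\((%\w+)(?:,(%\w+)(?:,([1248]))?)?\)")


def parse_registers(text):
    """Map register name -> value from `info registers` style lines."""
    regs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("0x"):
            regs[parts[0]] = int(parts[1], 16)
    return regs


def effective_address(insn, regs):
    """Return (address, base, index, scale) for the instruction's memory operand."""
    m = MEM_OPERAND.search(insn)
    if m is None:
        raise ValueError("no memory operand in: " + insn)
    disp, base, index, scale = m.groups()
    scale = int(scale) if scale else 1
    addr = int(disp, 0) if disp else 0
    addr += regs[base.lstrip("%")]
    if index:
        addr += regs[index.lstrip("%")] * scale
    return addr & 0xFFFFFFFFFFFFFFFF, base.lstrip("%"), (index or "").lstrip("%"), scale


def parse_frame_args(frame):
    """Hex-valued (pointer) arguments of a gdb frame line, name -> value."""
    return {n: int(v, 16) for n, v in re.findall(r"(\w+)=(0x[0-9a-fA-F]+)", frame)}


def valgrind_address(line):
    m = re.search(r"Address (0x[0-9a-fA-F]+)", line)
    return int(m.group(1), 16) if m else None


def triage(registers=GDB_REGISTERS, insn=FAULTING_INSN, frame=FRAME_ARGS,
           valgrind_line=VALGRIND_LINE):
    regs = parse_registers(registers)
    addr, base, index, scale = effective_address(insn, regs)
    args = parse_frame_args(frame)
    # Which argument of the crashing frame supplied the base of the faulting load?
    base_arg = next((n for n, v in args.items() if v == regs[base]), None)
    return {
        "effective_address": addr,
        "matches_valgrind": addr == valgrind_address(valgrind_line),
        "base_argument": base_arg,
        "element_index": regs[index] if index else 0,
        "element_size": scale,
        "non_pointer_base": regs[base] < MMAP_MIN_ADDR,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The result shows the 4-byte read at 0x1a50 is `qmul[20]` with `qmul == 0x1a00`, i.e. the base is a small integer rather than a mapped pointer, which points triage at how that argument was derived rather than at the coefficient buffer.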
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5371>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker