[FFmpeg-trac] #5383(undetermined:new): cfhd: crash with fuzzed file (threads 1)

FFmpeg trac at avcodec.org
Sun Mar 27 17:46:30 CEST 2016


#5383: cfhd: crash with fuzzed file (threads 1)
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 http://www.datafilehost.com/d/877580e1

 {{{
 ==2690== Invalid write of size 2
 ==2690==    at 0x83A0030: av_bswap16 (bswap.h:60)
 ==2690==    by 0x83A0030: bytestream_get_be16 (bytestream.h:94)
 ==2690==    by 0x83A0030: bytestream2_get_be16u (bytestream.h:94)
 ==2690==    by 0x83A0030: cfhd_decode (cfhd.c:465)
 ==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
 ==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
 ==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
 ==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
 ==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
 ==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
 ==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
 ==2690==  Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
 ==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
 ==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
 ==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
 ==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
 ==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
 ==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
 ==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
 ==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
 ==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
 ==2690==
 ==2690== Invalid write of size 2
 ==2690==    at 0x83A0390: cfhd_decode (cfhd.c:522)
 ==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
 ==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
 ==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
 ==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
 ==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
 ==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
 ==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
 ==2690==  Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
 ==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
 ==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
 ==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
 ==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
 ==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
 ==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
 ==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
 ==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
 ==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
 ==2690==
 ==2690== Invalid write of size 2
 ==2690==    at 0x83A0399: cfhd_decode (cfhd.c:521)
 ==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
 ==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
 ==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
 ==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
 ==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
 ==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
 ==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
 ==2690==  Address 0x74b69fe is 62 bytes inside a block of size 153,600 free'd
 ==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
 ==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
 ==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
 ==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
 ==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
 ==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
 ==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
 ==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
 ==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
 }}}

 {{{
 aaa@aaa-VirtualBox /media/sdb1 $ ffmpeg/ffmpeg_g
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
   configuration: --disable-ffplay --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 19.100 / 55. 19.100
   libavcodec     57. 28.103 / 57. 28.103
   libavformat    57. 28.102 / 57. 28.102
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 39.102 /  6. 39.102
   libswscale      4.  0.100 /  4.  0.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 Hyper fast Audio and Video encoder
 usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...
 }}}

 {{{
 (gdb) r -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 [New Thread 0xb7d94b40 (LWP 9717)]
 [New Thread 0xb7593b40 (LWP 9718)]
 [New Thread 0xb6d92b40 (LWP 9719)]
 [New Thread 0xb6591b40 (LWP 9720)]
 [New Thread 0xb5d90b40 (LWP 9721)]

 Program received signal SIGSEGV, Segmentation fault.
 0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
 60          x= (x>>8) | (x<<8);
 (gdb) bt
 #0  0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
 #1  bytestream_get_be16 (b=<synthetic pointer>) at libavcodec/bytestream.h:94
 #2  bytestream2_get_be16u (g=<synthetic pointer>) at libavcodec/bytestream.h:94
 #3  cfhd_decode (avctx=0x9717a60, data=0x972c860, got_frame=0xbfffe310,
     avpkt=0xbfffe0cc) at libavcodec/cfhd.c:465
 #4  0x0874e126 in avcodec_decode_video2 (avctx=0x9717a60,
     picture=picture@entry=0x972c860,
     got_picture_ptr=got_picture_ptr@entry=0xbfffe310,
     avpkt=avpkt@entry=0xbfffe358) at libavcodec/utils.c:2172
 #5  0x080de19f in decode_video (ist=ist@entry=0x9711b60,
     pkt=pkt@entry=0xbfffe358, got_output=got_output@entry=0xbfffe310)
     at ffmpeg.c:2078
 #6  0x080e6a36 in process_input_packet (no_eof=0, pkt=0xbfffe314,
     ist=0x9711b60) at ffmpeg.c:2331
 #7  process_input (file_index=<optimized out>) at ffmpeg.c:4001
 #8  0x080e95d0 in transcode_step () at ffmpeg.c:4089
 #9  transcode () at ffmpeg.c:4143
 #10 0x080c6b85 in main (argc=<optimized out>, argv=<optimized out>)
     at ffmpeg.c:4334
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5383>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker