[FFmpeg-trac] #5383(undetermined:new): cfhd: crash with fuzzed file (threads 1)
FFmpeg
trac at avcodec.org
Sun Mar 27 17:46:30 CEST 2016
#5383: cfhd: crash with fuzzed file (threads 1)
-------------------------------------+-------------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: new
Priority: normal | Component: undetermined
Version: unspecified | Keywords:
Blocked By: | Blocking:
Reproduced by developer: 0 | Analyzed by developer: 0
-------------------------------------+-------------------------------------
http://www.datafilehost.com/d/877580e1
{{{
==2690== Invalid write of size 2
==2690== at 0x83A0030: av_bswap16 (bswap.h:60)
==2690== by 0x83A0030: bytestream_get_be16 (bytestream.h:94)
==2690== by 0x83A0030: bytestream2_get_be16u (bytestream.h:94)
==2690== by 0x83A0030: cfhd_decode (cfhd.c:465)
==2690== by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690== by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690== by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690== by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690== by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690== by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690== by 0x80C6B84: main (ffmpeg.c:4334)
==2690== Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
==2690== at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690== by 0x83A0659: free_buffers (cfhd.c:145)
==2690== by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690== by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690== by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690== by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690== by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690== by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690== by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690== by 0x80C6B84: main (ffmpeg.c:4334)
==2690==
==2690== Invalid write of size 2
==2690== at 0x83A0390: cfhd_decode (cfhd.c:522)
==2690== by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690== by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690== by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690== by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690== by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690== by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690== by 0x80C6B84: main (ffmpeg.c:4334)
==2690== Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
==2690== at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690== by 0x83A0659: free_buffers (cfhd.c:145)
==2690== by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690== by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690== by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690== by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690== by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690== by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690== by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690== by 0x80C6B84: main (ffmpeg.c:4334)
==2690==
==2690== Invalid write of size 2
==2690== at 0x83A0399: cfhd_decode (cfhd.c:521)
==2690== by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690== by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690== by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690== by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690== by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690== by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690== by 0x80C6B84: main (ffmpeg.c:4334)
==2690== Address 0x74b69fe is 62 bytes inside a block of size 153,600 free'd
==2690== at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690== by 0x83A0659: free_buffers (cfhd.c:145)
==2690== by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690== by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690== by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690== by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690== by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690== by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690== by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690== by 0x80C6B84: main (ffmpeg.c:4334)
}}}
{{{
aaa at aaa-VirtualBox /media/sdb1 $ ffmpeg/ffmpeg_g
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
configuration: --disable-ffplay --disable-ffprobe --disable-ffserver
--enable-gpl
libavutil 55. 19.100 / 55. 19.100
libavcodec 57. 28.103 / 57. 28.103
libavformat 57. 28.102 / 57. 28.102
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 39.102 / 6. 39.102
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...
}}}
{{{
(gdb) r -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb7d94b40 (LWP 9717)]
[New Thread 0xb7593b40 (LWP 9718)]
[New Thread 0xb6d92b40 (LWP 9719)]
[New Thread 0xb6591b40 (LWP 9720)]
[New Thread 0xb5d90b40 (LWP 9721)]
Program received signal SIGSEGV, Segmentation fault.
0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
60 x= (x>>8) | (x<<8);
(gdb) bt
#0  0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
#1  bytestream_get_be16 (b=<synthetic pointer>) at libavcodec/bytestream.h:94
#2  bytestream2_get_be16u (g=<synthetic pointer>) at libavcodec/bytestream.h:94
#3  cfhd_decode (avctx=0x9717a60, data=0x972c860, got_frame=0xbfffe310, avpkt=0xbfffe0cc) at libavcodec/cfhd.c:465
#4  0x0874e126 in avcodec_decode_video2 (avctx=0x9717a60, picture=picture@entry=0x972c860, got_picture_ptr=got_picture_ptr@entry=0xbfffe310, avpkt=avpkt@entry=0xbfffe358) at libavcodec/utils.c:2172
#5  0x080de19f in decode_video (ist=ist@entry=0x9711b60, pkt=pkt@entry=0xbfffe358, got_output=got_output@entry=0xbfffe310) at ffmpeg.c:2078
#6  0x080e6a36 in process_input_packet (no_eof=0, pkt=0xbfffe314, ist=0x9711b60) at ffmpeg.c:2331
#7  process_input (file_index=<optimized out>) at ffmpeg.c:4001
#8  0x080e95d0 in transcode_step () at ffmpeg.c:4089
#9  transcode () at ffmpeg.c:4143
#10 0x080c6b85 in main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4334
(gdb)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5383>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
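The valgrind report above shows the bug class rather than the fix: plane buffers are released by free_buffers() (cfhd.c:145, reached from cfhd_decode at cfhd.c:431) and the same decode call then writes 16-bit coefficients into the freed block (cfhd.c:465, 521, 522). The following C program is an added illustration of that pattern and of the defensive shape that prevents it; it is not code from cfhd.c or from the ticket, and every name in it (DemoCtx, TAG_*, demo_decode, the packet layout) is a hypothetical construction for this example. A parameter change mid-packet frees the planes; the hardened write path refuses to store through a NULL or out-of-range slot instead of touching freed memory.

```c
/* Added example (not cfhd.c): free-on-resize followed by coefficient writes,
 * with pointers nulled on free and checked before every store. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_PLANES  3
#define DEMO_MAX_DIM 4096

/* Hypothetical tag ids for the constructed packet format below. */
enum { TAG_WIDTH = 1, TAG_HEIGHT = 2, TAG_ALLOC = 3, TAG_COEFF = 4 };

typedef struct DemoCtx {
    int      width, height;
    int16_t *plane[DEMO_PLANES];   /* NULL whenever not allocated */
    size_t   plane_len;            /* elements per plane, 0 when freed */
    size_t   coeff_pos;            /* next slot in plane 0 */
} DemoCtx;

/* Free all planes and null the pointers so no later write can reach them. */
static void demo_free_buffers(DemoCtx *s)
{
    for (int i = 0; i < DEMO_PLANES; i++) {
        free(s->plane[i]);
        s->plane[i] = NULL;
    }
    s->plane_len = 0;
    s->coeff_pos = 0;
}

static int demo_alloc_buffers(DemoCtx *s)
{
    demo_free_buffers(s);
    if (s->width <= 0 || s->height <= 0 ||
        s->width > DEMO_MAX_DIM || s->height > DEMO_MAX_DIM)
        return -1;
    size_t len = (size_t)s->width * (size_t)s->height;
    for (int i = 0; i < DEMO_PLANES; i++) {
        s->plane[i] = calloc(len, sizeof(int16_t));
        if (!s->plane[i]) { demo_free_buffers(s); return -1; }
    }
    s->plane_len = len;
    return 0;
}

/* The 16-bit store. Without the NULL/range check this is where an
 * "Invalid write of size 2" into a freed block would occur. */
static int demo_put_coeff(DemoCtx *s, int16_t v)
{
    if (!s->plane[0] || s->coeff_pos >= s->plane_len)
        return -1;
    s->plane[0][s->coeff_pos++] = v;
    return 0;
}

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed packet format: big-endian 16-bit (tag, value) pairs.
 * Returns the number of coefficients stored, or -1 if the packet is rejected. */
static int demo_decode(DemoCtx *s, const uint8_t *pkt, size_t len)
{
    int stored = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint16_t tag = rd_be16(pkt + off), val = rd_be16(pkt + off + 2);
        switch (tag) {
        case TAG_WIDTH:
        case TAG_HEIGHT: {
            int *dim = (tag == TAG_WIDTH) ? &s->width : &s->height;
            if (*dim != val) {           /* dimension change: planes are now stale */
                demo_free_buffers(s);
                *dim = val;
            }
            break;
        }
        case TAG_ALLOC:
            if (demo_alloc_buffers(s) < 0) return -1;
            break;
        case TAG_COEFF:
            if (demo_put_coeff(s, (int16_t)val) < 0) return -1;  /* no live buffer */
            stored++;
            break;
        default:
            return -1;                   /* unknown tag in a fuzzed packet */
        }
    }
    return stored;
}

static int demo_run(const uint8_t *pkt, size_t len)
{
    DemoCtx s;
    memset(&s, 0, sizeof(s));
    int r = demo_decode(&s, pkt, len);
    demo_free_buffers(&s);
    return r;
}

/* Constructed inputs: well-formed; resize after allocation then more writes
 * (the freed-buffer case); more coefficients than the plane holds. */
static const uint8_t demo_good_pkt[] = {
    0,TAG_WIDTH,0,4, 0,TAG_HEIGHT,0,2, 0,TAG_ALLOC,0,0,
    0,TAG_COEFF,0x12,0x34, 0,TAG_COEFF,0x56,0x78 };
static const uint8_t demo_fuzzed_pkt[] = {
    0,TAG_WIDTH,0,4, 0,TAG_HEIGHT,0,2, 0,TAG_ALLOC,0,0,
    0,TAG_COEFF,0x12,0x34, 0,TAG_WIDTH,0,8, 0,TAG_COEFF,0x56,0x78 };
static const uint8_t demo_overflow_pkt[] = {
    0,TAG_WIDTH,0,1, 0,TAG_HEIGHT,0,1, 0,TAG_ALLOC,0,0,
    0,TAG_COEFF,0,1, 0,TAG_COEFF,0,2 };

int demo_good(void)     { return demo_run(demo_good_pkt,     sizeof demo_good_pkt); }
int demo_fuzzed(void)   { return demo_run(demo_fuzzed_pkt,   sizeof demo_fuzzed_pkt); }
int demo_overflow(void) { return demo_run(demo_overflow_pkt, sizeof demo_overflow_pkt); }
```

demo_good() stores both coefficients and returns 2; demo_fuzzed() frees the planes at the mid-packet width change and returns -1 at the next coefficient instead of writing into freed memory; demo_overflow() returns -1 on the second coefficient because the plane holds one element. The two properties that matter are that every free also nulls the pointer and resets the length, and that the store path checks both before writing; a decoder that reallocates on resize instead of rejecting is equally safe as long as the write cannot happen between the free and the new allocation.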