[FFmpeg-trac] #5520(undetermined:new): m101: crash with fuzzed file

FFmpeg trac at avcodec.org
Sat May 7 14:06:22 CEST 2016


#5520: m101: crash with fuzzed file
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 https://www.datafilehost.com/d/da60db26

 {{{
 aaa at aaa-VirtualBox /media/sdb1 $ valgrind ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f null -
 ==2421== Memcheck, a memory error detector
 ==2421== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==2421== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
 ==2421== Command: ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f null -
 ==2421==
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 39.100 / 57. 39.100
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 [avi @ 0x42bd4a0] Something went wrong during header parsing, I will ignore it and try to continue anyway.
 Input #0, avi, from 'm102_1280_720_10bit_i_fuzz.avi':
   Duration: 00:12:14.70, start: 0.000000, bitrate: 527 kb/s
     Stream #0:0: Video: m101 (M102 / 0x3230314D), yuyv422, 1280x720, 0.03 fps, 0.03 tbr, 0.03 tbn
 [null @ 0x4504dc0] Using AVStream.codec to pass codec parameters to muxers is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, yuyv422, 1280x720, q=2-31, 200 kb/s, 0.03 fps, 0.03 tbn
     Metadata:
       encoder         : Lavc57.39.100 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (m101 (native) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 ==2421== Invalid write of size 2
 ==2421==    at 0x85B00FB: m101_decode_frame (m101.c:91)
 ==2421==    by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
 ==2421==    by 0x80DB4E0: decode_video (ffmpeg.c:2087)
 ==2421==    by 0x80DDEDF: process_input_packet (ffmpeg.c:2340)
 ==2421==    by 0x80BD5B5: process_input (ffmpeg.c:4010)
 ==2421==    by 0x80BD5B5: transcode_step (ffmpeg.c:4098)
 ==2421==    by 0x80BD5B5: transcode (ffmpeg.c:4152)
 ==2421==    by 0x80BD5B5: main (ffmpeg.c:4343)
 ==2421==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 ==2421==
 ==2421==
 ==2421== Process terminating with default action of signal 11 (SIGSEGV)
 ==2421==  Access not within mapped region at address 0x0
 ==2421==    at 0x85B00FB: m101_decode_frame (m101.c:91)
 ==2421==    by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
 ==2421==    by 0x80DB4E0: decode_video (ffmpeg.c:2087)
 ==2421==    by 0x80DDEDF: process_input_packet (ffmpeg.c:2340)
 ==2421==    by 0x80BD5B5: process_input (ffmpeg.c:4010)
 ==2421==    by 0x80BD5B5: transcode_step (ffmpeg.c:4098)
 ==2421==    by 0x80BD5B5: transcode (ffmpeg.c:4152)
 ==2421==    by 0x80BD5B5: main (ffmpeg.c:4343)
 ==2421==  If you believe this happened as a result of a stack
 ==2421==  overflow in your program's main thread (unlikely but
 ==2421==  possible), you can try to increase the size of the
 ==2421==  main thread stack using the --main-stacksize= flag.
 ==2421==  The main thread stack size used in this run was 8388608.
 ==2421==
 ==2421== HEAP SUMMARY:
 ==2421==     in use at exit: 8,847,180 bytes in 130 blocks
 ==2421==   total heap usage: 1,043 allocs, 913 frees, 9,149,355 bytes allocated
 ==2421==
 ==2421== LEAK SUMMARY:
 ==2421==    definitely lost: 0 bytes in 0 blocks
 ==2421==    indirectly lost: 0 bytes in 0 blocks
 ==2421==      possibly lost: 0 bytes in 0 blocks
 ==2421==    still reachable: 8,847,180 bytes in 130 blocks
 ==2421==         suppressed: 0 bytes in 0 blocks
 ==2421== Rerun with --leak-check=full to see details of leaked memory
 ==2421==
 ==2421== For counts of detected and suppressed errors, rerun with: -v
 ==2421== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
 Segmentation fault
 }}}

 {{{
 (gdb) r -i m102_1280_720_10bit_i_fuzz.avi -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 39.100 / 57. 39.100
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 [avi @ 0x983d200] Something went wrong during header parsing, I will ignore it and try to continue anyway.
 Input #0, avi, from 'm102_1280_720_10bit_i_fuzz.avi':
   Duration: 00:12:14.70, start: 0.000000, bitrate: 527 kb/s
     Stream #0:0: Video: m101 (M102 / 0x3230314D), yuyv422, 1280x720, 0.03 fps, 0.03 tbr, 0.03 tbn
 [null @ 0x983f520] Using AVStream.codec to pass codec parameters to muxers is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, yuyv422, 1280x720, q=2-31, 200 kb/s, 0.03 fps, 0.03 tbn
     Metadata:
       encoder         : Lavc57.39.100 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (m101 (native) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help

 Program received signal SIGSEGV, Segmentation fault.
 0x085b00fb in m101_decode_frame (avctx=0x983f100, data=0x98425a0,
     got_frame=0xbfffeb20, avpkt=0xbfffe8fc) at libavcodec/m101.c:91
 91                              cb[xd>>1] = (4*buf_src[2*x + 1]) + ((buf_src[32 + (x>>1)]>>2)&3);
 (gdb) bt
 #0  0x085b00fb in m101_decode_frame (avctx=0x983f100, data=0x98425a0,
     got_frame=0xbfffeb20, avpkt=0xbfffe8fc) at libavcodec/m101.c:91
 #1  0x087382ee in avcodec_decode_video2 (avctx=0x983f100, picture=0x98425a0,
     got_picture_ptr=0xbfffeb20, avpkt=0xbfffeb64) at libavcodec/utils.c:2217
 #2  0x080db4e1 in decode_video (ist=ist at entry=0x983eea0,
     pkt=pkt at entry=0xbfffeb64, got_output=got_output at entry=0xbfffeb20)
     at ffmpeg.c:2087
 #3  0x080ddee0 in process_input_packet (ist=0x983eea0, pkt=0xbfffed94,
     no_eof=0) at ffmpeg.c:2340
 #4  0x080bd5b6 in process_input (file_index=<optimized out>) at ffmpeg.c:4010
 #5  transcode_step () at ffmpeg.c:4098
 #6  transcode () at ffmpeg.c:4152
 #7  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4343
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5520>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

