[FFmpeg-trac] #5520(undetermined:new): m101: crash with fuzzed file
FFmpeg
trac at avcodec.org
Sat May 7 14:06:22 CEST 2016
#5520: m101: crash with fuzzed file
-------------------------------------+-------------------------------------
Reporter: ami_stuff                  | Owner:
Type: defect                         | Status: new
Priority: normal                     | Component: undetermined
Version: unspecified                 | Keywords:
Blocked By:                          | Blocking:
Reproduced by developer: 0           | Analyzed by developer: 0
-------------------------------------+-------------------------------------
https://www.datafilehost.com/d/da60db26
{{{
aaa at aaa-VirtualBox /media/sdb1 $ valgrind ffmpeg/ffmpeg_g -i
m102_1280_720_10bit_i_fuzz.avi -f null -
==2421== Memcheck, a memory error detector
==2421== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2421== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright
info
==2421== Command: ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f
null -
==2421==
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 24.100 / 55. 24.100
libavcodec 57. 39.100 / 57. 39.100
libavformat 57. 36.100 / 57. 36.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 45.100 / 6. 45.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
[avi @ 0x42bd4a0] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
Input #0, avi, from 'm102_1280_720_10bit_i_fuzz.avi':
Duration: 00:12:14.70, start: 0.000000, bitrate: 527 kb/s
Stream #0:0: Video: m101 (M102 / 0x3230314D), yuyv422, 1280x720, 0.03
fps, 0.03 tbr, 0.03 tbn
[null @ 0x4504dc0] Using AVStream.codec to pass codec parameters to muxers
is deprecated, use AVStream.codecpar instead.
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf57.36.100
Stream #0:0: Video: wrapped_avframe, yuyv422, 1280x720, q=2-31, 200
kb/s, 0.03 fps, 0.03 tbn
Metadata:
encoder : Lavc57.39.100 wrapped_avframe
Stream mapping:
Stream #0:0 -> #0:0 (m101 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
==2421== Invalid write of size 2
==2421== at 0x85B00FB: m101_decode_frame (m101.c:91)
==2421== by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
==2421== by 0x80DB4E0: decode_video (ffmpeg.c:2087)
==2421== by 0x80DDEDF: process_input_packet (ffmpeg.c:2340)
==2421== by 0x80BD5B5: process_input (ffmpeg.c:4010)
==2421== by 0x80BD5B5: transcode_step (ffmpeg.c:4098)
==2421== by 0x80BD5B5: transcode (ffmpeg.c:4152)
==2421== by 0x80BD5B5: main (ffmpeg.c:4343)
==2421== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2421==
==2421==
==2421== Process terminating with default action of signal 11 (SIGSEGV)
==2421== Access not within mapped region at address 0x0
==2421== at 0x85B00FB: m101_decode_frame (m101.c:91)
==2421== by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
==2421== by 0x80DB4E0: decode_video (ffmpeg.c:2087)
==2421== by 0x80DDEDF: process_input_packet (ffmpeg.c:2340)
==2421== by 0x80BD5B5: process_input (ffmpeg.c:4010)
==2421== by 0x80BD5B5: transcode_step (ffmpeg.c:4098)
==2421== by 0x80BD5B5: transcode (ffmpeg.c:4152)
==2421== by 0x80BD5B5: main (ffmpeg.c:4343)
==2421== If you believe this happened as a result of a stack
==2421== overflow in your program's main thread (unlikely but
==2421== possible), you can try to increase the size of the
==2421== main thread stack using the --main-stacksize= flag.
==2421== The main thread stack size used in this run was 8388608.
==2421==
==2421== HEAP SUMMARY:
==2421== in use at exit: 8,847,180 bytes in 130 blocks
==2421== total heap usage: 1,043 allocs, 913 frees, 9,149,355 bytes
allocated
==2421==
==2421== LEAK SUMMARY:
==2421== definitely lost: 0 bytes in 0 blocks
==2421== indirectly lost: 0 bytes in 0 blocks
==2421== possibly lost: 0 bytes in 0 blocks
==2421== still reachable: 8,847,180 bytes in 130 blocks
==2421== suppressed: 0 bytes in 0 blocks
==2421== Rerun with --leak-check=full to see details of leaked memory
==2421==
==2421== For counts of detected and suppressed errors, rerun with: -v
==2421== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
}}}
{{{
(gdb) r -i m102_1280_720_10bit_i_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i
m102_1280_720_10bit_i_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 24.100 / 55. 24.100
libavcodec 57. 39.100 / 57. 39.100
libavformat 57. 36.100 / 57. 36.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 45.100 / 6. 45.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
[avi @ 0x983d200] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
Input #0, avi, from 'm102_1280_720_10bit_i_fuzz.avi':
Duration: 00:12:14.70, start: 0.000000, bitrate: 527 kb/s
Stream #0:0: Video: m101 (M102 / 0x3230314D), yuyv422, 1280x720, 0.03
fps, 0.03 tbr, 0.03 tbn
[null @ 0x983f520] Using AVStream.codec to pass codec parameters to muxers
is deprecated, use AVStream.codecpar instead.
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf57.36.100
Stream #0:0: Video: wrapped_avframe, yuyv422, 1280x720, q=2-31, 200
kb/s, 0.03 fps, 0.03 tbn
Metadata:
encoder : Lavc57.39.100 wrapped_avframe
Stream mapping:
Stream #0:0 -> #0:0 (m101 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
Program received signal SIGSEGV, Segmentation fault.
0x085b00fb in m101_decode_frame (avctx=0x983f100, data=0x98425a0,
got_frame=0xbfffeb20, avpkt=0xbfffe8fc) at libavcodec/m101.c:91
91 cb[xd>>1] = (4*buf_src[2*x + 1]) +
((buf_src[32 + (x>>1)]>>2)&3);
(gdb) bt
#0 0x085b00fb in m101_decode_frame (avctx=0x983f100, data=0x98425a0,
got_frame=0xbfffeb20, avpkt=0xbfffe8fc) at libavcodec/m101.c:91
#1 0x087382ee in avcodec_decode_video2 (avctx=0x983f100,
picture=0x98425a0,
got_picture_ptr=0xbfffeb20, avpkt=0xbfffeb64) at
libavcodec/utils.c:2217
#2 0x080db4e1 in decode_video (ist=ist at entry=0x983eea0,
pkt=pkt at entry=0xbfffeb64, got_output=got_output at entry=0xbfffeb20)
at ffmpeg.c:2087
#3 0x080ddee0 in process_input_packet (ist=0x983eea0, pkt=0xbfffed94,
no_eof=0) at ffmpeg.c:2340
#4 0x080bd5b6 in process_input (file_index=<optimized out>) at
ffmpeg.c:4010
#5 transcode_step () at ffmpeg.c:4098
#6 transcode () at ffmpeg.c:4152
#7 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4343
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5520>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
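The Memcheck record in the ticket is the whole evidence available for triage: a 2-byte write to address 0x0 from m101_decode_frame at m101.c:91, followed by the SIGSEGV with the same stack. The Python below is an added triage aid, not part of the ticket and not FFmpeg code: it parses Memcheck "Invalid read/write" records (access kind and size, faulting address, stack frames) and sorts each into a coarse bucket so a fuzzing pipeline can separate null dereferences from heap overflows and use-after-free reports. The embedded log is a constructed excerpt of the ticket's Valgrind output, and the `classify` buckets and the 0x1000 "near-null" threshold are this example's own assumptions, not anything Valgrind defines.

```python
"""Parse Valgrind Memcheck error records out of a log for crash triage."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the ticket's Memcheck output: only the lines the
# parser needs are reproduced, with Valgrind's usual indentation.
SAMPLE_LOG = """\
==2421== Invalid write of size 2
==2421==    at 0x85B00FB: m101_decode_frame (m101.c:91)
==2421==    by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
==2421==    by 0x80DB4E0: decode_video (ffmpeg.c:2087)
==2421==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2421==
==2421== Process terminating with default action of signal 11 (SIGSEGV)
==2421==  Access not within mapped region at address 0x0
==2421==    at 0x85B00FB: m101_decode_frame (m101.c:91)
==2421==    by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
==2421==
==2421== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")            # "==PID== ..." lines
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (.*)$")


@dataclass
class Frame:
    pc: int
    function: str
    location: str          # "file:line" or "in /path/lib.so" as Valgrind prints it


@dataclass
class MemcheckError:
    kind: str              # "read" or "write"
    size: int              # access width in bytes
    address: Optional[int] = None
    description: str = ""  # Valgrind's text after "Address 0x... is "
    frames: List[Frame] = field(default_factory=list)

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def classify(self) -> str:
        """Coarse triage bucket derived only from what Memcheck reported.

        Bucket names and the 0x1000 near-null cut-off are this example's own
        convention (assumption), chosen to mirror common crash-triage practice.
        """
        if self.address is not None and self.address < 0x1000:
            return "null-pointer dereference"
        if "free'd" in self.description and not self.description.startswith("not "):
            return "use-after-free"
        if "bytes after a block" in self.description or "bytes before a block" in self.description:
            return "heap buffer overflow"
        return "wild access"


def parse_memcheck(log: str) -> List[MemcheckError]:
    """Collect every 'Invalid read/write' record with its address and frames."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for raw in log.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                       # program output, not a Memcheck line
        line = m.group(1).strip()
        if not line:
            current = None                 # a blank Memcheck line closes the record
            continue
        em = ERROR_RE.match(line)
        if em:
            current = MemcheckError(kind=em.group(1), size=int(em.group(2)))
            errors.append(current)
            continue
        if current is None:
            continue                       # e.g. the SIGSEGV block, which is not an error record
        fm = FRAME_RE.match(line)
        if fm:
            current.frames.append(Frame(int(fm.group(1), 16), fm.group(2), fm.group(3)))
            continue
        am = ADDR_RE.match(line)
        if am:
            current.address = int(am.group(1), 16)
            current.description = am.group(2)
    return errors


def summarize(err: MemcheckError) -> str:
    """One-line triage summary suitable for a ticket title or dedup key."""
    top = err.top_frame
    where = f"{top.function} ({top.location})" if top else "<no frames>"
    addr = f"0x{err.address:x}" if err.address is not None else "<unknown>"
    return f"Invalid {err.kind} of {err.size} bytes at {addr} in {where}: {err.classify()}"


if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(summarize(e))
```

The parser deliberately stops at the first blank Memcheck line, so the "Process terminating" block that repeats the same stack is not double-counted; the ticket's ERROR SUMMARY of "2 errors from 1 contexts" reflects Valgrind counting the SIGSEGV separately, while for dedup purposes the single error record is what matters.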