[FFmpeg-trac] #5557(undetermined:new): IFF ANIM: crash with fuzzed ANIM-J
FFmpeg
trac at avcodec.org
Sat May 14 13:44:14 CEST 2016
#5557: IFF ANIM: crash with fuzzed ANIM-J
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |      Owner:
                 Type:  defect       |     Status:  new
             Priority:  normal       |  Component:  undetermined
              Version:  unspecified  |   Keywords:
           Blocked By:               |   Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
{{{
aaa at aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full
ffmpeg/ffmpeg_g -i animj_ham6_fuzz.anim -f null -
==2493== Memcheck, a memory error detector
==2493== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2493== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright
info
==2493== Command: ffmpeg/ffmpeg_g -i animj_ham6_fuzz.anim -f null -
==2493==
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 24.100 / 55. 24.100
libavcodec 57. 41.102 / 57. 41.102
libavformat 57. 36.100 / 57. 36.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 45.100 / 6. 45.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
Input #0, iff, from 'animj_ham6_fuzz.anim':
Duration: N/A, bitrate: N/A
Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), rgb0, 160x100, SAR
6:7 DAR 48:35, 30 fps, 60 tbr, 60 tbn
[null @ 0x43aafa0] Using AVStream.codec to pass codec parameters to muxers
is deprecated, use AVStream.codecpar instead.
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf57.36.100
Stream #0:0: Video: wrapped_avframe, rgb0, 160x100 [SAR 6:7 DAR
48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
Metadata:
encoder : Lavc57.41.102 wrapped_avframe
Stream mapping:
Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
decode_byterun ended before plane size
==2493== Invalid write of size 1s
==2493== at 0x8576A3C: bytestream_get_byte (bytestream.h:95)
==2493== by 0x8576A3C: bytestream2_get_byteu (bytestream.h:95)
==2493== by 0x8576A3C: bytestream2_get_byte (bytestream.h:95)
==2493== by 0x8576A3C: decode_delta_j (iff.c:848)
==2493== by 0x8576A3C: decode_frame (iff.c:1481)
==2493== by 0x874014D: avcodec_decode_video2 (utils.c:2217)
==2493== by 0x80DBF40: decode_video (ffmpeg.c:2087)
==2493== by 0x80DE93F: process_input_packet (ffmpeg.c:2340)
==2493== by 0x80BDE45: process_input (ffmpeg.c:4014)
==2493== by 0x80BDE45: transcode_step (ffmpeg.c:4102)
==2493== by 0x80BDE45: transcode (ffmpeg.c:4156)
==2493== by 0x80BDE45: main (ffmpeg.c:4349)
==2493== Address 0x43f4d77 is 9 bytes before a block of size 384,000
alloc'd
==2493== at 0x402C580: memalign (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2493== by 0x402C6AE: posix_memalign (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2493== by 0x8BAED9F: av_malloc (mem.c:97)
==2493== by 0x8BAED9F: av_mallocz (mem.c:254)
==2493== by 0x8BAED9F: av_calloc (mem.c:264)
==2493== by 0x8074545: decode_init (iff.c:419)
==2493== by 0x8745B48: avcodec_open2 (utils.c:1564)
==2493== by 0x80D63F8: init_input_stream (ffmpeg.c:2566)
==2493== by 0x80D63F8: transcode_init (ffmpeg.c:3227)
==2493== by 0x80BCD1F: transcode (ffmpeg.c:4127)
==2493== by 0x80BCD1F: main (ffmpeg.c:4349)
==2493==
Last message repeated 4 times
frame= 18 fps=0.0 q=-0.0 Lsize=N/A time=00:00:00.71 bitrate=N/A
speed=1.22x
video:7kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB
muxing overhead: unknown
==2493==
==2493== HEAP SUMMARY:
==2493== in use at exit: 24 bytes in 1 blocks
==2493== total heap usage: 1,368 allocs, 1,367 frees, 2,138,915 bytes
allocated
==2493==
==2493== LEAK SUMMARY:
==2493== definitely lost: 0 bytes in 0 blocks
==2493== indirectly lost: 0 bytes in 0 blocks
==2493== possibly lost: 0 bytes in 0 blocks
==2493== still reachable: 24 bytes in 1 blocks
==2493== suppressed: 0 bytes in 0 blocks
==2493== Reachable blocks (those to which a pointer was found) are not
shown.
==2493== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2493==
==2493== For counts of detected and suppressed errors, rerun with: -v
==2493== ERROR SUMMARY: 16 errors from 1 contexts (suppressed: 0 from 0)
}}}
{{{
(gdb) r -i animJ_ham6_fuzz.anim -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i animJ_ham6_fuzz.anim -f
null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 24.100 / 55. 24.100
libavcodec 57. 41.102 / 57. 41.102
libavformat 57. 36.100 / 57. 36.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 45.100 / 6. 45.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
Input #0, iff, from 'animJ_ham6_fuzz.anim':
Duration: N/A, bitrate: N/A
Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), rgb0, 160x100, SAR
6:7 DAR 48:35, 30 fps, 60 tbr, 60 tbn
[null @ 0x9858480] Using AVStream.codec to pass codec parameters to muxers
is deprecated, use AVStream.codecpar instead.
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf57.36.100
Stream #0:0: Video: wrapped_avframe, rgb0, 160x100 [SAR 6:7 DAR
48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
Metadata:
encoder : Lavc57.41.102 wrapped_avframe
Stream mapping:
Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
decode_byterun ended before plane size
*** Error in `/media/sdb1/ffmpeg/ffmpeg_g': double free or corruption
(!prev): 0x098791a0 ***
Program received signal SIGABRT, Aborted.
0xb7fdccb0 in ?? ()
(gdb) bt
#0 0xb7fdccb0 in ?? ()
#1 0xb7dd233a in malloc_printerr (action=<optimized out>,
str=0xb7ec4fd0 "double free or corruption (!prev)", ptr=0x98791a0)
at malloc.c:4996
#2 0xb7dd2fad in _int_free (av=0xb7f09420 <main_arena>, p=<optimized
out>,
have_lock=0) at malloc.c:3840
#3 0x083180b2 in read_from_packet_buffer (pkt=<optimized out>,
pkt_buffer_end=<optimized out>, pkt_buffer=<optimized out>)
at libavformat/utils.c:1436
#4 av_read_frame (s=<optimized out>, pkt=0xbfffed44)
at libavformat/utils.c:1688
#5 0x080d2f1f in get_input_packet (f=f at entry=0x9857cc0,
pkt=pkt at entry=0xbfffed44) at ffmpeg.c:3672
#6 0x080bd447 in process_input (file_index=0) at ffmpeg.c:3792
#7 transcode_step () at ffmpeg.c:4102
#8 transcode () at ffmpeg.c:4156
#9 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4349
(gdb)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5557>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
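The two traces above are one bug seen twice: Valgrind catches a 1-byte write landing 9 bytes before the 384,000-byte plane buffer that decode_init allocated, and the gdb run, without Valgrind's redzones, only notices once glibc's free() trips over the damaged chunk metadata ("double free or corruption (!prev)") inside av_read_frame, far from the decoder. The illustration below is added here and is not code from the ticket or from FFmpeg's iff.c: it shows the destination-side bounds check a run-length unpacker needs so that a fuzzed offset can never produce such an under- or over-write. The record layout (signed 16-bit offset, count, value), PLANE_SIZE and all sample inputs are constructed for the example, not the ANIM-J format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed size: a tiny stand-in for the 384,000-byte plane buffer in the report. */
#define PLANE_SIZE 64u

enum unpack_status {
    UNPACK_OK = 0,
    UNPACK_SHORT_INPUT,    /* input ended in the middle of a record */
    UNPACK_OUT_OF_BOUNDS   /* a run would have written outside the plane */
};

/* Big-endian signed 16-bit read without implementation-defined narrowing casts. */
static int read_be16s(const uint8_t *p)
{
    int v = (p[0] << 8) | p[1];
    return v >= 0x8000 ? v - 0x10000 : v;
}

/*
 * Hypothetical record format (constructed for this illustration, not ANIM-J):
 *   int16 offset (big-endian, signed) | uint8 count | uint8 value
 * Each record fills `count` bytes of `value` at dst + offset.
 */
static enum unpack_status unpack_runs(const uint8_t *src, size_t src_len,
                                      uint8_t *dst, size_t dst_size,
                                      size_t *written)
{
    size_t pos = 0;
    *written = 0;
    while (src_len - pos >= 4) {
        int off = read_be16s(src + pos);
        size_t count = src[pos + 2];
        uint8_t value = src[pos + 3];
        pos += 4;

        /* A negative offset is the "N bytes before a block" write Valgrind flagged;
         * a run past dst_size is the matching overflow. The subtraction is safe:
         * off is already known to be non-negative and <= dst_size at that point. */
        if (off < 0 || (size_t)off > dst_size || count > dst_size - (size_t)off)
            return UNPACK_OUT_OF_BOUNDS;

        memset(dst + off, value, count);
        *written += count;
    }
    return pos == src_len ? UNPACK_OK : UNPACK_SHORT_INPUT;
}

static enum unpack_status run_demo(const uint8_t *src, size_t src_len, size_t *written)
{
    uint8_t plane[PLANE_SIZE];
    memset(plane, 0, sizeof plane);
    return unpack_runs(src, src_len, plane, sizeof plane, written);
}

/* Well-formed input: two runs that together end exactly at the plane boundary. */
enum unpack_status demo_valid(size_t *written)
{
    static const uint8_t good[] = { 0x00, 0x00, 0x10, 0xAA,    /* offset 0,  16 bytes */
                                    0x00, 0x30, 0x10, 0x55 };  /* offset 48, 16 bytes */
    return run_demo(good, sizeof good, written);
}

/* Fuzzed input: offset -9 mirrors the report's "9 bytes before a block". */
enum unpack_status demo_underflow(size_t *written)
{
    static const uint8_t fuzzed[] = { 0xFF, 0xF7, 0x01, 0x00 };  /* 0xFFF7 = -9, 1 byte */
    return run_demo(fuzzed, sizeof fuzzed, written);
}

/* Fuzzed input: starts in bounds at byte 63 but would run off the end. */
enum unpack_status demo_overflow(size_t *written)
{
    static const uint8_t fuzzed[] = { 0x00, 0x3F, 0x02, 0x00 };
    return run_demo(fuzzed, sizeof fuzzed, written);
}

/* Truncated input: one complete record followed by half of another. */
enum unpack_status demo_truncated(size_t *written)
{
    static const uint8_t trunc[] = { 0x00, 0x00, 0x04, 0x11, 0x00, 0x04 };
    return run_demo(trunc, sizeof trunc, written);
}

int main(void)
{
    size_t n;
    enum unpack_status s;
    s = demo_valid(&n);     printf("valid:     status %d, %zu bytes\n", s, n);
    s = demo_underflow(&n); printf("underflow: status %d, %zu bytes\n", s, n);
    s = demo_overflow(&n);  printf("overflow:  status %d, %zu bytes\n", s, n);
    s = demo_truncated(&n); printf("truncated: status %d, %zu bytes\n", s, n);
    return 0;
}
```

The check is deliberately written against the destination (offset and count versus dst_size) rather than the source: a "ended before plane size" warning like the one in the log tells you the input ran short, but it is the destination arithmetic that decides whether a byte lands inside the allocation. Running the fuzzed sample under Valgrind before and after adding such a check is the quickest way to confirm that the "Invalid write" and the later abort in free() share one root cause.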