[FFmpeg-trac] #5557(undetermined:new): IFF ANIM: crash with fuzzed ANIM-J

FFmpeg trac at avcodec.org
Sat May 14 13:44:14 CEST 2016 

#5557: IFF ANIM: crash with fuzzed ANIM-J
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:
                Version:             |  undetermined
  unspecified                        |               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 aaa at aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full
 ffmpeg/ffmpeg_g -i animj_ham6_fuzz.anim -f null -
 ==2493== Memcheck, a memory error detector
 ==2493== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==2493== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright
 info
 ==2493== Command: ffmpeg/ffmpeg_g -i animj_ham6_fuzz.anim -f null -
 ==2493==
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 41.102 / 57. 41.102
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 Input #0, iff, from 'animj_ham6_fuzz.anim':
   Duration: N/A, bitrate: N/A
     Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), rgb0, 160x100, SAR
 6:7 DAR 48:35, 30 fps, 60 tbr, 60 tbn
 [null @ 0x43aafa0] Using AVStream.codec to pass codec parameters to muxers
 is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, rgb0, 160x100 [SAR 6:7 DAR
 48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
     Metadata:
       encoder         : Lavc57.41.102 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 decode_byterun ended before plane size
 ==2493== Invalid write of size 1s
 ==2493==    at 0x8576A3C: bytestream_get_byte (bytestream.h:95)
 ==2493==    by 0x8576A3C: bytestream2_get_byteu (bytestream.h:95)
 ==2493==    by 0x8576A3C: bytestream2_get_byte (bytestream.h:95)
 ==2493==    by 0x8576A3C: decode_delta_j (iff.c:848)
 ==2493==    by 0x8576A3C: decode_frame (iff.c:1481)
 ==2493==    by 0x874014D: avcodec_decode_video2 (utils.c:2217)
 ==2493==    by 0x80DBF40: decode_video (ffmpeg.c:2087)
 ==2493==    by 0x80DE93F: process_input_packet (ffmpeg.c:2340)
 ==2493==    by 0x80BDE45: process_input (ffmpeg.c:4014)
 ==2493==    by 0x80BDE45: transcode_step (ffmpeg.c:4102)
 ==2493==    by 0x80BDE45: transcode (ffmpeg.c:4156)
 ==2493==    by 0x80BDE45: main (ffmpeg.c:4349)
 ==2493==  Address 0x43f4d77 is 9 bytes before a block of size 384,000
 alloc'd
 ==2493==    at 0x402C580: memalign (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2493==    by 0x402C6AE: posix_memalign (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2493==    by 0x8BAED9F: av_malloc (mem.c:97)
 ==2493==    by 0x8BAED9F: av_mallocz (mem.c:254)
 ==2493==    by 0x8BAED9F: av_calloc (mem.c:264)
 ==2493==    by 0x8074545: decode_init (iff.c:419)
 ==2493==    by 0x8745B48: avcodec_open2 (utils.c:1564)
 ==2493==    by 0x80D63F8: init_input_stream (ffmpeg.c:2566)
 ==2493==    by 0x80D63F8: transcode_init (ffmpeg.c:3227)
 ==2493==    by 0x80BCD1F: transcode (ffmpeg.c:4127)
 ==2493==    by 0x80BCD1F: main (ffmpeg.c:4349)
 ==2493==
     Last message repeated 4 times
 frame=   18 fps=0.0 q=-0.0 Lsize=N/A time=00:00:00.71 bitrate=N/A
 speed=1.22x
 video:7kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB
 muxing overhead: unknown
 ==2493==
 ==2493== HEAP SUMMARY:
 ==2493==     in use at exit: 24 bytes in 1 blocks
 ==2493==   total heap usage: 1,368 allocs, 1,367 frees, 2,138,915 bytes
 allocated
 ==2493==
 ==2493== LEAK SUMMARY:
 ==2493==    definitely lost: 0 bytes in 0 blocks
 ==2493==    indirectly lost: 0 bytes in 0 blocks
 ==2493==      possibly lost: 0 bytes in 0 blocks
 ==2493==    still reachable: 24 bytes in 1 blocks
 ==2493==         suppressed: 0 bytes in 0 blocks
 ==2493== Reachable blocks (those to which a pointer was found) are not
 shown.
 ==2493== To see them, rerun with: --leak-check=full --show-leak-kinds=all
 ==2493==
 ==2493== For counts of detected and suppressed errors, rerun with: -v
 ==2493== ERROR SUMMARY: 16 errors from 1 contexts (suppressed: 0 from 0)
 }}}

 {{{
 (gdb) r -i animJ_ham6_fuzz.anim -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i animJ_ham6_fuzz.anim -f
 null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 41.102 / 57. 41.102
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 Input #0, iff, from 'animJ_ham6_fuzz.anim':
   Duration: N/A, bitrate: N/A
     Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), rgb0, 160x100, SAR
 6:7 DAR 48:35, 30 fps, 60 tbr, 60 tbn
 [null @ 0x9858480] Using AVStream.codec to pass codec parameters to muxers
 is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, rgb0, 160x100 [SAR 6:7 DAR
 48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
     Metadata:
       encoder         : Lavc57.41.102 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 decode_byterun ended before plane size
 *** Error in `/media/sdb1/ffmpeg/ffmpeg_g': double free or corruption
 (!prev): 0x098791a0 ***

 Program received signal SIGABRT, Aborted.
 0xb7fdccb0 in ?? ()
 (gdb) bt
 #0  0xb7fdccb0 in ?? ()
 #1  0xb7dd233a in malloc_printerr (action=<optimized out>,
     str=0xb7ec4fd0 "double free or corruption (!prev)", ptr=0x98791a0)
     at malloc.c:4996
 #2  0xb7dd2fad in _int_free (av=0xb7f09420 <main_arena>, p=<optimized
 out>,
     have_lock=0) at malloc.c:3840
 #3  0x083180b2 in read_from_packet_buffer (pkt=<optimized out>,
     pkt_buffer_end=<optimized out>, pkt_buffer=<optimized out>)
     at libavformat/utils.c:1436
 #4  av_read_frame (s=<optimized out>, pkt=0xbfffed44)
     at libavformat/utils.c:1688
 #5  0x080d2f1f in get_input_packet (f=f at entry=0x9857cc0,
     pkt=pkt at entry=0xbfffed44) at ffmpeg.c:3672
 #6  0x080bd447 in process_input (file_index=0) at ffmpeg.c:3792
 #7  transcode_step () at ffmpeg.c:4102
 #8  transcode () at ffmpeg.c:4156
 #9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4349
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5557>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list