[FFmpeg-trac] #6277(avcodec:new): Use of uninitialized memory in do_decode (utils.c)
FFmpeg
trac at avcodec.org
Thu Mar 30 20:00:59 EEST 2017
#6277: Use of uninitialized memory in do_decode (utils.c)
---------------------------------+--------------------------------------
Reporter: Fusl | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+--------------------------------------
The file "afl2_24" is attached as corrupt.webm, not minimized (pulled from a
running AFL fuzzer instance).
Tested with git commit 50bbb674723e84c8733a447dcb0139c53a2705a7
{{{
valgrind --track-origins=yes /afl/testcases/ffmpeg/bin/ffmpeg -v 9 -loglevel 99 -i ./afl2_24 -f null -
}}}
Valgrind output:
{{{
==554833== Conditional jump or move depends on uninitialised
value(s)d=0.00136x
==554833== at 0x1F8180C: do_decode (utils.c:2824)
==554833== by 0x1F856C3: avcodec_receive_frame (utils.c:2949)
==554833== by 0x5F459E: decode (ffmpeg.c:2256)
==554833== by 0x5F459E: decode_video (ffmpeg.c:2393)
==554833== by 0x5FF076: process_input_packet.constprop.21
(ffmpeg.c:2628)
==554833== by 0x5755AE: process_input (ffmpeg.c:4171)
==554833== by 0x5755AE: transcode_step (ffmpeg.c:4481)
==554833== by 0x5755AE: transcode (ffmpeg.c:4535)
==554833== by 0x5755AE: main (ffmpeg.c:4740)
==554833== Uninitialised value was created by a stack allocation
==554833== at 0x1C57FE0: ff_thread_decode_frame (pthread_frame.c:446)
==554833==
}}}
Full output:
{{{
==554833== Memcheck, a memory error detector
==554833== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==554833== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright
info
==554833== Command: /afl/testcases/ffmpeg/bin/ffmpeg -v 9 -loglevel 99 -i
./afl2_24 -f null -
==554833==
ffmpeg version N-84505-g50bbb67 Copyright (c) 2000-2017 the FFmpeg
developers
built with gcc 4.9.2 (Debian 4.9.2-10)
configuration: --disable-yasm --cc=/usr/local/bin/afl-gcc
--cxx=/usr/local/bin/afl-g++ --disable-shared --enable-static --disable-
optimizations --disable-mmx --disable-stripping
libavutil 55. 50.100 / 55. 50.100
libavcodec 57. 85.101 / 57. 85.101
libavformat 57. 67.100 / 57. 67.100
libavdevice 57. 3.101 / 57. 3.101
libavfilter 6. 78.100 / 6. 78.100
libswscale 4. 3.101 / 4. 3.101
libswresample 2. 4.100 / 2. 4.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input url with argument './afl2_24'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'null'.
Reading option '-' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url ./afl2_24.
Successfully parsed a group of options.
Opening an input file: ./afl2_24.
[file @ 0x59032e0] Setting default whitelist 'file,crypto'
Probing matroska,webm score:100 size:2048
[matroska,webm @ 0x59026c0] Format matroska,webm probed with size=2048 and
score=100
st:0 removing common factor 1000000 from timebase
st:1 removing common factor 1000000 from timebase
[matroska,webm @ 0x59026c0] Before avformat_find_stream_info() pos: 3886
bytes read:5022 seeks:0 nb_streams:2
[matroska,webm @ 0x59026c0] All info found
[matroska,webm @ 0x59026c0] stream 0: start_time: 0.252 duration:
-9223372036854776.000
[matroska,webm @ 0x59026c0] stream 1: start_time: 0.000 duration:
-9223372036854776.000
[matroska,webm @ 0x59026c0] format: start_time: 0.000 duration: 1.263
bitrate=31 kb/s
[matroska,webm @ 0x59026c0] After avformat_find_stream_info() pos: 3997
bytes read:5022 seeks:0 frames:10
Input #0, matroska,webm, from './afl2_24':
Metadata:
encoder : Lavf56.40.101
Duration: 00:00:01.26, start: 0.000000, bitrate: 31 kb/s
Stream #0:0(eng), 1, 1/1000: Video: vp9 (Profile 0), 1 reference
frame, yuv420p(tv), 96x65521, 0/1, SAR 9:10 DAR 432:327605, 29.67 fps,
29.67 tbr, 1k tbn, 1k tbc (default)
Stream #0:1(eng), 9, 1/1000: Audio: vorbis, 16000 Hz, mono, fltp
(default)
Successfully opened the file.
Parsing a group of options: output url -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
detected 24 logical cores
Stream mapping:
Stream #0:0 -> #0:0 (vp9 (native) -> wrapped_avframe (native))
Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
Last message repeated 1 times
[graph_1_in_0_1 @ 0xe797e10] Setting 'time_base' to value '1/16000'
[graph_1_in_0_1 @ 0xe797e10] Setting 'sample_rate' to value '16000'
[graph_1_in_0_1 @ 0xe797e10] Setting 'sample_fmt' to value 'fltp'
[graph_1_in_0_1 @ 0xe797e10] Setting 'channel_layout' to value '0x4'
[graph_1_in_0_1 @ 0xe797e10] tb:1/16000 samplefmt:fltp samplerate:16000
chlayout:0x4
[format_out_0_1 @ 0xe799c70] Setting 'sample_fmts' to value 's16'
[format_out_0_1 @ 0xe799c70] auto-inserting filter 'auto_resampler_0'
between the filter 'Parsed_anull_0' and the filter 'format_out_0_1'
[AVFilterGraph @ 0xe795520] query_formats: 4 queried, 6 merged, 3 already
done, 0 delayed
[auto_resampler_0 @ 0xe79d750] [SWR @ 0xe79db80] Using fltp internally
between filters
[auto_resampler_0 @ 0xe79d750] ch:1 chl:mono fmt:fltp r:16000Hz -> ch:1
chl:mono fmt:s16 r:16000Hz
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
Last message repeated 8 times
[matroska,webm @ 0x59026c0] first_dts 252 not matching first dts 285 (pts
285, duration 33) in the queue
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'video_size' to value
'96x65521'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'time_base' to value
'1/1000'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'pixel_aspect' to
value '9/10'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'sws_param' to value
'flags=2'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'frame_rate' to value
'89/3'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] w:96 h:65521 pixfmt:yuv420p
tb:1/1000 fr:89/3 sar:9/10 sws_param:flags=2
[AVFilterGraph @ 0xeaf2be0] query_formats: 3 queried, 2 merged, 0 already
done, 0 delayed
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf57.67.100
Stream #0:0(eng), 0, 3/89: Video: wrapped_avframe, 1 reference frame,
yuv420p, 96x65521 [SAR 9:10 DAR 432:327605], 0/1, q=2-31, 200 kb/s, 29.67
fps, 29.67 tbn, 29.67 tbc (default)
Metadata:
encoder : Lavc57.85.101 wrapped_avframe
Stream #0:1(eng), 0, 1/16000: Audio: pcm_s16le, 16000 Hz, mono, s16,
256 kb/s (default)
Metadata:
encoder : Lavc57.85.101 pcm_s16le
==554833== Conditional jump or move depends on uninitialised
value(s)d=0.00136x
==554833== at 0x1F8180C: do_decode (utils.c:2824)
==554833== by 0x1F856C3: avcodec_receive_frame (utils.c:2949)
==554833== by 0x5F459E: decode (ffmpeg.c:2256)
==554833== by 0x5F459E: decode_video (ffmpeg.c:2393)
==554833== by 0x5FF076: process_input_packet.constprop.21
(ffmpeg.c:2628)
==554833== by 0x5755AE: process_input (ffmpeg.c:4171)
==554833== by 0x5755AE: transcode_step (ffmpeg.c:4481)
==554833== by 0x5755AE: transcode (ffmpeg.c:4535)
==554833== by 0x5755AE: main (ffmpeg.c:4740)
==554833== Uninitialised value was created by a stack allocation
==554833== at 0x1C57FE0: ff_thread_decode_frame (pthread_frame.c:446)
==554833==
No more output streams to write to, finishing.
frame= 30 fps=0.0 q=-0.0 Lsize=N/A time=00:00:01.24 bitrate=N/A
speed=0.00144x
video:15kB audio:32kB subtitle:0kB other streams:0kB global headers:0kB
muxing overhead: unknown
Input file #0 (./afl2_24):
Input stream #0:0 (video): 32 packets read (677 bytes); 30 frames
decoded;
Input stream #0:1 (audio): 33 packets read (33 bytes); 32 frames decoded
(16256 samples);
Total: 65 packets (710 bytes) demuxed
Output file #0 (pipe:):
Output stream #0:0 (video): 30 frames encoded; 30 packets muxed (14880
bytes);
Output stream #0:1 (audio): 32 frames encoded (16256 samples); 32
packets muxed (32512 bytes);
Total: 62 packets (47392 bytes) muxed
62 frames successfully decoded, 0 decoding errors
[AVIOContext @ 0x590bb80] Statistics: 5022 bytes read, 0 seeks
==554833==
==554833== HEAP SUMMARY:
==554833== in use at exit: 40 bytes in 1 blocks
==554833== total heap usage: 8,406 allocs, 8,405 frees, 292,112,110
bytes allocated
==554833==
==554833== LEAK SUMMARY:
==554833== definitely lost: 0 bytes in 0 blocks
==554833== indirectly lost: 0 bytes in 0 blocks
==554833== possibly lost: 0 bytes in 0 blocks
==554833== still reachable: 40 bytes in 1 blocks
==554833== suppressed: 0 bytes in 0 blocks
==554833== Rerun with --leak-check=full to see details of leaked memory
==554833==
==554833== For counts of detected and suppressed errors, rerun with: -v
==554833== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/6277>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
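The two valgrind lines that matter in the report above are "Conditional jump or move depends on uninitialised value(s)" (a branch in do_decode reads memory that was never written) and, thanks to --track-origins=yes, "Uninitialised value was created by a stack allocation" in ff_thread_decode_frame (the memory is a local in a caller further up the stack). The C program below is an added illustration of that bug class and is not FFmpeg code: decode_result, decode_unsafe, decode_safe, count_frames, count_frames_checked and sample_pkt are all hypothetical names constructed for this example, and the packet bytes are made up. It shows a callee that leaves an output field undefined on an early-return path, the caller whose stack slot then feeds a branch, and the two fixes a reviewer would ask for (define every output on every path; gate the read on the return value).

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-call decoder output record. Its shape is chosen for
 * illustration only; nothing here is taken from libavcodec. */
typedef struct {
    int got_frame;   /* 1 if this call produced a frame */
    int frame_size;  /* bytes of decoded payload */
} decode_result;

/* Constructed sample packet (not from the attached afl2_24 file). */
static const unsigned char sample_pkt[] = { 0x82, 0x49, 0x83, 0x42, 0x00 };

/* Buggy pattern: on the "nothing to decode" path the callee returns early
 * without writing r->got_frame. The caller then branches on whatever was
 * on its stack, which is what valgrind reports as a conditional jump on an
 * uninitialised value; --track-origins=yes traces it to the caller's
 * stack allocation. */
static int decode_unsafe(const unsigned char *pkt, size_t len, decode_result *r)
{
    if (pkt == NULL || len == 0)
        return -1;            /* bug: r->got_frame left undefined */
    r->got_frame  = 1;
    r->frame_size = (int)len;
    return 0;
}

/* Fixed pattern: every output field is defined before any early return,
 * so the caller's branch is deterministic on every path. */
static int decode_safe(const unsigned char *pkt, size_t len, decode_result *r)
{
    memset(r, 0, sizeof(*r));  /* got_frame = 0, frame_size = 0 */
    if (pkt == NULL || len == 0)
        return -1;
    r->got_frame  = 1;
    r->frame_size = (int)len;
    return 0;
}

typedef int (*decode_fn)(const unsigned char *, size_t, decode_result *);

/* Caller that owns the result on its stack (the analogue of the "stack
 * allocation" in valgrind's origin line). It deliberately ignores the
 * callee's return value and trusts got_frame alone. */
static int count_frames(decode_fn decode, const unsigned char *pkt, size_t len)
{
    decode_result r;          /* uninitialised stack memory */
    (void)decode(pkt, len, &r);
    return r.got_frame ? 1 : 0;   /* branch valgrind flags for decode_unsafe */
}

/* Defensive caller: the return value gates the read of the result, so even
 * the buggy callee cannot feed it uninitialised data. */
static int count_frames_checked(decode_fn decode, const unsigned char *pkt, size_t len)
{
    decode_result r;
    if (decode(pkt, len, &r) < 0)
        return 0;             /* r is never read on the failure path */
    return r.got_frame ? 1 : 0;
}

int main(void)
{
    int a = count_frames(decode_unsafe, sample_pkt, sizeof sample_pkt); /* defined: 1 */
    int b = count_frames(decode_unsafe, NULL, 0);         /* valgrind reports here */
    int c = count_frames(decode_safe, NULL, 0);           /* clean: 0 */
    int d = count_frames_checked(decode_unsafe, NULL, 0); /* clean: 0 */
    printf("unsafe/data=%d unsafe/empty=%d safe/empty=%d checked/empty=%d\n",
           a, b, c, d);
    return 0;
}
```

Build it with `gcc -g -O0 example.c` and run `valgrind --track-origins=yes ./a.out`: the `count_frames(decode_unsafe, NULL, 0)` call produces the same two-part report as the ticket, with the conditional jump inside count_frames and the origin at count_frames' stack frame, while the decode_safe and count_frames_checked calls are silent. The -O0 build matters for the same reason the reporter's tree was configured with --disable-optimizations: at higher optimisation levels the compiler may fold or hoist the branch and the line numbers in the trace stop matching the source.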