[FFmpeg-trac] #8863(undetermined:new): null pointer reference
FFmpeg
trac at avcodec.org
Mon Aug 24 12:39:08 EEST 2020
#8863: null pointer reference
-------------------------------------+-------------------------------------
Reporter: lys404 | Type: defect
Status: new | Priority: normal
Component: | Version:
undetermined | unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
There is a null pointer dereference in libavutil/mem.c
How to reproduce:
{{{
% ffmpeg -i $PoC output
ffmpeg version
built on ffmpeg version N-98759-g1c7e55d Copyright (c) 2000-2020 the
FFmpeg developers
built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.12) 20160609
configuration: --prefix=./out --disable-stripping --enable-debug --cc
=afl-gcc --cxx=afl-g++
}}}
Error information:
{{{
Program received signal SIGSEGV, Segmentation fault.
}}}
Here is the debugging information:
{{{
gdb-peda$ bt
#0 0x00000000038aaf2b in av_freep (arg=arg at entry=0x433f08b2c82f1376) at
libavutil/mem.c:229
#1 0x00000000004cde0d in ff_mdct_end (s=s at entry=0x433f08b2c82f1356) at
libavcodec/mdct_template.c:211
#2 0x000000000055def8 in ff_aac_sbr_ctx_close (sbr=0x433f08b2c8291c26) at
libavcodec/aacsbr_template.c:117
#3 0x0000000002cf2f90 in che_configure (channels=<synthetic pointer>,
id=0x0, type=0xff, che_pos=<optimized out>, ac=<optimized out>)
at libavcodec/aacdec_template.c:152
#4 output_configure (ac=0x49bb200, layout_map=<optimized out>, tags=0x10,
oc_type=OC_TRIAL_PCE, get_new_frame=<optimized out>)
at libavcodec/aacdec_template.c:543
#5 0x0000000002cfef22 in aac_decode_frame_int
(avctx=avctx at entry=0x49b8a00, data=data at entry=0x49baac0,
got_frame_ptr=got_frame_ptr at entry=0x7fffffffd860,
gb=gb at entry=0x7fffffffd7d0, avpkt=<optimized out>) at
libavcodec/aacdec_template.c:3312
#6 0x0000000002d046b5 in aac_decode_frame (avctx=0x49b8a00,
data=0x49baac0, got_frame_ptr=0x7fffffffd860, avpkt=<optimized out>)
at libavcodec/aacdec_template.c:3457
#7 0x0000000001818f01 in decode_simple_internal (frame=<optimized out>,
avctx=<optimized out>) at libavcodec/decode.c:342
#8 decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized
out>) at libavcodec/decode.c:538
#9 decode_receive_frame_internal (avctx=avctx at entry=0x49b8a00,
frame=0x49baac0) at libavcodec/decode.c:556
#10 0x000000000181bde8 in avcodec_send_packet
(avctx=avctx at entry=0x49b8a00, avpkt=avpkt at entry=0x7fffffffd930) at
libavcodec/decode.c:614
#11 0x00000000014ff73d in try_decode_frame (s=s at entry=0x49b7480,
st=st at entry=0x49b8140, avpkt=avpkt at entry=0x4a4cd40, options=<optimized
out>)
at libavformat/utils.c:3111
#12 0x0000000001526a5f in avformat_find_stream_info (ic=0x49b7480,
options=0x49b8080) at libavformat/utils.c:3954
#13 0x00000000005f9e4d in open_input_file (o=o at entry=0x7fffffffdf00,
filename=<optimized out>) at fftools/ffmpeg_opt.c:1186
#14 0x000000000060420f in open_files (l=0x49b7058, l=0x49b7058,
open_file=0x5f2730 <open_input_file>, inout=0x3a55879 "input")
at fftools/ffmpeg_opt.c:3303
#15 ffmpeg_parse_options (argc=argc at entry=0x4,
argv=argv at entry=0x7fffffffe4a8) at fftools/ffmpeg_opt.c:3343
#16 0x00000000005dbbb7 in main (argc=argc at entry=0x4,
argv=argv at entry=0x7fffffffe4a8) at fftools/ffmpeg.c:4850
#17 0x00007ffff72ed840 in __libc_start_main (main=0x5dba40 <main>,
argc=0x4, argv=0x7fffffffe4a8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe498) at ../csu/libc-start.c:291
#18 0x00000000005dd119 in _start ()
}}}
{{{
gdb-peda$ disass $pc-32,$pc+32
Dump of assembler code from 0x38aaf0b to 0x38aaf4b:
0x00000000038aaf0b <av_freep+27>: add BYTE PTR [rax],al
0x00000000038aaf0d <av_freep+29>: call 0x38af730 <__afl_maybe_log>
0x00000000038aaf12 <av_freep+34>: mov rax,QWORD PTR [rsp+0x10]
0x00000000038aaf17 <av_freep+39>: mov rcx,QWORD PTR [rsp+0x8]
0x00000000038aaf1c <av_freep+44>: mov rdx,QWORD PTR [rsp]
0x00000000038aaf20 <av_freep+48>: lea rsp,[rsp+0x98]
0x00000000038aaf28 <av_freep+56>: mov rax,rdi
=> 0x00000000038aaf2b <av_freep+59>: mov rdi,QWORD PTR [rdi]
0x00000000038aaf2e <av_freep+62>: mov QWORD PTR [rax],0x0
0x00000000038aaf35 <av_freep+69>: jmp 0x404140 <free at plt>
0x00000000038aaf3a: nop WORD PTR [rax+rax*1+0x0]
0x00000000038aaf40 <av_mallocz+0>: lea rsp,[rsp-0x98]
0x00000000038aaf48 <av_mallocz+8>: mov QWORD PTR [rsp],rdx
End of assembler dump.
}}}
{{{
gdb-peda$ info all-registers
rax 0x433f08b2c82f1376 0x433f08b2c82f1376
rbx 0x433f08b2c82f1356 0x433f08b2c82f1356
rcx 0x7ffff7247040 0x7ffff7247040
rdx 0x3 0x3
rsi 0x0 0x0
rdi 0x433f08b2c82f1376 0x433f08b2c82f1376
rbp 0x10 0x10
rsp 0x7fffffffd318 0x7fffffffd318
r8 0x102e 0x102e
r9 0x0 0x0
r10 0x0 0x0
r11 0x433f08b2c826b8c6 0x433f08b2c826b8c6
r12 0xff 0xff
r13 0x0 0x0
r14 0xd 0xd
r15 0x49bb200 0x49bb200
rip 0x38aaf2b 0x38aaf2b <av_freep+59>
eflags 0x10206 [ PF IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 0x37f
fstat 0x0 0x0
ftag 0xffff 0xffff
fiseg 0x0 0x0
fioff 0x0 0x0
foseg 0x0 0x0
fooff 0x0 0x0
fop 0x0 0x0
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
}}}
Please confirm.
Thanks
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8863>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker