[FFmpeg-trac] #9551(avfilter:new): Crash in palettegen filter

FFmpeg trac at avcodec.org
Sun Dec 12 04:57:54 EET 2021


#9551: Crash in palettegen filter
-----------------------------------+----------------------------------
             Reporter:  byteslice  |                     Type:  defect
               Status:  new        |                 Priority:  normal
            Component:  avfilter   |                  Version:  4.4.1
             Keywords:             |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+----------------------------------
 Summary of the bug:
 FFmpeg, when filtering a video using palettegen, crashes on exit when
 linked against the latest musl libc due to an out-of-bounds heap write.

 {{{
 Thread 1 "ffmpeg" received signal SIGSEGV, Segmentation fault.
 get_nominal_size (end=0x7f738bd41ffc, p=0x7f738b72780) at
 src/malloc/mallocng/free.c:110
 169     src/malloc/mallocng/meta.h: No such file or directory.
 (gdb) bt
 #0  get_nominal_size (end=0x7f738bd41ffc, p=0x7f738b72780) at
 src/malloc/mallocng/meta.h:169
 #1  __libc_free (p=0x7f738b727280) at src/malloc/mallocng/free.c:110
 #2  0x00007f73921a79df in av_buffer_pool_uninit () from
 /usr/lib/libavutil.so.56
 #3  0x00007f7393bff6f8 in avfilter_link_free () from
 /usr/lib/libavfilter.so.7
 #4  0x00007f7393c006f1 in avfilter_free () from /usr/lib/libavfilter.so.7
 #5  0x00007f7393c027cc in avfilter_graph_free () from
 /usr/lib/libavfilter.so.7
 }}}

 How to reproduce:
 {{{
 % ffmpeg -y -i test.webm -vf palettegen test.png
 }}}

 The out-of-bounds writes can be observed when linked against glibc as well,
 when running under valgrind. Example traceback:
 {{{
 ==11185== Invalid write of size 8
 ==11185==    at 0x62C8118: ff_yuv_420_rgb32_ssse3 (yuv_2_rgb.asm:378)
 ==11185==    by 0x90DF07F: ???
 ==11185==    by 0x91431BF: ???
 ==11185==  Address 0xb359898 is 6,400,024 bytes inside a block of size
 6,400,031 alloc'd
 ==11185==    at 0x48A709E: memalign (vg_replace_malloc.c:1267)
 ==11185==    by 0x48A7195: posix_memalign (vg_replace_malloc.c:1432)
 ==11185==    by 0x6317B14: av_malloc (mem.c:86)
 ==11185==    by 0x6304F08: av_buffer_alloc (buffer.c:72)
 ==11185==    by 0x6304F7D: av_buffer_allocz (buffer.c:85)
 ==11185==    by 0x6305724: pool_alloc_buffer (buffer.c:352)
 ==11185==    by 0x6305724: av_buffer_pool_get (buffer.c:388)
 ==11185==    by 0x49EBB28: ff_frame_pool_get (framepool.c:222)
 ==11185==    by 0x4B6DA5F: ff_default_get_video_buffer (video.c:90)
 ==11185==    by 0x4AF9201: scale_frame (vf_scale.c:731)
 ==11185==    by 0x4AF98D5: filter_frame (vf_scale.c:820)
 ==11185==    by 0x49C8A88: ff_filter_frame_framed (avfilter.c:1085)
 ==11185==    by 0x49C8A88: ff_filter_frame_to_filter (avfilter.c:1233)
 ==11185==    by 0x49C8A88: ff_filter_activate_default (avfilter.c:1282)
 ==11185==    by 0x49C8A88: ff_filter_activate (avfilter.c:1441)
 ==11185==    by 0x49CD1DF: push_frame (buffersrc.c:157)
 ==11185==    by 0x49CD1DF: av_buffersrc_add_frame_flags (buffersrc.c:225)
 }}}

 This crash may be fixed by removing an off-by-one adjustment in
 libavfilter/framepool.c:
 {{{
 -        pool->pools[i] = av_buffer_pool_init(pool->linesize[i] * h + 16 +
 16 - 1,
 +        pool->pools[i] = av_buffer_pool_init(pool->linesize[i] * h + 16 +
 16,
 }}}
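Review bot: the one-byte increase matches the valgrind report exactly (an 8-byte store at offset 6,400,024 inside a 6,400,031-byte block ends one byte past the allocation), but the hunk gives no rationale for the original `+ 16 + 16 - 1` or for why 32 bytes of slack past `linesize * h` is the amount the yuv-to-rgb SIMD path requires; add a comment at the `av_buffer_pool_init()` call stating the padding the fastest converter needs, so the constant is not trimmed again, and submit the change as a proper diff with a file header and `@@` context so it can be applied and reviewed against the surrounding code.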
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/9551>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
