[FFmpeg-trac] #10304(ffmpeg:new): Segmentation Violation in ffmpeg (libavformat/concat.c:142 in concat_read)
FFmpeg
trac at avcodec.org
Tue Apr 4 07:11:09 EEST 2023
#10304: Segmentation Violation in ffmpeg (libavformat/concat.c:142 in concat_read)
-------------------------------------+-------------------------------------
Reporter: Youngseok Choi | Type: defect
Status: new | Priority: normal
Component: ffmpeg | Version: git-master
Keywords: fuzzing | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Hi, our fuzzer found a new SEGV in ffmpeg. From the dump below it looks like a NULL-pointer read: the faulting instruction `mov (%rax),%rax` executes with rax = 0 (ASan reports the zero page, READ access), and the backtrace shows concat_read being entered while concatf_open is still reading the nested concatf: URL via avio_read_to_bprint, presumably before the inner concat context has been fully populated. Since the read address is fixed at 0 rather than derived from file contents, the observable impact appears to be a crash (denial of service) rather than memory corruption.
**Command to Reproduce**
{{{
ffmpeg -i concatf:concatf:poc_file
}}}
poc_file is attached.
**Backtrace** (Address Sanitizer)
{{{
==5776==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x555556a5ba8f bp 0x7fffffffc300 sp 0x7fffffffc2c0 T0)
==5776==The signal is caused by a READ memory access.
==5776==Hint: address points to the zero page.
#0 0x555556a5ba8e in concat_read libavformat/concat.c:142
#1 0x555556554f31 in retry_transfer_wrapper libavformat/avio.c:370
#2 0x555556555163 in ffurl_read libavformat/avio.c:405
#3 0x55555655a09f in read_packet_wrapper libavformat/aviobuf.c:525
#4 0x55555655a785 in fill_buffer libavformat/aviobuf.c:569
#5 0x55555655b25a in avio_read libavformat/aviobuf.c:664
#6 0x55555655fbba in avio_read_to_bprint libavformat/aviobuf.c:1352
#7 0x555556a5c340 in concatf_open libavformat/concat.c:236
#8 0x555556553dc0 in ffurl_connect libavformat/avio.c:209
#9 0x555556554e2d in ffurl_open_whitelist libavformat/avio.c:347
#10 0x55555655ef0a in ffio_open_whitelist libavformat/aviobuf.c:1230
#11 0x5555568b6280 in io_open_default libavformat/options.c:151
#12 0x5555565aae95 in init_input libavformat/demux.c:174
#13 0x5555565ab937 in avformat_open_input libavformat/demux.c:254
#14 0x555555a95532 in ifile_open fftools/ffmpeg_demux.c:1051
#15 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
#16 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
#17 0x555555b195ba in main fftools/ffmpeg.c:4165
#18 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#19 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_sources/ffmpeg/ffmpeg_g+0x530499)
}}}
**Assembler code around pc** (gdb)
{{{
Dump of assembler code from 0x555556a5ba6f to 0x555556a5baaf:
0x0000555556a5ba6f <concat_read+191>: mov %rax,%rdx
0x0000555556a5ba72 <concat_read+194>: mov %rdx,%rcx
0x0000555556a5ba75 <concat_read+197>: shr $0x3,%rcx
0x0000555556a5ba79 <concat_read+201>: add $0x7fff8000,%rcx
0x0000555556a5ba80 <concat_read+208>: movzbl (%rcx),%ecx
0x0000555556a5ba83 <concat_read+211>: test %cl,%cl
0x0000555556a5ba85 <concat_read+213>: je 0x555556a5ba8f <concat_read+223>
0x0000555556a5ba87 <concat_read+215>: mov %rdx,%rdi
0x0000555556a5ba8a <concat_read+218>: callq 0x555555a83ea0 <__asan_report_load8 at plt>
=> 0x0000555556a5ba8f <concat_read+223>: mov (%rax),%rax
0x0000555556a5ba92 <concat_read+226>: mov -0x34(%rbp),%edx
0x0000555556a5ba95 <concat_read+229>: mov -0x30(%rbp),%rcx
0x0000555556a5ba99 <concat_read+233>: mov %rcx,%rsi
0x0000555556a5ba9c <concat_read+236>: mov %rax,%rdi
0x0000555556a5ba9f <concat_read+239>: callq 0x55555655509c <ffurl_read>
0x0000555556a5baa4 <concat_read+244>: mov %eax,-0x20(%rbp)
0x0000555556a5baa7 <concat_read+247>: cmpl $0xdfb9b0bb,-0x20(%rbp)
0x0000555556a5baae <concat_read+254>: jne 0x555556a5bb4a <concat_read+410>
}}}
**Registers Info**
{{{
rax 0x0 0
rbx 0x7fffffffc3f0 140737488339952
rcx 0x0 0
rdx 0x0 0
rsi 0x62d00000a400 108645492761600
rdi 0x612000000640 106790066849344
rbp 0x7fffffffc250 0x7fffffffc250
rsp 0x7fffffffc210 0x7fffffffc210
r8 0x0 0
r9 0x0 0
r10 0x7fffffffbe38 140737488338488
r11 0x0 0
r12 0xffffffff87e 17592186042494
r13 0x7fffffffc850 140737488341072
r14 0x7fffffffc3f0 140737488339952
r15 0x7fffffffd490 140737488344208
rip 0x555556a5ba8f 0x555556a5ba8f <concat_read+223>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0xffff 65535
fstat 0xffff 65535
ftag 0xaaaa 43690
fiseg 0x1 1
fioff 0x0 0
foseg 0x5555 21845
fooff 0xa 10
fop 0x7ff 2047
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
ymm0 {v8_float = {0xffffffff, 0x0, 0xffffffff, 0xffffffff, 0x0,
0x0, 0x0, 0x0}, v4_double = {0x0, 0x7fffffffffffffff, 0x0, 0x0}, v32_int8
= {
0x63, 0x6f, 0x6e, 0x63, 0x61, 0x74, 0x66, 0x2c, 0x63, 0x6f, 0x6e,
0x63, 0x61, 0x74, 0x2c, 0x66, 0x0 <repeats 16 times>}, v16_int16 =
{0x6f63,
0x636e, 0x7461, 0x2c66, 0x6f63, 0x636e, 0x7461, 0x662c, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x636e6f63, 0x2c667461, 0x636e6f63,
0x662c7461, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x2c667461636e6f63,
0x662c7461636e6f63, 0x0, 0x0}, v2_int128 =
{0x662c7461636e6f632c667461636e6f63,
0x0}}
ymm1 {v8_float = {0xffffffff, 0x0, 0xffffffff, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x61, 0x74, 0x2c,
0x66, 0x69, 0x6c, 0x65, 0x2c, 0x73, 0x75, 0x62, 0x66, 0x69, 0x6c,
0x65, 0x0 <repeats 17 times>}, v16_int16 = {0x7461, 0x662c, 0x6c69,
0x2c65,
0x7573, 0x6662, 0x6c69, 0x65, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x662c7461, 0x2c656c69, 0x66627573, 0x656c69, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x2c656c69662c7461, 0x656c6966627573, 0x0, 0x0},
v2_int128 = {0x656c69666275732c656c69662c7461, 0x0}}
ymm2 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0xff, 0xff, 0xff, 0xff,
0xff,
0xff, 0x0, 0x0, 0xff, 0xff, 0xff, 0x0, 0xff, 0xff, 0x0 <repeats 17
times>}, v16_int16 = {0xff00, 0xffff, 0xffff, 0xff, 0xff00, 0xffff,
0xff00,
0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xffffff00,
0xffffff, 0xffffff00, 0xffff00, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {
0xffffffffffff00, 0xffff00ffffff00, 0x0, 0x0}, v2_int128 =
{0xffff00ffffff0000ffffffffffff00, 0x0}}
---Type <return> to continue, or q <return> to quit---
ymm3 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0xff, 0x0 <repeats 30
times>},
v16_int16 = {0xff00, 0x0 <repeats 15 times>}, v8_int32 = {0xff00, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff00, 0x0, 0x0, 0x0},
v2_int128 = {0xff00, 0x0}}
ymm4 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm5 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm6 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm7 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm8 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xd0, 0x23, 0xfd, 0xf7,
0xff, 0x7f,
0x0, 0x0, 0xc0, 0x28, 0xfd, 0xf7, 0xff, 0x7f, 0x0 <repeats 18 times>},
v16_int16 = {0x23d0, 0xf7fd, 0x7fff, 0x0, 0x28c0, 0xf7fd, 0x7fff, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xf7fd23d0, 0x7fff,
0xf7fd28c0, 0x7fff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x7ffff7fd23d0,
0x7ffff7fd28c0, 0x0, 0x0}, v2_int128 =
{0x7ffff7fd28c000007ffff7fd23d0, 0x0}}
ymm9 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm10 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm11 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm12 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm13 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm14 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
ymm15 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0,
0x0}}
}}}
**Environment**
Built with address sanitizer.
{{{
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration:
--prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10304>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker