[FFmpeg-trac] #10318(ffmpeg:new): Null pointer dereference in ffmpeg (avpriv_slicethread_create libavutil/slicethread.c:151)
FFmpeg
trac at avcodec.org
Wed Apr 12 13:32:28 EEST 2023
-------------------------------------+-------------------------------------
Reporter: Youngseok Choi             | Type: defect
Status: new                          | Priority: normal
Component: ffmpeg                    | Version: git-master
Keywords: fuzzing SIGSEGV            | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Hi, our fuzzer found a new SEGV bug in ffmpeg.
**Command Input**
{{{
ffmpeg -lowres 1 -i poc_file -subcmp 41 .mpG
}}}
poc_file is attached.
**Command Output**
{{{
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg
developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration:
--prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-
cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g
-O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations
--disable-stripping
libavutil 58. 5.100 / 58. 5.100
libavcodec 60. 9.100 / 60. 9.100
libavformat 60. 4.101 / 60. 4.101
libavdevice 60. 2.100 / 60. 2.100
libavfilter 9. 5.100 / 9. 5.100
libswscale 7. 2.100 / 7. 2.100
libswresample 4. 11.100 / 4. 11.100
[h263 @ 0x617000000080] Format h263 detected only with low score of 25,
misdetection possible!
Input #0, h263, from
'/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/ffmpeg/1_id:000014/poc_file':
Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 128x96 [SAR 12:11 DAR 16:11], 29.97
fps, 29.97 tbr, 1200k tbn
Stream mapping:
Stream #0:0 -> #0:0 (h263 (native) -> mpeg1video (native))
Press [q] to stop, [?] for help
[h263 @ 0x619000002380] warning: first frame is no keyframe
[h263 @ 0x619000002380] run overflow at 4x0 i:0
[h263 @ 0x619000002380] Error at MB: 4
[mpeg1video @ 0x619000003780] too many threads/slices (4), reducing to 3
[mpeg @ 0x617000000b00] VBV buffer size not set, using default size of
230KB
If you want the mpeg file to be compliant to some specification
Like DVD, VCD or others, make sure you set the correct buffer size
Output #0, mpeg, to '.mpG':
Metadata:
encoder : Lavf60.4.101
Stream #0:0: Video: mpeg1video, yuv420p(progressive), 64x48 [SAR 12:11
DAR 16:11], q=2-31, 200 kb/s, 29.97 fps, 90k tbn
Metadata:
encoder : Lavc60.9.100 mpeg1video
Side data:
cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: N/A
[h263 @ 0x619000002380] Reverting picture dimensions change due to header
decoding failured=N/A
[h263 @ 0x619000002380] header damaged
Error while decoding stream #0:0: Invalid data found when processing input
[h263 @ 0x619000002380] warning: first frame is no keyframe
[h263 @ 0x619000002380] run overflow at 3x0 i:0
[h263 @ 0x619000002380] Error at MB: 3
internal error in cmp function selection
}}}
**Stack Trace** (ASan)
{{{
==17389==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x000000000000 bp 0x7fffe94eda30 sp 0x7fffe94ed8d8 T18)
==17389==Hint: pc points to the zero page.
==17389==The signal is caused by a READ memory access.
==17389==Hint: address points to the zero page.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
Thread T18 created by T0 here:
#0 0x7ffff6e4fd2f in __interceptor_pthread_create (/usr/lib/x86_64
-linux-gnu/libasan.so.4+0x37d2f)
#1 0x555558d989bf in avpriv_slicethread_create
libavutil/slicethread.c:151
#2 0x55555762a527 in ff_slice_thread_init
libavcodec/pthread_slice.c:164
#3 0x555557620b2f in ff_thread_init libavcodec/pthread.c:76
#4 0x555556b4b1f4 in avcodec_open2 libavcodec/avcodec.c:309
#5 0x555555b10810 in init_output_stream fftools/ffmpeg.c:3238
#6 0x555555af527c in init_output_stream_wrapper fftools/ffmpeg.c:739
#7 0x555555afab20 in do_video_out fftools/ffmpeg.c:1270
#8 0x555555afc9d6 in reap_filters fftools/ffmpeg.c:1431
#9 0x555555b1887c in transcode_step fftools/ffmpeg.c:4007
#10 0x555555b18a9e in transcode fftools/ffmpeg.c:4044
#11 0x555555b196f8 in main fftools/ffmpeg.c:4182
#12 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-
gnu/libc.so.6+0x21c86)
}}}
**Environment**
Built with address sanitizer.
{{{
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg
developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration:
--prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-
cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g
-O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations
--disable-stripping
}}}
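The trace above is the signature of a call through a NULL function pointer: ASan reports `pc 0x000000000000` inside a worker thread, and the log line just before the crash ("internal error in cmp function selection") shows the out-of-range `-subcmp 41` being noticed but not refused. The following C program is an added illustration of that failure class and its fix; it is not FFmpeg code, and every name in it (`cmp_fn`, `select_cmp_unchecked`, `select_cmp_checked`, `open_context`, the two compare routines) is hypothetical and constructed for this example. It contrasts a selector that logs an unknown id but leaves the pointer NULL with one that range-checks the id and fails the open before any thread could call through it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical block-compare routine type, modelled loosely on a codec
   picking a compare function by an integer option (not FFmpeg's API). */
typedef int (*cmp_fn)(const unsigned char *a, const unsigned char *b, size_t n);

/* Sum of absolute differences: constructed sample routine. */
static int cmp_sad(const unsigned char *a, const unsigned char *b, size_t n)
{
    int sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += a[i] > b[i] ? a[i] - b[i] : b[i] - a[i];
    return sum;
}

/* Sum of squared errors: second constructed sample routine. */
static int cmp_sse(const unsigned char *a, const unsigned char *b, size_t n)
{
    int sum = 0;
    for (size_t i = 0; i < n; i++) {
        int d = (int)a[i] - (int)b[i];
        sum += d * d;
    }
    return sum;
}

enum { CMP_SAD = 0, CMP_SSE = 1, CMP_COUNT };

/* Unchecked selection: an unknown id is logged but the caller's pointer is
   left untouched, so a zeroed context keeps a NULL compare function.  Any
   thread that later calls through it jumps to address 0, which is the
   "pc 0x000000000000" ASan prints in the report above. */
static void select_cmp_unchecked(cmp_fn *out, int id)
{
    switch (id) {
    case CMP_SAD: *out = cmp_sad; break;
    case CMP_SSE: *out = cmp_sse; break;
    default:
        fprintf(stderr, "internal error in cmp function selection\n");
        break; /* *out deliberately not assigned: this is the defect shown */
    }
}

/* Checked selection: validate the id and report failure instead of
   leaving a NULL pointer for a later caller. */
static int select_cmp_checked(cmp_fn *out, int id)
{
    static const cmp_fn table[CMP_COUNT] = { cmp_sad, cmp_sse };
    if (id < 0 || id >= CMP_COUNT || table[id] == NULL) {
        *out = NULL;
        return -1; /* caller must abort open(), never reach thread creation */
    }
    *out = table[id];
    return 0;
}

/* Simulated open path: 0 when the context is usable, -1 when the hardened
   selector rejected the id.  *fn_out receives the chosen routine. */
static int open_context(int cmp_id, int hardened, cmp_fn *fn_out)
{
    cmp_fn fn = NULL; /* a zeroed context starts with no compare function */
    if (hardened) {
        if (select_cmp_checked(&fn, cmp_id) < 0)
            return -1;
    } else {
        select_cmp_unchecked(&fn, cmp_id);
    }
    *fn_out = fn;
    return 0;
}

/* 1 if open "succeeds" yet hands back a NULL function pointer (the latent
   crash), 0 otherwise.  Nothing here calls through the pointer. */
static int opens_with_null_cmp(int cmp_id, int hardened)
{
    cmp_fn fn = NULL;
    return open_context(cmp_id, hardened, &fn) == 0 && fn == NULL;
}

/* 1 if the hardened path refuses the id up front. */
static int hardened_rejects(int cmp_id)
{
    cmp_fn fn = NULL;
    return open_context(cmp_id, 1, &fn) == -1;
}

int main(void)
{
    unsigned char a[4] = { 1, 2, 3, 4 }, b[4] = { 1, 1, 5, 4 };
    cmp_fn fn = NULL;
    open_context(CMP_SAD, 1, &fn);
    printf("sad=%d sse=%d\n", fn(a, b, 4), cmp_sse(a, b, 4));
    /* 41 is the -subcmp value from the report: only the unchecked path lets
       open succeed with a NULL pointer waiting to be called. */
    printf("id 41 unchecked leaves NULL: %d\n", opens_with_null_cmp(41, 0));
    printf("id 41 hardened rejected:     %d\n", hardened_rejects(41));
    return 0;
}
```

The defensive point is where the check lives: once the open path returns an error for an invalid selector, slice threads are never created with a context that still holds a NULL pointer, and the crash is replaced by a clean option error at startup. The same pattern applies to any integer-selected dispatch table that can be driven from command-line or container input.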
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10318>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker