Opened 14 years ago
Closed 12 years ago
#123 closed defect (fixed)
Fuzzed sample crashes ffplay
| Reported by: | Carl Eugen Hoyos | Owned by: | Michael Niedermayer |
|---|---|---|---|
| Priority: | normal | Component: | ffplay |
| Version: | git | Keywords: | leak |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
The sample from ticket #74 now crashes ffplay, no useful backtrace, valgrind shows some invalid reads.
$ valgrind ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
==14017== Memcheck, a memory error detector
==14017== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==14017== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==14017== Command: ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
==14017==
ffplay version git-N-29391-gd84f191, Copyright (c) 2003-2011 the FFmpeg developers
  built on Apr 26 2011 20:33:16 with gcc 4.5.2
  configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
  libavutil    51.  0. 0 / 51.  0. 0
  libavcodec   53.  1. 0 / 53.  1. 0
  libavformat  53.  0. 3 / 53.  0. 3
  libavdevice  53.  0. 0 / 53.  0. 0
  libavfilter   2.  0. 0 /  2.  0. 0
  libswscale    0. 13. 0 /  0. 13. 0
...
Input #0, mpegvideo, from 'crash_pirateszz_2_s25_r003.fuzz.sample':
  Duration: 00:00:08.35, bitrate: 9800 kb/s
    Stream #0.0: Video: mpeg2video (4:2:2), yuv420p, 720x4576 [PAR 4576:405 DAR 16:9], 9800 kb/s, 17.53 fps, 3.33 tbr, 1200k tbn, 6.66 tbc
...
==14017== Invalid read of size 1
==14017==    at 0x644C138: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292f is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C142: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292e is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C14B: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292d is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C154: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292c is not stack'd, malloc'd or (recently) free'd
==14017==
Attachments (1)
Change History (9)
comment:1 by , 13 years ago
Status: new → open
comment:2 by , 13 years ago
mplayer -vo sdl does not crash for me, but I was able to produce a backtrace with ffplay:
(gdb) r crash_pirateszz_2_s25_r003.fuzz.sample
ffplay version git-N-30584-gd58ed64, Copyright (c) 2003-2011 the FFmpeg developers
  built on Jun  7 2011 01:57:06 with gcc 4.5.3
  configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc --enable-gpl
  libavutil    51.  6. 1 / 51.  6. 1
  libavcodec   53.  6. 1 / 53.  6. 1
  libavformat  53.  2. 0 / 53.  2. 0
  libavdevice  53.  1. 1 / 53.  1. 1
  libavfilter   2. 14. 0 /  2. 14. 0
  libswscale    0. 14. 1 /  0. 14. 1
  libpostproc  51.  2. 0 / 51.  2. 0
...
[mpeg2video @ 0x13286c0] slice below image (57 >= 30)
[mpeg2video @ 0x13286c0] ignoring pic cod ext after 0
[mpeg2video @ 0x13286c0] slice below image (67 >= 30)
[mpeg2video @ 0x13286c0] warning: first frame is no keyframe
[mpeg2video @ 0x13286c0] slice mismatch
[mpeg2video @ 0x13286c0] invalid mb type in P Frame at 51 2
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 3
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 5
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 8
[mpeg2video @ 0x13286c0] ac-tex damaged at 14 9
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 16
[mpeg2video @ 0x13286c0] ac-tex damaged at 1 18
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 20
[mpeg2video @ 0x13286c0] slice below image (53 >= 30)
[mpeg2video @ 0x13286c0] slice mismatch
[mpeg2video @ 0x13286c0] slice below image (70 >= 30)
[mpeg2video @ 0x13286c0] matrix damaged
[mpeg2video @ 0x13286c0] sequence header damaged
[mpeg2video @ 0x13286c0] Warning MVs not available
[mpeg2video @ 0x13286c0] concealing 9030 DC, 9030 AC, 9030 MV errors
   3.19 A-V:  0.000 s:0.2 aq=    0KB vq=   69KB sq=    0B f=0/8
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff43f4910 (LWP 8473)]
0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
#1  0x0000000000970e6f in av_image_copy_plane (height=151, bytewidth=720, src_linesize=4816, src=<value optimized out>, dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:238
#2  av_image_copy (height=151, bytewidth=720, src_linesize=4816, src=<value optimized out>, dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:271
#3  0x000000000066b931 in av_picture_copy (dst=<value optimized out>, src=<value optimized out>, pix_fmt=<value optimized out>, width=<value optimized out>, height=<value optimized out>) at libavcodec/imgconvert.c:669
#4  0x000000000040961b in queue_picture (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840, is=0x7ffff4bf6040) at ffplay.c:1403
#5  video_thread (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840, is=0x7ffff4bf6040) at ffplay.c:1790
#6  0x00007ffff766a3b5 in ?? () from /usr/lib64/libSDL-1.2.so.0
#7  0x00007ffff76ad539 in ?? () from /usr/lib64/libSDL-1.2.so.0
#8  0x00007ffff744065d in start_thread () from /lib64/libpthread.so.0
#9  0x00007ffff6b35ecd in clone () from /lib64/libc.so.6
#10 0x0000000000000000 in ?? ()
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7ffff6ae4702 to 0x7ffff6ae4742:
   0x00007ffff6ae4702 <memcpy+178>: nopw   %cs:0x0(%rax,%rax,1)
   0x00007ffff6ae4710 <memcpy+192>: cmp    $0x400,%rdx
   0x00007ffff6ae4717 <memcpy+199>: ja     0x7ffff6ae4790 <memcpy+320>
   0x00007ffff6ae4719 <memcpy+201>: mov    %edx,%ecx
   0x00007ffff6ae471b <memcpy+203>: shr    $0x5,%ecx
   0x00007ffff6ae471e <memcpy+206>: je     0x7ffff6ae4780 <memcpy+304>
   0x00007ffff6ae4720 <memcpy+208>: dec    %ecx
   0x00007ffff6ae4722 <memcpy+210>: mov    (%rsi),%rax
   0x00007ffff6ae4725 <memcpy+213>: mov    0x8(%rsi),%r8
   0x00007ffff6ae4729 <memcpy+217>: mov    0x10(%rsi),%r9
   0x00007ffff6ae472d <memcpy+221>: mov    0x18(%rsi),%r10
   0x00007ffff6ae4731 <memcpy+225>: mov    %rax,(%rdi)
   0x00007ffff6ae4734 <memcpy+228>: mov    %r8,0x8(%rdi)
   0x00007ffff6ae4738 <memcpy+232>: mov    %r9,0x10(%rdi)
   0x00007ffff6ae473c <memcpy+236>: mov    %r10,0x18(%rdi)
   0x00007ffff6ae4740 <memcpy+240>: lea    0x20(%rsi),%rsi
End of assembler dump.
(gdb) info register
rax            0x7ffff1c00d50   140737249283408
rbx            0x2d0    720
rcx            0x15     21
rdx            0x2d0    720
rsi            0x7fffec1f3d90   140737154858384
rdi            0x7ffff1c00d50   140737249283408
rbp            0x96     0x96
rsp            0x7ffff43f3e88   0x7ffff43f3e88
r8             0x0      0
r9             0x0      0
r10            0x0      0
r11            0x2d0    720
r12            0x7fffec1f5060   140737154863200
r13            0x7ffff1c01020   140737249284128
r14            0x12d0   4816
r15            0x2d0    720
rip            0x7ffff6ae4722   0x7ffff6ae4722 <memcpy+210>
eflags         0x10203  [ CF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
comment:3 by , 12 years ago
Resolution: → fixed
Status: open → closed
Fixed in latest git master. Crash was caused by changing resolution and pixel format.
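The failure mode named in comment 3, and visible in the comment 2 backtrace (av_image_copy_plane called with height=151, bytewidth=720, src_linesize=4816 while the destination buffer has dst_linesize=720), is a copy that trusts the geometry of the freshly decoded frame while writing into a buffer that was allocated for the previous resolution and pixel format. The following is an added example written for this ticket page; it is not ffplay or libavutil code and not the fix that went into git master (the page does not show that fix). The `picture` type, `geometry_matches`, `copy_high_water` and `picture_copy_safe` are hypothetical names, and the example assumes unpadded planes (linesize equal to plane width), which real AVPicture buffers need not satisfy:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy planar picture standing in for AVPicture (added example, not ffplay code).
 * Planes sit back to back in one unpadded heap block; yuv420p chroma is 2x2 subsampled. */
typedef enum { PIX_GRAY8, PIX_YUV420P } pixfmt;

typedef struct {
    pixfmt fmt;
    int width, height, nplanes;
    int linesize[3], plane_h[3];
    size_t plane_off[3], size;
    uint8_t *buf;
} picture;

static picture *picture_alloc(pixfmt fmt, int width, int height)
{
    picture *p;
    if (width <= 0 || height <= 0 || !(p = calloc(1, sizeof(*p))))
        return NULL;
    p->fmt = fmt; p->width = width; p->height = height;
    p->nplanes = fmt == PIX_YUV420P ? 3 : 1;
    for (int i = 0; i < p->nplanes; i++) {
        int sub = (fmt == PIX_YUV420P && i > 0) ? 1 : 0;   /* chroma shift */
        p->linesize[i] = (width + sub) >> sub;
        p->plane_h[i] = (height + sub) >> sub;
        p->plane_off[i] = p->size;
        p->size += (size_t)p->linesize[i] * p->plane_h[i];
    }
    if (!(p->buf = calloc(p->size, 1))) {
        free(p);
        return NULL;
    }
    return p;
}

static void picture_free(picture *p) { if (p) { free(p->buf); free(p); } }

/* The missing check: a plane-by-plane copy is only safe when both sides agree
 * on format, dimensions and strides. Returns 0 on a match, -1 otherwise. */
static int geometry_matches(const picture *dst, const picture *src)
{
    if (dst->fmt != src->fmt || dst->width != src->width ||
        dst->height != src->height || dst->nplanes != src->nplanes)
        return -1;
    for (int i = 0; i < src->nplanes; i++)
        if (dst->linesize[i] != src->linesize[i] || dst->plane_h[i] != src->plane_h[i])
            return -1;
    return 0;
}

/* Highest byte offset an av_image_copy-style loop would touch in dst if it took
 * the row count from the source (as the backtrace shows: height=151, bytewidth=720,
 * dst_linesize=720). Above dst->size the copy runs off the end of the heap block.
 * This only does the arithmetic; nothing is written. */
static size_t copy_high_water(const picture *dst, const picture *src)
{
    size_t hi = 0;
    int n = dst->nplanes < src->nplanes ? dst->nplanes : src->nplanes;
    for (int i = 0; i < n; i++) {
        int bytewidth = dst->linesize[i] < src->linesize[i] ? dst->linesize[i] : src->linesize[i];
        size_t end = dst->plane_off[i] + (size_t)(src->plane_h[i] - 1) * dst->linesize[i] + bytewidth;
        if (end > hi) hi = end;
    }
    return hi;
}

/* Safe copy: reallocate the queued destination whenever the decoder hands back a
 * frame whose geometry differs from the one the buffer was sized for. */
static int picture_copy_safe(picture **dstp, const picture *src)
{
    picture *dst = *dstp;
    if (!dst || geometry_matches(dst, src) != 0) {
        picture *fresh = picture_alloc(src->fmt, src->width, src->height);
        if (!fresh) return -1;
        picture_free(dst);
        *dstp = dst = fresh;
    }
    for (int i = 0; i < src->nplanes; i++)
        for (int y = 0; y < src->plane_h[i]; y++)
            memcpy(dst->buf + dst->plane_off[i] + (size_t)y * dst->linesize[i],
                   src->buf + src->plane_off[i] + (size_t)y * src->linesize[i],
                   (size_t)src->linesize[i]);
    return 0;
}

int main(void)
{
    /* Constructed scenario: buffer sized for 720x576, next frame claims 720x4576. */
    picture *dst = picture_alloc(PIX_YUV420P, 720, 576);
    picture *src = picture_alloc(PIX_YUV420P, 720, 4576);
    if (!dst || !src) return 1;
    printf("unchecked copy would reach offset %zu of a %zu-byte buffer\n", copy_high_water(dst, src), dst->size);
    int rc = picture_copy_safe(&dst, src);
    printf("checked copy: rc=%d, dst reallocated to %dx%d\n", rc, dst->width, dst->height);
    picture_free(src);
    picture_free(dst);
    return rc;
}
```

The same check rejects a frame whose dimensions are unchanged but whose pixel format differs, since the plane count and chroma plane sizes no longer line up with the destination; a copy routine that only compares width and height would still overrun in that case.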
comment:4 by , 12 years ago
Resolution: fixed
Status: closed → reopened
I still get a crash with ffplay with current git master (but no invalid access with ffmpeg -f null), unfortunately without a useful backtrace...
==18325== Invalid write of size 1
==18325==    at 0x40245A7: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==18325==    by 0x8747A68: av_image_copy_plane (imgutils.c:239)
==18325==    by 0x8747C22: av_image_copy (imgutils.c:273)
==18325==    by 0x838356B: av_picture_copy (imgconvert.c:524)
==18325==    by 0x804F8EE: queue_picture (ffplay.c:1446)
==18325==    by 0x80506EF: video_thread (ffplay.c:1749)
==18325==    by 0x40543DA: (within /usr/lib/libSDL-1.2.so.0.11.1)
==18325==    by 0x40A22DC: (within /usr/lib/libSDL-1.2.so.0.11.1)
==18325==    by 0x40DE191: start_thread (in /lib/libpthread-2.6.1.so)
==18325==    by 0x420502D: clone (in /lib/libc-2.6.1.so)
==18325==  Address 0xA5460CF is not stack'd, malloc'd or (recently) free'd
comment:6 by , 12 years ago
Keywords: leak added
I still get invalid reads and memleaks with this sample.
by , 12 years ago
Attachment: valgrind.log added
comment:8 by , 12 years ago
Resolution: → fixed
Status: reopened → closed
The invalid memory accesses with the fuzzed sample appear to be fixed; the memleaks are not reproducible with FFmpeg.
I'd guess SDL bug, but I could be wrong.
mplayer crashes too.
==21084== Invalid write of size 8
==21084== at 0x4C2A33A: memcpy (mc_replace_strmem.c:635)
==21084== by 0x974550: av_image_copy (string3.h:52)
==21084== by 0x68E640: av_picture_copy (imgconvert.c:669)
==21084== by 0x437E2B: video_thread (ffplay.c:1404)
==21084== by 0x5129874: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
==21084== by 0x516C048: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
==21084== by 0x66E9D8B: start_thread (pthread_create.c:304)
==21084== by 0x69E704C: clone (clone.S:112)
==21084== Address 0xe618108 is not stack'd, malloc'd or (recently) free'd