#4294 closed defect (fixed)
tta: crash with fuzzed file
| Reported by: | tholin | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
The attached file segfaults.
I had to manually edit the file to make the seek table crc match. It would be nice if the tta code could honor the avctx->err_recognition & AV_EF_CRCCHECK flag. It's easier to fuzz that way.
```
$ gdb --args ./ffmpeg -i ~/fuzz/ffmpeg_tta_crash.tta
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i /home/cocobo/fuzz/ffmpeg_tta_crash.tta
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-69499-gfc35df8 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
  configuration: --prefix=/home/cocobo/repository/mpv-build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
  libavutil      54. 18.100 / 54. 18.100
  libavcodec     56. 21.102 / 56. 21.102
  libavformat    56. 19.100 / 56. 19.100
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5.  9.103 /  5.  9.103
  libavresample   2.  1.  0 /  2.  1.  0
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c17d8 in tta_read_packet (s=0x1e83360, pkt=0x7fffffffce80) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/tta.c:156
156         size = st->index_entries[c->currentframe].size;
(gdb) bt
#0  0x00000000006c17d8 in tta_read_packet (s=0x1e83360, pkt=0x7fffffffce80) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/tta.c:156
#1  0x00000000006c76d1 in ff_read_packet (s=0x1e83360, pkt=0x7fffffffce80) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:665
#2  0x00000000006ca0b3 in read_frame_internal (s=0x1e83360, pkt=0x7fffffffd120) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:1317
#3  0x00000000006d0573 in avformat_find_stream_info (ic=0x1e83360, options=0x1e829e0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:3171
#4  0x0000000000411202 in open_input_file (o=0x7fffffffd440, filename=0x7fffffffde2b "/home/cocobo/fuzz/ffmpeg_tta_crash.tta") at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:908
#5  0x000000000041931a in open_files (l=0x1e6f0d8, inout=0x1238af7 "input", open_file=0x410953 <open_input_file>) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:2718
#6  0x00000000004194a7 in ffmpeg_parse_options (argc=3, argv=0x7fffffffd9e8) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:2755
#7  0x000000000042ce83 in main (argc=3, argv=0x7fffffffd9e8) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3996
```
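An added illustration, not FFmpeg's code and not the fix that closed this ticket: a small C model of a TTA-style seek table reader that verifies the table's trailing CRC-32 only when a CRCCHECK flag is set (the behaviour the reporter asks for) and bounds-checks the frame index before reading a size, the index the faulting line at tta.c:156 uses. `EF_CRCCHECK`, `SeekTable`, the 64-frame limit and the helper names are constructed for this example; the standard reflected CRC-32 and little-endian layout are assumptions about the format.

```c
#include <stdint.h>
#include <stddef.h>

/* Standard reflected CRC-32 (polynomial 0xEDB88320), assumed to be the checksum stored after the seek table. */
static uint32_t crc32_buf(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1)));
    }
    return ~crc;
}

/* Little-endian u32 read/write, the layout assumed for seek table entries. */
static uint32_t rl32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wl32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

#define MAX_FRAMES 64   /* constructed limit for the example */
#define EF_CRCCHECK 1   /* constructed stand-in for avctx->err_recognition & AV_EF_CRCCHECK */

typedef struct { uint32_t sizes[MAX_FRAMES]; uint32_t nb_frames; uint32_t currentframe; } SeekTable;

/* Constructed test input: nframes sizes followed by their CRC-32. Returns the table length in bytes. */
static size_t build_seek_table(uint8_t *out, const uint32_t *sizes, uint32_t nframes) {
    for (uint32_t i = 0; i < nframes; i++) wl32(out + 4 * i, sizes[i]);
    wl32(out + 4 * nframes, crc32_buf(out, 4 * nframes));
    return 4 * nframes + 4;
}

/* 0 on success, -1 on a truncated or oversized table, -2 on CRC mismatch (only when EF_CRCCHECK is set). */
static int parse_seek_table(const uint8_t *buf, size_t len, uint32_t nframes, int flags, SeekTable *t) {
    if (nframes > MAX_FRAMES || len < (size_t)nframes * 4 + 4) return -1;
    for (uint32_t i = 0; i < nframes; i++) t->sizes[i] = rl32(buf + 4 * i);
    if ((flags & EF_CRCCHECK) && crc32_buf(buf, 4 * nframes) != rl32(buf + 4 * nframes)) return -2;
    t->nb_frames = nframes;
    t->currentframe = 0;
    return 0;
}

/* read_packet analogue: check the bound before indexing sizes[currentframe] instead of dereferencing blindly. */
static int next_frame_size(SeekTable *t, uint32_t *size) {
    if (t->currentframe >= t->nb_frames) return -1;   /* end of stream, or a counter driven past the table */
    *size = t->sizes[t->currentframe++];
    return 0;
}
```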
Attachments (1)
Change History (4)
by , 10 years ago
| Attachment: | ffmpeg_tta_crash.tta added |
|---|---|
comment:1 by , 10 years ago
comment:2 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed in 6a0cd529a35190d9374b0b26504e71857cd67b83.
comment:3 by , 10 years ago
Replying to tholin:
It would be nice if the tta code could honor the avctx->err_recognition & AV_EF_CRCCHECK flag. It's easier to fuzz that way.
Commit 15a88468aecd84ac233e0b21266a22d28307147f addresses this.
Patch sent.