Opened 9 years ago
Closed 9 years ago
#5208 closed defect (fixed)
cfhd: crash with fuzzed file
Reported by: | ami_stuff | Owned by: |
---|---|---|---
Priority: | important | Component: | avcodec
Version: | git-master | Keywords: | cfhd crash SIGSEGV
Cc: | | Blocked By: |
Blocking: | | Reproduced by developer: | yes
Analyzed by developer: | no | |
Description
http://www.datafilehost.com/d/1a7e163c
```text
ffmpeg version 2.8.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04)
  configuration: --disable-ffprobe --disable-ffplay --disable-ffserver --enable-gpl
  libavutil      55. 16.101 / 55. 16.101
  libavcodec     57. 24.100 / 57. 24.100
  libavformat    57. 23.101 / 57. 23.101
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 27.100 /  6. 27.100
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...

Use -h to get full help or, even better, run 'man ffmpeg'
```

```text
[cfhd @ 0x4403c20] ==13833== Thread 9:
==13833== Invalid write of size 2
==13833==    at 0x837DD95: filter (cfhd.c:91)
==13833==    by 0x837DD95: horiz_filter_clip (cfhd.c:130)
==13833==    by 0x837DD95: cfhd_decode (cfhd.c:708)
==13833==    by 0x8666551: frame_worker_thread (pthread_frame.c:147)
==13833==    by 0x409BF6F: start_thread (pthread_create.c:312)
==13833==    by 0x419CBED: clone (clone.S:129)
==13833==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==13833==
==13833==
==13833== Process terminating with default action of signal 11 (SIGSEGV)
==13833==  Access not within mapped region at address 0x0
==13833==    at 0x837DD95: filter (cfhd.c:91)
==13833==    by 0x837DD95: horiz_filter_clip (cfhd.c:130)
==13833==    by 0x837DD95: cfhd_decode (cfhd.c:708)
==13833==    by 0x8666551: frame_worker_thread (pthread_frame.c:147)
==13833==    by 0x409BF6F: start_thread (pthread_create.c:312)
==13833==    by 0x419CBED: clone (clone.S:129)
==13833==  If you believe this happened as a result of a stack
==13833==  overflow in your program's main thread (unlikely but
==13833==  possible), you can try to increase the size of the
==13833==  main thread stack using the --main-stacksize= flag.
==13833==  The main thread stack size used in this run was 8388608.
==13833==
==13833== HEAP SUMMARY:
==13833==     in use at exit: 5,840,129 bytes in 240 blocks
==13833==   total heap usage: 4,307 allocs, 4,067 frees, 25,357,183 bytes allocated
==13833==
==13833== Thread 1:
==13833== 680 bytes in 5 blocks are possibly lost in loss record 103 of 126
==13833==    at 0x402C109: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13833==    by 0x401117E: allocate_dtv (dl-tls.c:296)
==13833==    by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
==13833==    by 0x409C7A2: allocate_stack (allocatestack.c:589)
==13833==    by 0x409C7A2: pthread_create@@GLIBC_2.1 (pthread_create.c:500)
==13833==    by 0x810BCA9: thread_init_internal (pthread.c:180)
==13833==    by 0x810BCA9: ff_graph_thread_init (pthread.c:211)
==13833==    by 0x80FEEA7: avfilter_graph_alloc_filter (avfiltergraph.c:182)
==13833==    by 0x8109F35: create_filter (graphparser.c:114)
==13833==    by 0x8109F35: parse_filter (graphparser.c:176)
==13833==    by 0x810A99C: avfilter_graph_parse2 (graphparser.c:411)
==13833==    by 0x80D495E: configure_filtergraph (ffmpeg_filter.c:1002)
==13833==    by 0x80DDCFA: transcode_init (ffmpeg.c:3042)
==13833==    by 0x80E1EED: transcode (ffmpeg.c:4099)
==13833==    by 0x80C0144: main (ffmpeg.c:4319)
==13833==
==13833== 680 bytes in 5 blocks are possibly lost in loss record 104 of 126
==13833==    at 0x402C109: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13833==    by 0x401117E: allocate_dtv (dl-tls.c:296)
==13833==    by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
==13833==    by 0x409C7A2: allocate_stack (allocatestack.c:589)
==13833==    by 0x409C7A2: pthread_create@@GLIBC_2.1 (pthread_create.c:500)
==13833==    by 0x8667683: ff_frame_thread_init (pthread_frame.c:706)
==13833==    by 0x87209DE: avcodec_open2 (utils.c:1330)
==13833==    by 0x80DC6F4: init_input_stream (ffmpeg.c:2548)
==13833==    by 0x80DC6F4: transcode_init (ffmpeg.c:3206)
==13833==    by 0x80E1EED: transcode (ffmpeg.c:4099)
==13833==    by 0x80C0144: main (ffmpeg.c:4319)
==13833==
==13833== LEAK SUMMARY:
==13833==    definitely lost: 0 bytes in 0 blocks
==13833==    indirectly lost: 0 bytes in 0 blocks
==13833==      possibly lost: 1,360 bytes in 10 blocks
==13833==    still reachable: 5,838,769 bytes in 230 blocks
==13833==         suppressed: 0 bytes in 0 blocks
==13833== Reachable blocks (those to which a pointer was found) are not shown.
==13833== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==13833==
==13833== For counts of detected and suppressed errors, rerun with: -v
==13833== Use --track-origins=yes to see where uninitialised values come from
==13833== ERROR SUMMARY: 77084 errors from 9 contexts (suppressed: 0 from 0)
Killed
```

```text
(gdb) r -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb7daeb40 (LWP 13873)]
[New Thread 0xb75adb40 (LWP 13874)]
[New Thread 0xb6dacb40 (LWP 13875)]
[New Thread 0xb65abb40 (LWP 13876)]
[New Thread 0xb5daab40 (LWP 13877)]
[New Thread 0xb55a9b40 (LWP 13878)]
[New Thread 0xb4da8b40 (LWP 13879)]
[New Thread 0xb45a7b40 (LWP 13880)]
[New Thread 0xb3da6b40 (LWP 13881)]
[New Thread 0xb35a5b40 (LWP 13882)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb45a7b40 (LWP 13880)]
filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160, high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
91          output[(2*i+0)*out_stride] = (tmp + high[0*high_stride]) >> 1;
(gdb) bt
#0  filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160, high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
#1  horiz_filter_clip (clip=<optimized out>, width=160, high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:130
#2  cfhd_decode (avctx=0x965edc0, data=0x965f1c0, got_frame=0x965e178, avpkt=0x965e130) at libavcodec/cfhd.c:708
#3  0x08666552 in frame_worker_thread (arg=0x965e060) at libavcodec/pthread_frame.c:147
#4  0xb7f65f70 in start_thread (arg=0xb45a7b40) at pthread_create.c:312
#5  0xb7e9bbee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
(gdb)
```
Change History (2)
comment:1 by , 9 years ago
Component: | undetermined → avcodec |
---|---|
Keywords: | cfhd crash SIGSEGV added |
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
Version: | unspecified → git-master |
comment:2 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
Fixed by Kieran in bdd8e02b72e79478eb1c4e04d9a8efa100900878