Opened 9 years ago

Closed 9 years ago

#5208 closed defect (fixed)

cfhd: crash with fuzzed file

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: cfhd crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

http://www.datafilehost.com/d/1a7e163c

ffmpeg version 2.8.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04)
  configuration: --disable-ffprobe --disable-ffplay --disable-ffserver --enable-gpl
  libavutil      55. 16.101 / 55. 16.101
  libavcodec     57. 24.100 / 57. 24.100
  libavformat    57. 23.101 / 57. 23.101
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 27.100 /  6. 27.100
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...

Use -h to get full help or, even better, run 'man ffmpeg'
[cfhd @ 0x4403c20] ==13833== Thread 9:
==13833== Invalid write of size 2
==13833==    at 0x837DD95: filter (cfhd.c:91)
==13833==    by 0x837DD95: horiz_filter_clip (cfhd.c:130)
==13833==    by 0x837DD95: cfhd_decode (cfhd.c:708)
==13833==    by 0x8666551: frame_worker_thread (pthread_frame.c:147)
==13833==    by 0x409BF6F: start_thread (pthread_create.c:312)
==13833==    by 0x419CBED: clone (clone.S:129)
==13833==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==13833== 
==13833== 
==13833== Process terminating with default action of signal 11 (SIGSEGV)
==13833==  Access not within mapped region at address 0x0
==13833==    at 0x837DD95: filter (cfhd.c:91)
==13833==    by 0x837DD95: horiz_filter_clip (cfhd.c:130)
==13833==    by 0x837DD95: cfhd_decode (cfhd.c:708)
==13833==    by 0x8666551: frame_worker_thread (pthread_frame.c:147)
==13833==    by 0x409BF6F: start_thread (pthread_create.c:312)
==13833==    by 0x419CBED: clone (clone.S:129)
==13833==  If you believe this happened as a result of a stack
==13833==  overflow in your program's main thread (unlikely but
==13833==  possible), you can try to increase the size of the
==13833==  main thread stack using the --main-stacksize= flag.
==13833==  The main thread stack size used in this run was 8388608.
==13833== 
==13833== HEAP SUMMARY:
==13833==     in use at exit: 5,840,129 bytes in 240 blocks
==13833==   total heap usage: 4,307 allocs, 4,067 frees, 25,357,183 bytes allocated
==13833== 
==13833== Thread 1:
==13833== 680 bytes in 5 blocks are possibly lost in loss record 103 of 126
==13833==    at 0x402C109: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13833==    by 0x401117E: allocate_dtv (dl-tls.c:296)
==13833==    by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
==13833==    by 0x409C7A2: allocate_stack (allocatestack.c:589)
==13833==    by 0x409C7A2: pthread_create@@GLIBC_2.1 (pthread_create.c:500)
==13833==    by 0x810BCA9: thread_init_internal (pthread.c:180)
==13833==    by 0x810BCA9: ff_graph_thread_init (pthread.c:211)
==13833==    by 0x80FEEA7: avfilter_graph_alloc_filter (avfiltergraph.c:182)
==13833==    by 0x8109F35: create_filter (graphparser.c:114)
==13833==    by 0x8109F35: parse_filter (graphparser.c:176)
==13833==    by 0x810A99C: avfilter_graph_parse2 (graphparser.c:411)
==13833==    by 0x80D495E: configure_filtergraph (ffmpeg_filter.c:1002)
==13833==    by 0x80DDCFA: transcode_init (ffmpeg.c:3042)
==13833==    by 0x80E1EED: transcode (ffmpeg.c:4099)
==13833==    by 0x80C0144: main (ffmpeg.c:4319)
==13833== 
==13833== 680 bytes in 5 blocks are possibly lost in loss record 104 of 126
==13833==    at 0x402C109: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13833==    by 0x401117E: allocate_dtv (dl-tls.c:296)
==13833==    by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
==13833==    by 0x409C7A2: allocate_stack (allocatestack.c:589)
==13833==    by 0x409C7A2: pthread_create@@GLIBC_2.1 (pthread_create.c:500)
==13833==    by 0x8667683: ff_frame_thread_init (pthread_frame.c:706)
==13833==    by 0x87209DE: avcodec_open2 (utils.c:1330)
==13833==    by 0x80DC6F4: init_input_stream (ffmpeg.c:2548)
==13833==    by 0x80DC6F4: transcode_init (ffmpeg.c:3206)
==13833==    by 0x80E1EED: transcode (ffmpeg.c:4099)
==13833==    by 0x80C0144: main (ffmpeg.c:4319)
==13833== 
==13833== LEAK SUMMARY:
==13833==    definitely lost: 0 bytes in 0 blocks
==13833==    indirectly lost: 0 bytes in 0 blocks
==13833==      possibly lost: 1,360 bytes in 10 blocks
==13833==    still reachable: 5,838,769 bytes in 230 blocks
==13833==         suppressed: 0 bytes in 0 blocks
==13833== Reachable blocks (those to which a pointer was found) are not shown.
==13833== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==13833== 
==13833== For counts of detected and suppressed errors, rerun with: -v
==13833== Use --track-origins=yes to see where uninitialised values come from
==13833== ERROR SUMMARY: 77084 errors from 9 contexts (suppressed: 0 from 0)
Killed
(gdb) r -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb7daeb40 (LWP 13873)]
[New Thread 0xb75adb40 (LWP 13874)]
[New Thread 0xb6dacb40 (LWP 13875)]
[New Thread 0xb65abb40 (LWP 13876)]
[New Thread 0xb5daab40 (LWP 13877)]
[New Thread 0xb55a9b40 (LWP 13878)]
[New Thread 0xb4da8b40 (LWP 13879)]
[New Thread 0xb45a7b40 (LWP 13880)]
[New Thread 0xb3da6b40 (LWP 13881)]
[New Thread 0xb35a5b40 (LWP 13882)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb45a7b40 (LWP 13880)]
filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160, 
    high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
91	            output[(2*i+0)*out_stride] = (tmp + high[0*high_stride]) >> 1;
(gdb) bt
#0  filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160, 
    high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
#1  horiz_filter_clip (clip=<optimized out>, width=160, high=0xb2b388a0, 
    low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:130
#2  cfhd_decode (avctx=0x965edc0, data=0x965f1c0, got_frame=0x965e178, 
    avpkt=0x965e130) at libavcodec/cfhd.c:708
#3  0x08666552 in frame_worker_thread (arg=0x965e060)
    at libavcodec/pthread_frame.c:147
#4  0xb7f65f70 in start_thread (arg=0xb45a7b40) at pthread_create.c:312
#5  0xb7e9bbee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
(gdb) 

Change History (2)

comment:1 by Carl Eugen Hoyos, 9 years ago

Component: undeterminedavcodec
Keywords: cfhd crash SIGSEGV added
Priority: normalimportant
Reproduced by developer: set
Status: newopen
Version: unspecifiedgit-master

comment:2 by Carl Eugen Hoyos, 9 years ago

Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.