Opened 9 years ago
Closed 9 years ago
#5244 closed defect (fixed)
mjpeg encoder assertion failure/abort on fuzzed file
| Reported by: | MarkZV | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | crash abort mjpeg |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
In a git master build with --assert-level=2, an assertion failure and abort occurs when encoding a fuzzed input file using the FFmpeg native mjpeg encoder, causing the application to crash.
This occurs because `avctx->sample_aspect_ratio.num` on libavcodec/mjpegenc_common.c line 134 is too large for 16 bits.

```
-> 134 put_bits(p, 16, avctx->sample_aspect_ratio.num);
(lldb) p avctx->sample_aspect_ratio
(AVRational) $1 = (num = 279616, den = 11685)
```

```
Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:157
```
```
$ ./ffmpeg_g -v 9 -loglevel 99 -i in.mpg -y out.jpg
ffmpeg version N-78590-g5590ab4 Copyright (c) 2000-2016 the FFmpeg developers
  built with clang version 3.7.1 (tags/RELEASE_371/final)
  configuration: --enable-debug --assert-level=2 --cc=/opt/local/bin/clang --disable-stripping
  libavutil 55. 18.100 / 55. 18.100
  libavcodec 57. 24.103 / 57. 24.103
  libavformat 57. 25.100 / 57. 25.100
  libavdevice 57. 0.101 / 57. 0.101
  libavfilter 6. 32.100 / 6. 32.100
  libswscale 4. 0.100 / 4. 0.100
  libswresample 2. 0.101 / 2. 0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'in.mpg'.
Reading option '-y' ... matched as option 'y' (overwrite output files) with argument '1'.
Reading option 'out.jpg' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Applying option y (overwrite output files) with argument 1.
Successfully parsed a group of options.
Parsing a group of options: input file in.mpg.
Successfully parsed a group of options.
Opening an input file: in.mpg.
[file @ 0x7f952a500200] Setting default whitelist 'file'
Probing mpegvideo score:51 size:43
[mpegvideo @ 0x7f952b000000] Format mpegvideo probed with size=2048 and score=51
[mpegvideo @ 0x7f952b000000] Before avformat_find_stream_info() pos: 0 bytes read:43 seeks:0
[mpeg1video @ 0x7f952b008600] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg1video @ 0x7f952b008600] sequence header damaged
[mpegvideo @ 0x7f952b000000] Estimating duration from bitrate, this may be inaccurate
[mpegvideo @ 0x7f952b000000] 0: start_time: -9223372036854.775 duration: 0.000
[mpegvideo @ 0x7f952b000000] stream: start_time: -9223372036854.775 duration: 0.000 bitrate=19111 kb/s
[mpegvideo @ 0x7f952b000000] After avformat_find_stream_info() pos: 43 bytes read:43 seeks:0 frames:2
Input #0, mpegvideo, from 'in.mpg':
  Duration: 00:00:00.00, bitrate: 19111 kb/s
    Stream #0:0, 2, 1/1200000: Video: mpeg1video, 1 reference frame, yuv420p(tv, center), 779x816 [SAR 64:45 DAR 3116:2295], 1001/24000, 19737 kb/s, 23.98 tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file out.jpg.
Successfully parsed a group of options.
Opening an output file: out.jpg.
Successfully opened the file.
detected 8 logical cores
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'video_size' to value '779x816'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'pixel_aspect' to value '64/45'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'frame_rate' to value '24000/1001'
[graph 0 input from stream 0:0 @ 0x7f952a600380] w:779 h:816 pixfmt:yuv420p tb:1/1200000 fr:24000/1001 sar:64/45 sws_param:flags=2
[format @ 0x7f952a6009a0] compat: called with args=[yuvj420p|yuvj422p|yuvj444p]
[format @ 0x7f952a6009a0] Setting 'pix_fmts' to value 'yuvj420p|yuvj422p|yuvj444p'
[auto-inserted scaler 0 @ 0x7f952a501de0] Setting 'flags' to value 'bicubic'
[auto-inserted scaler 0 @ 0x7f952a501de0] w:iw h:ih flags:'bicubic' interl:0
[format @ 0x7f952a6009a0] auto-inserting filter 'auto-inserted scaler 0' between the filter 'Parsed_null_0' and the filter 'format'
[AVFilterGraph @ 0x7f952a5015e0] query_formats: 4 queried, 2 merged, 1 already done, 0 delayed
[auto-inserted scaler 0 @ 0x7f952a501de0] picking yuvj420p out of 3 ref:yuv420p alpha:0
[swscaler @ 0x7f952b01c800] deprecated pixel format used, make sure you did set range correctly
[auto-inserted scaler 0 @ 0x7f952a501de0] w:779 h:816 fmt:yuv420p sar:64/45 -> w:779 h:816 fmt:yuvj420p sar:64/45 flags:0x4
[mjpeg @ 0x7f952b003e00] Forcing thread count to 1 for MJPEG encoding, use -thread_type slice or a constant quantizer if you want to use multiple cpu cores
[mjpeg @ 0x7f952b003e00] intra_quant_bias = 96 inter_quant_bias = 0
Output #0, image2, to 'out.jpg':
  Metadata:
    encoder : Lavf57.25.100
    Stream #0:0, 0, 1001/24000: Video: mjpeg, 1 reference frame, yuvj420p(pc, center), 779x816 [SAR 64:45 DAR 3116:2295], 1001/24000, q=2-31, 200 kb/s, 23.98 fps, 23.98 tbn, 23.98 tbc
    Metadata:
      encoder : Lavc57.24.103 mjpeg
    Side data:
      cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg1video (native) -> mjpeg (native))
Press [q] to stop, [?] for help
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
[mpeg1video @ 0x7f952b000600] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg1video @ 0x7f952b000600] sequence header damaged
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
[mpeg1video @ 0x7f952b000600] frame_rate_index 0 is invalid
[mpeg1video @ 0x7f952b000600] too many threads/slices (9), reducing to 3
[mpeg1video @ 0x7f952b000600] invalid mb type in I Frame at 8 0
[mpeg1video @ 0x7f952b000600] Warning MVs not available
[mpeg1video @ 0x7f952b000600] concealing 147 DC, 147 AC, 147 MV errors in I frame
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
Input stream #0:0 frame changed from size:779x816 fmt:yuv420p to size:771x48 fmt:yuv420p
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'video_size' to value '771x48'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'pixel_aspect' to value '64/45'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'frame_rate' to value '24000/1001'
[graph 0 input from stream 0:0 @ 0x7f952c000380] w:771 h:48 pixfmt:yuv420p tb:1/1200000 fr:24000/1001 sar:64/45 sws_param:flags=2
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'w' to value '779'
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'h' to value '816'
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'flags' to value 'bicubic'
[scaler for output stream 0:0 @ 0x7f952c000880] w:779 h:816 flags:'bicubic' interl:0
[format @ 0x7f952a7003e0] compat: called with args=[yuvj420p]
[format @ 0x7f952a7003e0] Setting 'pix_fmts' to value 'yuvj420p'
[AVFilterGraph @ 0x7f952a700000] query_formats: 5 queried, 4 merged, 0 already done, 0 delayed
[swscaler @ 0x7f952d000000] deprecated pixel format used, make sure you did set range correctly
[scaler for output stream 0:0 @ 0x7f952c000880] w:771 h:48 fmt:yuv420p sar:64/45 -> w:779 h:816 fmt:yuvj420p sar:279616/11685 flags:0x4
Not duplicating 1 initial frames
Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:157
Abort trap: 6
$
```
Attachments (1)
Change History (3)
by , 9 years ago
comment:1 by , 9 years ago
Component: | undetermined → avcodec |
---|---|
Keywords: | crash abort mjpeg added |
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
Version: | unspecified → git-master |
This is reproducible since around 2011 if I apply 0f8908aa1b66fbc8d62939ce8ee1ee04b856528f (#4073)
comment:2 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
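
The failure reported above is a value derived from input being written into a 16-bit field without a range check. As an added example (not FFmpeg's code, and not a statement of how this ticket was fixed), the C code below applies the assertion's bound as a check and fits a ratio into 16-bit terms using continued-fraction convergents. `Ratio`, `fits_in_bits` and `fit_ratio` are hypothetical names, and it is assumed the denominator is stored in a field of the same width as the numerator.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { int64_t num, den; } Ratio;   /* hypothetical stand-in for AVRational */

/* The condition from the failing assertion: value must fit in n bits. */
static int fits_in_bits(unsigned n, uint32_t value)
{
    return n <= 31 && value < (1U << n);
}

/* Replace `in` by the last continued-fraction convergent whose terms are
 * both <= max. Returns 1 if the result is exact, 0 if it is an
 * approximation, -1 if the input is not a positive ratio. */
static int fit_ratio(Ratio in, int64_t max, Ratio *out)
{
    int64_t h0 = 0, h1 = 1, k0 = 1, k1 = 0;   /* convergent seeds */
    int64_t n = in.num, d = in.den;

    if (n <= 0 || d <= 0 || max < 1)
        return -1;
    while (d != 0) {
        int64_t a = n / d, r = n % d;
        int64_t h2 = a * h1 + h0, k2 = a * k1 + k0;
        if (h2 > max || k2 > max)
            break;                            /* next convergent would not fit */
        h0 = h1; h1 = h2; k0 = k1; k1 = k2;
        n = d;  d = r;
    }
    if (k1 == 0) { h1 = max; k1 = 1; }        /* ratio larger than max: clamp */
    if (h1 == 0) { h1 = 1; k1 = max; }        /* ratio smaller than 1/max: clamp */
    out->num = h1;
    out->den = k1;
    return d == 0;
}

int main(void)
{
    Ratio sar = { 279616, 11685 }, fitted;    /* values from the lldb output above */
    int exact = fit_ratio(sar, 65535, &fitted);

    printf("raw num fits in 16 bits: %d\n", fits_in_bits(16, (uint32_t)sar.num));
    printf("fitted %lld/%lld exact=%d fits=%d\n",
           (long long)fitted.num, (long long)fitted.den, exact,
           fits_in_bits(16, (uint32_t)fitted.num));
    return 0;
}
```

The approximation uses plain convergents only, so a closer intermediate fraction may exist within the same bound.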