Opened 9 years ago
Closed 9 years ago
#5441 closed defect (fixed)
rm: crash with fuzzed file
| Field | Value |
|---|---|
| Reported by | ami_stuff |
| Owned by | |
| Priority | important |
| Component | avformat |
| Version | git-master |
| Keywords | real crash SIGSEGV regression |
| Cc | |
| Blocked By | |
| Blocking | |
| Reproduced by developer | yes |
| Analyzed by developer | no |
Description
```
aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
==3232== Memcheck, a memory error detector
==3232== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3232== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==3232== Command: ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
==3232==
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 20.100 / 55. 20.100
  libavcodec     57. 34.100 / 57. 34.100
  libavformat    57. 34.100 / 57. 34.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 41.101 /  6. 41.101
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
==3232== Invalid read of size 4
==3232==    at 0x8BAA83A: av_log (log.c:363)
==3232==    by 0x83417FF: ff_get_extradata (utils.c:3129)
==3232==    by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
==3232==    by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
==3232==    by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
==3232==    by 0x82EC177: rm_read_header (rmdec.c:630)
==3232==    by 0x8346DDC: avformat_open_input (utils.c:552)
==3232==    by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
==3232==    by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
==3232==    by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==3232==    by 0x80C87B9: main (ffmpeg.c:4321)
==3232==  Address 0xe is not stack'd, malloc'd or (recently) free'd
==3232==
==3232==
==3232== Process terminating with default action of signal 11 (SIGSEGV)
==3232==  Access not within mapped region at address 0xE
==3232==    at 0x8BAA83A: av_log (log.c:363)
==3232==    by 0x83417FF: ff_get_extradata (utils.c:3129)
==3232==    by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
==3232==    by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
==3232==    by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
==3232==    by 0x82EC177: rm_read_header (rmdec.c:630)
==3232==    by 0x8346DDC: avformat_open_input (utils.c:552)
==3232==    by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
==3232==    by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
==3232==    by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==3232==    by 0x80C87B9: main (ffmpeg.c:4321)
==3232==  If you believe this happened as a result of a stack
==3232==  overflow in your program's main thread (unlikely but
==3232==  possible), you can try to increase the size of the
==3232==  main thread stack using the --main-stacksize= flag.
==3232==  The main thread stack size used in this run was 8388608.
==3232==
==3232== HEAP SUMMARY:
==3232==     in use at exit: 37,902 bytes in 54 blocks
==3232==   total heap usage: 83 allocs, 29 frees, 4,267,608 bytes allocated
==3232==
==3232== LEAK SUMMARY:
==3232==    definitely lost: 0 bytes in 0 blocks
==3232==    indirectly lost: 0 bytes in 0 blocks
==3232==      possibly lost: 0 bytes in 0 blocks
==3232==    still reachable: 37,902 bytes in 54 blocks
==3232==         suppressed: 0 bytes in 0 blocks
==3232== Reachable blocks (those to which a pointer was found) are not shown.
==3232== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==3232==
==3232== For counts of detected and suppressed errors, rerun with: -v
==3232== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```

```
(gdb) r -i lossless_32khz_stereo_fuzz.ra -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 20.100 / 55. 20.100
  libavcodec     57. 34.100 / 57. 34.100
  libavformat    57. 34.100 / 57. 34.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 41.101 /  6. 41.101
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100

Program received signal SIGSEGV, Segmentation fault.
0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16, fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n") at libavutil/log.c:363
363	    if (avc && avc->version >= (50 << 16 | 15 << 8 | 2) &&
(gdb) bt
#0  0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16, fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n") at libavutil/log.c:363
#1  0x08341800 in ff_get_extradata (par=0x9729200, pb=pb@entry=0x9730ae0, size=size@entry=4194328) at libavformat/utils.c:3129
#2  0x082eba1e in rm_read_extradata (size=4194328, par=<optimized out>, pb=0x9730ae0, s=0x9728200) at libavformat/rmdec.c:96
#3  ff_rm_read_mdpr_codecdata (s=s@entry=0x9728200, pb=0x9730ae0, st=st@entry=0x9728aa0, rst=0x97296a0, codec_data_size=codec_data_size@entry=4194328, mime=mime@entry=0xbfffe73c "audio/x-ralf-mpeg4-generic") at libavformat/rmdec.c:337
#4  0x082ec178 in ff_rm_read_mdpr_codecdata (mime=0xbfffe73c "audio/x-ralf-mpeg4-generic", codec_data_size=4194328, rst=<optimized out>, st=0x9728aa0, pb=<optimized out>, s=0x9728200) at libavformat/rmdec.c:324
#5  rm_read_header (s=0x9728200) at libavformat/rmdec.c:630
#6  0x08346ddd in avformat_open_input (ps=ps@entry=0xbfffecac, filename=filename@entry=0xbffff32b "lossless_32khz_stereo_fuzz.ra", fmt=fmt@entry=0x0, options=0x97280ec) at libavformat/utils.c:552
#7  0x080d5f05 in open_input_file (o=o@entry=0xbfffed5c, filename=<optimized out>) at ffmpeg_opt.c:949
#8  0x080da1cb in open_files (inout=0x8c60022 "input", open_file=0x80d45e0 <open_input_file>, l=<optimized out>, l=<optimized out>) at ffmpeg_opt.c:3003
#9  ffmpeg_parse_options (argc=argc@entry=6, argv=argv@entry=0xbffff124) at ffmpeg_opt.c:3040
#10 0x080c87ba in main (argc=6, argv=0xbffff124) at ffmpeg.c:4321
(gdb)
```
Attachments (1)
Change History (3)
by , 9 years ago
| Field | Change |
|---|---|
| Attachment | lossless_32khz_stereo_fuzz.ra added |
comment:1 by , 9 years ago
| Field | Change |
|---|---|
| Component | undetermined → avformat |
| Keywords | real crash SIGSEGV regression added |
| Priority | normal → important |
| Reproduced by developer | set |
| Status | new → open |
| Version | unspecified → git-master |
comment:2 by , 9 years ago
| Field | Change |
|---|---|
| Resolution | → fixed |
| Status | open → closed |
Fixed in 323b8c95e41094b90ed2a9bdd9a06d22d2f74856.
Regression since 6f69f7a8bf6a0d013985578df2ef42ee6b1c7994