Context Navigation

#5520 closed defect (fixed)

m101: crash with fuzzed file

Reported by:	ami_stuff	Owned by:
Priority:	important	Component:	avcodec
Version:	git-master	Keywords:	m101 crash SIGSEGV
Cc:		Blocked By:
Blocking:		Reproduced by developer:	yes
Analyzed by developer:	no

Description

https://www.datafilehost.com/d/da60db26

aaa@aaa-VirtualBox /media/sdb1 $ valgrind ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f null -
==2421== Memcheck, a memory error detector
==2421== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2421== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==2421== Command: ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f null -
==2421== 
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 24.100 / 55. 24.100
  libavcodec     57. 39.100 / 57. 39.100
  libavformat    57. 36.100 / 57. 36.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 45.100 /  6. 45.100
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
[avi @ 0x42bd4a0] Something went wrong during header parsing, I will ignore it and try to continue anyway.
Input #0, avi, from 'm102_1280_720_10bit_i_fuzz.avi':
  Duration: 00:12:14.70, start: 0.000000, bitrate: 527 kb/s
    Stream #0:0: Video: m101 (M102 / 0x3230314D), yuyv422, 1280x720, 0.03 fps, 0.03 tbr, 0.03 tbn
[null @ 0x4504dc0] Using AVStream.codec to pass codec parameters to muxers is deprecated, use AVStream.codecpar instead.
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.36.100
    Stream #0:0: Video: wrapped_avframe, yuyv422, 1280x720, q=2-31, 200 kb/s, 0.03 fps, 0.03 tbn
    Metadata:
      encoder         : Lavc57.39.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (m101 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
==2421== Invalid write of size 2
==2421==    at 0x85B00FB: m101_decode_frame (m101.c:91)
==2421==    by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
==2421==    by 0x80DB4E0: decode_video (ffmpeg.c:2087)
==2421==    by 0x80DDEDF: process_input_packet (ffmpeg.c:2340)
==2421==    by 0x80BD5B5: process_input (ffmpeg.c:4010)
==2421==    by 0x80BD5B5: transcode_step (ffmpeg.c:4098)
==2421==    by 0x80BD5B5: transcode (ffmpeg.c:4152)
==2421==    by 0x80BD5B5: main (ffmpeg.c:4343)
==2421==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2421== 
==2421== 
==2421== Process terminating with default action of signal 11 (SIGSEGV)
==2421==  Access not within mapped region at address 0x0
==2421==    at 0x85B00FB: m101_decode_frame (m101.c:91)
==2421==    by 0x87382ED: avcodec_decode_video2 (utils.c:2217)
==2421==    by 0x80DB4E0: decode_video (ffmpeg.c:2087)
==2421==    by 0x80DDEDF: process_input_packet (ffmpeg.c:2340)
==2421==    by 0x80BD5B5: process_input (ffmpeg.c:4010)
==2421==    by 0x80BD5B5: transcode_step (ffmpeg.c:4098)
==2421==    by 0x80BD5B5: transcode (ffmpeg.c:4152)
==2421==    by 0x80BD5B5: main (ffmpeg.c:4343)
==2421==  If you believe this happened as a result of a stack
==2421==  overflow in your program's main thread (unlikely but
==2421==  possible), you can try to increase the size of the
==2421==  main thread stack using the --main-stacksize= flag.
==2421==  The main thread stack size used in this run was 8388608.
==2421== 
==2421== HEAP SUMMARY:
==2421==     in use at exit: 8,847,180 bytes in 130 blocks
==2421==   total heap usage: 1,043 allocs, 913 frees, 9,149,355 bytes allocated
==2421== 
==2421== LEAK SUMMARY:
==2421==    definitely lost: 0 bytes in 0 blocks
==2421==    indirectly lost: 0 bytes in 0 blocks
==2421==      possibly lost: 0 bytes in 0 blocks
==2421==    still reachable: 8,847,180 bytes in 130 blocks
==2421==         suppressed: 0 bytes in 0 blocks
==2421== Rerun with --leak-check=full to see details of leaked memory
==2421== 
==2421== For counts of detected and suppressed errors, rerun with: -v
==2421== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

(gdb) r -i m102_1280_720_10bit_i_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i m102_1280_720_10bit_i_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 24.100 / 55. 24.100
  libavcodec     57. 39.100 / 57. 39.100
  libavformat    57. 36.100 / 57. 36.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 45.100 /  6. 45.100
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
[avi @ 0x983d200] Something went wrong during header parsing, I will ignore it and try to continue anyway.
Input #0, avi, from 'm102_1280_720_10bit_i_fuzz.avi':
  Duration: 00:12:14.70, start: 0.000000, bitrate: 527 kb/s
    Stream #0:0: Video: m101 (M102 / 0x3230314D), yuyv422, 1280x720, 0.03 fps, 0.03 tbr, 0.03 tbn
[null @ 0x983f520] Using AVStream.codec to pass codec parameters to muxers is deprecated, use AVStream.codecpar instead.
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.36.100
    Stream #0:0: Video: wrapped_avframe, yuyv422, 1280x720, q=2-31, 200 kb/s, 0.03 fps, 0.03 tbn
    Metadata:
      encoder         : Lavc57.39.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (m101 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
0x085b00fb in m101_decode_frame (avctx=0x983f100, data=0x98425a0, 
    got_frame=0xbfffeb20, avpkt=0xbfffe8fc) at libavcodec/m101.c:91
91	                        cb[xd>>1] = (4*buf_src[2*x + 1]) + ((buf_src[32 + (x>>1)]>>2)&3);
(gdb) bt
#0  0x085b00fb in m101_decode_frame (avctx=0x983f100, data=0x98425a0, 
    got_frame=0xbfffeb20, avpkt=0xbfffe8fc) at libavcodec/m101.c:91
#1  0x087382ee in avcodec_decode_video2 (avctx=0x983f100, picture=0x98425a0, 
    got_picture_ptr=0xbfffeb20, avpkt=0xbfffeb64) at libavcodec/utils.c:2217
#2  0x080db4e1 in decode_video (ist=ist@entry=0x983eea0, 
    pkt=pkt@entry=0xbfffeb64, got_output=got_output@entry=0xbfffeb20)
    at ffmpeg.c:2087
#3  0x080ddee0 in process_input_packet (ist=0x983eea0, pkt=0xbfffed94, 
    no_eof=0) at ffmpeg.c:2340
#4  0x080bd5b6 in process_input (file_index=<optimized out>) at ffmpeg.c:4010
#5  transcode_step () at ffmpeg.c:4098
#6  transcode () at ffmpeg.c:4152
#7  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4343

Attachments (1)

m102_1280_720_10bit_i_fuzz_cut.avi (2.4 MB ) - added by Carl Eugen Hoyos 9 years ago.

Change History (3)

by Carl Eugen Hoyos, 9 years ago

Attachment:	m102_1280_720_10bit_i_fuzz_cut.avi added

comment:1 by Carl Eugen Hoyos, 9 years ago

Component:	undetermined → avcodec
Keywords:	m101 crash SIGSEGV added
Priority:	normal → important
Reproduced by developer:	set
Status:	new → open
Version:	unspecified → git-master

comment:2 by Michael Niedermayer, 8 years ago

Resolution:	→ fixed
Status:	open → closed

Fixed in 42ee137a0a7d025f77964e38b438d00095e6dd11

Note: See TracTickets for help on using tickets.

Download in other formats: