Opened 8 years ago
Closed 8 years ago
#5957 closed defect (fixed)
ffprobe: crash with null "-of" option
Reported by: | Bo Chen | Owned by: | Alexander Strasser |
---|---|---|---|
Priority: | normal | Component: | ffprobe |
Version: | git-master | Keywords: | regression |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | yes | | |
Description
Summary of the bug:
A segmentation fault will occur when launching ffprobe with the following pattern:
$ ffprobe -of x (where "x" is "\x00")
How to reproduce:
As "\x00" is normally parsed as a string terminator, we can't input it through the command line. I use the function "execv()" to launch ffprobe to reproduce the defect. Compiling and running the following stub program will reproduce the segmentation fault reported here.
```c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

int main(void)
{
    /* argv for ffprobe; the value after "-of" is swapped out below */
    char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};

    /* all-zero buffer, i.e. the empty string "" (a lone "\x00") */
    char crash_input[8] = {0};
    parmList[2] = crash_input;

    /* replace this process with ffprobe; execv() only returns on failure */
    execv("./ffprobe_g", parmList);
    printf("Return not expected. Must be an execv error.\n");
    return 1;
}
```
GDB Output:
```
chenbo@svl13:~/tools/FFmpeg/crash$ gdb a.out
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/chenbo/tools/FFmpeg/crash/a.out...done.
(gdb) list
1       #include <sys/types.h>
2       #include <unistd.h>
3       #include <stdio.h>
4
5       main()
6       {
7         char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};
8
9         char crash_input[1] = {0};
10        parmList[2] = crash_input;
11
12        execv("../ffprobe_g", parmList);
13        printf("Return not expected. Must be an execv error.\n");
14      }
(gdb) r
Starting program: /home/chenbo/tools/FFmpeg/crash/a.out
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaacd000
process 12800 is executing new program: /home/chenbo/tools/FFmpeg/ffprobe_g
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffprobe version N-82487-g1546d48 Copyright (c) 2007-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.1-2ubuntu1~12.04)
  configuration:
  libavutil      55. 40.100 / 55. 40.100
  libavcodec     57. 66.103 / 57. 66.103
  libavformat    57. 57.100 / 57. 57.100
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 67.100 /  6. 67.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100

Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
164     ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
(gdb) bt
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#1  0x000000000047c72d in main () at ffprobe.c:805
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x2aaaac98f1aa to 0x2aaaac98f1ea:
   0x00002aaaac98f1aa:  add    %al,(%rax)
   0x00002aaaac98f1ac:  add    %al,(%rax)
   0x00002aaaac98f1ae:  add    %al,(%rax)
   0x00002aaaac98f1b0 <__strcmp_sse42+0>:   mov    %esi,%ecx
   0x00002aaaac98f1b2 <__strcmp_sse42+2>:   mov    %edi,%eax
   0x00002aaaac98f1b4 <__strcmp_sse42+4>:   and    $0x3f,%rcx
   0x00002aaaac98f1b8 <__strcmp_sse42+8>:   and    $0x3f,%rax
   0x00002aaaac98f1bc <__strcmp_sse42+12>:  cmp    $0x30,%ecx
   0x00002aaaac98f1bf <__strcmp_sse42+15>:  ja     0x2aaaac98f200 <__strcmp_sse42+80>
   0x00002aaaac98f1c1 <__strcmp_sse42+17>:  cmp    $0x30,%eax
   0x00002aaaac98f1c4 <__strcmp_sse42+20>:  ja     0x2aaaac98f200 <__strcmp_sse42+80>
   0x00002aaaac98f1c6 <__strcmp_sse42+22>:  movdqu (%rdi),%xmm1
=> 0x00002aaaac98f1ca <__strcmp_sse42+26>:  movdqu (%rsi),%xmm2
   0x00002aaaac98f1ce <__strcmp_sse42+30>:  pxor   %xmm0,%xmm0
   0x00002aaaac98f1d2 <__strcmp_sse42+34>:  pcmpeqb %xmm1,%xmm0
   0x00002aaaac98f1d6 <__strcmp_sse42+38>:  pcmpeqb %xmm2,%xmm1
   0x00002aaaac98f1da <__strcmp_sse42+42>:  psubb  %xmm0,%xmm1
   0x00002aaaac98f1de <__strcmp_sse42+46>:  pmovmskb %xmm1,%edx
   0x00002aaaac98f1e2 <__strcmp_sse42+50>:  sub    $0xffff,%edx
   0x00002aaaac98f1e8 <__strcmp_sse42+56>:  jne    0x2aaaac98ff30 <__strcmp_sse42+3456>
End of assembler dump.
(gdb) info all-registers
rax            0x2f     47
rbx            0xf57fc0 16089024
rcx            0x0      0
rdx            0x0      0
rsi            0x0      0
rdi            0xf52f2f 16068399
rbp            0x15cf448        0x15cf448
rsp            0x7fffffffe268   0x7fffffffe268
r8             0x10087b0        16811952
r9             0x0      0
r10            0x7fffffffdfd0   140737488347088
r11            0x2aaaac997910   46912528546064
r12            0x0      0
r13            0x0      0
r14            0x0      0
r15            0x0      0
rip            0x2aaaac98f1ca   0x2aaaac98f1ca <__strcmp_sse42+26>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
```
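The defect class behind the backtrace above, as an added example that is neither ffprobe's code nor the fix commit: a hypothetical by-name writer lookup in which an empty `-of` value yields no format name, so an unguarded `strcmp()` would read through the NULL `rsi` seen in frame #0, while `select_writer()` carries the check that turns the crash into an error. The tokenizer's "no token gives NULL" behaviour and the writer table are assumptions.

```c
/* Added example (not ffprobe's own code): the defect class in ticket #5957.
 * An empty "-of" value ("") yields no format name; calling strcmp() on that
 * NULL name is the fault in frame #0 of the backtrace. The tokenizer's
 * "no token -> NULL" behaviour and the writer table are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical writer table, modelled on ffprobe's output-format names. */
static const char *const writer_names[] = { "default", "compact", "json" };
#define NUM_WRITERS (sizeof(writer_names) / sizeof(writer_names[0]))

/* Copy the text before the first '=' (the writer name) into buf (size n).
 * Returns NULL when no name is present, which is exactly what "" produces. */
const char *first_token(const char *arg, char *buf, size_t n)
{
    size_t len;
    if (!arg || !*arg)
        return NULL;                   /* "" or missing value -> no token */
    len = strcspn(arg, "=");
    if (len == 0 || len >= n)
        return NULL;                   /* "=opts" or an oversized name */
    memcpy(buf, arg, len);
    buf[len] = '\0';
    return buf;
}

/* Returns the writer index, or -1 for a missing or unknown name.
 * Without the NULL guard, strcmp(w_name, ...) would dereference NULL,
 * the SIGSEGV in __strcmp_sse42 shown in the report. */
int select_writer(const char *of_arg)
{
    char name[32];
    const char *w_name = first_token(of_arg, name, sizeof name);
    size_t i;

    if (!w_name) {                     /* the guard the crash calls for */
        fprintf(stderr, "no output format name given\n");
        return -1;
    }
    for (i = 0; i < NUM_WRITERS; i++)
        if (strcmp(w_name, writer_names[i]) == 0)
            return (int)i;
    fprintf(stderr, "unknown output format '%s'\n", w_name);
    return -1;
}
```

Call `select_writer()` with whatever would follow `-of`; for `""` it returns -1 where the unguarded lookup would have faulted.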
Change History (3)
comment:1 by , 8 years ago
Owner: | set to |
---|---|
Reproduced by developer: | set |
Status: | new → open |
comment:3 by , 8 years ago
Analyzed by developer: | set |
---|---|
Resolution: | → fixed |
Status: | open → closed |
Fixed in commit:
```
commit 427a47abcddab15e10ce26d971f712d90c53884b
Author: Stefano Sabatini <stefasab@gmail.com>
Date:   Thu Nov 17 12:11:13 2016 +0100

    ffprobe: fix crash in case -of is specified with an empty string

    Fix trac issue #5957.
```
You should be able to reproduce this by simply passing -of with an empty argument.
E.g. on a shell with:
I believe I have identified the culprit in ffprobe.c source file. Will try to come up with a patch tomorrow.