(issue 2367)
Attached interlaced MPEG2 sample from an Optelecom Siqura C-60 E-MC crashes FFmpeg with a SIGSEGV during motion compensation (put_pixels8_8_c via mpeg_motion_internal, reached from av_find_stream_info while probing the input). The faulting instruction is a load through the source pixel pointer, `mov (%ecx,%eax,1),%ebp`, with ecx=0x2f0 and eax=0, i.e. an invalid read from the near-NULL address 0x2f0; presumably the reference-picture plane pointer is unset/bogus for this interlaced stream — to be confirmed from the fix. Note the build uses --disable-asm, so the backtrace shows the C fallback; an asm-enabled build would likely fault at an equivalent point in the SIMD path but with a different frame. Since this is a read fault rather than a write, it is a DoS on current evidence; exploitability beyond that has not been established here.
(gdb) r -i exploit.bin
FFmpeg version git-N-29196-ge61b83d, Copyright (c) 2000-2011 the FFmpeg developers
built on Apr 19 2011 19:44:16 with gcc 4.4.5
configuration: --cc='/usr/local/gcc-4.4.5/bin/gcc -m32' --disable-asm
libavutil 50. 40. 1 / 50. 40. 1
libavcodec 52.120. 0 / 52.120. 0
libavformat 52.108. 0 / 52.108. 0
libavdevice 52. 4. 0 / 52. 4. 0
libavfilter 1. 79. 1 / 1. 79. 1
libswscale 0. 13. 0 / 0. 13. 0
Program received signal SIGSEGV, Segmentation fault.
0x081781e0 in put_pixels8_8_c (h=<value optimized out>, line_size=<value optimized out>,
pixels=<value optimized out>, block=<value optimized out>) at libavcodec/dsputil_internal.h:756
756 PIXOP2(put, op_put)
(gdb) bt
#0 0x081781e0 in put_pixels8_8_c (h=<value optimized out>, line_size=<value optimized out>,
pixels=<value optimized out>, block=<value optimized out>) at libavcodec/dsputil_internal.h:756
#1 put_pixels16_8_c (h=<value optimized out>, line_size=<value optimized out>,
pixels=<value optimized out>, block=<value optimized out>) at libavcodec/dsputil_internal.h:756
#2 0x083a6ace in mpeg_motion_internal (mb_y=<value optimized out>, is_mpeg12=<value optimized out>,
h=<value optimized out>, motion_y=<value optimized out>, motion_x=<value optimized out>,
pix_op=<value optimized out>, ref_picture=<value optimized out>, field_select=<value optimized out>,
bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
at libavcodec/mpegvideo_common.h:352
#3 mpeg_motion (mb_y=<value optimized out>, is_mpeg12=<value optimized out>, h=<value optimized out>,
motion_y=<value optimized out>, motion_x=<value optimized out>, pix_op=<value optimized out>,
ref_picture=<value optimized out>, field_select=<value optimized out>,
bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
at libavcodec/mpegvideo_common.h:375
#4 MPV_motion_internal (mb_y=<value optimized out>, is_mpeg12=<value optimized out>,
h=<value optimized out>, motion_y=<value optimized out>, motion_x=<value optimized out>,
pix_op=<value optimized out>, ref_picture=<value optimized out>, field_select=<value optimized out>,
bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
at libavcodec/mpegvideo_common.h:823
#5 MPV_motion (mb_y=<value optimized out>, is_mpeg12=<value optimized out>, h=<value optimized out>,
motion_y=<value optimized out>, motion_x=<value optimized out>, pix_op=<value optimized out>,
ref_picture=<value optimized out>, field_select=<value optimized out>,
bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
at libavcodec/mpegvideo_common.h:892
#6 0x083afec1 in MPV_decode_mb_internal (is_mpeg12=<value optimized out>,
lowres_flag=<value optimized out>, block=<value optimized out>, s=<value optimized out>)
at libavcodec/mpegvideo.c:2117
#7 MPV_decode_mb (is_mpeg12=<value optimized out>, lowres_flag=<value optimized out>,
block=<value optimized out>, s=<value optimized out>) at libavcodec/mpegvideo.c:2253
#8 0x0836070b in mpeg_decode_slice (s1=0x8c69c50, mb_y=<value optimized out>, buf=<value optimized out>,
buf_size=501) at libavcodec/mpeg12.c:1843
#9 0x08366d18 in decode_chunks (avctx=<value optimized out>, picture=<value optimized out>,
data_size=<value optimized out>, buf=0x8c77e60 "", buf_size=11505) at libavcodec/mpeg12.c:2535
#10 0x08367240 in mpeg_decode_frame (avctx=0x8c69690, data=0xffffcbc4, data_size=0xffffcd8c,
avpkt=0x8c6f880) at libavcodec/mpeg12.c:2323
#11 0x08479077 in avcodec_decode_video2 (avctx=0x8c69690, picture=0xffffcbc4, got_picture_ptr=0xffffcd8c,
avpkt=0x8c6f880) at libavcodec/utils.c:719
#12 0x08119231 in try_decode_frame (avpkt=<value optimized out>, st=<value optimized out>)
at libavformat/utils.c:2127
#13 av_find_stream_info (avpkt=<value optimized out>, st=<value optimized out>)
at libavformat/utils.c:2417
#14 0x0804d7d6 in opt_input_file (filename=0xffffd28b "exploit.bin") at ffmpeg.c:3303
#15 0x08059e85 in parse_options (argc=3, argv=0xffffd024, options=0x85c7800,
parse_arg_function=0x8056790 <opt_output_file>) at cmdutils.c:222
#16 0x08055c51 in main (argc=3, argv=0xffffd024) at ffmpeg.c:4443
(gdb) disass $pc-12 $pc+32
Dump of assembler code from 0x81781d4 to 0x8178200:
0x081781d4 <put_pixels8_8_c+0>: test %esi,%esi
0x081781d6 <put_pixels8_8_c+2>: jle 0x8178219 <put_pixels16_8_c+89>
0x081781d8 <put_pixels8_8_c+4>: xor %eax,%eax
0x081781da <put_pixels8_8_c+6>: xor %ebx,%ebx
0x081781dc <put_pixels8_8_c+8>: lea 0x0(%esi,%eiz,1),%esi
0x081781e0 <put_pixels8_8_c+12>: mov (%ecx,%eax,1),%ebp
0x081781e3 <put_pixels8_8_c+15>: add $0x1,%ebx
0x081781e6 <put_pixels8_8_c+18>: mov %ebp,(%edx,%eax,1)
0x081781e9 <put_pixels8_8_c+21>: mov 0x4(%ecx,%eax,1),%ebp
0x081781ed <put_pixels8_8_c+25>: mov %ebp,0x4(%edx,%eax,1)
0x081781f1 <put_pixels8_8_c+29>: add %edi,%eax
0x081781f3 <put_pixels8_8_c+31>: cmp %esi,%ebx
0x081781f5 <put_pixels8_8_c+33>: jne 0x81781e0 <put_pixels8_8_c+12>
0x081781f7 <put_pixels8_8_c+35>: xor %eax,%eax
0x081781f9 <put_pixels8_8_c+37>: xor %ebx,%ebx
0x081781fb <put_pixels8_8_c+39>: nop
0x081781fc <put_pixels8_8_c+40>: lea 0x0(%esi,%eiz,1),%esi
End of assembler dump.
(gdb) info register
eax 0x0 0
ecx 0x2f0 752
edx 0xf7c9c220 -137772512
ebx 0x0 0
esp 0xffffc67c 0xffffc67c
ebp 0x10 0x10
esi 0x10 16
edi 0x5e0 1504
eip 0x81781e0 0x81781e0 <put_pixels8_8_c+12>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
Resolved: applied an old, previously missed patch by Anatoly that fixes this crash.