[FFmpeg-trac] #69(avcodec:new): Crash on flic files with invalid frame size

FFmpeg trac at avcodec.org
Tue Apr 19 19:32:20 CEST 2011


#69: Crash on flic files with invalid frame size
------------------------+---------------------
  Reporter:  cehoyos    |      Owner:
      Type:  defect     |     Status:  new
  Priority:  important  |  Component:  avcodec
   Version:  git        |   Keywords:  flic
Blocked By:             |   Blocking:
Reproduced:  1          |   Analyzed:  0
------------------------+---------------------
 (issue 2520) — the backtrace below shows an out-of-bounds read: at flicvideo.c:183 the stream offset used for `chunk_size = AV_RL32(&buf[stream_ptr])` (apparently held in r12 = 0x20031a) indexes buf (r15 = 0x1290af0, matching buf=0x1290af0 in the frame) far beyond buf_size=13186, so the frame/chunk size from the file is never checked against the packet length before it is used.
 {{{
 (gdb) r -i fli_invalid_framesize.fli -f null -
 FFmpeg version git-N-29196-ge61b83d, Copyright (c) 2000-2011 the FFmpeg
 developers
   built on Apr 19 2011 18:30:07 with gcc 4.5.2
   configuration: --enable-gpl --cc=/usr/local/gcc-4.5.2/bin/gcc
   libavutil    50. 40. 1 / 50. 40. 1
   libavcodec   52.120. 0 / 52.120. 0
   libavformat  52.108. 0 / 52.108. 0
   libavdevice  52.  4. 0 / 52.  4. 0
   libavfilter   1. 79. 1 /  1. 79. 1
   libswscale    0. 13. 0 /  0. 13. 0
 [flic @ 0x128d660] Estimating duration from bitrate, this may be
 inaccurate
 Input #0, flic, from 'fli_invalid_framesize.fli':
   Duration: N/A, start: 0.000000, bitrate: N/A
     Stream #0.0: Video: flic, pal8, 320x200, 35 tbr, 35 tbn, 35 tbc
 [buffer @ 0x12955d0] w:320 h:200 pixfmt:pal8
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf52.108.0
     Stream #0.0: Video: rawvideo, pal8, 320x200, q=2-31, 200 kb/s, 90k
 tbn, 35 tbc
 Stream mapping:
   Stream #0.0 -> #0.0
 Press [q] to stop encoding

 Program received signal SIGSEGV, Segmentation fault.
 0x00000000005dd327 in flic_decode_frame_8BPP (buf_size=13186,
 buf=0x1290af0 "\202\063",
     data_size=0x7fffffffccfc, data=0x7fffffffc9f0, avctx=0x1290040) at
 libavcodec/flicvideo.c:183
 183             chunk_size = AV_RL32(&buf[stream_ptr]);
 (gdb) bt
 #0  0x00000000005dd327 in flic_decode_frame_8BPP (buf_size=13186,
 buf=0x1290af0 "\202\063",
     data_size=0x7fffffffccfc, data=0x7fffffffc9f0, avctx=0x1290040) at
 libavcodec/flicvideo.c:183
 #1  flic_decode_frame (buf_size=13186, buf=0x1290af0 "\202\063",
 data_size=0x7fffffffccfc,
     data=0x7fffffffc9f0, avctx=0x1290040) at libavcodec/flicvideo.c:713
 #2  0x00000000007adbb8 in avcodec_decode_video2 (avctx=0x1290040,
 picture=0x7fffffffc9f0,
     got_picture_ptr=0x7fffffffccfc, avpkt=0x7fffffffcba0) at
 libavcodec/utils.c:719
 #3  0x00000000004089d4 in output_packet (ist=<value optimized out>,
 ist_index=0, ost_table=0x1290a80,
     nb_ostreams=1, pkt=<value optimized out>) at ffmpeg.c:1578
 #4  0x000000000040b560 in transcode (nb_output_files=1, nb_input_files=1,
 stream_maps=0x0,
     nb_stream_maps=0, input_files=0xd1b3c0, output_files=0xd1b0a0) at
 ffmpeg.c:2719
 #5  0x00000000004100ed in main (argc=6, argv=<value optimized out>) at
 ffmpeg.c:4463
 (gdb) disass $pc-32 $pc+32
 Dump of assembler code from 0x5dd307 to 0x5dd347:
 0x00000000005dd307 <flic_decode_frame_8BPP+1887>:       rorb   %cl,(%rdi)
 0x00000000005dd309 <flic_decode_frame_8BPP+1889>:       test   %ch,(%rax)
 0x00000000005dd30b <flic_decode_frame_8BPP+1891>:       or     %eax,(%rax)
 0x00000000005dd30d <flic_decode_frame_8BPP+1893>:       add    %cl,-0x73(%rcx)
 0x00000000005dd310 <flic_decode_frame_8BPP+1896>:       pop    %rdi
 0x00000000005dd311 <flic_decode_frame_8BPP+1897>:       add    %eax,-0x43befe16(%rbx)
 0x00000000005dd317 <flic_decode_frame+2167>:    adc    %al,(%rax)
 0x00000000005dd319 <flic_decode_frame+2169>:    add    %al,(%rax)
 0x00000000005dd31b <flic_decode_frame_8BPP+1907>:       mov    %edx,0x4c(%rsp)
 0x00000000005dd31f <flic_decode_frame_8BPP+1911>:       mov    %rbx,0x68(%rsp)
 0x00000000005dd324 <flic_decode_frame_8BPP+1916>:       movslq %r12d,%rax
 0x00000000005dd327 <flic_decode_frame_8BPP+1919>:       mov    (%r15,%rax,1),%eax
 0x00000000005dd32b <flic_decode_frame_8BPP+1923>:       mov    %eax,0x40(%rsp)
 0x00000000005dd32f <flic_decode_frame_8BPP+1927>:       lea    0x4(%r12),%eax
 0x00000000005dd334 <flic_decode_frame_8BPP+1932>:       add    $0x6,%r12d
 0x00000000005dd338 <flic_decode_frame_8BPP+1936>:       cltq
 0x00000000005dd33a <flic_decode_frame_8BPP+1938>:       movzwl (%r15,%rax,1),%edx
 0x00000000005dd33f <flic_decode_frame_8BPP+1943>:       movzwl %dx,%eax
 0x00000000005dd342 <flic_decode_frame_8BPP+1946>:       sub    $0x4,%edx
 0x00000000005dd345 <flic_decode_frame_8BPP+1949>:       cmp    $0xe,%dx
 End of assembler dump.
 (gdb) info register
 rax            0x20031a 2097946
 rbx            0x1      1
 rcx            0x2      2
 rdx            0x200301 2097921
 rsi            0x100    256
 rdi            0x100    256
 rbp            0xff     0xff
 rsp            0x7fffffffc680   0x7fffffffc680
 r8             0x100    256
 r9             0x1      1
 r10            0x1      1
 r11            0x20031a 2097946
 r12            0x20031a 2097946
 r13            0x7fffffffc9f0   140737488341488
 r14            0x1295a60        19487328
 r15            0x1290af0        19466992
 rip            0x5dd327 0x5dd327 <flic_decode_frame_8BPP+1919>
 eflags         0x10202  [ IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 fctrl          0x37f    895
 fstat          0x0      0
 ftag           0xffff   65535
 fiseg          0x0      0
 fioff          0x0      0
 foseg          0x0      0
 fooff          0x0      0
 fop            0x0      0
 mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
 }}}

-- 
Ticket URL: <https://avcodec.org/trac/ffmpeg/ticket/69>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

