[FFmpeg-trac] #3080(undetermined:new): jpeg2000: invalid write 4
FFmpeg
trac at avcodec.org
Fri Oct 25 01:28:05 CEST 2013
#3080: jpeg2000: invalid write 4
-------------------------------------+-------------------------------------
Reporter: ami_stuff                  | Owner:
Type: defect                         | Status: new
Priority: normal                     | Component: undetermined
Version: unspecified                 | Keywords:
Blocked By:                          | Blocking:
Reproduced by developer: 0           | Analyzed by developer: 0
-------------------------------------+-------------------------------------
Fuzzed file:
http://www1.datafilehost.com/d/d0bba6d3
{{{
(gdb) r -i ./flossless.avi
Starting program: /media/sdb1/ffmpeg-HEAD-da30d0c/ffmpeg_g -i
./flossless.avi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-da30d0c Copyright (c) 2000-2013 the FFmpeg developers
built on Oct 22 2013 14:57:21 with gcc 4.7 (Debian 4.7.2-5)
configuration: --disable-yasm --disable-ffprobe --disable-ffserver
--enable-gpl
libavutil 52. 47.101 / 52. 47.101
libavcodec 55. 37.102 / 55. 37.102
libavformat 55. 19.103 / 55. 19.103
libavdevice 55. 4.100 / 55. 4.100
libavfilter 3. 89.100 / 3. 89.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
[avi @ 0x91aee60] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
[avi @ 0x91aee60] non-interleaved AVI
[jpeg2000 @ 0x91b2700] unsupported marker 0xCD76 at pos 0x385
Program received signal SIGSEGV, Segmentation fault.
jpeg2000_decode_tile (s=s at entry=0x91b43e0, tile=0x91f1bc0,
picture=picture at entry=0x91f1a00) at libavcodec/jpeg2000dec.c:1309
1309 *dst = val << (8 - cbps);
(gdb) bt
#0 jpeg2000_decode_tile (s=s at entry=0x91b43e0, tile=0x91f1bc0,
picture=picture at entry=0x91f1a00) at libavcodec/jpeg2000dec.c:1309
#1 0x0855c1de in jpeg2000_decode_frame (avctx=0x91b2700, data=0x91f1a00,
got_frame=0xbffff060, avpkt=0xbfffefd8) at
libavcodec/jpeg2000dec.c:1663
#2 0x086c8026 in avcodec_decode_video2 (avctx=0x91b2700,
picture=0x91f1a00,
got_picture_ptr=got_picture_ptr at entry=0xbffff060,
avpkt=avpkt at entry=0xbffff088) at libavcodec/utils.c:2007
#3 0x08238490 in try_decode_frame (s=s at entry=0x91aee60,
st=st at entry=0x91b24a0, avpkt=avpkt at entry=0x91b73e0, options=0x0)
at libavformat/utils.c:2508
#4 0x08241dae in avformat_find_stream_info (ic=0x91aee60,
options=0x91b3ca0)
at libavformat/utils.c:2970
#5 0x080a9255 in open_input_file (o=o at entry=0xbffff55c,
filename=<optimized out>) at ffmpeg_opt.c:818
#6 0x080a7a17 in open_files (inout=inout at entry=0x897641b "input",
open_file=open_file at entry=0x80a8e10 <open_input_file>,
l=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
l=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
at ffmpeg_opt.c:2505
#7 0x080afc99 in ffmpeg_parse_options (argc=argc at entry=3,
argv=argv at entry=0xbffff9e4) at ffmpeg_opt.c:2542
#8 0x080a50fa in main (argc=3, argv=0xbffff9e4) at ffmpeg.c:3408
(gdb)
}}}
{{{
knoppix at Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-da30d0c/ffmpeg_g -i ./flossless.avi
==28778== Memcheck, a memory error detector
==28778== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==28778== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright
info
==28778== Command: ffmpeg-HEAD-da30d0c/ffmpeg_g -i ./flossless.avi
==28778==
ffmpeg version 2.0-da30d0c Copyright (c) 2000-2013 the FFmpeg developers
built on Oct 22 2013 14:57:21 with gcc 4.7 (Debian 4.7.2-5)
configuration: --disable-yasm --disable-ffprobe --disable-ffserver
--enable-gpl
libavutil 52. 47.101 / 52. 47.101
libavcodec 55. 37.102 / 55. 37.102
libavformat 55. 19.103 / 55. 19.103
libavdevice 55. 4.100 / 55. 4.100
libavfilter 3. 89.100 / 3. 89.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
[avi @ 0x4223060] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
[avi @ 0x4223060] non-interleaved AVI
[jpeg2000 @ 0x4255460] unsupported marker 0xCD76 at pos 0x385
==28778== Invalid write of size 1
==28778== at 0x8558D9D: jpeg2000_decode_tile (jpeg2000dec.c:1309)
==28778== by 0x855C1DD: jpeg2000_decode_frame (jpeg2000dec.c:1663)
==28778== by 0x86C8025: avcodec_decode_video2 (utils.c:2007)
==28778== by 0x823848F: try_decode_frame (utils.c:2508)
==28778== Address 0xe42971c0 is not stack'd, malloc'd or (recently)
free'd
==28778==
==28778==
==28778== Process terminating with default action of signal 11 (SIGSEGV)
==28778== Access not within mapped region at address 0xE42971C0
==28778== at 0x8558D9D: jpeg2000_decode_tile (jpeg2000dec.c:1309)
==28778== by 0x855C1DD: jpeg2000_decode_frame (jpeg2000dec.c:1663)
==28778== by 0x86C8025: avcodec_decode_video2 (utils.c:2007)
==28778== by 0x823848F: try_decode_frame (utils.c:2508)
==28778== If you believe this happened as a result of a stack
==28778== overflow in your program's main thread (unlikely but
==28778== possible), you can try to increase the size of the
==28778== main thread stack using the --main-stacksize= flag.
==28778== The main thread stack size used in this run was 8388608.
==28778==
==28778== HEAP SUMMARY:
==28778== in use at exit: 2,640,278 bytes in 289 blocks
==28778== total heap usage: 395 allocs, 106 frees, 2,828,868 bytes
allocated
==28778==
==28778== LEAK SUMMARY:
==28778== definitely lost: 0 bytes in 0 blocks
==28778== indirectly lost: 0 bytes in 0 blocks
==28778== possibly lost: 0 bytes in 0 blocks
==28778== still reachable: 2,640,278 bytes in 289 blocks
==28778== suppressed: 0 bytes in 0 blocks
==28778== Reachable blocks (those to which a pointer was found) are not
shown.
==28778== To see them, rerun with: --leak-check=full --show-reachable=yes
==28778==
==28778== For counts of detected and suppressed errors, rerun with: -v
==28778== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 59 from 6)
Segmentation fault
}}}
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3080>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker