[FFmpeg-trac] #2947(undetermined:new): mjpeg: invalid write with max_alloc

FFmpeg trac at avcodec.org
Mon Sep 9 13:19:47 CEST 2013


#2947: mjpeg: invalid write with max_alloc
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 (gdb) r -max_alloc 200000 -i ./avrn_fuzz.avi -f null -
 Starting program: /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 200000 -i ./avrn_fuzz.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
   built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      52. 43.100 / 52. 43.100
   libavcodec     55. 31.101 / 55. 31.101
   libavformat    55. 16.101 / 55. 16.101
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 83.102 /  3. 83.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Invalid code in init_vlc
 [avrn @ 0x9106640] huffman table decode error
 [avrn @ 0x9106640] mjpeg_decode_dc: bad vlc: 0:0 (0x91093c8)
 [avrn @ 0x9106640] error dc
 [avrn @ 0x9106640] error y=36 x=6
 Input #0, avi, from './avrn_fuzz.avi':
   Duration: 00:00:12.64, start: 0.000000, bitrate: 1731 kb/s
     Stream #0:0: Video: avrn (AVRn / 0x6E525641), yuvj422p(pc), 352x296, 23.97 tbr, 23.97 tbn, 23.97 tbc
 [New Thread 0xb7df8b70 (LWP 32495)]
 [New Thread 0xb75f8b70 (LWP 32496)]
 [New Thread 0xb6df8b70 (LWP 32497)]
 [New Thread 0xb65f8b70 (LWP 32498)]
 [New Thread 0xb5df8b70 (LWP 32499)]
 [New Thread 0xb55f8b70 (LWP 32500)]
 [New Thread 0xb4df8b70 (LWP 32501)]
 [New Thread 0xb45f8b70 (LWP 32502)]
 [New Thread 0xb3df8b70 (LWP 32503)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.16.101
     Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuvj422p, 352x296, q=2-31, 200 kb/s, 90k tbn, 23.97 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (avrn -> rawvideo)
 Press [q] to stop, [?] for help
 Invalid code in init_vlc
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 [avrn @ 0x9106640] mjpeg_decode_dc: bad vlc: 0:0 (0x910bf08)
 [avrn @ 0x9106640] error dc
 [avrn @ 0x9106640] error y=36 x=6
 [null @ 0x9108e80] Encoder did not produce proper pts, making some up.
 [avrn @ 0x9106640] mjpeg_decode_dc: bad vlc: 0:0 (0x910bf08)
 [avrn @ 0x9106640] error dc
 [avrn @ 0x9106640] error y=35 x=12
 Invalid code in init_vlc
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 Invalid code in init_vlc
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 Invalid code in init_vlc
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 [avrn @ 0x9106640] error count: 64
 [avrn @ 0x9106640] error y=1 x=17
 [avrn @ 0x9106640] mjpeg_decode_dc: bad vlc: 0:0 (0x910bf08)
 [avrn @ 0x9106640] error dc
 [avrn @ 0x9106640] error y=35 x=3
 [avrn @ 0x9106640] error count: 268435457
 [avrn @ 0x9106640] error y=18 x=0
 [avrn @ 0x9106640] Found EOI before any SOF, ignoring
 [avrn @ 0x9106640] No JPEG data found in image
 Error while decoding stream #0:0: Invalid data found when processing input
 [avrn @ 0x9106640] mjpeg_decode_dc: bad vlc: 0:0 (0x910bf08)
 [avrn @ 0x9106640] error dc
 [avrn @ 0x9106640] error y=36 x=13
 [avrn @ 0x9106640] overread 8
 [avrn @ 0x9106640] mjpeg_decode_dc: bad vlc: 0:0 (0x910bf08)
 [avrn @ 0x9106640] error dc
 [avrn @ 0x9106640] error y=36 x=12
 [avrn @ 0x9106640] error count: 268435464
 [avrn @ 0x9106640] error y=1 x=5
 [avrn @ 0x9106640] error count: 268435479
 [avrn @ 0x9106640] error y=0 x=14
 [avrn @ 0x9106640] overread 8
 [avrn @ 0x9106640] error count: 268435455
 [avrn @ 0x9106640] error y=2 x=11
 [avrn @ 0x9106640] error count: 64
 [avrn @ 0x9106640] error y=1 x=20
 [avrn @ 0x9106640] overread 8
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Invalid data found when processing input
 Invalid code in init_vlc
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 [avrn @ 0x9106640] error count: 268435470
 [avrn @ 0x9106640] error y=1 x=13
 [avrn @ 0x9106640] huffman table decode error
 Error while decoding stream #0:0: Invalid data found when processing input
 [avrn @ 0x9106640] error count: 268435460
 [avrn @ 0x9106640] error y=4 x=17

 Program received signal SIGSEGV, Segmentation fault.
 0x0872d317 in ff_clear_block_sse (block=0x0)
     at libavcodec/x86/dsputil_mmx.c:193
 193         __asm__ volatile (
 (gdb) bt
 #0  0x0872d317 in ff_clear_block_sse (block=0x0)
     at libavcodec/x86/dsputil_mmx.c:193
 #1  0x0852c697 in decode_dc_progressive (Al=0, quant_matrix=0x910bd08,
     dc_index=0, component=0, block=0x0, s=0x910bce0)
     at libavcodec/mjpegdec.c:577
 #2  mjpeg_decode_scan (reference=0x0, mb_bitmask=0x0, Al=0, Ah=0,
     nb_components=3, s=0x910bce0) at libavcodec/mjpegdec.c:1132
 #3  ff_mjpeg_decode_sos (s=s@entry=0x910bce0, mb_bitmask=mb_bitmask@entry=0x0,
     reference=reference@entry=0x0) at libavcodec/mjpegdec.c:1348
 #4  0x0852e8dd in ff_mjpeg_decode_frame (avctx=0x9106640, data=0x9119c60,
     got_frame=0xbffff4e4, avpkt=0xbffff288) at libavcodec/mjpegdec.c:1876
 #5  0x086770ee in avcodec_decode_video2 (avctx=0x9106640,
     picture=picture@entry=0x9119c60,
     got_picture_ptr=got_picture_ptr@entry=0xbffff4e4,
     avpkt=avpkt@entry=0xbffff730) at libavcodec/utils.c:1983
 #6  0x080b36ed in decode_video (ist=ist@entry=0x910dc80,
     pkt=pkt@entry=0xbffff730, got_output=got_output@entry=0xbffff4e4)
     at ffmpeg.c:1668
 #7  0x080b760a in output_packet (pkt=0xbffff6c8, ist=0x910dc80)
     at ffmpeg.c:1866
 #8  process_input (file_index=1) at ffmpeg.c:3085
 #9  0x080a2eb3 in transcode_step () at ffmpeg.c:3181
 #10 transcode () at ffmpeg.c:3233
 ---Type <return> to continue, or q <return> to quit---
 #11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3411
 (gdb)
 }}}


 {{{
 knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 200000 -i ./avrn_fuzz.avi -f null -
 ==32477== Memcheck, a memory error detector
 ==32477== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==32477== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==32477== Command: ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 200000 -i ./avrn_fuzz.avi -f null -
 ==32477==
 ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
   built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      52. 43.100 / 52. 43.100
   libavcodec     55. 31.101 / 55. 31.101
   libavformat    55. 16.101 / 55. 16.101
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 83.102 /  3. 83.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Invalid code in init_vlc
 [avrn @ 0x423a4e0] huffman table decode error
 [avrn @ 0x423a4e0] mjpeg_decode_dc: bad vlc: 0:0 (0x4255308)
 [avrn @ 0x423a4e0] error dc
 [avrn @ 0x423a4e0] error y=36 x=6
 Input #0, avi, from './avrn_fuzz.avi':
   Duration: 00:00:12.64, start: 0.000000, bitrate: 1731 kb/s
     Stream #0:0: Video: avrn (AVRn / 0x6E525641), yuvj422p(pc), 352x296, 23.97 tbr, 23.97 tbn, 23.97 tbc
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.16.101
     Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuvj422p, 352x296, q=2-31, 200 kb/s, 90k tbn, 23.97 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (avrn -> rawvideo)
 Press [q] to stop, [?] for help
 Invalid code in init_vlc
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 [avrn @ 0x423a4e0] mjpeg_decode_dc: bad vlc: 0:0 (0x4399bc8)
 [avrn @ 0x423a4e0] error dc
 [avrn @ 0x423a4e0] error y=36 x=6
 [null @ 0x42ba3c0] Encoder did not produce proper pts, making some up.
 [avrn @ 0x423a4e0] mjpeg_decode_dc: bad vlc: 0:0 (0x4399bc8)
 [avrn @ 0x423a4e0] error dc
 [avrn @ 0x423a4e0] error y=35 x=12
 Invalid code in init_vlc
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 Invalid code in init_vlc
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 Invalid code in init_vlc
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 [avrn @ 0x423a4e0] error count: 64
 [avrn @ 0x423a4e0] error y=1 x=17
 [avrn @ 0x423a4e0] mjpeg_decode_dc: bad vlc: 0:0 (0x4399bc8)
 [avrn @ 0x423a4e0] error dc
 [avrn @ 0x423a4e0] error y=35 x=3
 [avrn @ 0x423a4e0] error count: 268435457
 [avrn @ 0x423a4e0] error y=18 x=0
 [avrn @ 0x423a4e0] Found EOI before any SOF, ignoring
 [avrn @ 0x423a4e0] No JPEG data found in image
 Error while decoding stream #0:0: Invalid data found when processing input
 [avrn @ 0x423a4e0] mjpeg_decode_dc: bad vlc: 0:0 (0x4399bc8)
 [avrn @ 0x423a4e0] error dc
 [avrn @ 0x423a4e0] error y=36 x=13
 [avrn @ 0x423a4e0] overread 8
 [avrn @ 0x423a4e0] mjpeg_decode_dc: bad vlc: 0:0 (0x4399bc8)
 [avrn @ 0x423a4e0] error dc
 [avrn @ 0x423a4e0] error y=36 x=12
 [avrn @ 0x423a4e0] error count: 268435464
 [avrn @ 0x423a4e0] error y=1 x=5
 [avrn @ 0x423a4e0] error count: 268435479
 [avrn @ 0x423a4e0] error y=0 x=14
 [avrn @ 0x423a4e0] overread 8
 [avrn @ 0x423a4e0] error count: 268435455
 [avrn @ 0x423a4e0] error y=2 x=11
 [avrn @ 0x423a4e0] error count: 64
 [avrn @ 0x423a4e0] error y=1 x=20
 [avrn @ 0x423a4e0] overread 8
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Invalid data found when processing input
 Invalid code in init_vlc
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Operation not permitted
 [avrn @ 0x423a4e0] error count: 268435470
 [avrn @ 0x423a4e0] error y=1 x=13
 [avrn @ 0x423a4e0] huffman table decode error
 Error while decoding stream #0:0: Invalid data found when processing input
 [avrn @ 0x423a4e0] error count: 268435460
 [avrn @ 0x423a4e0] error y=4 x=17
 ==32477== Invalid write of size 8
 ==32477==    at 0x872D317: ff_clear_block_sse (dsputil_mmx.c:193)
 ==32477==    by 0x852C696: ff_mjpeg_decode_sos (mjpegdec.c:577)
 ==32477==    by 0x852E8DC: ff_mjpeg_decode_frame (mjpegdec.c:1876)
 ==32477==    by 0x86770ED: avcodec_decode_video2 (utils.c:1983)
 ==32477==    by 0x80B36EC: decode_video (ffmpeg.c:1668)
 ==32477==    by 0xC56966D: ???
 ==32477==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 ==32477==
 ==32477==
 ==32477== Process terminating with default action of signal 11 (SIGSEGV)
 ==32477==  Access not within mapped region at address 0x0
 ==32477==    at 0x872D317: ff_clear_block_sse (dsputil_mmx.c:193)
 ==32477==    by 0x852C696: ff_mjpeg_decode_sos (mjpegdec.c:577)
 ==32477==    by 0x852E8DC: ff_mjpeg_decode_frame (mjpegdec.c:1876)
 ==32477==    by 0x86770ED: avcodec_decode_video2 (utils.c:1983)
 ==32477==    by 0x80B36EC: decode_video (ffmpeg.c:1668)
 ==32477==    by 0xC56966D: ???
 ==32477==  If you believe this happened as a result of a stack
 ==32477==  overflow in your program's main thread (unlikely but
 ==32477==  possible), you can try to increase the size of the
 ==32477==  main thread stack using the --main-stacksize= flag.
 ==32477==  The main thread stack size used in this run was 8388608.
 ==32477==
 ==32477== HEAP SUMMARY:
 ==32477==     in use at exit: 585,085 bytes in 122 blocks
 ==32477==   total heap usage: 2,483 allocs, 2,361 frees, 3,119,954 bytes allocated
 ==32477==
 ==32477== 1,296 bytes in 9 blocks are possibly lost in loss record 87 of 102
 ==32477==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
 ==32477==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
 ==32477==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
 ==32477==    by 0x80D9641: ff_graph_thread_init (pthread.c:180)
 ==32477==    by 0x80CD5B7: avfilter_graph_alloc_filter (avfiltergraph.c:186)
 ==32477==    by 0x80D81F4: create_filter (graphparser.c:112)
 ==32477==    by 0x80D8C49: avfilter_graph_parse2 (graphparser.c:169)
 ==32477==
 ==32477== LEAK SUMMARY:
 ==32477==    definitely lost: 0 bytes in 0 blocks
 ==32477==    indirectly lost: 0 bytes in 0 blocks
 ==32477==      possibly lost: 1,296 bytes in 9 blocks
 ==32477==    still reachable: 583,789 bytes in 113 blocks
 ==32477==         suppressed: 0 bytes in 0 blocks
 ==32477== Reachable blocks (those to which a pointer was found) are not shown.
 ==32477== To see them, rerun with: --leak-check=full --show-reachable=yes
 ==32477==
 ==32477== For counts of detected and suppressed errors, rerun with: -v
 ==32477== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 59 from 6)
 Killed
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2947>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker