[FFmpeg-trac] #4502(undetermined:new): hq_hqa: crash with fuzzed file

FFmpeg trac at avcodec.org
Mon Apr 20 20:20:21 CEST 2015


#4502: hq_hqa: crash with fuzzed file
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:
                Version:             |  undetermined
  unspecified                        |               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 http://www.datafilehost.com/d/aaf1650e

 {{{
 knoppix at Microknoppix:/media/sdb1/ffmpeg$ valgrind --leak-check=full ffmpeg/ffmpeg_g -i fuzz3.avi -f null -
 ==12490== Memcheck, a memory error detector
 ==12490== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==12490== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==12490== Command: ffmpeg/ffmpeg_g -i fuzz3.avi -f null -
 ==12490==
 ffmpeg version 2.6.git Copyright (c) 2000-2015 the FFmpeg developers
   built with gcc 4.7 (Debian 4.7.2-4)
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      54. 23.100 / 54. 23.100
   libavcodec     56. 35.101 / 56. 35.101
   libavformat    56. 30.100 / 56. 30.100
   libavdevice    56.  4.100 / 56.  4.100
   libavfilter     5. 14.100 /  5. 14.100
   libswscale      3.  1.101 /  3.  1.101
   libswresample   1.  1.100 /  1.  1.100
   libpostproc    53.  3.100 / 53.  3.100
 [hq_hqa @ 0x4c3ef80] Not a HQ/HQA frame.
     Last message repeated 2 times
 Input #0, avi, from 'fuzz3.avi':
   Duration: 00:00:24.80, start: 0.000000, bitrate: 3283 kb/s
     Stream #0:0: Video: hq_hqa (CUVC / 0x43565543), yuv422p, 720x480 [SAR 9:10 DAR 27:20], 5 fps, 5 tbr, 5 tbn, 5 tbc
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf56.30.100
     Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 720x480 [SAR 9:10 DAR 27:20], q=2-31, 200 kb/s, 5 fps, 5 tbn, 5 tbc
     Metadata:
       encoder         : Lavc56.35.101 rawvideo
 Stream mapping:
   Stream #0:0 -> #0:0 (hq_hqa (native) -> rawvideo (native))
 Press [q] to stop, [?] for help
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Invalid slice size 82190.
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Invalid slice size 85052.
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 frame=    8 fps=0.0 q=0.0 size=N/A time=00:00:03.20 bitrate=N/A
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A4FEA: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x5313e00 is not stack'd, malloc'd or (recently) free'd
 ==12490==
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A5004: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x5313e01 is not stack'd, malloc'd or (recently) free'd
 ==12490==
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A501F: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x5313e02 is not stack'd, malloc'd or (recently) free'd
 ==12490==
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A503A: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x5313e03 is not stack'd, malloc'd or (recently) free'd
 ==12490==


 ==12490==
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A5070: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A42A7: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x51b0ccd is not stack'd, malloc'd or (recently) free'd
 ==12490==
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A508B: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A42A7: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x51b0cce is not stack'd, malloc'd or (recently) free'd
 ==12490==
 ==12490== Invalid write of size 1
 ==12490==    at 0x85A50AA: hq_idct_put (hq_hqadsp.c:122)
 ==12490==    by 0x85A42A7: hq_hqa_decode_frame (hq_hqa.c:55)
 ==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
 ==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
 ==12490==  Address 0x51b0ccf is not stack'd, malloc'd or (recently) free'd
 ==12490==
 [hq_hqa @ 0x4d47d60] Invalid slice size 93184.
 Input stream #0:0 frame changed from size:720x480 fmt:yuv422p to size:1280x1024 fmt:yuv422p
 --12490-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV)
 - exiting
 --12490-- si_code=1;  Faulting address: 0xF0F0E12;  sp: 0x629ecde0

 valgrind: the 'impossible' happened:
    Killed by fatal signal
 ==12490==    at 0x38049B14: unlinkBlock (m_mallocfree.c:408)
 ==12490==    by 0x3804A495: vgPlain_arena_malloc (m_mallocfree.c:1566)
 ==12490==    by 0x380843FB: vgPlain_cli_malloc (replacemalloc_core.c:83)
 ==12490==    by 0x38016112: vgMemCheck_new_block (mc_malloc_wrappers.c:248)
 ==12490==    by 0x380162F5: vgMemCheck_malloc (mc_malloc_wrappers.c:285)
 ==12490==    by 0x38086C4F: vgPlain_scheduler (scheduler.c:1461)
 ==12490==    by 0x38098C07: run_a_thread_NORETURN (syswrap-linux.c:98)

 sched status:
   running_tid=1

 Thread 1: status = VgTs_Runnable
 ==12490==    at 0x4028308: malloc (vg_replace_malloc.c:263)
 ==12490==    by 0x402849F: realloc (vg_replace_malloc.c:632)
 ==12490==    by 0x8B29DD6: av_strdup (mem.c:166)
 ==12490==    by 0x8B2DF57: av_opt_set (opt.c:166)
 ==12490==    by 0x80CF9AE: configure_filtergraph (ffmpeg_filter.c:886)
 ==12490==    by 0x80D65E7: decode_video (ffmpeg.c:2076)
 ==12490==    by 0x80DCF25: transcode (ffmpeg.c:2229)
 ==12490==    by 0x80BCC05: main (ffmpeg.c:4067)


 Note: see also the FAQ in the source distribution.
 It contains workarounds to several common problems.
 In particular, if Valgrind aborted or crashed after
 identifying problems in your program, there's a good chance
 that fixing those problems will prevent Valgrind aborting or
 crashing, especially if it happened in m_mallocfree.c.

 If that doesn't help, please report this bug to: www.valgrind.org

 In the bug report, send all the above text, the valgrind
 version, and what OS and version you are using.  Thanks.
 }}}

 {{{
 (gdb) r -i fuzz3.avi -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i fuzz3.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 2.6.git Copyright (c) 2000-2015 the FFmpeg developers
   built with gcc 4.7 (Debian 4.7.2-4)
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      54. 23.100 / 54. 23.100
   libavcodec     56. 35.101 / 56. 35.101
   libavformat    56. 30.100 / 56. 30.100
   libavdevice    56.  4.100 / 56.  4.100
   libavfilter     5. 14.100 /  5. 14.100
   libswscale      3.  1.101 /  3.  1.101
   libswresample   1.  1.100 /  1.  1.100
   libpostproc    53.  3.100 / 53.  3.100
 [hq_hqa @ 0x95511a0] Not a HQ/HQA frame.
     Last message repeated 2 times
 Input #0, avi, from 'fuzz3.avi':
   Duration: 00:00:24.80, start: 0.000000, bitrate: 3283 kb/s
     Stream #0:0: Video: hq_hqa (CUVC / 0x43565543), yuv422p, 720x480 [SAR 9:10 DAR 27:20], 5 fps, 5 tbr, 5 tbn, 5 tbc
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf56.30.100
     Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 720x480 [SAR 9:10 DAR 27:20], q=2-31, 200 kb/s, 5 fps, 5 tbn, 5 tbc
     Metadata:
       encoder         : Lavc56.35.101 rawvideo
 Stream mapping:
   Stream #0:0 -> #0:0 (hq_hqa (native) -> rawvideo (native))
 Press [q] to stop, [?] for help
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Invalid slice size 82190.
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Invalid slice size 85052.
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input
 [hq_hqa @ 0x9552500] Not a HQ/HQA frame.
 Error while decoding stream #0:0: Invalid data found when processing input

 Program received signal SIGSEGV, Segmentation fault.
 0x085a4fea in hq_idct_put (dst=0xb7442120 "", stride=2560, block=0x95533e0)
     at libavcodec/hq_hqadsp.c:122
 warning: Source file is more recent than executable.
 122                 dst[j] = av_clip_uint8(block[j + i * 8]);
 (gdb) bt
 #0  0x085a4fea in hq_idct_put (dst=0xb7442120 "", stride=2560, block=0x95533e0)
     at libavcodec/hq_hqadsp.c:122
 #1  0x085a421d in put_blocks (block1=<optimized out>, block0=0x95533e0,
     ilace=1, y=1248, x=256, plane=0, pic=0x9557700, c=<optimized out>)
     at libavcodec/hq_hqa.c:55
 #2  hq_decode_mb (y=1248, x=256, gb=<synthetic pointer>, pic=0x9557700,
     c=0x95533a0) at libavcodec/hq_hqa.c:104
 #3  hq_decode_frame (data_size=93184, prof_num=<optimized out>, pic=0x9557700,
     ctx=0x95533a0) at libavcodec/hq_hqa.c:163
 #4  hq_hqa_decode_frame (avctx=0x9552500, data=0x9557700,
     got_frame=0xbffff594, avpkt=0xbffff308) at libavcodec/hq_hqa.c:332
 #5  0x087a3fbe in avcodec_decode_video2 (avctx=0x9552500,
     picture=picture at entry=0x9557700,
     got_picture_ptr=got_picture_ptr at entry=0xbffff594,
     avpkt=avpkt at entry=0xbffff840) at libavcodec/utils.c:2376
 #6  0x080d628c in decode_video (ist=ist at entry=0x9552f40,
     pkt=pkt at entry=0xbffff840, got_output=got_output at entry=0xbffff594)
     at ffmpeg.c:1981
 #7  0x080dcf26 in process_input_packet (pkt=0xbffff7e8, ist=0x9552f40)
     at ffmpeg.c:2229
 #8  process_input (file_index=20) at ffmpeg.c:3738
 #9  transcode_step () at ffmpeg.c:3832
 #10 transcode () at ffmpeg.c:3885
 ---Type <return> to continue, or q <return> to quit---
 #11 0x080bcc06 in main (argc=<optimized out>, argv=<optimized out>)
     at ffmpeg.c:4067
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4502>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
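The backtrace pins the faulting write to `dst[j] = av_clip_uint8(block[j + i * 8])` in hq_idct_put, reached from put_blocks with ilace=1, x=256, y=1248 on a frame that had just switched to 1280x1024: an 8x8 block placed fourteen rows of stride 2560 below a row that is already past the bottom of the plane. The example below is added here and is not FFmpeg's code or a fix from the project; it models the same unchecked 8x8 put beside the bounds check a decoder needs before placing a macroblock, and replays the backtrace's coordinates against it. The plane geometry (width 1280, height 1024, linesize 1280, so 2*linesize = 2560 for the interlaced row step) and the block coefficients are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not FFmpeg code. Plane geometry is assumed; the block
 * coordinates (x=256, y=1248, ilace=1) are taken from the gdb backtrace. */
typedef struct {
    uint8_t *data;
    int width;   /* pixels per row */
    int height;  /* rows */
    int stride;  /* bytes from one row to the next, >= width */
} Plane;

static uint8_t clip_uint8(int v)
{
    return v < 0 ? 0 : v > 255 ? 255 : (uint8_t)v;
}

/* Mirrors the write at hq_hqadsp.c:122: dst[j] = av_clip_uint8(block[j + i*8]).
 * Nothing here knows where the plane ends, so the caller must check first. */
static void idct_put_unchecked(uint8_t *dst, int stride, const int16_t *block)
{
    for (int i = 0; i < 8; i++, dst += stride)
        for (int j = 0; j < 8; j++)
            dst[j] = clip_uint8(block[j + i * 8]);
}

/* An 8x8 block at (x, y). With ilace set the rows are 2*stride apart (as in
 * put_blocks with ilace=1), so the block spans 15 rows, not 8. Returns 1 only
 * if every byte the block would touch lies inside the plane. */
int block_in_bounds(const Plane *p, int x, int y, int ilace)
{
    int row_step = ilace ? 2 : 1;
    if (x < 0 || y < 0)
        return 0;
    if (x > p->width - 8)                 /* subtraction form: no x + 8 overflow */
        return 0;
    if (y > p->height - 1 - 7 * row_step) /* last row touched must be < height */
        return 0;
    return 1;
}

/* Checked placement: rejects the block instead of writing past the plane. */
int put_block_checked(Plane *p, int x, int y, int ilace, const int16_t *block)
{
    if (!block_in_bounds(p, x, y, ilace))
        return -1;
    uint8_t *dst = p->data + (size_t)y * p->stride + x;
    idct_put_unchecked(dst, ilace ? 2 * p->stride : p->stride, block);
    return 0;
}

/* Constructed sample coefficients: 100, 103, ... up to 289 (clipped to 255). */
static void fill_block(int16_t *block)
{
    for (int i = 0; i < 64; i++)
        block[i] = (int16_t)(100 + i * 3);
}

/* Replays the backtrace: 1280x1024 luma plane, interlaced block at x=256,
 * y=1248. Returns the checked result (-1 = rejected, -2 = allocation failed). */
int demo_fuzzed_block(void)
{
    Plane p = { .width = 1280, .height = 1024, .stride = 1280 };
    p.data = calloc((size_t)p.height * p.stride, 1);
    if (!p.data)
        return -2;
    int16_t block[64];
    fill_block(block);
    int rc = put_block_checked(&p, 256, 1248, 1, block);
    free(p.data);
    return rc;
}

/* A block that fits: y=1008 interlaced touches rows 1008..1022 of 1024.
 * Returns the pixel written at the block's top-left corner, or -1 on reject. */
int demo_valid_block(void)
{
    Plane p = { .width = 1280, .height = 1024, .stride = 1280 };
    p.data = calloc((size_t)p.height * p.stride, 1);
    if (!p.data)
        return -2;
    int16_t block[64];
    fill_block(block);
    int rc = put_block_checked(&p, 256, 1008, 1, block);
    int pixel = rc == 0 ? p.data[(size_t)1008 * p.stride + 256] : -1;
    free(p.data);
    return pixel;
}

int main(void)
{
    printf("fuzzed block (x=256, y=1248, ilace=1): %s\n",
           demo_fuzzed_block() == -1 ? "rejected" : "accepted");
    printf("valid block (x=256, y=1008, ilace=1) top-left pixel: %d\n",
           demo_valid_block());
    return 0;
}
```

The check is deliberately written against the rows the block actually touches (y + 7 * row_step for the interlaced case), not just against y, and uses the subtraction form so that attacker-controlled coordinates cannot overflow a `y + 8 > height` comparison. Note that the frame-size change logged just before the crash means any bound used here must be re-read from the frame the block is being written into, not cached from the previous packet.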