[FFmpeg-trac] #4969(avcodec:closed): Opus fuzzing crash
FFmpeg
trac at avcodec.org
Wed Oct 28 07:58:13 CET 2015
#4969: Opus fuzzing crash
-------------------------------------+-------------------------------------
Reporter: kierank                    | Owner:
Type: defect                         | Status: closed
Priority: important                  | Component: avcodec
Version: git-master                  | Resolution: fixed
Keywords: crash opus SIGSEGV         | Blocked By:
Blocking:                            | Reproduced by developer: 1
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Changes (by cehoyos):
* keywords: => crash opus SIGSEGV
* priority: normal => important
* version: unspecified => git-master
* reproduced: 0 => 1
Comment:
{{{
(gdb) r -i fuzz11.opus -f null -
Starting program: ffmpeg_g -i fuzz11.opus -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-76274-gdcb95ef Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.7 (SUSE Linux)
configuration: --enable-gpl
libavutil 55. 4.100 / 55. 4.100
libavcodec 57. 10.100 / 57. 10.100
libavformat 57. 11.100 / 57. 11.100
libavdevice 57. 0.100 / 57. 0.100
libavfilter 6. 14.100 / 6. 14.100
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.100 / 2. 0.100
libpostproc 54. 0.100 / 54. 0.100
[opus @ 0x1cbe0a0] Mapping type 200 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[opus @ 0x1cbe0a0] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel at ffmpeg.org)
[ogg @ 0x1cbc3c0] Failed to open codec in av_find_stream_info
Guessed Channel Layout for Input Stream #0.0 : 6.1
Guessed Channel Layout for Input Stream #0.1 : stereo
Input #0, ogg, from 'fuzz11.opus':
Duration: 559936:28:37.59, start: 0.000000, bitrate: N/A
Stream #0:0: Audio: opus, 48000 Hz, 7 channels, fltp
Stream #0:1: Audio: opus, 48000 Hz, 2 channels, fltp
[New Thread 0x7ffff14f0700 (LWP 21896)]
[New Thread 0x7ffff0cef700 (LWP 21897)]
[New Thread 0x7ffff04ee700 (LWP 21898)]
[New Thread 0x7fffefced700 (LWP 21899)]
[New Thread 0x7fffef4ec700 (LWP 21900)]
[New Thread 0x7fffeeceb700 (LWP 21901)]
[New Thread 0x7fffee4ea700 (LWP 21902)]
[New Thread 0x7fffedce9700 (LWP 21903)]
[New Thread 0x7fffed4e8700 (LWP 21904)]
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf57.11.100
Stream #0:0: Audio: pcm_s16le, 48000 Hz, 6.1, s16, 5376 kb/s
Metadata:
encoder : Lavc57.10.100 pcm_s16le
Stream mapping:
Stream #0:0 -> #0:0 (opus (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
[opus @ 0x1cbee40] Error parsing the packet header.
Error while decoding stream #0:0: Invalid data found when processing input
Program received signal SIGSEGV, Segmentation fault.
ff_vector_fmul_scalar_sse.loop () at libavutil/x86/float_dsp.asm:149
149 VECTOR_FMUL_SCALAR
(gdb) bt
#0 ff_vector_fmul_scalar_sse.loop () at libavutil/x86/float_dsp.asm:149
#1 0x0000000000a42303 in opus_decode_packet (avctx=0x1cbee40,
data=0x242b060, got_frame_ptr=0x7fffffffd63c, avpkt=0x7fffffffd3a0) at
libavcodec/opusdec.c:589
#2 0x0000000000b47f61 in avcodec_decode_audio4
(avctx=avctx at entry=0x1cbee40, frame=frame at entry=0x242b060,
got_frame_ptr=got_frame_ptr at entry=0x7fffffffd63c,
avpkt=avpkt at entry=0x7fffffffd680)
at libavcodec/utils.c:2197
#3 0x00000000004938c4 in decode_audio (ist=ist at entry=0x1cbec40,
pkt=pkt at entry=0x7fffffffd680, got_output=got_output at entry=0x7fffffffd63c)
at ffmpeg.c:1958
#4 0x00000000004947a2 in process_input_packet (ist=0x1cbec40, no_eof=0,
no_eof at entry=30148000, pkt=0x0) at ffmpeg.c:2330
#5 0x0000000000496167 in process_input (file_index=0) at ffmpeg.c:3745
#6 transcode_step () at ffmpeg.c:4034
#7 transcode () at ffmpeg.c:4088
#8 0x0000000000478abb in main (argc=<optimized out>, argv=0x7fffffffdd28)
at ffmpeg.c:4281
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x1010c2d to 0x1010c6d:
   0x0000000001010c2d <ff_vector_fmac_scalar_fma3.loop+41>: vzeroupper
   0x0000000001010c30 <ff_vector_fmac_scalar_fma3.loop+44>: retq
   0x0000000001010c31 <ff_vector_fmac_scalar_fma3.loop+45>: nopl 0x0(%rax)
   0x0000000001010c38 <ff_vector_fmac_scalar_fma3.loop+52>: nopl 0x0(%rax,%rax,1)
   0x0000000001010c40 <ff_vector_fmul_scalar_sse+0>: shufps $0x0,%xmm0,%xmm0
   0x0000000001010c44 <ff_vector_fmul_scalar_sse+4>: lea -0x10(,%edx,4),%rdx
=> 0x0000000001010c4d <ff_vector_fmul_scalar_sse.loop+0>: movaps (%rsi,%rdx,1),%xmm1
   0x0000000001010c51 <ff_vector_fmul_scalar_sse.loop+4>: mulps %xmm0,%xmm1
   0x0000000001010c54 <ff_vector_fmul_scalar_sse.loop+7>: movaps %xmm1,(%rdi,%rdx,1)
   0x0000000001010c58 <ff_vector_fmul_scalar_sse.loop+11>: sub $0x10,%rdx
   0x0000000001010c5c <ff_vector_fmul_scalar_sse.loop+15>: jge 0x1010c4d <ff_vector_fmul_scalar_sse.loop>
   0x0000000001010c5e <ff_vector_fmul_scalar_sse.loop+17>: repz retq
   0x0000000001010c60 <ff_vector_dmul_scalar_sse2+0>: movlhps %xmm0,%xmm0
   0x0000000001010c63 <ff_vector_dmul_scalar_sse2+3>: lea -0x20(,%edx,8),%rdx
   0x0000000001010c6c <ff_vector_dmul_scalar_sse2.loop+0>: movaps (%rsi,%rdx,1),%xmm1
End of assembler dump.
(gdb) info all-register
rax 0x1cc32a0 30159520
rbx 0x0 0
rcx 0x0 0
rdx 0xfffffff0 4294967280
rsi 0x2353ee0 37043936
rdi 0x2353ee0 37043936
rbp 0x0 0x0
rsp 0x7fffffffd1a8 0x7fffffffd1a8
r8 0x0 0
r9 0x60 96
r10 0x0 0
r11 0x7ffff52deb20 140737306815264
r12 0x0 0
r13 0x0 0
r14 0x242b060 37924960
r15 0x1cbcfc0 30134208
rip 0x1010c4d 0x1010c4d <ff_vector_fmul_scalar_sse.loop>
eflags 0x10282 [ SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0.99991432757400702807529593862945205 (raw 0x3ffefffa62a7bb70e201)
st7 -0.013089595571344758588806973537838063 (raw 0xbff8d675be39650aff75)
fctrl 0x37f 895
fstat 0x220 544
ftag 0xffff 65535
fiseg 0x7fff 32767
fioff 0xf5f964a7 -168205145
foseg 0x7fff 32767
fooff 0xffffce78 -12680
fop 0x0 0
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
ymm0 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xf9, 0xad, 0x71, 0x3f,
0xf9, 0xad, 0x71, 0x3f, 0xf9, 0xad, 0x71, 0x3f, 0xf9, 0xad, 0x71,
0x3f, 0x0 <repeats 16 times>}, v16_int16 = {0xadf9, 0x3f71, 0xadf9,
0x3f71, 0xadf9, 0x3f71, 0xadf9, 0x3f71, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v8_int32 = {0x3f71adf9, 0x3f71adf9, 0x3f71adf9,
0x3f71adf9, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3f71adf93f71adf9,
0x3f71adf93f71adf9, 0x0, 0x0}, v2_int128 =
{0x3f71adf93f71adf93f71adf93f71adf9, 0x00000000000000000000000000000000}}
ymm1 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xa1, 0x85, 0xba, 0xb7,
0x10, 0x9b, 0x8f, 0x37, 0x10, 0x9b, 0x8f, 0x37, 0x10, 0x9b, 0x8f,
0x37, 0x0 <repeats 16 times>}, v16_int16 = {0x85a1, 0xb7ba, 0x9b10,
0x378f, 0x9b10, 0x378f, 0x9b10, 0x378f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v8_int32 = {0xb7ba85a1, 0x378f9b10, 0x378f9b10,
0x378f9b10, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x378f9b10b7ba85a1,
0x378f9b10378f9b10, 0x0, 0x0}, v2_int128 =
{0x378f9b10378f9b10378f9b10b7ba85a1, 0x00000000000000000000000000000000}}
}}}
{{{
==21911== Invalid read of size 8
==21911== at 0x4C2C476: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21911== by 0xFEE75E: av_fifo_generic_write (fifo.c:136)
==21911== by 0xFE5D97: av_audio_fifo_write (audio_fifo.c:130)
==21911== by 0xA423D3: opus_decode_packet (opusdec.c:570)
==21911== by 0xB47F60: avcodec_decode_audio4 (utils.c:2197)
==21911== by 0x4938C3: decode_audio (ffmpeg.c:1958)
==21911== by 0x4947A1: process_input_packet.constprop.20 (ffmpeg.c:2330)
==21911== by 0x496166: transcode (ffmpeg.c:3745)
==21911== by 0x478ABA: main (ffmpeg.c:4281)
==21911== Address 0x10e85060 is 0 bytes after a block of size 128 alloc'd
==21911== at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21911== by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21911== by 0xFF67D9: av_malloc (mem.c:97)
==21911== by 0xFE8267: av_buffer_alloc (buffer.c:71)
==21911== by 0xFE8B15: av_buffer_pool_get (buffer.c:329)
==21911== by 0xB45D55: avcodec_default_get_buffer2 (utils.c:632)
==21911== by 0xB4648A: get_buffer_internal (utils.c:877)
==21911== by 0xB46565: ff_get_buffer (utils.c:890)
==21911== by 0xA40E9A: opus_decode_packet (opusdec.c:489)
==21911== by 0xB47F60: avcodec_decode_audio4 (utils.c:2197)
==21911== by 0x4938C3: decode_audio (ffmpeg.c:1958)
==21911== by 0x4947A1: process_input_packet.constprop.20 (ffmpeg.c:2330)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4969#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker