[FFmpeg-trac] #4969(avcodec:closed): Opus fuzzing crash

FFmpeg trac at avcodec.org
Wed Oct 28 07:58:13 CET 2015


#4969: Opus fuzzing crash
-------------------------------------+-------------------------------------
             Reporter:  kierank      |                    Owner:
                 Type:  defect       |                   Status:  closed
             Priority:  important    |                Component:  avcodec
              Version:  git-master   |               Resolution:  fixed
             Keywords:  crash opus   |               Blocked By:
                        SIGSEGV      |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by cehoyos):

 * keywords:   => crash opus SIGSEGV
 * priority:  normal => important
 * version:  unspecified => git-master
 * reproduced:  0 => 1


Comment:

 {{{
 (gdb) r -i fuzz11.opus -f null -
 Starting program: ffmpeg_g -i fuzz11.opus -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib64/libthread_db.so.1".
 ffmpeg version N-76274-gdcb95ef Copyright (c) 2000-2015 the FFmpeg developers
   built with gcc 4.7 (SUSE Linux)
   configuration: --enable-gpl
   libavutil      55.  4.100 / 55.  4.100
   libavcodec     57. 10.100 / 57. 10.100
   libavformat    57. 11.100 / 57. 11.100
   libavdevice    57.  0.100 / 57.  0.100
   libavfilter     6. 14.100 /  6. 14.100
   libswscale      4.  0.100 /  4.  0.100
   libswresample   2.  0.100 /  2.  0.100
   libpostproc    54.  0.100 / 54.  0.100
 [opus @ 0x1cbe0a0] Mapping type 200 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
 [opus @ 0x1cbe0a0] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
 [ogg @ 0x1cbc3c0] Failed to open codec in av_find_stream_info
 Guessed Channel Layout for  Input Stream #0.0 : 6.1
 Guessed Channel Layout for  Input Stream #0.1 : stereo
 Input #0, ogg, from 'fuzz11.opus':
   Duration: 559936:28:37.59, start: 0.000000, bitrate: N/A
     Stream #0:0: Audio: opus, 48000 Hz, 7 channels, fltp
     Stream #0:1: Audio: opus, 48000 Hz, 2 channels, fltp
 [New Thread 0x7ffff14f0700 (LWP 21896)]
 [New Thread 0x7ffff0cef700 (LWP 21897)]
 [New Thread 0x7ffff04ee700 (LWP 21898)]
 [New Thread 0x7fffefced700 (LWP 21899)]
 [New Thread 0x7fffef4ec700 (LWP 21900)]
 [New Thread 0x7fffeeceb700 (LWP 21901)]
 [New Thread 0x7fffee4ea700 (LWP 21902)]
 [New Thread 0x7fffedce9700 (LWP 21903)]
 [New Thread 0x7fffed4e8700 (LWP 21904)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.11.100
     Stream #0:0: Audio: pcm_s16le, 48000 Hz, 6.1, s16, 5376 kb/s
     Metadata:
       encoder         : Lavc57.10.100 pcm_s16le
 Stream mapping:
   Stream #0:0 -> #0:0 (opus (native) -> pcm_s16le (native))
 Press [q] to stop, [?] for help
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input
 [opus @ 0x1cbee40] Error parsing the packet header.
 Error while decoding stream #0:0: Invalid data found when processing input

 Program received signal SIGSEGV, Segmentation fault.
 ff_vector_fmul_scalar_sse.loop () at libavutil/x86/float_dsp.asm:149
 149     VECTOR_FMUL_SCALAR
 (gdb) bt
 #0  ff_vector_fmul_scalar_sse.loop () at libavutil/x86/float_dsp.asm:149
 #1  0x0000000000a42303 in opus_decode_packet (avctx=0x1cbee40, data=0x242b060, got_frame_ptr=0x7fffffffd63c, avpkt=0x7fffffffd3a0) at libavcodec/opusdec.c:589
 #2  0x0000000000b47f61 in avcodec_decode_audio4 (avctx=avctx@entry=0x1cbee40, frame=frame@entry=0x242b060, got_frame_ptr=got_frame_ptr@entry=0x7fffffffd63c, avpkt=avpkt@entry=0x7fffffffd680) at libavcodec/utils.c:2197
 #3  0x00000000004938c4 in decode_audio (ist=ist@entry=0x1cbec40, pkt=pkt@entry=0x7fffffffd680, got_output=got_output@entry=0x7fffffffd63c) at ffmpeg.c:1958
 #4  0x00000000004947a2 in process_input_packet (ist=0x1cbec40, no_eof=0, no_eof@entry=30148000, pkt=0x0) at ffmpeg.c:2330
 #5  0x0000000000496167 in process_input (file_index=0) at ffmpeg.c:3745
 #6  transcode_step () at ffmpeg.c:4034
 #7  transcode () at ffmpeg.c:4088
 #8  0x0000000000478abb in main (argc=<optimized out>, argv=0x7fffffffdd28) at ffmpeg.c:4281
 (gdb) disass $pc-32,$pc+32
 Dump of assembler code from 0x1010c2d to 0x1010c6d:
    0x0000000001010c2d <ff_vector_fmac_scalar_fma3.loop+41>:     vzeroupper
    0x0000000001010c30 <ff_vector_fmac_scalar_fma3.loop+44>:     retq
    0x0000000001010c31 <ff_vector_fmac_scalar_fma3.loop+45>:     nopl   0x0(%rax)
    0x0000000001010c38 <ff_vector_fmac_scalar_fma3.loop+52>:     nopl   0x0(%rax,%rax,1)
    0x0000000001010c40 <ff_vector_fmul_scalar_sse+0>:    shufps $0x0,%xmm0,%xmm0
    0x0000000001010c44 <ff_vector_fmul_scalar_sse+4>:    lea    -0x10(,%edx,4),%rdx
 => 0x0000000001010c4d <ff_vector_fmul_scalar_sse.loop+0>:       movaps (%rsi,%rdx,1),%xmm1
    0x0000000001010c51 <ff_vector_fmul_scalar_sse.loop+4>:       mulps  %xmm0,%xmm1
    0x0000000001010c54 <ff_vector_fmul_scalar_sse.loop+7>:       movaps %xmm1,(%rdi,%rdx,1)
    0x0000000001010c58 <ff_vector_fmul_scalar_sse.loop+11>:      sub    $0x10,%rdx
    0x0000000001010c5c <ff_vector_fmul_scalar_sse.loop+15>:      jge    0x1010c4d <ff_vector_fmul_scalar_sse.loop>
    0x0000000001010c5e <ff_vector_fmul_scalar_sse.loop+17>:      repz retq
    0x0000000001010c60 <ff_vector_dmul_scalar_sse2+0>:   movlhps %xmm0,%xmm0
    0x0000000001010c63 <ff_vector_dmul_scalar_sse2+3>:   lea    -0x20(,%edx,8),%rdx
    0x0000000001010c6c <ff_vector_dmul_scalar_sse2.loop+0>:      movaps (%rsi,%rdx,1),%xmm1
 End of assembler dump.
 (gdb) info all-register
 rax            0x1cc32a0        30159520
 rbx            0x0      0
 rcx            0x0      0
 rdx            0xfffffff0       4294967280
 rsi            0x2353ee0        37043936
 rdi            0x2353ee0        37043936
 rbp            0x0      0x0
 rsp            0x7fffffffd1a8   0x7fffffffd1a8
 r8             0x0      0
 r9             0x60     96
 r10            0x0      0
 r11            0x7ffff52deb20   140737306815264
 r12            0x0      0
 r13            0x0      0
 r14            0x242b060        37924960
 r15            0x1cbcfc0        30134208
 rip            0x1010c4d        0x1010c4d <ff_vector_fmul_scalar_sse.loop>
 eflags         0x10282  [ SF IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 st0            0        (raw 0x00000000000000000000)
 st1            0        (raw 0x00000000000000000000)
 st2            0        (raw 0x00000000000000000000)
 st3            0        (raw 0x00000000000000000000)
 st4            0        (raw 0x00000000000000000000)
 st5            0        (raw 0x00000000000000000000)
 st6            0.99991432757400702807529593862945205    (raw 0x3ffefffa62a7bb70e201)
 st7            -0.013089595571344758588806973537838063  (raw 0xbff8d675be39650aff75)
 fctrl          0x37f    895
 fstat          0x220    544
 ftag           0xffff   65535
 fiseg          0x7fff   32767
 fioff          0xf5f964a7       -168205145
 foseg          0x7fff   32767
 fooff          0xffffce78       -12680
 fop            0x0      0
 mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
 ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xf9, 0xad, 0x71, 0x3f, 0xf9, 0xad, 0x71, 0x3f, 0xf9, 0xad, 0x71, 0x3f, 0xf9, 0xad, 0x71, 0x3f, 0x0 <repeats 16 times>}, v16_int16 = {0xadf9, 0x3f71, 0xadf9, 0x3f71, 0xadf9, 0x3f71, 0xadf9, 0x3f71, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x3f71adf9, 0x3f71adf9, 0x3f71adf9, 0x3f71adf9, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3f71adf93f71adf9, 0x3f71adf93f71adf9, 0x0, 0x0}, v2_int128 = {0x3f71adf93f71adf93f71adf93f71adf9, 0x00000000000000000000000000000000}}
 ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xa1, 0x85, 0xba, 0xb7, 0x10, 0x9b, 0x8f, 0x37, 0x10, 0x9b, 0x8f, 0x37, 0x10, 0x9b, 0x8f, 0x37, 0x0 <repeats 16 times>}, v16_int16 = {0x85a1, 0xb7ba, 0x9b10, 0x378f, 0x9b10, 0x378f, 0x9b10, 0x378f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xb7ba85a1, 0x378f9b10, 0x378f9b10, 0x378f9b10, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x378f9b10b7ba85a1, 0x378f9b10378f9b10, 0x0, 0x0}, v2_int128 = {0x378f9b10378f9b10378f9b10b7ba85a1, 0x00000000000000000000000000000000}}
 }}}
 {{{
 ==21911== Invalid read of size 8
 ==21911==    at 0x4C2C476: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==21911==    by 0xFEE75E: av_fifo_generic_write (fifo.c:136)
 ==21911==    by 0xFE5D97: av_audio_fifo_write (audio_fifo.c:130)
 ==21911==    by 0xA423D3: opus_decode_packet (opusdec.c:570)
 ==21911==    by 0xB47F60: avcodec_decode_audio4 (utils.c:2197)
 ==21911==    by 0x4938C3: decode_audio (ffmpeg.c:1958)
 ==21911==    by 0x4947A1: process_input_packet.constprop.20 (ffmpeg.c:2330)
 ==21911==    by 0x496166: transcode (ffmpeg.c:3745)
 ==21911==    by 0x478ABA: main (ffmpeg.c:4281)
 ==21911==  Address 0x10e85060 is 0 bytes after a block of size 128 alloc'd
 ==21911==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==21911==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==21911==    by 0xFF67D9: av_malloc (mem.c:97)
 ==21911==    by 0xFE8267: av_buffer_alloc (buffer.c:71)
 ==21911==    by 0xFE8B15: av_buffer_pool_get (buffer.c:329)
 ==21911==    by 0xB45D55: avcodec_default_get_buffer2 (utils.c:632)
 ==21911==    by 0xB4648A: get_buffer_internal (utils.c:877)
 ==21911==    by 0xB46565: ff_get_buffer (utils.c:890)
 ==21911==    by 0xA40E9A: opus_decode_packet (opusdec.c:489)
 ==21911==    by 0xB47F60: avcodec_decode_audio4 (utils.c:2197)
 ==21911==    by 0x4938C3: decode_audio (ffmpeg.c:1958)
 ==21911==    by 0x4947A1: process_input_packet.constprop.20 (ffmpeg.c:2330)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4969#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

