[FFmpeg-trac] #5244(undetermined:new): mjpeg encoder assertion failure/abort on fuzzed file
FFmpeg
trac at avcodec.org
Thu Feb 18 06:23:05 CET 2016
#5244: mjpeg encoder assertion failure/abort on fuzzed file
-------------------------------------+-------------------------------------
Reporter: MarkZV | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
In a git master build with --assert-level=2, an assertion failure and
abort occurs when encoding a fuzzed input file using the FFmpeg native
mjpeg encoder, causing the application to crash.
This occurs because `avctx->sample_aspect_ratio.num` on
libavcodec/mjpegenc_common.c line 134 is too large for 16 bits.
{{{
-> 134 put_bits(p, 16, avctx->sample_aspect_ratio.num);
(lldb) p avctx->sample_aspect_ratio
(AVRational) $1 = (num = 279616, den = 11685)
}}}
{{{
Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:157
}}}
{{{
$ ./ffmpeg_g -v 9 -loglevel 99 -i in.mpg -y out.jpg
ffmpeg version N-78590-g5590ab4 Copyright (c) 2000-2016 the FFmpeg
developers
built with clang version 3.7.1 (tags/RELEASE_371/final)
configuration: --enable-debug --assert-level=2 --cc=/opt/local/bin/clang
--disable-stripping
libavutil 55. 18.100 / 55. 18.100
libavcodec 57. 24.103 / 57. 24.103
libavformat 57. 25.100 / 57. 25.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 32.100 / 6. 32.100
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'in.mpg'.
Reading option '-y' ... matched as option 'y' (overwrite output files)
with argument '1'.
Reading option 'out.jpg' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Applying option y (overwrite output files) with argument 1.
Successfully parsed a group of options.
Parsing a group of options: input file in.mpg.
Successfully parsed a group of options.
Opening an input file: in.mpg.
[file @ 0x7f952a500200] Setting default whitelist 'file'
Probing mpegvideo score:51 size:43
[mpegvideo @ 0x7f952b000000] Format mpegvideo probed with size=2048 and
score=51
[mpegvideo @ 0x7f952b000000] Before avformat_find_stream_info() pos: 0
bytes read:43 seeks:0
[mpeg1video @ 0x7f952b008600] frame_rate_index 0 is invalid
Last message repeated 1 times
[mpeg1video @ 0x7f952b008600] sequence header damaged
[mpegvideo @ 0x7f952b000000] Estimating duration from bitrate, this may be
inaccurate
[mpegvideo @ 0x7f952b000000] 0: start_time: -9223372036854.775 duration:
0.000
[mpegvideo @ 0x7f952b000000] stream: start_time: -9223372036854.775
duration: 0.000 bitrate=19111 kb/s
[mpegvideo @ 0x7f952b000000] After avformat_find_stream_info() pos: 43
bytes read:43 seeks:0 frames:2
Input #0, mpegvideo, from 'in.mpg':
Duration: 00:00:00.00, bitrate: 19111 kb/s
Stream #0:0, 2, 1/1200000: Video: mpeg1video, 1 reference frame,
yuv420p(tv, center), 779x816 [SAR 64:45 DAR 3116:2295], 1001/24000, 19737
kb/s, 23.98 tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file out.jpg.
Successfully parsed a group of options.
Opening an output file: out.jpg.
Successfully opened the file.
detected 8 logical cores
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'video_size' to
value '779x816'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'pix_fmt' to
value '0'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'time_base' to
value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'pixel_aspect' to
value '64/45'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'sws_param' to
value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'frame_rate' to
value '24000/1001'
[graph 0 input from stream 0:0 @ 0x7f952a600380] w:779 h:816
pixfmt:yuv420p tb:1/1200000 fr:24000/1001 sar:64/45 sws_param:flags=2
[format @ 0x7f952a6009a0] compat: called with
args=[yuvj420p|yuvj422p|yuvj444p]
[format @ 0x7f952a6009a0] Setting 'pix_fmts' to value
'yuvj420p|yuvj422p|yuvj444p'
[auto-inserted scaler 0 @ 0x7f952a501de0] Setting 'flags' to value
'bicubic'
[auto-inserted scaler 0 @ 0x7f952a501de0] w:iw h:ih flags:'bicubic'
interl:0
[format @ 0x7f952a6009a0] auto-inserting filter 'auto-inserted scaler 0'
between the filter 'Parsed_null_0' and the filter 'format'
[AVFilterGraph @ 0x7f952a5015e0] query_formats: 4 queried, 2 merged, 1
already done, 0 delayed
[auto-inserted scaler 0 @ 0x7f952a501de0] picking yuvj420p out of 3
ref:yuv420p alpha:0
[swscaler @ 0x7f952b01c800] deprecated pixel format used, make sure you
did set range correctly
[auto-inserted scaler 0 @ 0x7f952a501de0] w:779 h:816 fmt:yuv420p
sar:64/45 -> w:779 h:816 fmt:yuvj420p sar:64/45 flags:0x4
[mjpeg @ 0x7f952b003e00] Forcing thread count to 1 for MJPEG encoding, use
-thread_type slice or a constant quantizer if you want to use multiple cpu
cores
[mjpeg @ 0x7f952b003e00] intra_quant_bias = 96 inter_quant_bias = 0
Output #0, image2, to 'out.jpg':
Metadata:
encoder : Lavf57.25.100
Stream #0:0, 0, 1001/24000: Video: mjpeg, 1 reference frame,
yuvj420p(pc, center), 779x816 [SAR 64:45 DAR 3116:2295], 1001/24000,
q=2-31, 200 kb/s, 23.98 fps, 23.98 tbn, 23.98 tbc
Metadata:
encoder : Lavc57.24.103 mjpeg
Side data:
cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
Stream mapping:
Stream #0:0 -> #0:0 (mpeg1video (native) -> mjpeg (native))
Press [q] to stop, [?] for help
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
[mpeg1video @ 0x7f952b000600] frame_rate_index 0 is invalid
Last message repeated 1 times
[mpeg1video @ 0x7f952b000600] sequence header damaged
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
[mpeg1video @ 0x7f952b000600] frame_rate_index 0 is invalid
[mpeg1video @ 0x7f952b000600] too many threads/slices (9), reducing to 3
[mpeg1video @ 0x7f952b000600] invalid mb type in I Frame at 8 0
[mpeg1video @ 0x7f952b000600] Warning MVs not available
[mpeg1video @ 0x7f952b000600] concealing 147 DC, 147 AC, 147 MV errors in
I frame
cur_dts is invalid (this is harmless if it occurs once at the start per
stream)
Input stream #0:0 frame changed from size:779x816 fmt:yuv420p to
size:771x48 fmt:yuv420p
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'video_size' to
value '771x48'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'pix_fmt' to
value '0'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'time_base' to
value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'pixel_aspect' to
value '64/45'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'sws_param' to
value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'frame_rate' to
value '24000/1001'
[graph 0 input from stream 0:0 @ 0x7f952c000380] w:771 h:48 pixfmt:yuv420p
tb:1/1200000 fr:24000/1001 sar:64/45 sws_param:flags=2
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'w' to value '779'
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'h' to value '816'
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'flags' to value
'bicubic'
[scaler for output stream 0:0 @ 0x7f952c000880] w:779 h:816
flags:'bicubic' interl:0
[format @ 0x7f952a7003e0] compat: called with args=[yuvj420p]
[format @ 0x7f952a7003e0] Setting 'pix_fmts' to value 'yuvj420p'
[AVFilterGraph @ 0x7f952a700000] query_formats: 5 queried, 4 merged, 0
already done, 0 delayed
[swscaler @ 0x7f952d000000] deprecated pixel format used, make sure you
did set range correctly
[scaler for output stream 0:0 @ 0x7f952c000880] w:771 h:48 fmt:yuv420p
sar:64/45 -> w:779 h:816 fmt:yuvj420p sar:279616/11685 flags:0x4
Not duplicating 1 initial frames
Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:157
Abort trap: 6
$
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5244>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
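
The check that fails in the report, and one way to bound a ratio so both terms fit the 16-bit fields, using the values from the lldb output. This is an added example, not FFmpeg code and not the project's fix; `Ratio`, `fits_put_bits`, `limit_ratio` and `sar_fits_16` are hypothetical names, and the continued-fraction reduction is an assumed mitigation.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { int num, den; } Ratio;  /* hypothetical stand-in for AVRational */

/* Same condition as the assertion quoted from put_bits.h:157 in the report. */
static int fits_put_bits(int n, unsigned value)
{
    return n <= 31 && value < (1U << n);
}

/* Last continued-fraction convergent of num/den with both terms <= max.
 * Non-positive input yields 0/1; a value larger than max yields max/1. */
static Ratio limit_ratio(int64_t num, int64_t den, int64_t max)
{
    int64_t p0 = 0, q0 = 1, p1 = 1, q1 = 0;  /* two previous convergents */

    if (num <= 0 || den <= 0)
        return (Ratio){ 0, 1 };
    while (den != 0) {
        int64_t a = num / den, r = num % den;
        int64_t p = a * p1 + p0, q = a * q1 + q0;
        if (p > max || q > max)
            break;                            /* next convergent no longer fits */
        p0 = p1; q0 = q1; p1 = p; q1 = q;
        num = den; den = r;
    }
    if (q1 == 0)
        return (Ratio){ (int)max, 1 };
    return (Ratio){ (int)p1, (int)q1 };
}

/* 1 if both terms pass the 16-bit put_bits check, else 0. */
static int sar_fits_16(Ratio r)
{
    return r.num >= 0 && r.den >= 0 &&
           fits_put_bits(16, (unsigned)r.num) && fits_put_bits(16, (unsigned)r.den);
}

int main(void)
{
    Ratio in  = { 279616, 11685 };            /* value from the report */
    Ratio out = limit_ratio(in.num, in.den, 65535);
    printf("input  %d/%d fits 16 bits: %d\n", in.num, in.den, sar_fits_16(in));
    printf("output %d/%d fits 16 bits: %d\n", out.num, out.den, sar_fits_16(out));
    return 0;
}
```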