[FFmpeg-trac] #5208(undetermined:new): cfhd: crash with fuzzed file

FFmpeg trac at avcodec.org
Sun Jan 31 15:13:21 CET 2016


#5208: cfhd: crash with fuzzed file
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 http://www.datafilehost.com/d/1a7e163c

 {{{
 ffmpeg version 2.8.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04)
   configuration: --disable-ffprobe --disable-ffplay --disable-ffserver
 --enable-gpl
   libavutil      55. 16.101 / 55. 16.101
   libavcodec     57. 24.100 / 57. 24.100
   libavformat    57. 23.101 / 57. 23.101
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 27.100 /  6. 27.100
   libswscale      4.  0.100 /  4.  0.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 Hyper fast Audio and Video encoder
 usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options]
 outfile}...

 Use -h to get full help or, even better, run 'man ffmpeg'
 }}}


 {{{
 [cfhd @ 0x4403c20] ==13833== Thread 9:
 ==13833== Invalid write of size 2
 ==13833==    at 0x837DD95: filter (cfhd.c:91)
 ==13833==    by 0x837DD95: horiz_filter_clip (cfhd.c:130)
 ==13833==    by 0x837DD95: cfhd_decode (cfhd.c:708)
 ==13833==    by 0x8666551: frame_worker_thread (pthread_frame.c:147)
 ==13833==    by 0x409BF6F: start_thread (pthread_create.c:312)
 ==13833==    by 0x419CBED: clone (clone.S:129)
 ==13833==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 ==13833==
 ==13833==
 ==13833== Process terminating with default action of signal 11 (SIGSEGV)
 ==13833==  Access not within mapped region at address 0x0
 ==13833==    at 0x837DD95: filter (cfhd.c:91)
 ==13833==    by 0x837DD95: horiz_filter_clip (cfhd.c:130)
 ==13833==    by 0x837DD95: cfhd_decode (cfhd.c:708)
 ==13833==    by 0x8666551: frame_worker_thread (pthread_frame.c:147)
 ==13833==    by 0x409BF6F: start_thread (pthread_create.c:312)
 ==13833==    by 0x419CBED: clone (clone.S:129)
 ==13833==  If you believe this happened as a result of a stack
 ==13833==  overflow in your program's main thread (unlikely but
 ==13833==  possible), you can try to increase the size of the
 ==13833==  main thread stack using the --main-stacksize= flag.
 ==13833==  The main thread stack size used in this run was 8388608.
 ==13833==
 ==13833== HEAP SUMMARY:
 ==13833==     in use at exit: 5,840,129 bytes in 240 blocks
 ==13833==   total heap usage: 4,307 allocs, 4,067 frees, 25,357,183 bytes
 allocated
 ==13833==
 ==13833== Thread 1:
 ==13833== 680 bytes in 5 blocks are possibly lost in loss record 103 of
 126
 ==13833==    at 0x402C109: calloc (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==13833==    by 0x401117E: allocate_dtv (dl-tls.c:296)
 ==13833==    by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
 ==13833==    by 0x409C7A2: allocate_stack (allocatestack.c:589)
 ==13833==    by 0x409C7A2: pthread_create@@GLIBC_2.1
 (pthread_create.c:500)
 ==13833==    by 0x810BCA9: thread_init_internal (pthread.c:180)
 ==13833==    by 0x810BCA9: ff_graph_thread_init (pthread.c:211)
 ==13833==    by 0x80FEEA7: avfilter_graph_alloc_filter
 (avfiltergraph.c:182)
 ==13833==    by 0x8109F35: create_filter (graphparser.c:114)
 ==13833==    by 0x8109F35: parse_filter (graphparser.c:176)
 ==13833==    by 0x810A99C: avfilter_graph_parse2 (graphparser.c:411)
 ==13833==    by 0x80D495E: configure_filtergraph (ffmpeg_filter.c:1002)
 ==13833==    by 0x80DDCFA: transcode_init (ffmpeg.c:3042)
 ==13833==    by 0x80E1EED: transcode (ffmpeg.c:4099)
 ==13833==    by 0x80C0144: main (ffmpeg.c:4319)
 ==13833==
 ==13833== 680 bytes in 5 blocks are possibly lost in loss record 104 of
 126
 ==13833==    at 0x402C109: calloc (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==13833==    by 0x401117E: allocate_dtv (dl-tls.c:296)
 ==13833==    by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
 ==13833==    by 0x409C7A2: allocate_stack (allocatestack.c:589)
 ==13833==    by 0x409C7A2: pthread_create@@GLIBC_2.1
 (pthread_create.c:500)
 ==13833==    by 0x8667683: ff_frame_thread_init (pthread_frame.c:706)
 ==13833==    by 0x87209DE: avcodec_open2 (utils.c:1330)
 ==13833==    by 0x80DC6F4: init_input_stream (ffmpeg.c:2548)
 ==13833==    by 0x80DC6F4: transcode_init (ffmpeg.c:3206)
 ==13833==    by 0x80E1EED: transcode (ffmpeg.c:4099)
 ==13833==    by 0x80C0144: main (ffmpeg.c:4319)
 ==13833==
 ==13833== LEAK SUMMARY:
 ==13833==    definitely lost: 0 bytes in 0 blocks
 ==13833==    indirectly lost: 0 bytes in 0 blocks
 ==13833==      possibly lost: 1,360 bytes in 10 blocks
 ==13833==    still reachable: 5,838,769 bytes in 230 blocks
 ==13833==         suppressed: 0 bytes in 0 blocks
 ==13833== Reachable blocks (those to which a pointer was found) are not
 shown.
 ==13833== To see them, rerun with: --leak-check=full --show-leak-kinds=all
 ==13833==
 ==13833== For counts of detected and suppressed errors, rerun with: -v
 ==13833== Use --track-origins=yes to see where uninitialised values come
 from
 ==13833== ERROR SUMMARY: 77084 errors from 9 contexts (suppressed: 0 from
 0)
 Killed
 }}}

 {{{
 (gdb) r -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -loglevel -1 -i
 cfhd_q_filmscan2_fuzz.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 [New Thread 0xb7daeb40 (LWP 13873)]
 [New Thread 0xb75adb40 (LWP 13874)]
 [New Thread 0xb6dacb40 (LWP 13875)]
 [New Thread 0xb65abb40 (LWP 13876)]
 [New Thread 0xb5daab40 (LWP 13877)]
 [New Thread 0xb55a9b40 (LWP 13878)]
 [New Thread 0xb4da8b40 (LWP 13879)]
 [New Thread 0xb45a7b40 (LWP 13880)]
 [New Thread 0xb3da6b40 (LWP 13881)]
 [New Thread 0xb35a5b40 (LWP 13882)]

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0xb45a7b40 (LWP 13880)]
 filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160,
     high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
 91                  output[(2*i+0)*out_stride] = (tmp +
 high[0*high_stride]) >> 1;
 (gdb) bt
 #0  filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n',
 len=160,
     high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
 #1  horiz_filter_clip (clip=<optimized out>, width=160, high=0xb2b388a0,
     low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:130
 #2  cfhd_decode (avctx=0x965edc0, data=0x965f1c0, got_frame=0x965e178,
     avpkt=0x965e130) at libavcodec/cfhd.c:708
 #3  0x08666552 in frame_worker_thread (arg=0x965e060)
     at libavcodec/pthread_frame.c:147
 #4  0xb7f65f70 in start_thread (arg=0xb45a7b40) at pthread_create.c:312
 #5  0xb7e9bbee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5208>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker