[FFmpeg-trac] #5208(undetermined:new): cfhd: crash with fuzzed file
FFmpeg
trac at avcodec.org
Sun Jan 31 15:13:21 CET 2016
#5208: cfhd: crash with fuzzed file
-------------------------------------+-------------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: new
Priority: normal | Component: undetermined
Version: unspecified | Keywords:
Blocked By: | Blocking:
Reproduced by developer: 0 | Analyzed by developer: 0
-------------------------------------+-------------------------------------
http://www.datafilehost.com/d/1a7e163c
{{{
ffmpeg version 2.8.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04)
configuration: --disable-ffprobe --disable-ffplay --disable-ffserver --enable-gpl
libavutil 55. 16.101 / 55. 16.101
libavcodec 57. 24.100 / 57. 24.100
libavformat 57. 23.101 / 57. 23.101
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 27.100 / 6. 27.100
libswscale 4. 0.100 / 4. 0.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...
Use -h to get full help or, even better, run 'man ffmpeg'
}}}
{{{
[cfhd @ 0x4403c20] ==13833== Thread 9:
==13833== Invalid write of size 2
==13833== at 0x837DD95: filter (cfhd.c:91)
==13833== by 0x837DD95: horiz_filter_clip (cfhd.c:130)
==13833== by 0x837DD95: cfhd_decode (cfhd.c:708)
==13833== by 0x8666551: frame_worker_thread (pthread_frame.c:147)
==13833== by 0x409BF6F: start_thread (pthread_create.c:312)
==13833== by 0x419CBED: clone (clone.S:129)
==13833== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==13833==
==13833==
==13833== Process terminating with default action of signal 11 (SIGSEGV)
==13833== Access not within mapped region at address 0x0
==13833== at 0x837DD95: filter (cfhd.c:91)
==13833== by 0x837DD95: horiz_filter_clip (cfhd.c:130)
==13833== by 0x837DD95: cfhd_decode (cfhd.c:708)
==13833== by 0x8666551: frame_worker_thread (pthread_frame.c:147)
==13833== by 0x409BF6F: start_thread (pthread_create.c:312)
==13833== by 0x419CBED: clone (clone.S:129)
==13833== If you believe this happened as a result of a stack
==13833== overflow in your program's main thread (unlikely but
==13833== possible), you can try to increase the size of the
==13833== main thread stack using the --main-stacksize= flag.
==13833== The main thread stack size used in this run was 8388608.
==13833==
==13833== HEAP SUMMARY:
==13833== in use at exit: 5,840,129 bytes in 240 blocks
==13833== total heap usage: 4,307 allocs, 4,067 frees, 25,357,183 bytes allocated
==13833==
==13833== Thread 1:
==13833== 680 bytes in 5 blocks are possibly lost in loss record 103 of 126
==13833== at 0x402C109: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13833== by 0x401117E: allocate_dtv (dl-tls.c:296)
==13833== by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
==13833== by 0x409C7A2: allocate_stack (allocatestack.c:589)
==13833== by 0x409C7A2: pthread_create@@GLIBC_2.1 (pthread_create.c:500)
==13833== by 0x810BCA9: thread_init_internal (pthread.c:180)
==13833== by 0x810BCA9: ff_graph_thread_init (pthread.c:211)
==13833== by 0x80FEEA7: avfilter_graph_alloc_filter (avfiltergraph.c:182)
==13833== by 0x8109F35: create_filter (graphparser.c:114)
==13833== by 0x8109F35: parse_filter (graphparser.c:176)
==13833== by 0x810A99C: avfilter_graph_parse2 (graphparser.c:411)
==13833== by 0x80D495E: configure_filtergraph (ffmpeg_filter.c:1002)
==13833== by 0x80DDCFA: transcode_init (ffmpeg.c:3042)
==13833== by 0x80E1EED: transcode (ffmpeg.c:4099)
==13833== by 0x80C0144: main (ffmpeg.c:4319)
==13833==
==13833== 680 bytes in 5 blocks are possibly lost in loss record 104 of 126
==13833== at 0x402C109: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13833== by 0x401117E: allocate_dtv (dl-tls.c:296)
==13833== by 0x40118EB: _dl_allocate_tls (dl-tls.c:460)
==13833== by 0x409C7A2: allocate_stack (allocatestack.c:589)
==13833== by 0x409C7A2: pthread_create@@GLIBC_2.1 (pthread_create.c:500)
==13833== by 0x8667683: ff_frame_thread_init (pthread_frame.c:706)
==13833== by 0x87209DE: avcodec_open2 (utils.c:1330)
==13833== by 0x80DC6F4: init_input_stream (ffmpeg.c:2548)
==13833== by 0x80DC6F4: transcode_init (ffmpeg.c:3206)
==13833== by 0x80E1EED: transcode (ffmpeg.c:4099)
==13833== by 0x80C0144: main (ffmpeg.c:4319)
==13833==
==13833== LEAK SUMMARY:
==13833== definitely lost: 0 bytes in 0 blocks
==13833== indirectly lost: 0 bytes in 0 blocks
==13833== possibly lost: 1,360 bytes in 10 blocks
==13833== still reachable: 5,838,769 bytes in 230 blocks
==13833== suppressed: 0 bytes in 0 blocks
==13833== Reachable blocks (those to which a pointer was found) are not shown.
==13833== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==13833==
==13833== For counts of detected and suppressed errors, rerun with: -v
==13833== Use --track-origins=yes to see where uninitialised values come from
==13833== ERROR SUMMARY: 77084 errors from 9 contexts (suppressed: 0 from 0)
Killed
}}}
{{{
(gdb) r -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -loglevel -1 -i cfhd_q_filmscan2_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb7daeb40 (LWP 13873)]
[New Thread 0xb75adb40 (LWP 13874)]
[New Thread 0xb6dacb40 (LWP 13875)]
[New Thread 0xb65abb40 (LWP 13876)]
[New Thread 0xb5daab40 (LWP 13877)]
[New Thread 0xb55a9b40 (LWP 13878)]
[New Thread 0xb4da8b40 (LWP 13879)]
[New Thread 0xb45a7b40 (LWP 13880)]
[New Thread 0xb3da6b40 (LWP 13881)]
[New Thread 0xb35a5b40 (LWP 13882)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb45a7b40 (LWP 13880)]
filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160, high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
91          output[(2*i+0)*out_stride] = (tmp + high[0*high_stride]) >> 1;
(gdb) bt
#0 filter (out_stride=1, low_stride=1, high_stride=1, clip=10 '\n', len=160, high=0xb2b388a0, low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:91
#1 horiz_filter_clip (clip=<optimized out>, width=160, high=0xb2b388a0,
low=0xb2b25ca0, output=0x0) at libavcodec/cfhd.c:130
#2 cfhd_decode (avctx=0x965edc0, data=0x965f1c0, got_frame=0x965e178,
avpkt=0x965e130) at libavcodec/cfhd.c:708
#3 0x08666552 in frame_worker_thread (arg=0x965e060)
at libavcodec/pthread_frame.c:147
#4 0xb7f65f70 in start_thread (arg=0xb45a7b40) at pthread_create.c:312
#5 0xb7e9bbee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
(gdb)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5208>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker