[FFmpeg-trac] #5557(undetermined:new): IFF ANIM: crash with fuzzed ANIM-J

FFmpeg trac at avcodec.org
Sat May 14 17:07:46 CEST 2016


#5557: IFF ANIM: crash with fuzzed ANIM-J
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:  undetermined
              Version:  unspecified  |
             Keywords:               |               Resolution:
             Blocking:               |               Blocked By:
Analyzed by developer:  0            |  Reproduced by developer:  0
-------------------------------------+-------------------------------------

Comment (by ami_stuff):

 With the attached file I get this; it's of course still possible that
 something is wrong only on my side:

 {{{
 aaa at aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full
 ffmpeg/ffmpeg_g -i '/media/sdb1/f/old_animj_5bpp_2_fuzz.anim'  -f null -
 ==2340== Memcheck, a memory error detector
 ==2340== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==2340== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright
 info
 ==2340== Command: ffmpeg/ffmpeg_g -i
 /media/sdb1/f/old_animj_5bpp_2_fuzz.anim -f null -
 ==2340==
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --enable-debug --disable-ffprobe --disable-ffserver
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 41.102 / 57. 41.102
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
 Input #0, iff, from '/media/sdb1/f/old_animj_5bpp_2_fuzz.anim':
   Duration: N/A, bitrate: N/A
     Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), pal8, 160x100, SAR
 6:7 DAR 48:35, 10 fps, 60 tbr, 60 tbn
 [null @ 0x43145e0] Using AVStream.codec to pass codec parameters to muxers
 is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, pal8, 160x100 [SAR 6:7 DAR
 48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
     Metadata:
       encoder         : Lavc57.41.102 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 ==2340== Invalid write of size 1
 ==2340==    at 0x854F276: bytestream_get_byte (bytestream.h:95)
 ==2340==    by 0x854F276: bytestream2_get_byteu (bytestream.h:95)
 ==2340==    by 0x854F276: bytestream2_get_byte (bytestream.h:95)
 ==2340==    by 0x854F276: decode_delta_j (iff.c:864)
 ==2340==    by 0x854F276: decode_frame (iff.c:1538)
 ==2340==    by 0x87171AD: avcodec_decode_video2 (utils.c:2217)
 ==2340==    by 0x80D95C0: decode_video (ffmpeg.c:2087)
 ==2340==    by 0x80DBFBF: process_input_packet (ffmpeg.c:2340)
 ==2340==    by 0x80BB595: process_input (ffmpeg.c:4014)
 ==2340==    by 0x80BB595: transcode_step (ffmpeg.c:4102)
 ==2340==    by 0x80BB595: transcode (ffmpeg.c:4156)
 ==2340==    by 0x80BB595: main (ffmpeg.c:4349)
 ==2340==  Address 0x4371cd6 is 10 bytes before a block of size 80,000
 alloc'd
 ==2340==    at 0x402C580: memalign (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2340==    by 0x402C6AE: posix_memalign (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2340==    by 0x8B6F89F: av_malloc (mem.c:97)
 ==2340==    by 0x8B6F89F: av_mallocz (mem.c:254)
 ==2340==    by 0x8B6F89F: av_calloc (mem.c:264)
 ==2340==    by 0x8071E6F: decode_init (iff.c:420)
 ==2340==    by 0x871CBA8: avcodec_open2 (utils.c:1564)
 ==2340==    by 0x80D3A78: init_input_stream (ffmpeg.c:2566)
 ==2340==    by 0x80D3A78: transcode_init (ffmpeg.c:3227)
 ==2340==    by 0x80BA46F: transcode (ffmpeg.c:4127)
 ==2340==    by 0x80BA46F: main (ffmpeg.c:4349)
 ==2340==
 frame=   50 fps=0.0 q=-0.0 Lsize=N/A time=00:00:04.98 bitrate=N/A
 speed=20.5x
 video:18kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB
 muxing overhead: unknown
 ==2340==
 ==2340== HEAP SUMMARY:
 ==2340==     in use at exit: 24 bytes in 1 blocks
 ==2340==   total heap usage: 2,144 allocs, 2,143 frees, 848,735 bytes
 allocated
 ==2340==
 ==2340== LEAK SUMMARY:
 ==2340==    definitely lost: 0 bytes in 0 blocks
 ==2340==    indirectly lost: 0 bytes in 0 blocks
 ==2340==      possibly lost: 0 bytes in 0 blocks
 ==2340==    still reachable: 24 bytes in 1 blocks
 ==2340==         suppressed: 0 bytes in 0 blocks
 ==2340== Reachable blocks (those to which a pointer was found) are not
 shown.
 ==2340== To see them, rerun with: --leak-check=full --show-leak-kinds=all
 ==2340==
 ==2340== For counts of detected and suppressed errors, rerun with: -v
 ==2340== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
 }}}

 {{{
 (gdb) r -i '/media/sdb1/f/old_animj_5bpp_2_fuzz.anim'  -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i
 '/media/sdb1/f/old_animj_5bpp_2_fuzz.anim'  -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --enable-debug --disable-ffprobe --disable-ffserver
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 41.102 / 57. 41.102
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
 Input #0, iff, from '/media/sdb1/f/old_animj_5bpp_2_fuzz.anim':
   Duration: N/A, bitrate: N/A
     Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), pal8, 160x100, SAR
 6:7 DAR 48:35, 10 fps, 60 tbr, 60 tbn
 [null @ 0x98042a0] Using AVStream.codec to pass codec parameters to muxers
 is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, pal8, 160x100 [SAR 6:7 DAR
 48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
     Metadata:
       encoder         : Lavc57.41.102 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 *** Error in `/media/sdb1/ffmpeg/ffmpeg_g': corrupted double-linked list:
 0x09842e88 ***

 Program received signal SIGABRT, Aborted.
 0xb7fdccb0 in ?? ()
 (gdb) bt
 #0  0xb7fdccb0 in ?? ()
 #1  0xb7dd233a in malloc_printerr (action=<optimized out>,
     str=0xb7ec09b3 "corrupted double-linked list", ptr=0x9842e88)
     at malloc.c:4996
 #2  0xb7dd31d7 in _int_free (av=0xb7f09420 <main_arena>, p=<optimized
 out>,
     have_lock=0) at malloc.c:3996
 #3  0x082ef5c2 in read_from_packet_buffer (pkt=<optimized out>,
     pkt_buffer_end=<optimized out>, pkt_buffer=<optimized out>)
     at libavformat/utils.c:1436
 #4  av_read_frame (s=<optimized out>, pkt=0xbfffed34)
     at libavformat/utils.c:1688
 #5  0x080d059f in get_input_packet (f=f at entry=0x9803880,
     pkt=pkt at entry=0xbfffed34) at ffmpeg.c:3672
 #6  0x080bab97 in process_input (file_index=0) at ffmpeg.c:3792
 #7  transcode_step () at ffmpeg.c:4102
 #8  transcode () at ffmpeg.c:4156
 #9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4349
 (gdb)
 }}}

 {{{
 aaa at aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full
 ffmpeg/ffmpeg_g -i '/media/sdb1/f/old_animj_ham6_fuzz.anim' -f null -
 ==2351== Memcheck, a memory error detector
 ==2351== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==2351== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright
 info
 ==2351== Command: ffmpeg/ffmpeg_g -i
 /media/sdb1/f/old_animj_ham6_fuzz.anim -f null -
 ==2351==
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --enable-debug --disable-ffprobe --disable-ffserver
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 41.102 / 57. 41.102
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
 Input #0, iff, from '/media/sdb1/f/old_animj_ham6_fuzz.anim':
   Duration: N/A, bitrate: N/A
     Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), rgb0, 160x100, SAR
 6:7 DAR 48:35, 30 fps, 60 tbr, 60 tbn
 [null @ 0x43aafa0] Using AVStream.codec to pass codec parameters to muxers
 is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, rgb0, 160x100 [SAR 6:7 DAR
 48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
     Metadata:
       encoder         : Lavc57.41.102 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 ==2351== Invalid write of size 1
 ==2351==    at 0x854E6C2: bytestream_get_byte (bytestream.h:95)
 ==2351==    by 0x854E6C2: bytestream2_get_byteu (bytestream.h:95)
 ==2351==    by 0x854E6C2: bytestream2_get_byte (bytestream.h:95)
 ==2351==    by 0x854E6C2: decode_delta_j (iff.c:901)
 ==2351==    by 0x854E6C2: decode_frame (iff.c:1538)
 ==2351==    by 0x87171AD: avcodec_decode_video2 (utils.c:2217)
 ==2351==    by 0x80D95C0: decode_video (ffmpeg.c:2087)
 ==2351==    by 0x80DBFBF: process_input_packet (ffmpeg.c:2340)
 ==2351==    by 0x80BB595: process_input (ffmpeg.c:4014)
 ==2351==    by 0x80BB595: transcode_step (ffmpeg.c:4102)
 ==2351==    by 0x80BB595: transcode (ffmpeg.c:4156)
 ==2351==    by 0x80BB595: main (ffmpeg.c:4349)
 ==2351==  Address 0x4452a18 is 8 bytes before a block of size 384,000
 alloc'd
 ==2351==    at 0x402C580: memalign (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2351==    by 0x402C6AE: posix_memalign (in
 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==2351==    by 0x8B6F89F: av_malloc (mem.c:97)
 ==2351==    by 0x8B6F89F: av_mallocz (mem.c:254)
 ==2351==    by 0x8B6F89F: av_calloc (mem.c:264)
 ==2351==    by 0x8071E6F: decode_init (iff.c:420)
 ==2351==    by 0x871CBA8: avcodec_open2 (utils.c:1564)
 ==2351==    by 0x80D3A78: init_input_stream (ffmpeg.c:2566)
 ==2351==    by 0x80D3A78: transcode_init (ffmpeg.c:3227)
 ==2351==    by 0x80BA46F: transcode (ffmpeg.c:4127)
 ==2351==    by 0x80BA46F: main (ffmpeg.c:4349)
 ==2351==
 frame=   18 fps=0.0 q=-0.0 Lsize=N/A time=00:00:00.71 bitrate=N/A
 speed=3.03x
 video:7kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB
 muxing overhead: unknown
 ==2351==
 ==2351== HEAP SUMMARY:
 ==2351==     in use at exit: 24 bytes in 1 blocks
 ==2351==   total heap usage: 1,368 allocs, 1,367 frees, 2,138,933 bytes
 allocated
 ==2351==
 ==2351== LEAK SUMMARY:
 ==2351==    definitely lost: 0 bytes in 0 blocks
 ==2351==    indirectly lost: 0 bytes in 0 blocks
 ==2351==      possibly lost: 0 bytes in 0 blocks
 ==2351==    still reachable: 24 bytes in 1 blocks
 ==2351==         suppressed: 0 bytes in 0 blocks
 ==2351== Reachable blocks (those to which a pointer was found) are not
 shown.
 ==2351== To see them, rerun with: --leak-check=full --show-leak-kinds=all
 ==2351==
 ==2351== For counts of detected and suppressed errors, rerun with: -v
 ==2351== ERROR SUMMARY: 32 errors from 1 contexts (suppressed: 0 from 0)
 }}}

 {{{
 (gdb) r -i '/media/sdb1/f/old_animj_ham6_fuzz.anim'  -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i
 '/media/sdb1/f/old_animj_ham6_fuzz.anim'  -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --enable-debug --disable-ffprobe --disable-ffserver
   libavutil      55. 24.100 / 55. 24.100
   libavcodec     57. 41.102 / 57. 41.102
   libavformat    57. 36.100 / 57. 36.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 45.100 /  6. 45.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
 Input #0, iff, from '/media/sdb1/f/old_animj_ham6_fuzz.anim':
   Duration: N/A, bitrate: N/A
     Stream #0:0: Video: iff_ilbm (ANIM / 0x4D494E41), rgb0, 160x100, SAR
 6:7 DAR 48:35, 30 fps, 60 tbr, 60 tbn
 [null @ 0x9803460] Using AVStream.codec to pass codec parameters to muxers
 is deprecated, use AVStream.codecpar instead.
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.36.100
     Stream #0:0: Video: wrapped_avframe, rgb0, 160x100 [SAR 6:7 DAR
 48:35], q=2-31, 200 kb/s, 60 fps, 60 tbn
     Metadata:
       encoder         : Lavc57.41.102 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (iff_ilbm (iff) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 frame=   18 fps=0.0 q=-0.0 Lsize=N/A time=00:00:00.71 bitrate=N/A
 speed=7.17e+05x
 video:7kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB
 muxing overhead: unknown
 *** Error in `/media/sdb1/ffmpeg/ffmpeg_g': munmap_chunk(): invalid
 pointer: 0x09881e40 ***

 Program received signal SIGABRT, Aborted.
 0xb7fdccb0 in ?? ()
 (gdb) bt
 #0  0xb7fdccb0 in ?? ()
 #1  0xb7dd233a in malloc_printerr (action=<optimized out>,
     str=0xb7ec4f00 "munmap_chunk(): invalid pointer", ptr=0x9881e40)
     at malloc.c:4996
 #2  0xb7dd2408 in munmap_chunk (p=<optimized out>) at malloc.c:2816
 #3  0x08071ce6 in decode_end (avctx=0x9803080) at libavcodec/iff.c:368
 #4  0x08089176 in avcodec_close (avctx=0x9803080) at
 libavcodec/utils.c:2967
 #5  0x080bbd01 in transcode () at ffmpeg.c:4214
 #6  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4349
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5557#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
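Reading the traces above together: both valgrind runs flag a one-byte write in decode_delta_j landing a few bytes *before* the frame buffer that decode_init allocated (10 bytes before the 80,000-byte block, 8 bytes before the 384,000-byte block), i.e. a destination offset derived from the fuzzed stream went negative while the bytestream2 reads themselves stayed in range. The later glibc aborts in the plain gdb runs ("corrupted double-linked list" in av_read_frame's free path, "munmap_chunk(): invalid pointer" in decode_end) are what such an underflow into the allocator's chunk metadata looks like once the heap is next touched, which is why the crash site differs from the bug site. The following C program is an added illustration of that failure shape and of the check that prevents it; it is not FFmpeg's iff.c, and the op layout (big-endian int16 offset, uint8 run length, run bytes), the function names and the sample streams are all hypothetical, constructed for this example. It uses a redzoned arena so the unchecked decoder's out-of-bounds writes stay inside one C object and can be counted instead of corrupting a real heap.

```c
/* Added example, not FFmpeg code: a toy delta decoder showing the underflow
 * pattern from the valgrind traces (offset from the input applied to a
 * fixed-size frame without a bounds check) next to a hardened version.
 * Op format, names and sample inputs are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_W  160
#define FRAME_H  100
#define FRAME_SZ (FRAME_W * FRAME_H)  /* 16,000 bytes: one 8-bit plane of a 160x100 frame */
#define GUARD    64                   /* redzone bytes on each side of the frame (demo only) */

typedef struct { const uint8_t *p, *end; } bstream;

/* bytestream2-style reads: running off the end yields 0 rather than faulting,
 * so the *reads* are always safe. That says nothing about the writes. */
static uint8_t get_u8(bstream *s)   { return s->p < s->end ? *s->p++ : 0; }
static int16_t get_be16(bstream *s) { uint16_t v = (uint16_t)get_u8(s) << 8; v |= get_u8(s); return (int16_t)v; }

/* Vulnerable pattern: op = { int16 offset, uint8 count, count bytes }. The
 * destination pointer is formed from an attacker-controlled offset and never
 * compared against the frame size, so a negative offset writes before the
 * buffer (the "Invalid write of size 1 ... N bytes before a block" in the report). */
static void delta_apply_unchecked(uint8_t *dst, bstream *s)
{
    while (s->p < s->end) {
        int16_t off = get_be16(s);
        uint8_t n   = get_u8(s);
        uint8_t *d  = dst + off;      /* off < 0 lands in front of the block */
        while (n--)
            *d++ = get_u8(s);
    }
}

/* Hardened: validate the whole run against [0, dst_size) and against the
 * remaining input before the first byte is written; reject otherwise. */
static int delta_apply_checked(uint8_t *dst, size_t dst_size, bstream *s)
{
    while (s->p < s->end) {
        int16_t off = get_be16(s);
        uint8_t n   = get_u8(s);
        if (off < 0 || (size_t)off > dst_size || (size_t)n > dst_size - (size_t)off)
            return -1;                /* destination out of range (cf. AVERROR_INVALIDDATA) */
        if ((size_t)(s->end - s->p) < (size_t)n)
            return -1;                /* truncated run */
        memcpy(dst + off, s->p, n);
        s->p += n;
    }
    return 0;
}

/* Constructed inputs. fuzzed_ops: offset -10, 10 bytes -> the 10 bytes just
 * before the frame, mirroring the first trace's "10 bytes before a block". */
static const uint8_t fuzzed_ops[] = { 0xFF, 0xF6, 10, 'A','A','A','A','A','A','A','A','A','A' };
/* valid_ops: offset 5, 3 bytes -> frame[5..7] = 1,2,3 */
static const uint8_t valid_ops[]  = { 0x00, 0x05, 3, 1, 2, 3 };

/* Run the unchecked decoder over a redzoned arena and report how many redzone
 * bytes it dirtied; 0 means the frame bounds were respected. */
static int run_unchecked_count_redzone(const uint8_t *ops, size_t len)
{
    static uint8_t arena[GUARD + FRAME_SZ + GUARD];
    memset(arena, 0, sizeof arena);
    bstream s = { ops, ops + len };
    delta_apply_unchecked(arena + GUARD, &s);   /* inputs keep writes inside arena */
    int dirty = 0;
    for (size_t i = 0; i < GUARD; i++)
        dirty += arena[i] != 0;
    for (size_t i = GUARD + FRAME_SZ; i < sizeof arena; i++)
        dirty += arena[i] != 0;
    return dirty;
}

/* Run the checked decoder into a clean frame; copy the frame out if requested. */
static int run_checked(const uint8_t *ops, size_t len, uint8_t *out_frame)
{
    static uint8_t frame[FRAME_SZ];
    memset(frame, 0, sizeof frame);
    bstream s = { ops, ops + len };
    int ret = delta_apply_checked(frame, FRAME_SZ, &s);
    if (out_frame)
        memcpy(out_frame, frame, FRAME_SZ);
    return ret;
}

int main(void)
{
    printf("unchecked, fuzzed input: %d redzone bytes written\n",
           run_unchecked_count_redzone(fuzzed_ops, sizeof fuzzed_ops));
    printf("unchecked, valid input:  %d redzone bytes written\n",
           run_unchecked_count_redzone(valid_ops, sizeof valid_ops));
    printf("checked,   fuzzed input: ret=%d\n", run_checked(fuzzed_ops, sizeof fuzzed_ops, NULL));
    printf("checked,   valid input:  ret=%d\n", run_checked(valid_ops, sizeof valid_ops, NULL));
    return 0;
}
```

The redzone counter plays the role valgrind's memcheck plays in the report: it makes an underflow visible at the write instead of at the next free(). The practical check for a decoder like this is the one in delta_apply_checked: bound the destination offset and run length against the allocated frame size before writing, separately from bounding the input reads, because a safe reader (bytestream2 returning 0 past the end) does not make the writer safe.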