[FFmpeg-trac] #6185(undetermined:new): scpr: crash with fuzzed file 3

FFmpeg trac at avcodec.org
Thu Feb 23 20:24:59 EET 2017


#6185: scpr: crash with fuzzed file 3
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i f/sp/sp_24bit_q50_fuzz2.avi -f null -
 ==17052== Memcheck, a memory error detector
 ==17052== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==17052== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
 ==17052== Command: ffmpeg/ffmpeg_g -i f/sp/sp_24bit_q50_fuzz2.avi -f null -
 ==17052==
 ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
   libavutil      55. 47.100 / 55. 47.100
   libavcodec     57. 81.100 / 57. 81.100
   libavformat    57. 66.102 / 57. 66.102
   libavdevice    57.  2.100 / 57.  2.100
   libavfilter     6. 73.100 /  6. 73.100
   libswscale      4.  3.101 /  4.  3.101
   libswresample   2.  4.100 /  2.  4.100
   libpostproc    54.  2.100 / 54.  2.100
 [avi @ 0x4a784a0] too big INFO subchunk
 Input #0, avi, from 'f/sp/sp_24bit_q50_fuzz2.avi':
   Duration: 00:00:04.44, start: 0.000000, bitrate: 392 kb/s
     Stream #0:0: Video: scpr (SCPR / 0x52504353), bgr0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.66.102
     Stream #0:0: Video: wrapped_avframe, bgr0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
     Metadata:
       encoder         : Lavc57.81.100 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 Error while decoding stream #0:0: Invalid data found when processing input
 ==17052== Invalid read of size 4s
 ==17052==    at 0x86AF448: decompress_p (scpr.c:512)
 ==17052==    by 0x86AF448: decode_frame (scpr.c:734)
 ==17052==    by 0x8729A98: avcodec_decode_video2 (utils.c:2263)
 ==17052==    by 0x872AA1C: do_decode (utils.c:2796)
 ==17052==    by 0x872B7EF: avcodec_send_packet (utils.c:2885)
 ==17052==    by 0x80E8446: decode (ffmpeg.c:2052)
 ==17052==    by 0x80E8446: decode_video (ffmpeg.c:2248)
 ==17052==    by 0x80E9805: process_input_packet (ffmpeg.c:2491)
 ==17052==    by 0x80C78D5: process_input (ffmpeg.c:4251)
 ==17052==    by 0x80C78D5: transcode_step (ffmpeg.c:4339)
 ==17052==    by 0x80C78D5: transcode (ffmpeg.c:4393)
 ==17052==    by 0x80C78D5: main (ffmpeg.c:4598)
 ==17052==  Address 0x4b2cba0 is 8 bytes after a block of size 408 free'd
 ==17052==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17052==    by 0x88A2694: wrapped_avframe_release_buffer (wrapped_avframe.c:39)
 ==17052==    by 0x8C1923E: buffer_replace (buffer.c:119)
 ==17052==    by 0x8C1923E: av_buffer_unref (buffer.c:129)
 ==17052==    by 0x83C232E: av_packet_unref (avpacket.c:574)
 ==17052==    by 0x82E77BA: av_interleaved_write_frame (mux.c:1282)
 ==17052==    by 0x80E4435: write_packet.isra.10 (ffmpeg.c:769)
 ==17052==    by 0x80E5031: output_packet (ffmpeg.c:841)
 ==17052==    by 0x80E59CC: do_video_out (ffmpeg.c:1293)
 ==17052==    by 0x80E6EF6: reap_filters (ffmpeg.c:1467)
 ==17052==    by 0x80C78EE: transcode_step (ffmpeg.c:4349)
 ==17052==    by 0x80C78EE: transcode (ffmpeg.c:4393)
 ==17052==    by 0x80C78EE: main (ffmpeg.c:4598)
 ==17052==
     Last message repeated 32 times
 Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
 Error while decoding stream #0:0: Invalid data found when processing input
     Last message repeated 15 times
 Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
 Error while decoding stream #0:0: Invalid data found when processing input
     Last message repeated 25 times
 frame=   24 fps=0.0 q=-0.0 Lsize=N/A time=00:00:03.96 bitrate=N/A speed=8.02x
 video:9kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
 Conversion failed!
 ==17052==
 ==17052== HEAP SUMMARY:
 ==17052==     in use at exit: 0 bytes in 0 blocks
 ==17052==   total heap usage: 1,650 allocs, 1,650 frees, 28,005,497 bytes allocated
 ==17052==
 ==17052== All heap blocks were freed -- no leaks are possible
 ==17052==
 ==17052== For counts of detected and suppressed errors, rerun with: -v
 ==17052== ERROR SUMMARY: 9 errors from 1 contexts (suppressed: 0 from 0)
 }}}

 {{{
 (gdb) r -i f/sp/sp_24bit_q50_fuzz2.avi -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i f/sp/sp_24bit_q50_fuzz2.avi -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
   libavutil      55. 47.100 / 55. 47.100
   libavcodec     57. 81.100 / 57. 81.100
   libavformat    57. 66.102 / 57. 66.102
   libavdevice    57.  2.100 / 57.  2.100
   libavfilter     6. 73.100 /  6. 73.100
   libswscale      4.  3.101 /  4.  3.101
   libswresample   2.  4.100 /  2.  4.100
   libpostproc    54.  2.100 / 54.  2.100
 [avi @ 0x9a27200] too big INFO subchunk
 Input #0, avi, from 'f/sp/sp_24bit_q50_fuzz2.avi':
   Duration: 00:00:04.44, start: 0.000000, bitrate: 392 kb/s
     Stream #0:0: Video: scpr (SCPR / 0x52504353), bgr0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
 [New Thread 0xb68c6b40 (LWP 17110)]
 [New Thread 0xb60c5b40 (LWP 17111)]
 [New Thread 0xb58c4b40 (LWP 17112)]
 [New Thread 0xb50c3b40 (LWP 17113)]
 [New Thread 0xb48c2b40 (LWP 17114)]
 [New Thread 0xb40c1b40 (LWP 17115)]
 [New Thread 0xb38c0b40 (LWP 17116)]
 [New Thread 0xb30bfb40 (LWP 17117)]
 [New Thread 0xb28beb40 (LWP 17118)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.66.102
     Stream #0:0: Video: wrapped_avframe, bgr0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
     Metadata:
       encoder         : Lavc57.81.100 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help
 Error while decoding stream #0:0: Invalid data found when processing input
     Last message repeated 3 times
 Program received signal SIGSEGV, Segmentation fault.
 decompress_p (plinesize=<optimized out>, prev=0xb207f020,
     linesize=<optimized out>, dst=0xb2040020, avctx=0x9a29b80)
     at libavcodec/scpr.c:512
 512                             dst[(by + i + sy1) * linesize + bx + sx1 + j] = prev[(by + mvy + sy1 + i) * plinesize + bx + sx1 + mvx + j];
 (gdb) bt
 #0  decompress_p (plinesize=<optimized out>, prev=0xb207f020,
     linesize=<optimized out>, dst=0xb2040020, avctx=0x9a29b80)
     at libavcodec/scpr.c:512
 #1  decode_frame (avctx=0x9a29b80, data=0x9a2be60, got_frame=0xbfffe82c,
     avpkt=0xbfffe79c) at libavcodec/scpr.c:734
 #2  0x08729a99 in avcodec_decode_video2 (avctx=0x9a29b80, picture=0x9a2be60,
     got_picture_ptr=0xbfffe82c, avpkt=0xbfffe928) at libavcodec/utils.c:2263
 #3  0x0872aa1d in do_decode (avctx=avctx@entry=0x9a29b80,
     pkt=pkt@entry=0xbfffe928) at libavcodec/utils.c:2796
 #4  0x0872b7f0 in avcodec_send_packet (avctx=0x9a29b80, avpkt=<optimized out>)
     at libavcodec/utils.c:2885
 #5  0x080e8447 in decode (pkt=0xbfffe928, got_frame=0xbfffeac4,
     frame=<optimized out>, avctx=0x9a29b80) at ffmpeg.c:2052
 #6  decode_video (ist=ist@entry=0x9a29720, pkt=pkt@entry=0xbfffeb04,
     got_output=got_output@entry=0xbfffeac4, eof=0) at ffmpeg.c:2248
 #7  0x080e9806 in process_input_packet (ist=0x9a29720, pkt=0xbfffed34,
     no_eof=0) at ffmpeg.c:2491
 #8  0x080c78d6 in process_input (file_index=<optimized out>) at ffmpeg.c:4251
 #9  transcode_step () at ffmpeg.c:4339
 #10 transcode () at ffmpeg.c:4393
 #11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
 }}}
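The faulting statement at scpr.c:512 in the gdb output is a motion-compensated block copy whose source index is computed from the motion vector (mvx, mvy) taken from the file, and valgrind reports the read landing past a freed 408-byte block. The following C program is an added example and is not FFmpeg's code or its fix for this ticket: it reuses the same index arithmetic and shows the range check a decoder needs before such a copy. The frame size (4x4), the block geometry, the demo functions and the ERR_INVALIDDATA value are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Placeholder error code (assumption): stands in for the AVERROR value a
 * real decoder would return; the numeric value is not FFmpeg's. */
#define ERR_INVALIDDATA (-1)

/*
 * Motion-compensated block copy using the same index arithmetic as the
 * statement at scpr.c:512 in the gdb output, guarded by a check that both
 * the destination rectangle and the motion-shifted source rectangle lie
 * inside a width x height frame. linesize/plinesize are in pixels
 * (uint32_t elements), as for bgr0.
 * Returns 0 on success, ERR_INVALIDDATA if the copy would leave the frame.
 */
int copy_block_checked(uint32_t *dst, int linesize,
                       const uint32_t *prev, int plinesize,
                       int width, int height,
                       int bx, int by, int sx1, int sy1,
                       int mvx, int mvy, int w, int h)
{
    int dst_x = bx + sx1,    dst_y = by + sy1;
    int src_x = dst_x + mvx, src_y = dst_y + mvy;

    if (w <= 0 || h <= 0 || w > width || h > height)
        return ERR_INVALIDDATA;
    /* Compare x against (width - w) rather than (x + w) against width so a
     * large fuzzed offset cannot overflow the addition. */
    if (dst_x < 0 || dst_y < 0 || dst_x > width - w || dst_y > height - h)
        return ERR_INVALIDDATA;
    if (src_x < 0 || src_y < 0 || src_x > width - w || src_y > height - h)
        return ERR_INVALIDDATA;

    for (int i = 0; i < h; i++)
        for (int j = 0; j < w; j++)
            dst[(by + i + sy1) * linesize + bx + sx1 + j] =
                prev[(by + mvy + sy1 + i) * plinesize + bx + sx1 + mvx + j];
    return 0;
}

/* Constructed 4x4 reference frame: each pixel holds its linear index. */
static void fill_reference(uint32_t *prev)
{
    for (int k = 0; k < 16; k++)
        prev[k] = (uint32_t)k;
}

/* Well-formed vector: a 2x2 block at (0,0) predicted from (1,1).
 * Returns 0 when the copied pixels match the expected reference pixels. */
int demo_valid_vector(void)
{
    uint32_t prev[16], dst[16] = {0};
    fill_reference(prev);
    if (copy_block_checked(dst, 4, prev, 4, 4, 4, 0, 0, 0, 0, 1, 1, 2, 2) != 0)
        return -1;
    return (dst[0] == 5 && dst[1] == 6 && dst[4] == 9 && dst[5] == 10) ? 0 : -2;
}

/* Fuzzed vector that would read past the right edge of the reference frame
 * (source x = 2 + 3 = 5 in a 4-pixel-wide frame). Returns the error code. */
int demo_fuzzed_vector(void)
{
    uint32_t prev[16], dst[16] = {0};
    fill_reference(prev);
    return copy_block_checked(dst, 4, prev, 4, 4, 4, 2, 2, 0, 0, 3, 0, 2, 2);
}

/* Negative vector that would read before the start of the reference buffer. */
int demo_negative_vector(void)
{
    uint32_t prev[16], dst[16] = {0};
    fill_reference(prev);
    return copy_block_checked(dst, 4, prev, 4, 4, 4, 0, 0, 0, 0, 0, -1, 2, 2);
}

int main(void)
{
    printf("valid vector: %d\n", demo_valid_vector());
    printf("fuzzed vector: %d\n", demo_fuzzed_vector());
    printf("negative vector: %d\n", demo_negative_vector());
    return 0;
}
```

The check is placed on the whole rectangle before the loop rather than on each pixel inside it, so a rejected block costs nothing per pixel and the loop body stays identical to the original statement; valgrind's "Invalid read" here is exactly the case the source-rectangle test turns into a clean decode error.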

--
Ticket URL: <https://trac.ffmpeg.org/ticket/6185>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker