[FFmpeg-trac] #6183(undetermined:closed): scpr: crash with fuzzed file

FFmpeg trac at avcodec.org
Thu Feb 23 20:27:49 EET 2017


#6183: scpr: crash with fuzzed file
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |                    Owner:
                 Type:  defect       |                   Status:  closed
             Priority:  normal       |                Component:  undetermined
              Version:  unspecified  |
             Keywords:               |               Resolution:  duplicate
             Blocking:               |               Blocked By:
Analyzed by developer:  0            |  Reproduced by developer:  0
-------------------------------------+-------------------------------------

Comment (by ami_stuff):

 Are you sure that this is fixed? See new attached fuzzed file.

 {{{
 (gdb) r -i sp_16bit_q50_fuzz2.avi -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i sp_16bit_q50_fuzz2.avi -f
 null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --disable-ffplay
 --enable-gpl
   libavutil      55. 47.100 / 55. 47.100
   libavcodec     57. 81.100 / 57. 81.100
   libavformat    57. 66.102 / 57. 66.102
   libavdevice    57.  2.100 / 57.  2.100
   libavfilter     6. 73.100 /  6. 73.100
   libswscale      4.  3.101 /  4.  3.101
   libswresample   2.  4.100 /  2.  4.100
   libpostproc    54.  2.100 / 54.  2.100
 Input #0, avi, from 'sp_16bit_q50_fuzz2.avi':
   Metadata:
     encoder         : Lavf57.36.10
   Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
     Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps,
 25 tbr, 25 tbn, 25 tbc
 [New Thread 0xb68c6b40 (LWP 4049)]
 [New Thread 0xb60c5b40 (LWP 4050)]
 [New Thread 0xb58c4b40 (LWP 4051)]
 [New Thread 0xb50c3b40 (LWP 4052)]
 [New Thread 0xb48c2b40 (LWP 4053)]
 [New Thread 0xb40c1b40 (LWP 4054)]
 [New Thread 0xb38c0b40 (LWP 4055)]
 [New Thread 0xb30bfb40 (LWP 4056)]
 [New Thread 0xb28beb40 (LWP 4057)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.66.102
     Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s,
 25 fps, 25 tbn, 25 tbc
     Metadata:
       encoder         : Lavc57.81.100 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help

 Program received signal SIGSEGV, Segmentation fault.
 decode_unit (s=s at entry=0xb68c7020, pixel=0xb759a368,
     rval=rval at entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
 224         pixel->freq[c] = cnt_c + step;
 (gdb) bt
 #0  decode_unit (s=s at entry=0xb68c7020, pixel=0xb759a368,
     rval=rval at entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
 #1  0x086ade93 in decompress_i (linesize=320, dst=0xb2040020,
 avctx=0x9a29cc0)
     at libavcodec/scpr.c:319
 #2  decode_frame (avctx=0x9a29cc0, data=0x9a2d1c0, got_frame=0xbfffe83c,
     avpkt=0xbfffe7ac) at libavcodec/scpr.c:702
 #3  0x08729a99 in avcodec_decode_video2 (avctx=0x9a29cc0,
 picture=0x9a2d1c0,
     got_picture_ptr=0xbfffe83c, avpkt=0xbfffe938) at
 libavcodec/utils.c:2263
 #4  0x0872aa1d in do_decode (avctx=avctx at entry=0x9a29cc0,
     pkt=pkt at entry=0xbfffe938) at libavcodec/utils.c:2796
 #5  0x0872b7f0 in avcodec_send_packet (avctx=0x9a29cc0, avpkt=<optimized
 out>)
     at libavcodec/utils.c:2885
 #6  0x080e8447 in decode (pkt=0xbfffe938, got_frame=0xbfffead4,
     frame=<optimized out>, avctx=0x9a29cc0) at ffmpeg.c:2052
 #7  decode_video (ist=ist at entry=0x9a29960, pkt=pkt at entry=0xbfffeb14,
     got_output=got_output at entry=0xbfffead4, eof=0) at ffmpeg.c:2248
 #8  0x080e9806 in process_input_packet (ist=0x9a29960, pkt=0xbfffed44,
     no_eof=0) at ffmpeg.c:2491
 #9  0x080c78d6 in process_input (file_index=<optimized out>) at
 ffmpeg.c:4251
 #10 transcode_step () at ffmpeg.c:4339
 #11 transcode () at ffmpeg.c:4393
 #12 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/6183#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker