[FFmpeg-trac] #6183(undetermined:closed): scpr: crash with fuzzed file

FFmpeg trac at avcodec.org
Thu Feb 23 23:17:11 EET 2017


#6183: scpr: crash with fuzzed file
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |                    Owner:
                 Type:  defect       |                   Status:  closed
             Priority:  normal       |                Component:
              Version:  unspecified  |  undetermined
             Keywords:               |               Resolution:  duplicate
             Blocking:               |               Blocked By:
Analyzed by developer:  0            |  Reproduced by developer:  0
-------------------------------------+-------------------------------------

Comment (by jamrial):

 I'm getting a different backtrace with this file using a mingw-w64
 (x86_64) build.

 {{{
 (gdb) r -i sp_16bit_q50_fuzz2.avi -f null -
 Starting program: F:\msys\ffmpeg\build\ffmpeg_g.exe -i
 sp_16bit_q50_fuzz2.avi -f null -
 [New Thread 3128.0x1ff4]
 [New Thread 3128.0x1fd8]
 [New Thread 3128.0x6c8]
 [New Thread 3128.0x125c]
 ffmpeg version N-83627-gf5fa12d6ee Copyright (c) 2000-2017 the FFmpeg
 developers
   built with gcc 6.3.0 (Rev1, Built by MSYS2 project)
   configuration: --enable-gpl --enable-nonfree --enable-libx264 --enable-
 libfdk_aac --enable-libvpx --enable-libopus --target-os=mingw32
 --arch=x86_64 --cpu=haswell --extra-cflags='-D_WIN32_WINNT=0x0602'
 --cc='ccache gcc' --samples=../samples --prefix=/mingw64
   libavutil      55. 47.100 / 55. 47.100
   libavcodec     57. 81.100 / 57. 81.100
   libavformat    57. 66.102 / 57. 66.102
   libavdevice    57.  2.100 / 57.  2.100
   libavfilter     6. 73.100 /  6. 73.100
   libswscale      4.  3.101 /  4.  3.101
   libswresample   2.  4.100 /  2.  4.100
   libpostproc    54.  2.100 / 54.  2.100
 Input #0, avi, from 'sp_16bit_q50_fuzz2.avi':
   Metadata:
     encoder         : Lavf57.36.10
   Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
     Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps,
 25 tbr, 25 tbn, 25 tbc
 [New Thread 3128.0x1e4c]
 [New Thread 3128.0x4fc]
 [New Thread 3128.0xf98]
 [New Thread 3128.0x2258]
 [New Thread 3128.0x114c]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf57.66.102
     Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s,
 25 fps, 25 tbn, 25 tbc
     Metadata:
       encoder         : Lavc57.81.100 wrapped_avframe
 Stream mapping:
   Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
 Press [q] to stop, [?] for help

 Thread 1 received signal SIGSEGV, Segmentation fault.
 decode_unit (s=s at entry=0x258b060, pixel=0x325e3bc,
 rval=rval at entry=0x5ff438,
     step=400) at F:/msys/ffmpeg/src/libavcodec/scpr.c:197
 197         unsigned totfr = pixel->total_freq;
 (gdb) bt
 #0  decode_unit (s=s at entry=0x258b060, pixel=0x325e3bc,
     rval=rval at entry=0x5ff438, step=400)
     at F:/msys/ffmpeg/src/libavcodec/scpr.c:197
 #1  0x000000014066e99c in decompress_i (linesize=<optimized out>,
     dst=0x24d19e0, avctx=0x2491f20)
     at F:/msys/ffmpeg/src/libavcodec/scpr.c:319
 #2  decode_frame (avctx=0x2491f20, data=0x2483540, got_frame=0x5ff5ac,
     avpkt=0x5ff4c0) at F:/msys/ffmpeg/src/libavcodec/scpr.c:703
 #3  0x00000001406f1840 in avcodec_decode_video2
 (avctx=avctx at entry=0x2491f20,
     picture=0x2483540, got_picture_ptr=got_picture_ptr at entry=0x5ff5ac,
     avpkt=avpkt at entry=0x5ff7a0) at
 F:/msys/ffmpeg/src/libavcodec/utils.c:2263
 #4  0x00000001406f24c2 in do_decode (avctx=avctx at entry=0x2491f20,
     pkt=0x5ff7a0) at F:/msys/ffmpeg/src/libavcodec/utils.c:2796
 #5  0x00000001406f346c in avcodec_send_packet
 (avctx=avctx at entry=0x2491f20,
     avpkt=<optimized out>, avpkt at entry=0x5ff7a0)
     at F:/msys/ffmpeg/src/libavcodec/utils.c:2885
 #6  0x000000014001f700 in decode (pkt=0x5ff7a0, got_frame=0x5ffcf0,
     frame=<optimized out>, avctx=0x2491f20)
     at F:/msys/ffmpeg/src/ffmpeg.c:2052
 #7  decode_video (ist=ist at entry=0x2491d00, pkt=pkt at entry=0x5ffc30,
     got_output=got_output at entry=0x5ffcf0, eof=eof at entry=0)
     at F:/msys/ffmpeg/src/ffmpeg.c:2248
 #8  0x00000001400211d7 in process_input_packet (no_eof=0, pkt=0x5ffbd0,
     ist=0x2491d00) at F:/msys/ffmpeg/src/ffmpeg.c:2491
 #9  process_input (file_index=<optimized out>)
     at F:/msys/ffmpeg/src/ffmpeg.c:4251
 #10 transcode_step () at F:/msys/ffmpeg/src/ffmpeg.c:4339
 #11 transcode () at F:/msys/ffmpeg/src/ffmpeg.c:4393
 #12 0xq000000140e38d04 in main (argc=<optimized out>, argv=0xd54e90)
 }}}

 The following patch

 {{{
 diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
 index 5555d812e8..58fc7009bd 100644
 --- a/libavcodec/scpr.c
 +++ b/libavcodec/scpr.c
 @@ -316,6 +316,8 @@ static int decompress_i(AVCodecContext *avctx,
 uint32_t *dst, int linesize)

              cx1 = (cx << 6) & 0xFC0;
              cx = g >> cxshift;
 +            av_log(avctx, AV_LOG_INFO, "%d (cx) + %d (cx1) = %d\n", cx,
 cx1, cx + cx1);
 +            av_assert0(cx + cx1 < 4096);
              ret = decode_unit(s, &s->pixel_model[2][cx + cx1], 400, &b);
              if (ret < 0)
                  return ret;
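Review bot: The added `av_assert0(cx + cx1 < 4096)` is useful for diagnosis but should not be the shipped fix: on a crafted stream it turns the out-of-bounds index into `s->pixel_model[2]` (the assert's output shows 4123 against the 4096 bound the assert implies) into an abort of the whole process, which is still a denial of service driven by untrusted input. The guard in front of the `decode_unit` call should reject the packet instead, e.g. `if (cx + cx1 >= 4096) return AVERROR_INVALIDDATA;`, or better, validate whatever lets `cx` exceed 63 — `cx1` is masked to at most 4032, so a `cx` of 219 suggests `g >> cxshift` is unchecked, and where `g` and `cxshift` come from is outside this hunk. The per-call `av_log` at `AV_LOG_INFO` should be dropped or lowered to `AV_LOG_DEBUG` before merging, and its `%d` specifiers assume `cx` and `cx1` are `int`, which the hunk does not show. `decompress_i` starts and ends outside the hunk.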
 }}}

 Gives this output

 {{{
 [scpr @ 0000000000e02440] 219 (cx) + 3904 (cx1) = 4123
 Assertion cx + cx1 < 4096 failed at
 F:/msys/ffmpeg/src/libavcodec/scpr.c:320
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/6183#comment:6>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

