[FFmpeg-trac] #6250(undetermined:new): xma: crash with fuzzed file
FFmpeg
trac at avcodec.org
Mon Mar 20 15:05:06 EET 2017
#6250: xma: crash with fuzzed file
-------------------------------------+-------------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: new
Priority: normal | Component: undetermined
Version: unspecified | Keywords:
Blocked By: | Blocking:
Reproduced by developer: 0 | Analyzed by developer: 0
-------------------------------------+-------------------------------------
https://files.fm/u/c8x6c9wk
{{{
==12833== Invalid write of size 4
==12833== at 0x889B058: memcpy (string3.h:51)
==12833== by 0x889B058: xma_decode_packet (wmaprodec.c:1760)
==12833== by 0x872CA6C: avcodec_decode_audio4 (utils.c:2381)
==12833== by 0x872D5BC: do_decode (utils.c:2814)
==12833== by 0x872E5EC: avcodec_receive_frame (utils.c:2930)
==12833== by 0x80E8031: decode (ffmpeg.c:2255)
==12833== by 0x80E8031: decode_audio (ffmpeg.c:2304)
==12833== by 0x80E9FD1: process_input_packet (ffmpeg.c:2614)
==12833== by 0x80C7655: process_input (ffmpeg.c:4353)
==12833== by 0x80C7655: transcode_step (ffmpeg.c:4464)
==12833== by 0x80C7655: transcode (ffmpeg.c:4518)
==12833== by 0x80C7655: main (ffmpeg.c:4723)
==12833== Address 0x5140d20 is 0 bytes after a block of size 2,919,616 alloc'd
==12833== at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833== by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833== by 0x8C3B6AF: av_malloc (mem.c:97)
==12833== by 0x8C3B6AF: av_mallocz (mem.c:254)
==12833== by 0x862E326: init_context_defaults (options.c:128)
==12833== by 0x862E3CF: avcodec_alloc_context3 (options.c:164)
==12833== by 0x80D5075: add_input_streams (ffmpeg_opt.c:709)
==12833== by 0x80D5075: open_input_file (ffmpeg_opt.c:1055)
==12833== by 0x80D771E: open_files (ffmpeg_opt.c:3197)
==12833== by 0x80D771E: ffmpeg_parse_options (ffmpeg_opt.c:3237)
==12833== by 0x80C6627: main (ffmpeg.c:4696)
==12833==
[xma1 @ 0x4e0f120] overflow (129 > 128) in spectral RLE, ignoring
[xma1 @ 0x4e0f120] num_vec_coeffs 204 is too large
Error while decoding stream #0:0: Invalid data found when processing input
==12833== Invalid read of size 4
==12833== at 0x8247D2D: avio_seek (aviobuf.c:245)
==12833== by 0x80C6911: avio_tell (avio.h:519)
==12833== by 0x80C6911: need_output (ffmpeg.c:3723)
==12833== by 0x80C6911: transcode (ffmpeg.c:4513)
==12833== by 0x80C6911: main (ffmpeg.c:4723)
==12833== Address 0x3dfd892c is not stack'd, malloc'd or (recently) free'd
==12833==
==12833==
==12833== Process terminating with default action of signal 11 (SIGSEGV)
==12833== Access not within mapped region at address 0x3DFD892C
==12833== at 0x8247D2D: avio_seek (aviobuf.c:245)
==12833== by 0x80C6911: avio_tell (avio.h:519)
==12833== by 0x80C6911: need_output (ffmpeg.c:3723)
==12833== by 0x80C6911: transcode (ffmpeg.c:4513)
==12833== by 0x80C6911: main (ffmpeg.c:4723)
==12833== If you believe this happened as a result of a stack
==12833== overflow in your program's main thread (unlikely but
==12833== possible), you can try to increase the size of the
==12833== main thread stack using the --main-stacksize= flag.
==12833== The main thread stack size used in this run was 8388608.
==12833==
==12833== HEAP SUMMARY:
==12833== in use at exit: 3,447,037 bytes in 220 blocks
==12833== total heap usage: 2,249 allocs, 2,029 frees, 8,652,797 bytes allocated
==12833==
==12833== 4 bytes in 1 blocks are definitely lost in loss record 13 of 79
==12833== at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833== by 0x402C3AF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833== by 0x836FDA8: avformat_new_stream (utils.c:4244)
==12833== by 0x80D254A: new_output_stream (ffmpeg_opt.c:1223)
==12833== by 0x80D41D5: new_audio_stream (ffmpeg_opt.c:1717)
==12833== by 0x80D955C: open_output_file (ffmpeg_opt.c:2174)
==12833== by 0x80D955C: open_files (ffmpeg_opt.c:3197)
==12833== by 0x80D955C: ffmpeg_parse_options (ffmpeg_opt.c:3251)
==12833== by 0x80C6627: main (ffmpeg.c:4696)
==12833==
==12833== 34,578 (1,348 direct, 33,230 indirect) bytes in 1 blocks are definitely lost in loss record 74 of 79
==12833== at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833== by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833== by 0x8C3B3CF: av_malloc (mem.c:97)
==12833== by 0x8310101: avformat_alloc_context (options.c:135)
==12833== by 0x80D4733: open_input_file (ffmpeg_opt.c:925)
==12833== by 0x80D771E: open_files (ffmpeg_opt.c:3197)
==12833== by 0x80D771E: ffmpeg_parse_options (ffmpeg_opt.c:3237)
==12833== by 0x80C6627: main (ffmpeg.c:4696)
==12833==
==12833== LEAK SUMMARY:
==12833== definitely lost: 1,352 bytes in 2 blocks
==12833== indirectly lost: 33,230 bytes in 12 blocks
==12833== possibly lost: 0 bytes in 0 blocks
==12833== still reachable: 3,412,455 bytes in 206 blocks
==12833== suppressed: 0 bytes in 0 blocks
==12833== Reachable blocks (those to which a pointer was found) are not shown.
==12833== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==12833==
==12833== For counts of detected and suppressed errors, rerun with: -v
==12833== ERROR SUMMARY: 383 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault
}}}
{{{
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i m_fuzz.xma -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 48.100 / 55. 48.100
libavcodec 57. 83.100 / 57. 83.100
libavformat 57. 66.104 / 57. 66.104
libavdevice 57. 3.100 / 57. 3.100
libavfilter 6. 76.100 / 6. 76.100
libswscale 4. 3.101 / 4. 3.101
libswresample 2. 4.100 / 2. 4.100
libpostproc 54. 2.100 / 54. 2.100
Guessed Channel Layout for Input Stream #0.0 : 5.1
Input #0, wav, from 'm_fuzz.xma':
Duration: N/A, bitrate: N/A
Stream #0:0: Audio: xma1 (e[1][0][0] / 0x0165), 44100 Hz, 5.1, fltp
Program received signal SIGSEGV, Segmentation fault.
0x0889afd4 in memcpy (__len=2048, __src=0x9a5e700, __dest=0x10f9acb4)
at /usr/include/i386-linux-gnu/bits/string3.h:51
51 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0 0x0889afd4 in memcpy (__len=2048, __src=0x9a5e700, __dest=0x10f9acb4)
at /usr/include/i386-linux-gnu/bits/string3.h:51
#1 xma_decode_packet (avctx=0x9a36440, data=0x9a317a0,
got_frame_ptr=0xbfffe5fc, avpkt=0xbfffe56c) at
libavcodec/wmaprodec.c:1757
#2 0x0872ca6d in avcodec_decode_audio4 (avctx=0x9a36440, frame=0x9a317a0,
got_frame_ptr=0xbfffe5fc, avpkt=0x9a31980) at libavcodec/utils.c:2381
#3 0x0872d5bd in do_decode (avctx=avctx at entry=0x9a36440, pkt=0x9a31980)
at libavcodec/utils.c:2814
#4 0x0872e5ed in avcodec_receive_frame (avctx=0x9a36440, frame=0x9ae6ee0)
at libavcodec/utils.c:2930
#5 0x080e8032 in decode (pkt=0xbfffe794, got_frame=0xbfffe754,
frame=<optimized out>, avctx=0x9a36440) at ffmpeg.c:2255
#6 decode_audio (ist=ist at entry=0x9a362e0, pkt=pkt at entry=0xbfffe794,
got_output=got_output at entry=0xbfffe754) at ffmpeg.c:2304
#7 0x080e9fd2 in process_input_packet (ist=0x9a362e0, pkt=0xbfffe9c4,
no_eof=0) at ffmpeg.c:2614
#8 0x080c7656 in process_input (file_index=<optimized out>) at
ffmpeg.c:4353
#9 transcode_step () at ffmpeg.c:4464
#10 transcode () at ffmpeg.c:4518
#11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4723
(gdb)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/6250>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker