[FFmpeg-trac] #9121(avformat:open): heap buffer overflow read when extracting frames from the video
FFmpeg
trac at avcodec.org
Thu Feb 25 00:30:28 EET 2021
#9121: heap buffer overflow read when extracting frames from the video
-------------------------------------+-------------------------------------
Reporter: bird | Owner:
Type: defect | Status: open
Priority: important | Component: avformat
Version: git-master | Resolution:
Keywords: vividas | Blocked By:
crash |
Blocking: | Reproduced by developer: 1
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Changes (by cehoyos):
* keywords: => vividas crash
* priority: normal => important
* status: new => open
* component: ffmpeg => avformat
* reproduced: 0 => 1
Comment:
{{{
$ valgrind ffmpeg_g -ss 0 -i 2
==31689== Memcheck, a memory error detector
==31689== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31689== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright
info
==31689== Command: ffmpeg_g -ss 0 -i 2
==31689==
ffmpeg version N-101291-gd3d99a0a06 Copyright (c) 2000-2021 the FFmpeg
developers
built with gcc 10 (SUSE Linux)
configuration: --enable-gpl
libavutil 56. 66.100 / 56. 66.100
libavcodec 58.125.100 / 58.125.100
libavformat 58. 68.100 / 58. 68.100
libavdevice 58. 12.100 / 58. 12.100
libavfilter 7.107.100 / 7.107.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
libpostproc 55. 8.100 / 55. 8.100
Ignoring attempt to set invalid timebase 0/0 for st:0
[vividas @ 0x5082540] number of audio tracks 0 is not 1
[vividas @ 0x5082540] Could not find codec parameters for stream 0 (Video:
vp6, yuv420p): unspecified size
Consider increasing the value for the 'analyzeduration' (0) and
'probesize' (5000000) options
==31689== Invalid read of size 8
==31689== at 0x83FFEE: viv_read_seek (vividas.c:769)
==31689== by 0x8375F0: seek_frame_internal (utils.c:2449)
==31689== by 0x8375F0: av_seek_frame (utils.c:2481)
==31689== by 0x8373F9: avformat_seek_file (utils.c:2533)
==31689== by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==31689== by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689== by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689== by 0x494C97: main (ffmpeg.c:4964)
==31689== Address 0x5094d58 is 0 bytes after a block of size 8 alloc'd
==31689== at 0x48396AF: malloc (in /usr/lib64/valgrind
/vgpreload_memcheck-amd64-linux.so)
==31689== by 0x83D502: avformat_new_stream (utils.c:4492)
==31689== by 0x840735: track_header (vividas.c:322)
==31689== by 0x840735: viv_read_header (vividas.c:605)
==31689== by 0x83C987: avformat_open_input (utils.c:599)
==31689== by 0x49C973: open_input_file (ffmpeg_opt.c:1174)
==31689== by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689== by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689== by 0x494C97: main (ffmpeg.c:4964)
==31689==
==31689== Invalid read of size 8
==31689== at 0x83FFF2: viv_read_seek (vividas.c:769)
==31689== by 0x8375F0: seek_frame_internal (utils.c:2449)
==31689== by 0x8375F0: av_seek_frame (utils.c:2481)
==31689== by 0x8373F9: avformat_seek_file (utils.c:2533)
==31689== by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==31689== by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689== by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689== by 0x494C97: main (ffmpeg.c:4964)
==31689== Address 0xd0 is not stack'd, malloc'd or (recently) free'd
==31689==
==31689==
==31689== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==31689== Access not within mapped region at address 0xD0
==31689== at 0x83FFF2: viv_read_seek (vividas.c:769)
==31689== by 0x8375F0: seek_frame_internal (utils.c:2449)
==31689== by 0x8375F0: av_seek_frame (utils.c:2481)
==31689== by 0x8373F9: avformat_seek_file (utils.c:2533)
==31689== by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==31689== by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689== by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689== by 0x494C97: main (ffmpeg.c:4964)
==31689== If you believe this happened as a result of a stack
==31689== overflow in your program's main thread (unlikely but
==31689== possible), you can try to increase the size of the
==31689== main thread stack using the --main-stacksize= flag.
==31689== The main thread stack size used in this run was 8388608.
==31689==
==31689== HEAP SUMMARY:
==31689== in use at exit: 39,614 bytes in 31 blocks
==31689== total heap usage: 114 allocs, 83 frees, 87,683 bytes allocated
==31689==
==31689== LEAK SUMMARY:
==31689== definitely lost: 0 bytes in 0 blocks
==31689== indirectly lost: 0 bytes in 0 blocks
==31689== possibly lost: 0 bytes in 0 blocks
==31689== still reachable: 39,614 bytes in 31 blocks
==31689== suppressed: 0 bytes in 0 blocks
==31689== Rerun with --leak-check=full to see details of leaked memory
==31689==
==31689== For lists of detected and suppressed errors, rerun with: -s
==31689== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9121#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list