[FFmpeg-trac] #9049(avfilter:new): astats crash on float pcm having peaks much greater than 1.0

FFmpeg trac at avcodec.org
Sat Jan 2 02:53:18 EET 2021 

#9049: astats crash on float pcm having peaks much greater than 1.0
----------------------------------+--------------------------------------
             Reporter:  danadam   |                     Type:  defect
               Status:  new       |                 Priority:  normal
            Component:  avfilter  |                  Version:  git-master
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+--------------------------------------
 **Summary of the bug: **

 A float pcm (e.g. f32le) with samples greater than about 262176.004 causes
 segmentation fault in `astats` filter.

 (that sample value is about 108 dB higher than 1.0, so admittedly it's not
 your typical file)

 **How to reproduce: **

 Generate full scale sine:
 {{{
 ]$ ffmpeg -f lavfi -i aevalsrc="sin(261*2*PI*t):s=44100:d=3" -c pcm_f32le
 sin.wav
 }}}

 Increase volume by 108dB and run through `astats` (still works):
 {{{
 ]$ ffmpeg -i sin.wav -af volume=108dB -c pcm_f32le loud1.wav
 ]$ ffmpeg -i loud1.wav -af astats -f null /dev/null
 ...
 }}}

 Increase volume by 109dB and run through `astats` (crashes):
 {{{
 ]$ ffmpeg -i sin.wav -af volume=108dB -c pcm_f32le loud2.wav
 ]$ ffmpeg -i loud2.wav -af astats -f null /dev/null
 ffmpeg version N-100545-g15baa0c Copyright (c) 2000-2021 the FFmpeg
 developers
   built with gcc 10 (Debian 10.2.1-1)
   configuration: --prefix=/tmp/ffmpeg_build --extra-
 cflags=-I/tmp/ffmpeg_build/include --extra-ldflags=-L/tmp/ffmpeg_build/lib
 --extra-libs='-lpthread -lm' --bindir=/home/danadam/bin --enable-gpl
 --enable-gnutls --enable-libass --enable-libfreetype --enable-libvorbis
 --enable-nonfree
   libavutil      56. 63.100 / 56. 63.100
   libavcodec     58.115.102 / 58.115.102
   libavformat    58. 65.100 / 58. 65.100
   libavdevice    58. 11.103 / 58. 11.103
   libavfilter     7. 95.100 /  7. 95.100
   libswscale      5.  8.100 /  5.  8.100
   libswresample   3.  8.100 /  3.  8.100
   libpostproc    55.  8.100 / 55.  8.100
 Input #0, wav, from 'loud2.wav':
   Metadata:
     encoder         : Lavf58.65.100
   Duration: 00:00:03.00, bitrate: 1411 kb/s
     Stream #0:0: Audio: pcm_f32le ([3][0][0][0] / 0x0003), 44100 Hz, mono,
 flt, 1411 kb/s
 Stream mapping:
   Stream #0:0 -> #0:0 (pcm_f32le (native) -> pcm_s16le (native))
 Press [q] to stop, [?] for help
 Segmentation fault
 }}}

 The crash happens in libavfilter/af_astats.c:334
 {{{
 p->histogram[index]++;
 }}}
 because `index` has value -2147483648:
 {{{
 index = av_clip(FFABS(nd) * HISTOGRAM_MAX, 0, HISTOGRAM_MAX);
 }}}
 Here `nd * HISTOGRAM_MAX` is converted to int and overflows and this is
 undefined behavior.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/9049>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list