id summary reporter owner description type status priority component version resolution keywords cc blockedby blocking reproduced analyzed 71 Segmentation fault with interlaced MPEG2 sample cehoyos "(issue 2367) Attached interlaced MPEG2 sample from Optelecom Siqura C-60 E-MC crashes FFmpeg {{{ (gdb) r -i exploit.bin FFmpeg version git-N-29196-ge61b83d, Copyright (c) 2000-2011 the FFmpeg developers built on Apr 19 2011 19:44:16 with gcc 4.4.5 configuration: --cc='/usr/local/gcc-4.4.5/bin/gcc -m32' --disable-asm libavutil 50. 40. 1 / 50. 40. 1 libavcodec 52.120. 0 / 52.120. 0 libavformat 52.108. 0 / 52.108. 0 libavdevice 52. 4. 0 / 52. 4. 0 libavfilter 1. 79. 1 / 1. 79. 1 libswscale 0. 13. 0 / 0. 13. 0 Program received signal SIGSEGV, Segmentation fault. 0x081781e0 in put_pixels8_8_c (h=, line_size=, pixels=, block=) at libavcodec/dsputil_internal.h:756 756 PIXOP2(put, op_put) (gdb) bt #0 0x081781e0 in put_pixels8_8_c (h=, line_size=, pixels=, block=) at libavcodec/dsputil_internal.h:756 #1 put_pixels16_8_c (h=, line_size=, pixels=, block=) at libavcodec/dsputil_internal.h:756 #2 0x083a6ace in mpeg_motion_internal (mb_y=, is_mpeg12=, h=, motion_y=, motion_x=, pix_op=, ref_picture=, field_select=, bottom_field=, field_based=, dest_cr=, dest_cb=, dest_y=, s=) at libavcodec/mpegvideo_common.h:352 #3 mpeg_motion (mb_y=, is_mpeg12=, h=, motion_y=, motion_x=, pix_op=, ref_picture=, field_select=, bottom_field=, field_based=, dest_cr=, dest_cb=, dest_y=, s=) at libavcodec/mpegvideo_common.h:375 #4 MPV_motion_internal (mb_y=, is_mpeg12=, h=, motion_y=, motion_x=, pix_op=, ref_picture=, field_select=, bottom_field=, field_based=, dest_cr=, dest_cb=, dest_y=, s=) at libavcodec/mpegvideo_common.h:823 #5 MPV_motion (mb_y=, is_mpeg12=, h=, motion_y=, motion_x=, pix_op=, ref_picture=, field_select=, bottom_field=, field_based=, dest_cr=, dest_cb=, dest_y=, s=) at libavcodec/mpegvideo_common.h:892 #6 0x083afec1 in MPV_decode_mb_internal (is_mpeg12=, lowres_flag=, block=, s=) at libavcodec/mpegvideo.c:2117 #7 MPV_decode_mb (is_mpeg12=, lowres_flag=, block=, s=) at libavcodec/mpegvideo.c:2253 #8 0x0836070b in mpeg_decode_slice (s1=0x8c69c50, mb_y=, buf=, buf_size=501) at libavcodec/mpeg12.c:1843 #9 0x08366d18 in decode_chunks (avctx=, picture=, data_size=, buf=0x8c77e60 """", buf_size=11505) at libavcodec/mpeg12.c:2535 #10 0x08367240 in mpeg_decode_frame (avctx=0x8c69690, data=0xffffcbc4, data_size=0xffffcd8c, avpkt=0x8c6f880) at libavcodec/mpeg12.c:2323 #11 0x08479077 in avcodec_decode_video2 (avctx=0x8c69690, picture=0xffffcbc4, got_picture_ptr=0xffffcd8c, avpkt=0x8c6f880) at libavcodec/utils.c:719 #12 0x08119231 in try_decode_frame (avpkt=, st=) at libavformat/utils.c:2127 #13 av_find_stream_info (avpkt=, st=) at libavformat/utils.c:2417 #14 0x0804d7d6 in opt_input_file (filename=0xffffd28b ""exploit.bin"") at ffmpeg.c:3303 #15 0x08059e85 in parse_options (argc=3, argv=0xffffd024, options=0x85c7800, parse_arg_function=0x8056790 ) at cmdutils.c:222 #16 0x08055c51 in main (argc=3, argv=0xffffd024) at ffmpeg.c:4443 (gdb) disass $pc-12 $pc+32 Dump of assembler code from 0x81781d4 to 0x8178200: 0x081781d4 : test %esi,%esi 0x081781d6 : jle 0x8178219 0x081781d8 : xor %eax,%eax 0x081781da : xor %ebx,%ebx 0x081781dc : lea 0x0(%esi,%eiz,1),%esi 0x081781e0 : mov (%ecx,%eax,1),%ebp 0x081781e3 : add $0x1,%ebx 0x081781e6 : mov %ebp,(%edx,%eax,1) 0x081781e9 : mov 0x4(%ecx,%eax,1),%ebp 0x081781ed : mov %ebp,0x4(%edx,%eax,1) 0x081781f1 : add %edi,%eax 0x081781f3 : cmp %esi,%ebx 0x081781f5 : jne 0x81781e0 0x081781f7 : xor %eax,%eax 0x081781f9 : xor %ebx,%ebx 0x081781fb : nop 0x081781fc : lea 0x0(%esi,%eiz,1),%esi End of assembler dump. (gdb) info register eax 0x0 0 ecx 0x2f0 752 edx 0xf7c9c220 -137772512 ebx 0x0 0 esp 0xffffc67c 0xffffc67c ebp 0x10 0x10 esi 0x10 16 edi 0x5e0 1504 eip 0x81781e0 0x81781e0 eflags 0x10246 [ PF ZF IF RF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 }}} " defect closed important avcodec git-master fixed mpeg2 interlaced crash SIGSEGV roundup 1 0