[FFmpeg-trac] #9099(avcodec:new): Undefined behaviour in the hevc decoder (was: FFmpeg/libavcodec: NULL Pointer Dereference)
FFmpeg
trac at avcodec.org
Wed Feb 10 22:36:03 EET 2021
#9099: Undefined behaviour in the hevc decoder
------------------------------------+-----------------------------------
Reporter: QiuhaoLi | Owner:
Type: defect | Status: new
Priority: normal | Component: avcodec
Version: git-master | Resolution:
Keywords: asan hevc | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Changes (by cehoyos):
* keywords: NULL Pointer Dereference => asan hevc
* priority: important => normal
* reproduced: 1 => 0
Old description: identical to the new description below, apart from wrapping the log excerpts in {{{ }}} blocks.
New description:
-- [ Description
During fuzzing, we found a null pointer dereference (CWE-476) in the
latest FFmpeg/libavcodec.
I sent a report to ffmpeg-security at ffmpeg.org, but didn't get a reply yet.
-- [ Affected Version
ubuntu at VM-0-6-ubuntu:~/ffmpeg_sources/FFmpeg$ git log | head -n 4
commit 129978af6b6503109517777eba8890713a787cb5
Author: Paul B Mahol <onemda at gmail.com>
Date: Wed Feb 10 14:08:23 2021 +0100
-- [ Reproduce with ASAN & Report
{{{
ubuntu at VM-0-6-ubuntu:~$ FFREPORT=1 ./bin/ffmpeg -i PoC output.mp4 # sorry I didn't go deep to figure out the format of the PoC
Report written to "ffmpeg-20210210-224350.log"
Log level: 48
ffmpeg version N-101043-g129978af6b Copyright (c) 2000-2021 the FFmpeg developers
built with clang version 10.0.0-4ubuntu1
configuration: --prefix=/home/ubuntu/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/ubuntu/ffmpeg_build/include -ggdb -fsanitize=address -fsanitize=undefined' --extra-ldflags='-L/home/ubuntu/ffmpeg_build/lib -fsanitize=address -fsanitize=undefined' --extra-libs='-lpthread -lm' --bindir=/home/ubuntu/bin --cc=clang --cxx=clang++ --disable-ffplay --disable-ffprobe --disable-stripping --assert-level=2 --enable-gpl --enable-gnutls --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
libavutil 56. 65.100 / 56. 65.100
libavcodec 58.122.100 / 58.122.100
libavformat 58. 67.100 / 58. 67.100
libavdevice 58. 11.103 / 58. 11.103
libavfilter 7.103.100 / 7.103.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
libpostproc 55. 8.100 / 55. 8.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] overread end of atom 'stsd' by 808464282 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] stream 0, timescale not set
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: hevc (Hvc1 / 0x31637648), none, 12336x12336): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'PoC':
Duration: N/A, bitrate: N/A
Stream #0:0: Video: hevc (Hvc1 / 0x31637648), none, 12336x12336, 1 tbr, 1 tbn, 1 tbc
Metadata:
handler_name : 0000000000000
vendor_id : 0000
encoder : 0000000000000000000000000000000
[hevc @ 0x619000002d80] Invalid NAL unit size in extradata.
libavcodec/hevcdec.c:3427:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/hevcdec.c:3427:22 in
libavcodec/hevcdec.c:3427:22: runtime error: load of null pointer of type 'HEVCLocalContext *' (aka 'struct HEVCLocalContext *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/hevcdec.c:3427:22 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23809==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000035bf9ad bp 0x0c4c00001224 sp 0x7ffef55e8e20 T0)
==23809==The signal is caused by a READ memory access.
==23809==Hint: address points to the zero page.
    #0 0x35bf9ad in hevc_decode_free /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/hevcdec.c:3427:19
    #1 0x4688cde in ff_frame_thread_free /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/pthread_frame.c:712:13
    #2 0x468d646 in ff_frame_thread_init /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/pthread_frame.c:885:5
    #3 0x4e0ffa8 in avcodec_open2 /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/utils.c:759:15
    #4 0x57c0c4 in init_input_stream /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:2988:20
    #5 0x57c0c4 in transcode_init /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:3751:20
    #6 0x56f0d7 in transcode /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:4752:11
    #7 0x56c7b2 in main /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:4986:9
    #8 0x7fe2dcb100b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x4251ad in _start (/home/ubuntu/bin/ffmpeg+0x4251ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/hevcdec.c:3427:19 in hevc_decode_free
==23809==ABORTING
}}}
{{{
ubuntu at VM-0-6-ubuntu:~$ cat ffmpeg-20210210-224350.log
ffmpeg started on 2021-02-10 at 22:43:50
Report written to "ffmpeg-20210210-224350.log"
Log level: 48
Command line:
./bin/ffmpeg -i PoC output.mp4
ffmpeg version N-101043-g129978af6b Copyright (c) 2000-2021 the FFmpeg developers
built with clang version 10.0.0-4ubuntu1
configuration: --prefix=/home/ubuntu/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/ubuntu/ffmpeg_build/include -ggdb -fsanitize=address -fsanitize=undefined' --extra-ldflags='-L/home/ubuntu/ffmpeg_build/lib -fsanitize=address -fsanitize=undefined' --extra-libs='-lpthread -lm' --bindir=/home/ubuntu/bin --cc=clang --cxx=clang++ --disable-ffplay --disable-ffprobe --disable-stripping --assert-level=2 --enable-gpl --enable-gnutls --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
libavutil 56. 65.100 / 56. 65.100
libavcodec 58.122.100 / 58.122.100
libavformat 58. 67.100 / 58. 67.100
libavdevice 58. 11.103 / 58. 11.103
libavfilter 7.103.100 / 7.103.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
libpostproc 55. 8.100 / 55. 8.100
Splitting the commandline.
Reading option '-i' ... matched as input url with argument 'PoC'.
Reading option 'output.mp4' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Successfully parsed a group of options.
Parsing a group of options: input url PoC.
Successfully parsed a group of options.
Opening an input file: PoC.
[NULL @ 0x61b000000080] Opening 'PoC' for reading
[file @ 0x610000000040] Setting default whitelist 'file,crypto,data'
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Format mov,mp4,m4a,3gp,3g2,mj2 probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] overread end of atom 'stsd' by 808464282 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] stream 0, timescale not set
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Before avformat_find_stream_info() pos: 495 bytes read:495 seeks:2 nb_streams:1
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: hevc (Hvc1 / 0x31637648), none, 12336x12336): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] After avformat_find_stream_info() pos: 495 bytes read:495 seeks:2 frames:0
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'PoC':
Duration: N/A, bitrate: N/A
Stream #0:0, 0, 1/1: Video: hevc (Hvc1 / 0x31637648), none, 12336x12336, 1 tbr, 1 tbn, 1 tbc
Metadata:
handler_name : 0000000000000
vendor_id : 0000
encoder : 0000000000000000000000000000000
Successfully opened the file.
Parsing a group of options: output url output.mp4.
Successfully parsed a group of options.
Opening an output file: output.mp4.
[file @ 0x610000001640] Setting default whitelist 'file,crypto,data'
Successfully opened the file.
detected 16 logical cores
[hevc @ 0x619000002d80] Invalid NAL unit size in extradata.
}}}
-- [ GDB Report
{{{
ubuntu at VM-0-6-ubuntu:~$ gdb --args ./bin/ffmpeg -i PoC output.mp4
(gdb) run
(gdb) bt
#0 0x00000000035bf9ad in hevc_decode_free (avctx=<optimized out>) at libavcodec/hevcdec.c:3427
#1 0x0000000004688cdf in ff_frame_thread_free (avctx=0x619000001480, thread_count=<optimized out>) at libavcodec/pthread_frame.c:712
#2 0x000000000468d647 in ff_frame_thread_init (avctx=<optimized out>) at libavcodec/pthread_frame.c:885
#3 0x00000000070a9b23 in ff_thread_init (avctx=<optimized out>) at libavcodec/pthread.c:77
#4 0x0000000004e0ffa9 in avcodec_open2 (avctx=<optimized out>, codec=0x9aa5ec0 <ff_hevc_decoder>, options=<optimized out>) at libavcodec/utils.c:759
#5 0x000000000057c0c5 in init_input_stream (ist_index=<optimized out>, error=0x7fffffffc660 "", error_len=1024) at fftools/ffmpeg.c:2988
#6 transcode_init () at fftools/ffmpeg.c:3751
#7 0x000000000056f0d8 in transcode () at fftools/ffmpeg.c:4752
#8 0x000000000056c7b3 in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4986
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x35bf98d to 0x35bf9cd:
0x00000000035bf98d <hevc_decode_free+1317>: add (%rax),%al
0x00000000035bf98f <hevc_decode_free+1319>: add %cl,-0x7b(%rax)
0x00000000035bf992 <hevc_decode_free+1322>: fisttpl (%rdi)
0x00000000035bf994 <hevc_decode_free+1324>: test %ah,(%rbx)
0x00000000035bf996 <hevc_decode_free+1326>: add (%rax),%al
0x00000000035bf998 <hevc_decode_free+1328>: add %cl,-0x77(%rax)
0x00000000035bf99b <hevc_decode_free+1331>: fmuls -0x3f(%rax)
0x00000000035bf99e <hevc_decode_free+1334>: callq 0x41479a6 <skip_bits_long+742>
0x00000000035bf9a3 <hevc_decode_free+1339>: cmp $0x7f,%bh
0x00000000035bf9a6 <hevc_decode_free+1342>: add %cl,(%rdi)
0x00000000035bf9a8 <hevc_decode_free+1344>: test %ebp,(%rdx)
0x00000000035bf9aa <hevc_decode_free+1346>: add (%rax),%eax
0x00000000035bf9ac <hevc_decode_free+1348>: add %cl,0x23(%rbx,%rdi,1)
0x00000000035bf9b0 <hevc_decode_free+1352>: mov 0x8(%rsp),%r12
0x00000000035bf9b5 <hevc_decode_free+1357>: jne 0x35bf9de <hevc_decode_free+1398>
0x00000000035bf9b7 <hevc_decode_free+1359>: test %r14b,%r14b
0x00000000035bf9ba <hevc_decode_free+1362>: je 0x35bfc69 <hevc_decode_free+2049>
0x00000000035bf9c0 <hevc_decode_free+1368>: test $0x7,%r15b
0x00000000035bf9c4 <hevc_decode_free+1372>: jne 0x35bfc7f <hevc_decode_free+2071>
0x00000000035bf9ca <hevc_decode_free+1378>: cmpb $0x0,0x7fff8000(%rbp)
End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0xc4c00001223 13520557052451
rsi 0x0 0
rdi 0x7fffffffb6a9 140737488336553
rbp 0xc4c00001224 0xc4c00001224
rsp 0x7fffffffb780 0x7fffffffb780
r8 0x7fffffffaa70 140737488333424
r9 0x2 2
r10 0x7e98b73 132746099
r11 0x206 518
r12 0x0 0
r13 0x626000009118 108164456419608
r14 0x624000002101 108027017437441
r15 0x626000009120 108164456419616
rip 0x35bf9ad 0x35bf9ad <hevc_decode_free+1349>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
bndcfgu {raw = 0x0, config = {base = 0x0, reserved = 0x0, preserved = 0x0, enabled = 0x0}} {raw = 0x0, config = {base = 0, reserved = 0, preserved = 0, enabled = 0}}
bndstatus {raw = 0x0, status = {bde = 0x0, error = 0x0}} {raw = 0x0, status = {bde = 0, error = 0}}
k0 0x0 0
k1 0x0 0
k2 0x0 0
k3 0x0 0
k4 0x0 0
k5 0x0 0
k6 0x0 0
k7 0x0 0
/* ... */
}}}
-- [ PoC base64 encoded
{{{
ubuntu at VM-0-6-ubuntu:~$ base64 PoC
MDAwMG1vb3YAAABsMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwdHJhawAAAFwwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAHDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMAAAAC1oZGxyMDAwMDAwMDB2aWRlMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMAAAAAEwMDAwAAAAAAAAABwwMDAwMDAwMDAwMDAAAAAMMDAwMDAwMDAwMDAwc3RzZDAwMDAA
AAABMDAwMGVuY3YwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAA0YXZjQzAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMGZybWFIdmMx
}}}
Thank you.
Qiuhao Li
--
Comment:
I cannot reproduce a crash.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9099#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker