[FFmpeg-trac] #9651(avcodec:new): Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240

FFmpeg trac at avcodec.org
Thu Feb 17 17:41:03 EET 2022


#9651: Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240
-------------------------------------+-------------------------------------
             Reporter:               |                    Owner:  (none)
  andreafioraldi                     |
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:  avcodec
              Version:  unspecified  |               Resolution:
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Description changed by andreafioraldi:

Old description:

> This bug was found by fuzzing; to reproduce it, you have to build the
> OSS-Fuzz harness for FFmpeg with ASan and UBSan.
>
> You can use the scripts in
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg with clang
> as the compiler and the following flags:
>
> ```
> CFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
> CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
> ```
>
> The sanitizer report when executing the testcase is the following:
>
> ```
> INFO: Seed: 108531316
> INFO: Loaded 1 modules   (436082 inline 8-bit counters): 436082
> [0x2f32583, 0x2f9ccf5),
> INFO: Loaded 1 PC tables (436082 PCs): 436082 [0x1d0bf68,0x23b3688),
> /out/ffmpeg_DEMUXER_fuzzer: Running 1 inputs 1 time(s) each.
> Running:
> crashes/ffmpeg_ffmpeg_demuxer_fuzzer/id:000169,sig:06,src:012185,time:73697278,op:havoc,rep:4,trial:1493913
> libavcodec/g729_parser.c:51:23: runtime error: signed integer overflow:
> 10 * 808464428 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libavcodec/g729_parser.c:51:23 in
> Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240
> ==1324766== ERROR: libFuzzer: deadly signal
>     #0 0x4a20f1 in __sanitizer_print_stack_trace
> (/out/ffmpeg_DEMUXER_fuzzer+0x4a20f1)
>     #1 0x19f3828 in fuzzer::PrintStackTrace()
> (/out/ffmpeg_DEMUXER_fuzzer+0x19f3828)
>     #2 0x19d8629 in fuzzer::Fuzzer::CrashCallback()
> (/out/ffmpeg_DEMUXER_fuzzer+0x19d8629)
>     #3 0x7ffff7e033bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
>     #4 0x7ffff7a3218a in __libc_signal_restore_set /build/glibc-
> eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-
> signals.h:86:3
>     #5 0x7ffff7a3218a in raise /build/glibc-
> eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
>     #6 0x7ffff7a11858 in abort /build/glibc-
> eX1tMB/glibc-2.31/stdlib/abort.c:79:7
>     #7 0xa628d2 in ff_combine_frame /src/ffmpeg/libavcodec/parser.c:240:5
>     #8 0xc9ca5f in g729_parse /src/ffmpeg/libavcodec/g729_parser.c:71:9
>     #9 0xa5fdd3 in av_parser_parse2
> /src/ffmpeg/libavcodec/parser.c:164:13
>     #10 0x502cca in parse_packet /src/ffmpeg/libavformat/demux.c:1126:15
>     #11 0x4e8013 in read_frame_internal
> /src/ffmpeg/libavformat/demux.c:1240:21
>     #12 0x4f343c in avformat_find_stream_info
> /src/ffmpeg/libavformat/demux.c:2586:15
>     #13 0x4cba3e in LLVMFuzzerTestOneInput
> /src/ffmpeg/tools/target_dem_fuzzer.c:192:11
>     #14 0x19d9d59 in fuzzer::Fuzzer::ExecuteCallback(unsigned char
> const*, unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19d9d59)
>     #15 0x19c4c69 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
> unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19c4c69)
>     #16 0x19c9b72 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
> char const*, unsigned long)) (/out/ffmpeg_DEMUXER_fuzzer+0x19c9b72)
>     #17 0x19c49f2 in main (/out/ffmpeg_DEMUXER_fuzzer+0x19c49f2)
>     #18 0x7ffff7a130b2 in __libc_start_main /build/glibc-
> eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
>     #19 0x420e7d in _start (/out/ffmpeg_DEMUXER_fuzzer+0x420e7d)
>
> NOTE: libFuzzer has rudimentary signal handlers.
>       Combine libFuzzer with AddressSanitizer or similar for better crash
> reports.
> SUMMARY: libFuzzer: deadly signal
> ```
>
> There is a UBSan violation that is likely the root cause of the failed
> assertion.
> You will find the crashing testcase attached; execute it with
> `./ffmpeg_DEMUXER_fuzzer ./testcase`

New description:

 This bug was found by fuzzing the current master branch; to reproduce it,
 you have to build the OSS-Fuzz harness for FFmpeg with ASan and UBSan.

 You can use the scripts in
 https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg with clang
 as the compiler and the following flags:

 {{{
 CFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
 CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
 }}}

 The sanitizer report when executing the testcase is the following:

 {{{
 INFO: Seed: 108531316
 INFO: Loaded 1 modules   (436082 inline 8-bit counters): 436082
 [0x2f32583, 0x2f9ccf5),
 INFO: Loaded 1 PC tables (436082 PCs): 436082 [0x1d0bf68,0x23b3688),
 /out/ffmpeg_DEMUXER_fuzzer: Running 1 inputs 1 time(s) each.
 Running:
 crashes/ffmpeg_ffmpeg_demuxer_fuzzer/id:000169,sig:06,src:012185,time:73697278,op:havoc,rep:4,trial:1493913
 libavcodec/g729_parser.c:51:23: runtime error: signed integer overflow: 10
 * 808464428 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
 libavcodec/g729_parser.c:51:23 in
 Assertion next >= 0 || pc->buffer failed at libavcodec/parser.c:240
 ==1324766== ERROR: libFuzzer: deadly signal
     #0 0x4a20f1 in __sanitizer_print_stack_trace
 (/out/ffmpeg_DEMUXER_fuzzer+0x4a20f1)
     #1 0x19f3828 in fuzzer::PrintStackTrace()
 (/out/ffmpeg_DEMUXER_fuzzer+0x19f3828)
     #2 0x19d8629 in fuzzer::Fuzzer::CrashCallback()
 (/out/ffmpeg_DEMUXER_fuzzer+0x19d8629)
     #3 0x7ffff7e033bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
     #4 0x7ffff7a3218a in __libc_signal_restore_set /build/glibc-
 eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-
 signals.h:86:3
     #5 0x7ffff7a3218a in raise /build/glibc-
 eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
     #6 0x7ffff7a11858 in abort /build/glibc-
 eX1tMB/glibc-2.31/stdlib/abort.c:79:7
     #7 0xa628d2 in ff_combine_frame /src/ffmpeg/libavcodec/parser.c:240:5
     #8 0xc9ca5f in g729_parse /src/ffmpeg/libavcodec/g729_parser.c:71:9
     #9 0xa5fdd3 in av_parser_parse2 /src/ffmpeg/libavcodec/parser.c:164:13
     #10 0x502cca in parse_packet /src/ffmpeg/libavformat/demux.c:1126:15
     #11 0x4e8013 in read_frame_internal
 /src/ffmpeg/libavformat/demux.c:1240:21
     #12 0x4f343c in avformat_find_stream_info
 /src/ffmpeg/libavformat/demux.c:2586:15
     #13 0x4cba3e in LLVMFuzzerTestOneInput
 /src/ffmpeg/tools/target_dem_fuzzer.c:192:11
     #14 0x19d9d59 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
 unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19d9d59)
     #15 0x19c4c69 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
 unsigned long) (/out/ffmpeg_DEMUXER_fuzzer+0x19c4c69)
     #16 0x19c9b72 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
 char const*, unsigned long)) (/out/ffmpeg_DEMUXER_fuzzer+0x19c9b72)
     #17 0x19c49f2 in main (/out/ffmpeg_DEMUXER_fuzzer+0x19c49f2)
     #18 0x7ffff7a130b2 in __libc_start_main /build/glibc-
 eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
     #19 0x420e7d in _start (/out/ffmpeg_DEMUXER_fuzzer+0x420e7d)

 NOTE: libFuzzer has rudimentary signal handlers.
       Combine libFuzzer with AddressSanitizer or similar for better crash
 reports.
 SUMMARY: libFuzzer: deadly signal
 }}}

 There is a UBSan violation that is likely the root cause of the failed
 assertion.
 You will find the crashing testcase attached; execute it with
 `./ffmpeg_DEMUXER_fuzzer ./testcase`

-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/9651#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
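The arithmetic the UBSan line in the report flags, as an added example that is not FFmpeg's code and not the reporter's: it models a fixed per-channel block size multiplied by a channel count read straight from the container, using the two operands from the report (10 and 808464428), shows the negative value such a product wraps to in a 32-bit int, and beside it the bounds-checked form a parser can use so that a negative size never reaches the `next >= 0` assertion in ff_combine_frame. That the first operand is a per-channel size and the second a channel count, the macro and function names, and the MAX_CHANNELS bound are all assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FFmpeg's code. It models the computation the UBSan
 * line in the report flags: a fixed per-channel block size multiplied by
 * a channel count taken straight from the container. The operands 10 and
 * 808464428 are the ones in the report; that the first is a per-channel
 * size and the second a channel count is an assumption, as are the names
 * and the bound below. */

#define BYTES_PER_CHANNEL 10        /* assumed per-channel frame size */
#define MAX_CHANNELS      2         /* assumed sane bound for the codec */
#define REPORTED_CHANNELS 808464428 /* fuzzer-controlled value from the report */

/* Unchecked form. A plain 'int' multiply here is undefined behaviour,
 * which is exactly what UBSan reported. To keep this example itself well
 * defined, the product is formed in 64 bits and then truncated, which
 * gives the bit pattern a wrapping two's-complement multiply produces:
 * the result is negative, and a negative size is what later trips the
 * 'next >= 0' assertion in the frame combiner. */
static int block_size_unchecked(int channels)
{
    int64_t wide = (int64_t)BYTES_PER_CHANNEL * channels;
    return (int)(uint32_t)wide;     /* implementation-defined truncation */
}

/* Hardened form: validate the untrusted channel count before any
 * arithmetic and guard the multiply explicitly, so a wrapped or negative
 * size can never leave this function. Returns 0 and stores the size on
 * success, -1 on invalid input. The overflow guard is redundant once the
 * channel bound holds, but it is the general check for any such product. */
static int block_size_checked(int channels, int *out)
{
    if (channels < 1 || channels > MAX_CHANNELS)
        return -1;                            /* bogus channel layout */
    if (channels > INT_MAX / BYTES_PER_CHANNEL)
        return -1;                            /* product would overflow int */
    *out = BYTES_PER_CHANNEL * channels;
    return 0;
}

/* The invariant ff_combine_frame asserts on: the offset of the next frame
 * boundary it is handed must be non-negative. */
static int next_offset_is_valid(int next)
{
    return next >= 0;
}

int main(void)
{
    int size = 0;
    int wrapped = block_size_unchecked(REPORTED_CHANNELS);

    printf("unchecked product for %d channels: %d\n", REPORTED_CHANNELS, wrapped);
    printf("acceptable to the frame combiner: %s\n",
           next_offset_is_valid(wrapped) ? "yes" : "no");
    printf("checked form rejects it: %s\n",
           block_size_checked(REPORTED_CHANNELS, &size) < 0 ? "yes" : "no");
    if (block_size_checked(2, &size) == 0)
        printf("checked form, 2 channels: %d bytes\n", size);
    return 0;
}
```

The point for a parser is the order of operations: reject the container-supplied count against a codec-specific bound first, then do the arithmetic, so that the value reaching the frame combiner satisfies its precondition by construction rather than by assertion.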