[FFmpeg-trac] #10545(undetermined:new): osq: crash with fuzzed file
FFmpeg
trac at avcodec.org
Mon Sep 4 12:53:41 EEST 2023
#10545: osq: crash with fuzzed file
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  undetermined |                  Version:  unspecified
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
{{{
(gdb) r -i 8s_fuzz.osq -f null -
Starting program: ffmpeg_g -i 8s_fuzz.osq -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-111893-gbef151d1ce Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 11 (Ubuntu 11.4.0-1ubuntu1~22.04)
configuration:
libavutil 58. 19.100 / 58. 19.100
libavcodec 60. 25.100 / 60. 25.100
libavformat 60. 11.100 / 60. 11.100
libavdevice 60. 2.101 / 60. 2.101
libavfilter 9. 11.100 / 9. 11.100
libswscale 7. 3.100 / 7. 3.100
libswresample 4. 11.100 / 4. 11.100
[aist#0:0/osq @ 0x5555580e2f80] Guessed Channel Layout: stereo
Input #0, osq, from '8s_fuzz.osq':
Duration: 00:00:10.87, start: 0.000000, bitrate: 270 kb/s
Stream #0:0: Audio: osq, 44100 Hz, 2 channels, u8p
[New Thread 0x7ffff6fdc640 (LWP 32456)]
Stream mapping:
Stream #0:0 -> #0:0 (osq (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
[New Thread 0x7ffff67db640 (LWP 32457)]
[osq @ 0x5555580e02c0] overread!
[aist#0:0/osq @ 0x5555580e2f80] Error submitting packet to decoder: Invalid data found when processing input
munmap_chunk(): invalid pointer
Thread 2 "dec0:0:osq" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff6fdc640 (LWP 32456)]
__pthread_kill_implementation (no_tid=0, signo=6,
threadid=140737337214528) at ./nptl/pthread_kill.c:44
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6,
threadid=140737337214528) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737337214528)
at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737337214528, signo=signo at entry=6)
at ./nptl/pthread_kill.c:89
#3 0x00007ffff783c476 in __GI_raise (sig=sig at entry=6)
at ../sysdeps/posix/raise.c:26
#4 0x00007ffff78227f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff78836f6 in __libc_message (action=action at entry=do_abort,
fmt=fmt at entry=0x7ffff79d5b8c "%s\n") at
../sysdeps/posix/libc_fatal.c:155
#6 0x00007ffff789ad7c in malloc_printerr (
str=str at entry=0x7ffff79d8230 "munmap_chunk(): invalid pointer")
at ./malloc/malloc.c:5664
#7 0x00007ffff789b05c in munmap_chunk (p=<optimized out>)
at ./malloc/malloc.c:3060
#8 0x00007ffff789f51a in __GI___libc_free (mem=<optimized out>)
at ./malloc/malloc.c:3381
#9 0x0000555556529a49 in av_free (ptr=<optimized out>)
at libavutil/mem.c:241
#10 0x0000555556529b16 in av_freep (arg=arg at entry=0x7ffff0000b40)
at libavutil/mem.c:251
#11 0x0000555556511adf in buffer_replace (src=0x0, dst=0x7ffff0000b40)
at libavutil/buffer.c:127
#12 av_buffer_unref (buf=buf at entry=0x7ffff0000b40) at
libavutil/buffer.c:144
#13 0x0000555555b6454e in av_packet_unref (pkt=0x7ffff0000b40)
at libavcodec/avpacket.c:426
#14 0x000055555570830d in decoder_thread (arg=0x5555580e2f80)
at fftools/ffmpeg_dec.c:704
#15 0x00007ffff788eb43 in start_thread (arg=<optimized out>)
at ./nptl/pthread_create.c:442
#16 0x00007ffff7920a00 in clone3 ()
at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
}}}
{{{
==32540== Invalid write of size 4
==32540== at 0xA0B13F: get_srice (get_bits.h:395)
==32540== by 0xA0B13F: do_decode (osq.c:250)
==32540== by 0xA0B13F: osq_decode_block (osq.c:357)
==32540== by 0xA0B13F: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
==32540== Invalid write of size 4
==32540== at 0xA0ADD1: do_decode (osq.c:271)
==32540== by 0xA0ADD1: osq_decode_block (osq.c:357)
==32540== by 0xA0ADD1: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
==32540== Invalid read of size 4
==32540== at 0xA0AC0B: do_decode (osq.c:319)
==32540== by 0xA0AC0B: osq_decode_block (osq.c:357)
==32540== by 0xA0AC0B: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
==32540== Invalid write of size 4
==32540== at 0xA0AB90: do_decode (osq.c:246)
==32540== by 0xA0AB90: osq_decode_block (osq.c:357)
==32540== by 0xA0AB90: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5859454 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
==32540== Invalid write of size 4
==32540== at 0xA0ADEB: do_decode (osq.c:265)
==32540== by 0xA0ADEB: osq_decode_block (osq.c:357)
==32540== by 0xA0ADEB: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5859454 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
==32540== Invalid read of size 4
==32540== at 0xA0AE15: do_decode (osq.c:328)
==32540== by 0xA0AE15: osq_decode_block (osq.c:357)
==32540== by 0xA0AE15: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
==32540== Invalid read of size 4
==32540== at 0xA0AE19: do_decode (osq.c:328)
==32540== by 0xA0AE19: osq_decode_block (osq.c:357)
==32540== by 0xA0AE19: osq_receive_frame (osq.c:435)
==32540== by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540== by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540== by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540== by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0x5859454 is 0 bytes after a block of size 1,044 alloc'd
==32540== at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x10DD9A4: av_malloc (mem.c:105)
==32540== by 0x10DDB6D: av_mallocz (mem.c:256)
==32540== by 0x26922B: osq_init (osq.c:119)
==32540== by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540== by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540== by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540== by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540== by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540== by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540== by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540== by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540== by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540== by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540==
[osq @ 0x5850440] overread!
[aist#0:0/osq @ 0x5850240] Error submitting packet to decoder: Invalid data found when processing input
==32540== Invalid free() / delete / delete[] / realloc()
==32540== at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540== by 0x717E52: av_packet_free_side_data (avpacket.c:192)
==32540== by 0x71853C: av_packet_unref (avpacket.c:424)
==32540== by 0x2BC30C: decoder_thread (ffmpeg_dec.c:704)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0xfff5d923fff5ddbf is not stack'd, malloc'd or (recently) free'd
==32540==
==32540== Invalid read of size 8
==32540== at 0x10C5AD7: buffer_replace (buffer.c:121)
==32540== by 0x10C5AD7: av_buffer_unref (buffer.c:144)
==32540== by 0x718545: av_packet_unref (avpacket.c:425)
==32540== by 0x2BC30C: decoder_thread (ffmpeg_dec.c:704)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540== Address 0xfff5aaf9fff5af86 is not stack'd, malloc'd or (recently) free'd
==32540==
==32540==
==32540== Process terminating with default action of signal 11 (SIGSEGV)
==32540== General Protection Fault
==32540== at 0x10C5AD7: buffer_replace (buffer.c:121)
==32540== by 0x10C5AD7: av_buffer_unref (buffer.c:144)
==32540== by 0x718545: av_packet_unref (avpacket.c:425)
==32540== by 0x2BC30C: decoder_thread (ffmpeg_dec.c:704)
==32540== by 0x4E88B42: start_thread (pthread_create.c:442)
==32540== by 0x4F19BB3: clone (clone.S:100)
==32540==
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10545>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
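Reading the two logs together (an editor's note added here, not part of the ticket): the valgrind entries at osq.c:246, 250, 265 and 271 are 4-byte writes, and those at osq.c:319 and 328 are 4-byte reads, all landing 0 bytes past a 1,044-byte block that osq_init allocated (osq.c:119). Everything after that is downstream damage. The "Invalid free()" in av_packet_free_side_data and the fault in buffer_replace both act on pointer values (0xfff5d923fff5ddbf, 0xfff5aaf9fff5af86) that valgrind reports as never stacked, malloc'd or recently freed, and the uninstrumented gdb run only ever sees this late stage, as the "munmap_chunk(): invalid pointer" abort inside av_packet_unref. Each wild value splits into two 32-bit halves of similar magnitude (0xfff5d923 / 0xfff5ddbf and 0xfff5aaf9 / 0xfff5af86), which is consistent with consecutive decoded samples having been written over the packet's pointer fields; that is an inference from the log, not something the ticket establishes. Either way the input file controls both how far the decoder writes past the block and what it writes there, so this is a heap buffer overflow to triage as memory corruption, not merely a crash.

The C program below is an added, constructed model of that chain and is not osq.c or any other FFmpeg code. It places a 1,044-byte sample block (the one number borrowed from the report) directly before a pointer-sized field standing in for the neighbouring AVPacket, decodes a constructed input once with an unchecked loop and once with a bounds-checked one, and shows that the unchecked loop turns the neighbour's pointer into the same wild value the ticket reports while the checked loop rejects the block with an AVERROR_INVALIDDATA-style error and leaves the neighbour untouched. The sample values, the neighbour layout, the function names and the error code are all assumptions made for the demo.

```c
/* Constructed model of the chain in this ticket: a decoder writes past a
 * fixed-size block allocated at init, the overflow lands in the object that
 * follows it on the heap (here a pointer field), and a later free() of that
 * clobbered pointer is what glibc reports as "munmap_chunk(): invalid pointer".
 * Not osq.c code; the only value taken from the report is the 1,044-byte block. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAMPLE_CAP      261                   /* 261 * 4 = 1044 bytes, as in the valgrind output */
#define BLOCK_BYTES     (SAMPLE_CAP * 4)
#define ARENA_BYTES     (BLOCK_BYTES + 8)     /* block followed by one 8-byte pointer field */
#define NB_BITSTREAM    (SAMPLE_CAP + 2)      /* length of the constructed input */
#define ERR_INVALIDDATA (-1)                  /* stands in for AVERROR_INVALIDDATA */
#define SENTINEL_PTR    0x0000555500001000ULL /* the neighbour's pointer before decoding */

struct run {
    int      ret;        /* decoder return value */
    uint64_t neighbour;  /* the 8 bytes right after the block, after decoding */
};

/* Unchecked model: trusts a sample count derived from the packet and writes that
 * many 32-bit samples. A count above the capacity is exactly what produces
 * "Invalid write of size 4 ... 0 bytes after a block of size 1,044". */
int decode_block_unchecked(int32_t *out, int cap, const int32_t *in, int nb_samples)
{
    (void)cap;
    for (int i = 0; i < nb_samples; i++)
        out[i] = in[i];
    return nb_samples;
}

/* Hardened variant: refuse any count the init-time buffer cannot hold. */
int decode_block_checked(int32_t *out, int cap, const int32_t *in, int nb_samples)
{
    if (nb_samples < 0 || nb_samples > cap)
        return ERR_INVALIDDATA;
    for (int i = 0; i < nb_samples; i++)
        out[i] = in[i];
    return nb_samples;
}

/* The 64-bit value two adjacent 32-bit samples form in memory (native byte order). */
uint64_t words_as_u64(int32_t lo, int32_t hi)
{
    uint64_t v;
    memcpy(&v, &lo, 4);
    memcpy((uint8_t *)&v + 4, &hi, 4);
    return v;
}

/* Decodes one constructed block into a fresh arena laid out as
 * [1044-byte sample block][8-byte neighbour pointer] and reports what the
 * neighbour holds afterwards. The arena is a single malloc'd object, so the
 * unchecked model's out-of-bounds writes stay inside it: the demo is valid C. */
struct run simulate(int checked, int nb_samples)
{
    struct run r = { ERR_INVALIDDATA, 0 };
    int32_t in[NB_BITSTREAM];
    uint64_t sentinel = SENTINEL_PTR;
    uint8_t *arena;

    if (nb_samples > NB_BITSTREAM)      /* the constructed input is only this long */
        return r;

    /* Constructed "decoded samples": small negative values. The two that land past
     * the block are chosen so that, on a little-endian machine, the clobbered
     * pointer reads 0xfff5d923fff5ddbf, the value in the ticket's Invalid free(). */
    for (int i = 0; i < SAMPLE_CAP; i++)
        in[i] = -(1000 + i);
    in[SAMPLE_CAP]     = -664129;   /* 0xfff5ddbf */
    in[SAMPLE_CAP + 1] = -665309;   /* 0xfff5d923 */

    arena = malloc(ARENA_BYTES);
    if (!arena)
        return r;
    memcpy(arena + BLOCK_BYTES, &sentinel, sizeof sentinel);

    r.ret = checked
        ? decode_block_checked((int32_t *)arena, SAMPLE_CAP, in, nb_samples)
        : decode_block_unchecked((int32_t *)arena, SAMPLE_CAP, in, nb_samples);

    memcpy(&r.neighbour, arena + BLOCK_BYTES, sizeof r.neighbour);
    free(arena);
    return r;
}

int main(void)
{
    struct run bad = simulate(0, SAMPLE_CAP + 2);   /* two samples too many */

    printf("unchecked: ret=%d neighbour=0x%016llx (was 0x%016llx)\n", bad.ret,
           (unsigned long long)bad.neighbour, (unsigned long long)SENTINEL_PTR);
    /* free((void *)bad.neighbour) is the step av_packet_unref then took in the ticket */
    return 0;
}
```

Build with cc -std=c11 -Wall and run; nothing outside the standard library is needed. For the real decoder, the same gap between first fault and late symptom is why an instrumented build is worth the time: an AddressSanitizer build of FFmpeg (./configure --toolchain=gcc-asan) stops at the first out-of-bounds write in do_decode, where valgrind does above, instead of at the abort in av_packet_unref.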