[FFmpeg-trac] #10952(avcodec:new): negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0
FFmpeg
trac at avcodec.org
Sat Apr 6 05:29:50 EEST 2024
#10952: negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0
-------------------------------------+-------------------------------------
Reporter: ZengYunxiang               | Type: defect
Status: new                          | Priority: important
Component: avcodec                   | Version: 7.0
Keywords: bugs                       | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Summary of the bug:
Dear developers,
I found the following negative-size-param bug in FFmpeg 7.0; please confirm.
The PoC file (poc21ffmpeg) will be attached to this ticket.
How to reproduce:
{{{
tar -xvf ffmpeg-7.0.tar.xz
cd ffmpeg-7.0
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30
./ffmpeg_g -y -i poc21ffmpeg tmp.mp4
}}}
ASAN Log:
{{{
=================================================================
==2083195==ERROR: AddressSanitizer: negative-size-param: (size=-40)
#0 0x555633abd3b4 in __asan_memcpy (/ffmpeg-7.0/ffmpeg_g+0x9a23b4)
(BuildId: 545ccc2062eaee7e775c86df925c8f1fb97035e3)
#1 0x555635cd8547 in load_input_picture
/ffmpeg-7.0/libavcodec/mpegvideo_enc.c:1216:21
#2 0x555635cd8547 in ff_mpv_encode_picture
/ffmpeg-7.0/libavcodec/mpegvideo_enc.c:1765:9
#3 0x555635398c73 in ff_encode_encode_cb
/ffmpeg-7.0/libavcodec/encode.c:253:11
#4 0x55563539a3a8 in encode_simple_internal
/ffmpeg-7.0/libavcodec/encode.c:339:15
#5 0x55563539a3a8 in encode_simple_receive_packet
/ffmpeg-7.0/libavcodec/encode.c:353:15
#6 0x55563539a3a8 in encode_receive_packet_internal
/ffmpeg-7.0/libavcodec/encode.c:387:15
#7 0x555635399a81 in avcodec_send_frame
/ffmpeg-7.0/libavcodec/encode.c:530:15
#8 0x555633b207f0 in encode_frame
/ffmpeg-7.0/fftools/ffmpeg_enc.c:675:11
#9 0x555633b207f0 in frame_encode
/ffmpeg-7.0/fftools/ffmpeg_enc.c:843:12
#10 0x555633b1f229 in encoder_thread
/ffmpeg-7.0/fftools/ffmpeg_enc.c:929:15
#11 0x555633b897d2 in task_wrapper
/ffmpeg-7.0/fftools/ffmpeg_sched.c:2447:11
#12 0x7f3427401ac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)
(BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#13 0x7f3427493a3f (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f)
(BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
0x611000040780 is located 0 bytes inside of 192-byte region
[0x611000040780,0x611000040840)
allocated by thread T18 (fc0) here:
#0 0x555633abec67 in __interceptor_posix_memalign
(/ffmpeg-7.0/ffmpeg_g+0x9a3c67) (BuildId:
545ccc2062eaee7e775c86df925c8f1fb97035e3)
#1 0x5556380269d1 in av_malloc /ffmpeg-7.0/libavutil/mem.c:105:9
#2 0x555637fc0b6c in av_buffer_alloc
/ffmpeg-7.0/libavutil/buffer.c:82:12
#3 0x555637fc0b6c in av_buffer_allocz
/ffmpeg-7.0/libavutil/buffer.c:95:24
#4 0x555637fc35d6 in pool_alloc_buffer
/ffmpeg-7.0/libavutil/buffer.c:363:26
#5 0x555637fc35d6 in av_buffer_pool_get
/ffmpeg-7.0/libavutil/buffer.c:401:15
#6 0x555633cd8ca5 in ff_frame_pool_get
/ffmpeg-7.0/libavfilter/framepool.c:217:29
#7 0x555634431dfe in ff_default_get_video_buffer2
/ffmpeg-7.0/libavfilter/video.c:96:13
#8 0x5556344317cc in ff_get_video_buffer
/ffmpeg-7.0/libavfilter/video.c:119:15
Thread T17 (enc0:0:mpeg4) created by T0 here:
#0 0x555633aa756c in __interceptor_pthread_create
(/ffmpeg-7.0/ffmpeg_g+0x98c56c) (BuildId:
545ccc2062eaee7e775c86df925c8f1fb97035e3)
#1 0x555633b81d23 in task_start
/ffmpeg-7.0/fftools/ffmpeg_sched.c:416:11
Thread T18 (fc0) created by T0 here:
#0 0x555633aa756c in __interceptor_pthread_create
(/ffmpeg-7.0/ffmpeg_g+0x98c56c) (BuildId:
545ccc2062eaee7e775c86df925c8f1fb97035e3)
#1 0x555633b81d23 in task_start
/ffmpeg-7.0/fftools/ffmpeg_sched.c:416:11
SUMMARY: AddressSanitizer: negative-size-param
(/ffmpeg-7.0/ffmpeg_g+0x9a23b4) (BuildId:
545ccc2062eaee7e775c86df925c8f1fb97035e3) in __asan_memcpy
==2083195==ABORTING
}}}
ffmpeg version:
{{{
# ./ffmpeg -version
ffmpeg version 7.0 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=afl-clang-fast --cxx=afl-clang-fast++ --disable-shared
libavutil 59. 8.100 / 59. 8.100
libavcodec 61. 3.100 / 61. 3.100
libavformat 61. 1.100 / 61. 1.100
libavdevice 61. 1.100 / 61. 1.100
libavfilter 10. 1.100 / 10. 1.100
libswscale 8. 1.100 / 8. 1.100
libswresample 5. 1.100 / 5. 1.100
}}}
Credit:
{{{
Discovered by Zeng Yunxiang.
}}}
Thanks for your time!
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10952>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
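Added as a triage aid, not code from the ticket or from FFmpeg: a parser that pulls the error class, the reported size and the first in-tree source frame out of a sanitizer report such as the one quoted above, so that fuzzer crashes can be bucketed and deduplicated before anyone opens the file. It assumes the report text is the ASAN excerpt embedded below and that the source tree root is `/ffmpeg-7.0/`, as in the ticket's paths.

```python
import re
from collections import namedtuple

# Excerpt of the ASAN report quoted in this ticket (middle frames dropped), embedded to run offline.
ASAN_REPORT = """\
==2083195==ERROR: AddressSanitizer: negative-size-param: (size=-40)
    #0 0x555633abd3b4 in __asan_memcpy (/ffmpeg-7.0/ffmpeg_g+0x9a23b4) (BuildId: 545ccc2062eaee7e775c86df925c8f1fb97035e3)
    #1 0x555635cd8547 in load_input_picture /ffmpeg-7.0/libavcodec/mpegvideo_enc.c:1216:21
    #2 0x555635cd8547 in ff_mpv_encode_picture /ffmpeg-7.0/libavcodec/mpegvideo_enc.c:1765:9
    #12 0x7f3427401ac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: negative-size-param (/ffmpeg-7.0/ffmpeg_g+0x9a23b4) in __asan_memcpy
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+)(?::\s*\(size=(-?\d+)\))?")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(\S+)\s+)?(\S+)")
SRC_RE = re.compile(r"^([^():]+):(\d+)(?::\d+)?$")   # path:line[:col]; binary+offset forms do not match

Frame = namedtuple("Frame", "idx func file line")  # file/line are None when not symbolized to source

def parse_asan_report(text):
    """(pid, kind, size, frames) for the error stack directly under the ERROR header."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if HEADER_RE.match(l))  # StopIteration if no header
    m = HEADER_RE.match(lines[start])
    pid, kind, size = int(m[1]), m[2], (int(m[3]) if m[3] is not None else None)
    frames = []
    for raw in lines[start + 1:]:  # later "#0 ..." blocks are alloc/thread stacks, not the crash site
        f = FRAME_RE.match(raw)
        if not f:
            break
        s = SRC_RE.match(f[3])
        frames.append(Frame(int(f[1]), f[2], s[1] if s else None, int(s[2]) if s else None))
    return pid, kind, size, frames

def crash_site(frames, tree_root):
    """First in-tree frame that is not a sanitizer interceptor: the line a triager opens first."""
    for f in frames:
        if f.file and f.file.startswith(tree_root) and \
                not (f.func or "").startswith(("__asan_", "__interceptor_")):
            return f
    return None

def triage(text, tree_root="/ffmpeg-7.0/"):
    """Fields used to bucket and deduplicate fuzzer crashes before filing or fixing."""
    pid, kind, size, frames = parse_asan_report(text)
    site = crash_site(frames, tree_root)
    where = f"{site.file[len(tree_root):]}:{site.line}" if site else "unknown"
    return {"pid": pid, "kind": kind, "size": size, "frames": len(frames),
            "function": site.func if site else None, "site": where, "bucket": f"{kind}@{where}"}
```

For this ticket `triage(ASAN_REPORT)["bucket"]` is `negative-size-param@libavcodec/mpegvideo_enc.c:1216`, which is the key to compare against other fuzzer findings before treating them as distinct bugs.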