[FFmpeg-trac] #11393(avcodec:new): SEGV on libavcodec/jpeg2000dec.c:1491:59
FFmpeg
trac at avcodec.org
Thu Jan 2 03:42:50 EET 2025
#11393: SEGV on libavcodec/jpeg2000dec.c:1491:59
---------------------------------+--------------------------------------
Reporter: 0x20z | Type: defect
Status: new | Priority: important
Component: avcodec | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+--------------------------------------
Summary of the bug:
Dear developers,
I have discovered a Segmentation Fault vulnerability. The POC file is
attached to the session, and the version of ffmpeg is
N-118197-gbb85423142, the main branch. Please confirm.
How to reproduce:
{{{
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -y -i poc tmp.mp4
}}}
ASAN log:
{{{
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4155776==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5c833916beed bp 0x707b21dfe040 sp 0x707b21dfd150 T1)
==4155776==The signal is caused by a READ memory access.
==4155776==Hint: address points to the zero page.
    #0 0x5c833916beed in jpeg2000_decode_packet FFmpeg/libavcodec/jpeg2000dec.c:1491:59
    #1 0x5c83391635ae in jpeg2000_decode_packets_po_iteration FFmpeg/libavcodec/jpeg2000dec.c:1595:40
    #2 0x5c8339162ae6 in jpeg2000_decode_packets FFmpeg/libavcodec/jpeg2000dec.c:1856:15
    #3 0x5c833914e32b in jpeg2000_read_bitstream_packets FFmpeg/libavcodec/jpeg2000dec.c:2651:20
    #4 0x5c8339143d46 in jpeg2000_decode_frame FFmpeg/libavcodec/jpeg2000dec.c:2880:15
    #5 0x5c8338ac27f5 in decode_simple_internal FFmpeg/libavcodec/decode.c:443:16
    #6 0x5c8338ab04f4 in decode_simple_receive_frame FFmpeg/libavcodec/decode.c:613:15
    #7 0x5c8338aadd59 in ff_decode_receive_frame_internal FFmpeg/libavcodec/decode.c:649:15
    #8 0x5c83396b21ff in frame_worker_thread FFmpeg/libavcodec/pthread_frame.c:295:19
    #9 0x707b24694ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #10 0x707b2472684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV FFmpeg/libavcodec/jpeg2000dec.c:1491:59 in jpeg2000_decode_packet
Thread T1 (av:jpeg200:df0) created by T0 here:
    #0 0x5c8336dd625c in __interceptor_pthread_create (FFmpeg/ffmpeg+0x7b725c) (BuildId: e9074a31dadd6ca9f015fa496c6951e0bb7210b0)
    #1 0x5c83396afe91 in init_thread FFmpeg/libavcodec/pthread_frame.c:913:11
    #2 0x5c83396aeb2f in ff_frame_thread_init FFmpeg/libavcodec/pthread_frame.c:972:15
    #3 0x5c83396a7678 in ff_thread_init /FFmpeg/libavcodec/pthread.c:79:16
    #4 0x5c833868ebbd in avcodec_open2 FFmpeg/libavcodec/avcodec.c:323:15
    #5 0x5c8336e2aed4 in dec_open FFmpeg/fftools/ffmpeg_dec.c:1602:16
    #6 0x5c8336e2915b in dec_init FFmpeg/fftools/ffmpeg_dec.c:1662:11
    #7 0x5c8336e3e474 in ist_use FFmpeg/fftools/ffmpeg_demux.c:950:15
    #8 0x5c8336e3f272 in ist_filter_add FFmpeg/fftools/ffmpeg_demux.c:986:11
    #9 0x5c8336e6d919 in ifilter_bind_ist FFmpeg/fftools/ffmpeg_filter.c:690:11
    #10 0x5c8336e6ceeb in fg_create_simple FFmpeg/fftools/ffmpeg_filter.c:1230:11
    #11 0x5c8336eb21ff in ost_bind_filter FFmpeg/fftools/ffmpeg_mux_init.c:999:15
    #12 0x5c8336ea67ad in ost_add FFmpeg/fftools/ffmpeg_mux_init.c:1536:15
    #13 0x5c8336ea09be in map_auto_video FFmpeg/fftools/ffmpeg_mux_init.c:1640:16
    #14 0x5c8336e99724 in create_streams FFmpeg/fftools/ffmpeg_mux_init.c:1969:19
    #15 0x5c8336e97b55 in of_open FFmpeg/fftools/ffmpeg_mux_init.c:3335:11
    #16 0x5c8336ec4512 in open_files FFmpeg/fftools/ffmpeg_opt.c:1363:15
    #17 0x5c8336ec3e38 in ffmpeg_parse_options FFmpeg/fftools/ffmpeg_opt.c:1419:11
    #18 0x5c8336f0cfad in main FFmpeg/fftools/ffmpeg.c:974:11
    #19 0x707b24629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
==4155776==ABORTING
}}}
ffmpeg version:
{{{
# ./ffmpeg -version
ffmpeg version N-118197-gbb85423142 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan --enable-cross-compile
libavutil 59. 53.100 / 59. 53.100
libavcodec 61. 28.100 / 61. 28.100
libavformat 61. 9.102 / 61. 9.102
libavdevice 61. 4.100 / 61. 4.100
libavfilter 10. 6.101 / 10. 6.101
libswscale 8. 13.100 / 8. 13.100
libswresample 5. 4.100 / 5. 4.100
}}}
Found by:
{{{
Found by 0x20z
}}}
Thank you for your time and attention
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11393>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker