Opened 6 years ago

Closed 6 years ago

#2843 closed defect (fixed)

jpeg2000: crash with fuzzed file 2

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: j2k crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

knoppix@Microknoppix:/media/sdb1/ffmpeg$ ./ffmpeg_g -i ../fuzzed3.avi -f null -
ffmpeg version 2.0 Copyright (c) 2000-2013 the FFmpeg developers
  built on Aug  6 2013 21:17:38 with gcc 4.7 (Debian 4.7.2-4)
  configuration: --enable-gpl --disable-yasm --disable-ffprobe --disable-ffserver
  libavutil      52. 40.100 / 52. 40.100
  libavcodec     55. 20.100 / 55. 20.100
  libavformat    55. 13.101 / 55. 13.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.100 /  3. 82.100
  libswscale      2.  4.100 /  2.  4.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, avi, from '../fuzzed3.avi':
  Duration: 00:00:05.96, start: 0.000000, bitrate: 320 kb/s
    Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0) (MJ2C / 0x43324A4D), rgb24, 192x128, 24 fps, 24 tbr, 24 tbn, 24 tbc
    Stream #0:1: Audio: mp3 (U[0][0][0] / 0x0055), 11025 Hz, mono, s16p, 7 kb/s
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.13.101
    Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 192x128, q=2-31, 200 kb/s, 90k tbn, 24 tbc
    Stream #0:1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
  Stream #0:1 -> #0:1 (mp3 -> pcm_s16le)
Press [q] to stop, [?] for help
[null @ 0x90d7580] Encoder did not produce proper pts, making some up.
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x90d4620] error during processing marker segment ff90
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x90d4620] extra cblk styles C0
[jpeg2000 @ 0x90d4620] error during processing marker segment ff53
Error while decoding stream #0:0: Operation not permitted
[jpeg2000 @ 0x90d4620] error during processing marker segment ff51
Error while decoding stream #0:0: Invalid argument
[jpeg2000 @ 0x90d4620] [IMGUTILS @ 0xbfd7cbb4] Picture size 192x4294967168 is invalid
[jpeg2000 @ 0x90d4620] video_get_buffer: image parameters invalid
[jpeg2000 @ 0x90d4620] get_buffer() failed
[jpeg2000 @ 0x90d4620] thread_get_buffer() failed
Error while decoding stream #0:0: Invalid argument
Segmentation fault (core dumped)
knoppix@Microknoppix:/media/sdb1/ffmpeg$ gdb -c core ffmpeg_g
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg/ffmpeg_g...done.
[New LWP 8801]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Failed to read a valid object file image from memory.
Core was generated by `./ffmpeg_g -i ../fuzzed3.avi -f null -'.
Program terminated with signal 11, Segmentation fault.
#0  0x08506cc0 in mct_decode (s=<optimized out>, tile=<optimized out>)
    at libavcodec/jpeg2000dec.c:1164
1164	            i1 = *src[0] - (*src[2] + *src[1] >> 2);
(gdb) bt
#0  0x08506cc0 in mct_decode (s=<optimized out>, tile=<optimized out>)
    at libavcodec/jpeg2000dec.c:1164
#1  jpeg2000_decode_tile (s=s@entry=0x90c4d00, tile=0x90d93c0, 
    picture=picture@entry=0x90c43c0) at libavcodec/jpeg2000dec.c:1236
#2  0x0850929c in jpeg2000_decode_frame (avctx=0x90d4620, data=0x90c43c0, 
    got_frame=0xbfd7d064, avpkt=0xbfd7ce08) at libavcodec/jpeg2000dec.c:1626
#3  0x08671b0e in avcodec_decode_video2 (avctx=0x90d4620, 
    picture=picture@entry=0x90c43c0, 
    got_picture_ptr=got_picture_ptr@entry=0xbfd7d064, 
    avpkt=avpkt@entry=0xbfd7d2b0) at libavcodec/utils.c:1986
#4  0x080b2cdd in decode_video (ist=ist@entry=0x910e6a0, 
    pkt=pkt@entry=0xbfd7d2b0, got_output=got_output@entry=0xbfd7d064)
    at ffmpeg.c:1653
#5  0x080b6422 in output_packet (pkt=0xbfd7d248, ist=0x910e6a0)
    at ffmpeg.c:1851
#6  process_input (file_index=2) at ffmpeg.c:3063
#7  0x080a1fc3 in transcode_step () at ffmpeg.c:3159
#8  transcode () at ffmpeg.c:3211
#9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3389
(gdb) 

Attachments (1)

fuzzed3.avi (233.0 KB) - added by ami_stuff 6 years ago.


Change History (4)

Changed 6 years ago by ami_stuff

comment:1 Changed 6 years ago by ami_stuff

invalid read

knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg/ffmpeg_g -i ./fuzzed3.avi -f null -
==2436== Memcheck, a memory error detector
==2436== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2436== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2436== Command: ffmpeg/ffmpeg_g -i ./fuzzed3.avi -f null -
==2436== 
ffmpeg version 2.0 Copyright (c) 2000-2013 the FFmpeg developers
  built on Aug  6 2013 21:17:38 with gcc 4.7 (Debian 4.7.2-4)
  configuration: --enable-gpl --disable-yasm --disable-ffprobe --disable-ffserver
  libavutil      52. 40.100 / 52. 40.100
  libavcodec     55. 20.100 / 55. 20.100
  libavformat    55. 13.101 / 55. 13.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.100 /  3. 82.100
  libswscale      2.  4.100 /  2.  4.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, avi, from './fuzzed3.avi':
  Duration: 00:00:05.96, start: 0.000000, bitrate: 320 kb/s
    Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0) (MJ2C / 0x43324A4D), rgb24, 192x128, 24 fps, 24 tbr, 24 tbn, 24 tbc
    Stream #0:1: Audio: mp3 (U[0][0][0] / 0x0055), 11025 Hz, mono, s16p, 7 kb/s
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.13.101
    Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 192x128, q=2-31, 200 kb/s, 90k tbn, 24 tbc
    Stream #0:1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
  Stream #0:1 -> #0:1 (mp3 -> pcm_s16le)
Press [q] to stop, [?] for help
[null @ 0x442d8a0] Encoder did not produce proper pts, making some up.
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] error during processing marker segment ff90
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] extra cblk styles C0
[jpeg2000 @ 0x43144e0] error during processing marker segment ff53
Error while decoding stream #0:0: Operation not permitted
[jpeg2000 @ 0x43144e0] error during processing marker segment ff51
Error while decoding stream #0:0: Invalid argument
[jpeg2000 @ 0x43144e0] [IMGUTILS @ 0xbefe0004] Picture size 192x4294967168 is invalid
[jpeg2000 @ 0x43144e0] video_get_buffer: image parameters invalid
[jpeg2000 @ 0x43144e0] get_buffer() failed
[jpeg2000 @ 0x43144e0] thread_get_buffer() failed
Error while decoding stream #0:0: Invalid argument
==2436== Invalid read of size 4
==2436==    at 0x8506CC0: jpeg2000_decode_tile (jpeg2000dec.c:1164)
==2436==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==2436==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==2436==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==2436==    by 0x3171987: ???
==2436==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2436== 
==2436== 
==2436== Process terminating with default action of signal 11 (SIGSEGV)
==2436==  Access not within mapped region at address 0x0
==2436==    at 0x8506CC0: jpeg2000_decode_tile (jpeg2000dec.c:1164)
==2436==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==2436==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==2436==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==2436==    by 0x3171987: ???
==2436==  If you believe this happened as a result of a stack
==2436==  overflow in your program's main thread (unlikely but
==2436==  possible), you can try to increase the size of the
==2436==  main thread stack using the --main-stacksize= flag.
==2436==  The main thread stack size used in this run was 8388608.
==2436== 
==2436== HEAP SUMMARY:
==2436==     in use at exit: 15,377,228 bytes in 350 blocks
==2436==   total heap usage: 31,821 allocs, 31,471 frees, 119,720,893 bytes allocated
==2436== 
==2436== LEAK SUMMARY:
==2436==    definitely lost: 0 bytes in 0 blocks
==2436==    indirectly lost: 0 bytes in 0 blocks
==2436==      possibly lost: 0 bytes in 0 blocks
==2436==    still reachable: 15,377,228 bytes in 350 blocks
==2436==         suppressed: 0 bytes in 0 blocks
==2436== Reachable blocks (those to which a pointer was found) are not shown.
==2436== To see them, rerun with: --leak-check=full --show-reachable=yes
==2436== 
==2436== For counts of detected and suppressed errors, rerun with: -v
==2436== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 23 from 6)
Segmentation fault
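
The two traces above agree on the mechanism: the fuzzed SIZ marker yields a height of 4294967168 (the 32-bit wrap of -128), get_buffer() rejects it, and decoding nevertheless proceeds into mct_decode, which reads the component planes through NULL ("Address 0x0 is not stack'd, malloc'd or (recently) free'd"). The block below is an added example, not libavcodec code and not the fix that closed this ticket (the ticket does not show it). It is a miniature tile decoder with the same inverse reversible colour transform as jpeg2000dec.c:1164, with the ignoring-the-allocation-result pattern next to a checked path that refuses to run the transform when the planes were never allocated. Tile, check_image_size, tile_alloc, decode_tile_unchecked, decode_tile_checked and decode_one_pixel are hypothetical names; the sample pixel values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libavcodec code: a miniature JPEG 2000 tile decoder
 * whose inverse reversible colour transform (RCT) is the transform that crashed. */

typedef struct Tile {
    int32_t *comp[3];          /* Y0/Y1/Y2 sample planes, NULL until allocated */
    unsigned width, height;
} Tile;

/* Dimension check in the spirit of av_image_check_size(); the ticket's height
 * 4294967168 is (int)-128, a wrapped negative value, and is rejected here. */
static int check_image_size(unsigned w, unsigned h)
{
    if (w == 0 || h == 0 || w > INT32_MAX || h > INT32_MAX)
        return -1;
    return (uint64_t)w * h > (uint64_t)INT32_MAX / 8 ? -1 : 0;  /* bound samples */
}

static void tile_free(Tile *t)
{
    for (int c = 0; c < 3; c++) {
        free(t->comp[c]);
        t->comp[c] = NULL;
    }
}

/* Stand-in for get_buffer(): on failure returns -1 and leaves every plane NULL. */
static int tile_alloc(Tile *t, unsigned w, unsigned h)
{
    memset(t, 0, sizeof *t);
    if (check_image_size(w, h) < 0)
        return -1;
    t->width = w;
    t->height = h;
    for (int c = 0; c < 3; c++) {
        t->comp[c] = calloc((size_t)w * h, sizeof(int32_t));
        if (!t->comp[c]) {
            tile_free(t);
            return -1;
        }
    }
    return 0;
}

/* Inverse RCT (ITU-T T.800 Annex G.2), in place:
 *   G = Y0 - ((Y1 + Y2) >> 2);  R = Y2 + G;  B = Y1 + G
 * Run over NULL planes this is exactly the "Address 0x0" read valgrind reported. */
static void mct_decode_rct(Tile *t)
{
    int32_t *src[3] = { t->comp[0], t->comp[1], t->comp[2] };
    size_t n = (size_t)t->width * t->height;
    for (size_t i = 0; i < n; i++) {
        int32_t g = src[0][i] - ((src[2][i] + src[1][i]) >> 2);
        int32_t r = src[2][i] + g, b = src[1][i] + g;
        src[0][i] = r; src[1][i] = g; src[2][i] = b;
    }
}

/* The pattern behind the ticket: the allocation result is ignored, so a rejected
 * size sends the MCT through NULL pointers. Only safe with a size that passes. */
static int decode_tile_unchecked(Tile *t, unsigned w, unsigned h)
{
    (void)tile_alloc(t, w, h);
    mct_decode_rct(t);
    return 0;
}

/* Hardened path: the MCT runs only after every plane is known to exist. */
int decode_tile_checked(Tile *t, unsigned w, unsigned h)
{
    if (tile_alloc(t, w, h) < 0) {
        fprintf(stderr, "get_buffer() failed for %ux%u, tile skipped\n", w, h);
        return -1;                 /* AVERROR(EINVAL) in libavcodec terms */
    }
    mct_decode_rct(t);
    return 0;
}

/* Decode one RCT-coded pixel (Y0, Y1, Y2) to (R, G, B) with the checks above. */
int decode_one_pixel(int32_t y0, int32_t y1, int32_t y2, int32_t rgb[3])
{
    Tile t;
    if (tile_alloc(&t, 1, 1) < 0)
        return -1;
    t.comp[0][0] = y0; t.comp[1][0] = y1; t.comp[2][0] = y2;
    mct_decode_rct(&t);
    for (int c = 0; c < 3; c++)
        rgb[c] = t.comp[c][0];
    tile_free(&t);
    return 0;
}

int main(void)
{
    Tile t;
    int32_t rgb[3];
    decode_one_pixel(100, 150, 50, rgb);   /* forward RCT of R=100, G=50, B=200 */
    printf("Y=(100,150,50) -> RGB=(%d,%d,%d)\n", rgb[0], rgb[1], rgb[2]);
    if (decode_tile_checked(&t, 192, 4294967168u) < 0)   /* the ticket's size */
        printf("192x4294967168 rejected, comp[0]=%p\n", (void *)t.comp[0]);
    decode_tile_unchecked(&t, 192, 128);   /* valid size, so this call is safe */
    tile_free(&t);
    return 0;
}
```

The check sits where the ticket's decoder skipped it: once get_buffer() (tile_alloc here) reports failure, nothing downstream may touch the planes, and the error has to propagate out of the tile loop rather than be logged and forgotten. The size check also refuses anything above INT32_MAX, which is what turns a wrapped negative height into a clean "Invalid argument" instead of a SIGSEGV.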

comment:2 Changed 6 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords j2k crash SIGSEGV regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:3 Changed 6 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed