mts2: invalid write with max_alloc

[ami_stuff]

knoppix@Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-a67dcd7/ffmpeg_gGNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g...done.
(gdb) r -max_alloc 600000 -i ./mts2_fuzz.wmv -f null -
Starting program: /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 600000 -i ./mts2_fuzz.wmv -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 43.100 / 52. 43.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 16.101 / 55. 16.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 83.102 /  3. 83.102
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Truncating packet of size 16777216 to 608235

Program received signal SIGSEGV, Segmentation fault.
0xb7eaeb4f in *__GI_memcpy (dstpp=dstpp@entry=0x0, srcpp=0x910f73e, 
    len=len@entry=27850) at memcpy.c:55
55	memcpy.c: No such file or directory.
(gdb) bt
#0  0xb7eaeb4f in *__GI_memcpy (dstpp=dstpp@entry=0x0, srcpp=0x910f73e, 
    len=len@entry=27850) at memcpy.c:55
#1  0x08154e76 in avio_read (s=s@entry=0x910e380, buf=0x0, 
    size=<optimized out>) at libavformat/aviobuf.c:515
#2  0x08146016 in asf_read_stream_properties (size=129, s=0x9105d40)
    at libavformat/asfdec.c:468
#3  asf_read_header (s=0x9105d40) at libavformat/asfdec.c:753
#4  0x08240695 in avformat_open_input (ps=ps@entry=0xbffff420, 
    filename=filename@entry=0xbffffb63 "./mts2_fuzz.wmv", fmt=fmt@entry=0x0, 
    options=0x90f9f54) at libavformat/utils.c:527
#5  0x080a63f4 in open_input_file (o=o@entry=0xbffff51c, 
    filename=<optimized out>) at ffmpeg_opt.c:792
#6  0x080a4d57 in open_files (inout=inout@entry=0x88d831b "input", 
    open_file=open_file@entry=0x80a6150 <open_input_file>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at ffmpeg_opt.c:2494
#7  0x080acf69 in ffmpeg_parse_options (argc=argc@entry=8, 
    argv=argv@entry=0xbffff9a4) at ffmpeg_opt.c:2531
#8  0x080a245a in main (argc=8, argv=0xbffff9a4) at ffmpeg.c:3389
(gdb) 

knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 600000 -i ./mts2_fuzz.wmv -f null -
==10423== Memcheck, a memory error detector
==10423== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==10423== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==10423== Command: ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 600000 -i ./mts2_fuzz.wmv -f null -
==10423== 
ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 43.100 / 52. 43.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 16.101 / 55. 16.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 83.102 /  3. 83.102
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Truncating packet of size 16777216 to 608235
==10423== Invalid write of size 2
==10423==    at 0x4029CDB: memcpy (mc_replace_strmem.c:838)
==10423==    by 0x8154E75: avio_read (aviobuf.c:515)
==10423==    by 0x8146015: asf_read_header (asfdec.c:468)
==10423==    by 0x8240694: avformat_open_input (utils.c:527)
==10423==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==10423== 
==10423== 
==10423== Process terminating with default action of signal 11 (SIGSEGV)
==10423==  Access not within mapped region at address 0x0
==10423==    at 0x4029CDB: memcpy (mc_replace_strmem.c:838)
==10423==    by 0x8154E75: avio_read (aviobuf.c:515)
==10423==    by 0x8146015: asf_read_header (asfdec.c:468)
==10423==    by 0x8240694: avformat_open_input (utils.c:527)
==10423==  If you believe this happened as a result of a stack
==10423==  overflow in your program's main thread (unlikely but
==10423==  possible), you can try to increase the size of the
==10423==  main thread stack using the --main-stacksize= flag.
==10423==  The main thread stack size used in this run was 8388608.
==10423== 
==10423== HEAP SUMMARY:
==10423==     in use at exit: 264,082 bytes in 29 blocks
==10423==   total heap usage: 39 allocs, 10 frees, 299,170 bytes allocated
==10423== 
==10423== LEAK SUMMARY:
==10423==    definitely lost: 0 bytes in 0 blocks
==10423==    indirectly lost: 0 bytes in 0 blocks
==10423==      possibly lost: 0 bytes in 0 blocks
==10423==    still reachable: 264,082 bytes in 29 blocks
==10423==         suppressed: 0 bytes in 0 blocks
==10423== Reachable blocks (those to which a pointer was found) are not shown.
==10423== To see them, rerun with: --leak-check=full --show-reachable=yes
==10423== 
==10423== For counts of detected and suppressed errors, rerun with: -v
==10423== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 59 from 6)
Segmentation fault

[Elon Musk]

Fixed in 81f231b5c7c94c522561ae148adfda1ee29a2521.