Opened 5 years ago

Closed 5 years ago

#3278 closed defect (fixed)

mxf: deadlock with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: mxf deadlock regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description (last modified by cehoyos)

(gdb) r -threads 1 -i deadlock2.mxf
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /media/sdb1/ffmpeg-HEAD-8a0d446/ffmpeg_g -threads 1 -i deadlock2.mxf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.1.git-8a0d446 Copyright (c) 2000-2013 the FFmpeg developers
  built on Dec 29 2013 20:43:02 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver
  libavutil      52. 59.100 / 52. 59.100
  libavcodec     55. 47.100 / 55. 47.100
  libavformat    55. 22.100 / 55. 22.100
  libavdevice    55.  5.102 / 55.  5.102
  libavfilter     4.  0.103 /  4.  0.103
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 17.104 /  0. 17.104
  libpostproc    52.  3.100 / 52.  3.100
[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512
[mxf @ 0x9298ee0] local tag 0000 with 0 size
    Last message repeated 6 times
[mxf @ 0x9298ee0] local tag 0x8000 with 0 size
[mxf @ 0x9298ee0] local tag 0000 with 0 size
    Last message repeated 10 times
[mxf @ 0x9298ee0] local tag 0x08 with 0 size
[mxf @ 0x9298ee0] local tag 0000 with 0 size
    Last message repeated 1 times
[mxf @ 0x9298ee0] local tag 0x04 with 0 size
[mxf @ 0x9298ee0] local tag 0000 with 0 size
    Last message repeated 3 times
[mxf @ 0x9298ee0] local tag 0x4000 with 0 size
[mxf @ 0x9298ee0] local tag 0000 with 0 size
    Last message repeated 22 times
[mxf @ 0x9298ee0] local tag 0x20 with 0 size
[mxf @ 0x9298ee0] local tag 0000 with 0 size
    Last message repeated 50 times
[mxf @ 0x9298ee0] local tag 0x02 with 0 size
    Last message repeated 1 times
[mxf @ 0x9298ee0] local tag 0000 with 0 size
[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512
[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512
[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512

[...]

[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512
[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512
[mxf @ 0x9298ee0] invalid KAGSize 0 - guessing 512

Program received signal SIGINT, Interrupt.
0x0815f94d in avio_r8 (s=s@entry=0x92a1520) at libavformat/aviobuf.c:485
485	}
(gdb) bt
#0  0x0815f94d in avio_r8 (s=s@entry=0x92a1520) at libavformat/aviobuf.c:485
#1  0x081df414 in mxf_read_sync (size=4, 
    key=0x89819d4 "\006\016+4\006\016+4\002\005\001\001\r\001\002\001\001\002\006\016+4\002\005\001\001\r\001\003\001\004", pb=0x92a1520)
    at libavformat/mxfdec.c:285
#2  klv_read_packet (pb=0x92a1520, klv=0xbffff300) at libavformat/mxfdec.c:296
#3  mxf_read_header (s=0x9298ee0) at libavformat/mxfdec.c:2032
#4  0x08250b75 in avformat_open_input (ps=ps@entry=0xbffff430, 
    filename=filename@entry=0xbffffb6f "deadlock2.mxf", fmt=fmt@entry=0x0, 
    options=0x9292fdc) at libavformat/utils.c:551
#5  0x080b45fd in open_input_file (o=o@entry=0xbffff52c, 
    filename=<optimized out>) at ffmpeg_opt.c:844
#6  0x080b2387 in open_files (inout=inout@entry=0x898dc9b "input", 
    open_file=open_file@entry=0x80b4300 <open_input_file>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at ffmpeg_opt.c:2582
#7  0x080bad09 in ffmpeg_parse_options (argc=argc@entry=5, 
    argv=argv@entry=0xbffff9c4) at ffmpeg_opt.c:2619
#8  0x080a9dba in main (argc=5, argv=0xbffff9c4) at ffmpeg.c:3522
(gdb) 

Attachments (1)

deadlock2.mxf (1.1 MB) - added by ami_stuff 5 years ago.


Change History (4)

Changed 5 years ago by ami_stuff

comment:1 Changed 5 years ago by cehoyos

  • Component changed from undetermined to avformat
  • Description modified (diff)
  • Keywords mxf deadlock added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

Regression since dcd30b83

comment:2 Changed 5 years ago by cehoyos

  • Keywords regression added

comment:3 Changed 5 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed