Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#4502 closed defect (fixed)

hq_hqa: crash with fuzzed file

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: hqa crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

http://www.datafilehost.com/d/aaf1650e

knoppix@Microknoppix:/media/sdb1/ffmpeg$ valgrind --leak-check=full ffmpeg/ffmpeg_g -i fuzz3.avi -f null -
==12490== Memcheck, a memory error detector
==12490== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==12490== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==12490== Command: ffmpeg/ffmpeg_g -i fuzz3.avi -f null -
==12490== 
ffmpeg version 2.6.git Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (Debian 4.7.2-4)
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      54. 23.100 / 54. 23.100
  libavcodec     56. 35.101 / 56. 35.101
  libavformat    56. 30.100 / 56. 30.100
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5. 14.100 /  5. 14.100
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100
[hq_hqa @ 0x4c3ef80] Not a HQ/HQA frame.
    Last message repeated 2 times
Input #0, avi, from 'fuzz3.avi':
  Duration: 00:00:24.80, start: 0.000000, bitrate: 3283 kb/s
    Stream #0:0: Video: hq_hqa (CUVC / 0x43565543), yuv422p, 720x480 [SAR 9:10 DAR 27:20], 5 fps, 5 tbr, 5 tbn, 5 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.30.100
    Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 720x480 [SAR 9:10 DAR 27:20], q=2-31, 200 kb/s, 5 fps, 5 tbn, 5 tbc
    Metadata:
      encoder         : Lavc56.35.101 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (hq_hqa (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Invalid slice size 82190.
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Invalid slice size 85052.
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
frame=    8 fps=0.0 q=0.0 size=N/A time=00:00:03.20 bitrate=N/A    
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d47d60] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
==12490== Invalid write of size 1
==12490==    at 0x85A4FEA: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x5313e00 is not stack'd, malloc'd or (recently) free'd
==12490== 
==12490== Invalid write of size 1
==12490==    at 0x85A5004: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x5313e01 is not stack'd, malloc'd or (recently) free'd
==12490== 
==12490== Invalid write of size 1
==12490==    at 0x85A501F: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x5313e02 is not stack'd, malloc'd or (recently) free'd
==12490== 
==12490== Invalid write of size 1
==12490==    at 0x85A503A: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A4326: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x5313e03 is not stack'd, malloc'd or (recently) free'd
==12490== 


==12490== 
==12490== Invalid write of size 1
==12490==    at 0x85A5070: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A42A7: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x51b0ccd is not stack'd, malloc'd or (recently) free'd
==12490== 
==12490== Invalid write of size 1
==12490==    at 0x85A508B: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A42A7: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x51b0cce is not stack'd, malloc'd or (recently) free'd
==12490== 
==12490== Invalid write of size 1
==12490==    at 0x85A50AA: hq_idct_put (hq_hqadsp.c:122)
==12490==    by 0x85A42A7: hq_hqa_decode_frame (hq_hqa.c:55)
==12490==    by 0x87A3FBD: avcodec_decode_video2 (utils.c:2376)
==12490==    by 0x80D628B: decode_video (ffmpeg.c:1981)
==12490==  Address 0x51b0ccf is not stack'd, malloc'd or (recently) free'd
==12490== 
[hq_hqa @ 0x4d47d60] Invalid slice size 93184.
Input stream #0:0 frame changed from size:720x480 fmt:yuv422p to size:1280x1024 fmt:yuv422p
--12490-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--12490-- si_code=1;  Faulting address: 0xF0F0E12;  sp: 0x629ecde0

valgrind: the 'impossible' happened:
   Killed by fatal signal
==12490==    at 0x38049B14: unlinkBlock (m_mallocfree.c:408)
==12490==    by 0x3804A495: vgPlain_arena_malloc (m_mallocfree.c:1566)
==12490==    by 0x380843FB: vgPlain_cli_malloc (replacemalloc_core.c:83)
==12490==    by 0x38016112: vgMemCheck_new_block (mc_malloc_wrappers.c:248)
==12490==    by 0x380162F5: vgMemCheck_malloc (mc_malloc_wrappers.c:285)
==12490==    by 0x38086C4F: vgPlain_scheduler (scheduler.c:1461)
==12490==    by 0x38098C07: run_a_thread_NORETURN (syswrap-linux.c:98)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==12490==    at 0x4028308: malloc (vg_replace_malloc.c:263)
==12490==    by 0x402849F: realloc (vg_replace_malloc.c:632)
==12490==    by 0x8B29DD6: av_strdup (mem.c:166)
==12490==    by 0x8B2DF57: av_opt_set (opt.c:166)
==12490==    by 0x80CF9AE: configure_filtergraph (ffmpeg_filter.c:886)
==12490==    by 0x80D65E7: decode_video (ffmpeg.c:2076)
==12490==    by 0x80DCF25: transcode (ffmpeg.c:2229)
==12490==    by 0x80BCC05: main (ffmpeg.c:4067)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
(gdb) r -i fuzz3.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i fuzz3.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.6.git Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (Debian 4.7.2-4)
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      54. 23.100 / 54. 23.100
  libavcodec     56. 35.101 / 56. 35.101
  libavformat    56. 30.100 / 56. 30.100
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5. 14.100 /  5. 14.100
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100
[hq_hqa @ 0x95511a0] Not a HQ/HQA frame.
    Last message repeated 2 times
Input #0, avi, from 'fuzz3.avi':
  Duration: 00:00:24.80, start: 0.000000, bitrate: 3283 kb/s
    Stream #0:0: Video: hq_hqa (CUVC / 0x43565543), yuv422p, 720x480 [SAR 9:10 DAR 27:20], 5 fps, 5 tbr, 5 tbn, 5 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.30.100
    Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 720x480 [SAR 9:10 DAR 27:20], q=2-31, 200 kb/s, 5 fps, 5 tbn, 5 tbc
    Metadata:
      encoder         : Lavc56.35.101 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (hq_hqa (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Invalid slice size 82190.
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Invalid slice size 85052.
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9552500] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input

Program received signal SIGSEGV, Segmentation fault.
0x085a4fea in hq_idct_put (dst=0xb7442120 "", stride=2560, block=0x95533e0)
    at libavcodec/hq_hqadsp.c:122
warning: Source file is more recent than executable.
122	            dst[j] = av_clip_uint8(block[j + i * 8]);
(gdb) bt
#0  0x085a4fea in hq_idct_put (dst=0xb7442120 "", stride=2560, block=0x95533e0)
    at libavcodec/hq_hqadsp.c:122
#1  0x085a421d in put_blocks (block1=<optimized out>, block0=0x95533e0, 
    ilace=1, y=1248, x=256, plane=0, pic=0x9557700, c=<optimized out>)
    at libavcodec/hq_hqa.c:55
#2  hq_decode_mb (y=1248, x=256, gb=<synthetic pointer>, pic=0x9557700, 
    c=0x95533a0) at libavcodec/hq_hqa.c:104
#3  hq_decode_frame (data_size=93184, prof_num=<optimized out>, pic=0x9557700, 
    ctx=0x95533a0) at libavcodec/hq_hqa.c:163
#4  hq_hqa_decode_frame (avctx=0x9552500, data=0x9557700, 
    got_frame=0xbffff594, avpkt=0xbffff308) at libavcodec/hq_hqa.c:332
#5  0x087a3fbe in avcodec_decode_video2 (avctx=0x9552500, 
    picture=picture@entry=0x9557700, 
    got_picture_ptr=got_picture_ptr@entry=0xbffff594, 
    avpkt=avpkt@entry=0xbffff840) at libavcodec/utils.c:2376
#6  0x080d628c in decode_video (ist=ist@entry=0x9552f40, 
    pkt=pkt@entry=0xbffff840, got_output=got_output@entry=0xbffff594)
    at ffmpeg.c:1981
#7  0x080dcf26 in process_input_packet (pkt=0xbffff7e8, ist=0x9552f40)
    at ffmpeg.c:2229
#8  process_input (file_index=20) at ffmpeg.c:3738
#9  transcode_step () at ffmpeg.c:3832
#10 transcode () at ffmpeg.c:3885
---Type <return> to continue, or q <return> to quit---
#11 0x080bcc06 in main (argc=<optimized out>, argv=<optimized out>)
    at ffmpeg.c:4067
(gdb) 

Change History (2)

comment:1 Changed 4 years ago by projectsymphony

  • Resolution set to fixed
  • Status changed from new to closed

comment:2 Changed 4 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords hqa crash SIGSEGV added
  • Priority changed from normal to important
  • Version changed from unspecified to git-master
Note: See TracTickets for help on using tickets.