Opened 3 years ago

Closed 3 years ago

#5244 closed defect (fixed)

mjpeg encoder assertion failure/abort on fuzzed file

Reported by: MarkZV Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: crash abort mjpeg
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

In a git master build with --assert-level=2, an assertion failure and abort occurs when encoding a fuzzed input file using the FFmpeg native mjpeg encoder, causing the application to crash.

This occurs because avctx->sample_aspect_ratio.num on libavcodec/mjpegenc_common.c line 134 is too large for 16 bits.

-> 134          put_bits(p, 16, avctx->sample_aspect_ratio.num);
(lldb) p avctx->sample_aspect_ratio
(AVRational) $1 = (num = 279616, den = 11685)
Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:157
$ ./ffmpeg_g -v 9 -loglevel 99 -i in.mpg -y out.jpg
ffmpeg version N-78590-g5590ab4 Copyright (c) 2000-2016 the FFmpeg developers
  built with clang version 3.7.1 (tags/RELEASE_371/final)
  configuration: --enable-debug --assert-level=2 --cc=/opt/local/bin/clang --disable-stripping
  libavutil      55. 18.100 / 55. 18.100
  libavcodec     57. 24.103 / 57. 24.103
  libavformat    57. 25.100 / 57. 25.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 32.100 /  6. 32.100
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'in.mpg'.
Reading option '-y' ... matched as option 'y' (overwrite output files) with argument '1'.
Reading option 'out.jpg' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Applying option y (overwrite output files) with argument 1.
Successfully parsed a group of options.
Parsing a group of options: input file in.mpg.
Successfully parsed a group of options.
Opening an input file: in.mpg.
[file @ 0x7f952a500200] Setting default whitelist 'file'
Probing mpegvideo score:51 size:43
[mpegvideo @ 0x7f952b000000] Format mpegvideo probed with size=2048 and score=51
[mpegvideo @ 0x7f952b000000] Before avformat_find_stream_info() pos: 0 bytes read:43 seeks:0
[mpeg1video @ 0x7f952b008600] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg1video @ 0x7f952b008600] sequence header damaged
[mpegvideo @ 0x7f952b000000] Estimating duration from bitrate, this may be inaccurate
[mpegvideo @ 0x7f952b000000] 0: start_time: -9223372036854.775 duration: 0.000
[mpegvideo @ 0x7f952b000000] stream: start_time: -9223372036854.775 duration: 0.000 bitrate=19111 kb/s
[mpegvideo @ 0x7f952b000000] After avformat_find_stream_info() pos: 43 bytes read:43 seeks:0 frames:2
Input #0, mpegvideo, from 'in.mpg':
  Duration: 00:00:00.00, bitrate: 19111 kb/s
    Stream #0:0, 2, 1/1200000: Video: mpeg1video, 1 reference frame, yuv420p(tv, center), 779x816 [SAR 64:45 DAR 3116:2295], 1001/24000, 19737 kb/s, 23.98 tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file out.jpg.
Successfully parsed a group of options.
Opening an output file: out.jpg.
Successfully opened the file.
detected 8 logical cores
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'video_size' to value '779x816'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'pixel_aspect' to value '64/45'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7f952a600380] Setting 'frame_rate' to value '24000/1001'
[graph 0 input from stream 0:0 @ 0x7f952a600380] w:779 h:816 pixfmt:yuv420p tb:1/1200000 fr:24000/1001 sar:64/45 sws_param:flags=2
[format @ 0x7f952a6009a0] compat: called with args=[yuvj420p|yuvj422p|yuvj444p]
[format @ 0x7f952a6009a0] Setting 'pix_fmts' to value 'yuvj420p|yuvj422p|yuvj444p'
[auto-inserted scaler 0 @ 0x7f952a501de0] Setting 'flags' to value 'bicubic'
[auto-inserted scaler 0 @ 0x7f952a501de0] w:iw h:ih flags:'bicubic' interl:0
[format @ 0x7f952a6009a0] auto-inserting filter 'auto-inserted scaler 0' between the filter 'Parsed_null_0' and the filter 'format'
[AVFilterGraph @ 0x7f952a5015e0] query_formats: 4 queried, 2 merged, 1 already done, 0 delayed
[auto-inserted scaler 0 @ 0x7f952a501de0] picking yuvj420p out of 3 ref:yuv420p alpha:0
[swscaler @ 0x7f952b01c800] deprecated pixel format used, make sure you did set range correctly
[auto-inserted scaler 0 @ 0x7f952a501de0] w:779 h:816 fmt:yuv420p sar:64/45 -> w:779 h:816 fmt:yuvj420p sar:64/45 flags:0x4
[mjpeg @ 0x7f952b003e00] Forcing thread count to 1 for MJPEG encoding, use -thread_type slice or a constant quantizer if you want to use multiple cpu cores
[mjpeg @ 0x7f952b003e00] intra_quant_bias = 96 inter_quant_bias = 0
Output #0, image2, to 'out.jpg':
  Metadata:
    encoder         : Lavf57.25.100
    Stream #0:0, 0, 1001/24000: Video: mjpeg, 1 reference frame, yuvj420p(pc, center), 779x816 [SAR 64:45 DAR 3116:2295], 1001/24000, q=2-31, 200 kb/s, 23.98 fps, 23.98 tbn, 23.98 tbc
    Metadata:
      encoder         : Lavc57.24.103 mjpeg
    Side data:
      cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg1video (native) -> mjpeg (native))
Press [q] to stop, [?] for help
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
[mpeg1video @ 0x7f952b000600] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg1video @ 0x7f952b000600] sequence header damaged
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
[mpeg1video @ 0x7f952b000600] frame_rate_index 0 is invalid
[mpeg1video @ 0x7f952b000600] too many threads/slices (9), reducing to 3
[mpeg1video @ 0x7f952b000600] invalid mb type in I Frame at 8 0
[mpeg1video @ 0x7f952b000600] Warning MVs not available
[mpeg1video @ 0x7f952b000600] concealing 147 DC, 147 AC, 147 MV errors in I frame
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
Input stream #0:0 frame changed from size:779x816 fmt:yuv420p to size:771x48 fmt:yuv420p
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'video_size' to value '771x48'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'pixel_aspect' to value '64/45'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7f952c000380] Setting 'frame_rate' to value '24000/1001'
[graph 0 input from stream 0:0 @ 0x7f952c000380] w:771 h:48 pixfmt:yuv420p tb:1/1200000 fr:24000/1001 sar:64/45 sws_param:flags=2
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'w' to value '779'
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'h' to value '816'
[scaler for output stream 0:0 @ 0x7f952c000880] Setting 'flags' to value 'bicubic'
[scaler for output stream 0:0 @ 0x7f952c000880] w:779 h:816 flags:'bicubic' interl:0
[format @ 0x7f952a7003e0] compat: called with args=[yuvj420p]
[format @ 0x7f952a7003e0] Setting 'pix_fmts' to value 'yuvj420p'
[AVFilterGraph @ 0x7f952a700000] query_formats: 5 queried, 4 merged, 0 already done, 0 delayed
[swscaler @ 0x7f952d000000] deprecated pixel format used, make sure you did set range correctly
[scaler for output stream 0:0 @ 0x7f952c000880] w:771 h:48 fmt:yuv420p sar:64/45 -> w:779 h:816 fmt:yuvj420p sar:279616/11685 flags:0x4
Not duplicating 1 initial frames
Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:157
Abort trap: 6
$

Attachments (1)

in.mpg (43 bytes) - added by MarkZV 3 years ago.
input file

Download all attachments as: .zip

Change History (3)

Changed 3 years ago by MarkZV

input file

comment:1 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords crash abort mjpeg added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

This is reproducible since around 2011 if I apply 0f8908aa1b66fbc8d62939ce8ee1ee04b856528f (#4073)

comment:2 Changed 3 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed
Note: See TracTickets for help on using tickets.