Opened 3 years ago

Closed 3 years ago

#5333 closed defect (fixed)

dirac: crash during fuzzed file decode

Reported by: qiubit Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: dirac crash SIGSEGV regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
ffmpeg segfaults when decoding fuzzed dirac video.

How to reproduce:

ffmpeg -i fuzz.drc -vcodec copy -acodec copy fuzzOut.drc

Backtrace:

Valgrind

pgolinski@Ubuntu-y580:~/Dokumenty/Programowanie/git/fffuzz/successfulFuzzes$ valgrind ffmpeg_g -i fuzz.drc -acodec copy -vcodec copy fuzzOut.drc
==11059== Memcheck, a memory error detector
==11059== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11059== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==11059== Command: ffmpeg_g -i fuzz.drc -acodec copy -vcodec copy fuzzOut.drc
==11059== 
ffmpeg version N-79011-g9d4ab13 Copyright (c) 2000-2016 the FFmpeg developers
  built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based on LLVM 3.6.2)
  configuration: --cc=clang --cxx=clang --enable-debug --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libx264 --enable-nonfree
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 28.101 / 57. 28.101
  libavformat    57. 28.101 / 57. 28.101
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
[dirac @ 0xcfe8f20] error parsing sequence headerError in dirac_decode_data_unit
==11059== Conditional jump or move depends on uninitialised value(s)
==11059==    at 0x6774A6: av_packet_unpack_dictionary (avpacket.c:479)
==11059==    by 0xA42DD4: add_metadata_from_side_data (utils.c:749)
==11059==    by 0xA42DD4: ff_init_buffer_info (utils.c:786)
==11059==    by 0xA430EF: ff_decode_frame_props (utils.c:853)
==11059==    by 0xA430EF: get_buffer_internal (utils.c:903)
==11059==    by 0xA430EF: ff_get_buffer (utils.c:930)
==11059==    by 0x6A6DB3: get_buffer_with_edge (diracdec.c:1823)
==11059==    by 0x6A6DB3: dirac_decode_data_unit (diracdec.c:2075)
==11059==    by 0x6A6DB3: dirac_decode_frame (diracdec.c:2145)
==11059==    by 0xA457E8: avcodec_decode_video2 (utils.c:2172)
==11059==    by 0x62C626: try_decode_frame (utils.c:2791)
==11059==    by 0x62AF5C: avformat_find_stream_info (utils.c:3448)
==11059==    by 0x40FAE3: open_input_file (ffmpeg_opt.c:969)
==11059==    by 0x40F364: open_files (ffmpeg_opt.c:3003)
==11059==    by 0x40F103: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==11059==    by 0x419F83: main (ffmpeg.c:4312)
==11059== 
==11059== Invalid read of size 1
==11059==    at 0x6A724A: decode_lowdelay (diracdec.c:873)
==11059==    by 0x6A724A: dirac_decode_frame_internal (diracdec.c:1735)
==11059==    by 0x6A724A: dirac_decode_data_unit (diracdec.c:2091)
==11059==    by 0x6A724A: dirac_decode_frame (diracdec.c:2145)
==11059==    by 0xA457E8: avcodec_decode_video2 (utils.c:2172)
==11059==    by 0x62C626: try_decode_frame (utils.c:2791)
==11059==    by 0x62AF5C: avformat_find_stream_info (utils.c:3448)
==11059==    by 0x40FAE3: open_input_file (ffmpeg_opt.c:969)
==11059==    by 0x40F364: open_files (ffmpeg_opt.c:3003)
==11059==    by 0x40F103: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==11059==    by 0x419F83: main (ffmpeg.c:4312)
==11059==  Address 0xffffffffa23a231b is not stack'd, malloc'd or (recently) free'd
==11059== 
==11059== 
==11059== Process terminating with default action of signal 11 (SIGSEGV)
==11059==  Access not within mapped region at address 0xFFFFFFFFA23A231B
==11059==    at 0x6A724A: decode_lowdelay (diracdec.c:873)
==11059==    by 0x6A724A: dirac_decode_frame_internal (diracdec.c:1735)
==11059==    by 0x6A724A: dirac_decode_data_unit (diracdec.c:2091)
==11059==    by 0x6A724A: dirac_decode_frame (diracdec.c:2145)
==11059==    by 0xA457E8: avcodec_decode_video2 (utils.c:2172)
==11059==    by 0x62C626: try_decode_frame (utils.c:2791)
==11059==    by 0x62AF5C: avformat_find_stream_info (utils.c:3448)
==11059==    by 0x40FAE3: open_input_file (ffmpeg_opt.c:969)
==11059==    by 0x40F364: open_files (ffmpeg_opt.c:3003)
==11059==    by 0x40F103: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==11059==    by 0x419F83: main (ffmpeg.c:4312)
==11059==  If you believe this happened as a result of a stack
==11059==  overflow in your program's main thread (unlikely but
==11059==  possible), you can try to increase the size of the
==11059==  main thread stack using the --main-stacksize= flag.
==11059==  The main thread stack size used in this run was 8388608.
==11059== 
==11059== HEAP SUMMARY:
==11059==     in use at exit: 822,577 bytes in 99 blocks
==11059==   total heap usage: 1,079 allocs, 980 frees, 4,007,204 bytes allocated
==11059== 
==11059== LEAK SUMMARY:
==11059==    definitely lost: 0 bytes in 0 blocks
==11059==    indirectly lost: 0 bytes in 0 blocks
==11059==      possibly lost: 144 bytes in 1 blocks
==11059==    still reachable: 822,433 bytes in 98 blocks
==11059==         suppressed: 0 bytes in 0 blocks
==11059== Rerun with --leak-check=full to see details of leaked memory
==11059== 
==11059== For counts of detected and suppressed errors, rerun with: -v
==11059== Use --track-origins=yes to see where uninitialised values come from
==11059== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

GDB

pgolinski@Ubuntu-y580:~/Dokumenty/Programowanie/git/fffuzz/successfulFuzzes$ gdb ffmpeg_g
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ffmpeg_g...done.
(gdb) r -i fuzz.drc -vcodec copy -acodec copy fuzzOut.drc
Starting program: ffmpeg_g -i fuzz.drc -vcodec copy -acodec copy fuzzOut.drc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-79011-g9d4ab13 Copyright (c) 2000-2016 the FFmpeg developers
  built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based on LLVM 3.6.2)
  configuration: --cc=clang --cxx=clang --enable-debug --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libx264 --enable-nonfree
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 28.101 / 57. 28.101
  libavformat    57. 28.101 / 57. 28.101
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
[dirac @ 0x1ce1c00] error parsing sequence headerError in dirac_decode_data_unit

Program received signal SIGSEGV, Segmentation fault.
0x00000000006a724a in decode_lowdelay (s=<optimized out>) at src/libavcodec/diracdec.c:873
873                            bytes += buf[bytes] * s->highquality.size_scaler + 1;
(gdb) bt
#0  0x00000000006a724a in decode_lowdelay (s=<optimized out>) at src/libavcodec/diracdec.c:873
#1  dirac_decode_frame_internal (s=<optimized out>) at src/libavcodec/diracdec.c:1735
#2  dirac_decode_data_unit (avctx=<optimized out>, size=<optimized out>, buf=<optimized out>) at src/libavcodec/diracdec.c:2091
#3  dirac_decode_frame (avctx=0x1ce1c00, data=0x1ce73a0, got_frame=0x7fffffffd564, pkt=<optimized out>) at src/libavcodec/diracdec.c:2145
#4  0x0000000000a457e9 in avcodec_decode_video2 (avctx=0x1ce1c00, picture=0x1ce73a0, got_picture_ptr=0x7fffffffd564, avpkt=0x7fffffffd4e0)
    at src/libavcodec/utils.c:2172
#5  0x000000000062c627 in try_decode_frame (s=<optimized out>, st=0x1ce17a0, avpkt=<optimized out>, options=<optimized out>)
    at src/libavformat/utils.c:2791
#6  0x000000000062af5d in avformat_find_stream_info (ic=0x1ce09c0, options=0x1ce1ac0) at src/libavformat/utils.c:3448
#7  0x000000000040fae4 in open_input_file (o=0x7fffffffd8e8, filename=<optimized out>) at src/ffmpeg_opt.c:969
#8  0x000000000040f365 in open_files (l=<optimized out>, inout=<optimized out>, open_file=<optimized out>) at src/ffmpeg_opt.c:3003
#9  0x000000000040f104 in ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>) at src/ffmpeg_opt.c:3040
#10 0x0000000000419f84 in main (argc=<optimized out>, argv=<optimized out>) at src/ffmpeg.c:4312
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x6a722a to 0x6a726a:
   0x00000000006a722a <dirac_decode_frame+3386>:    incl   (%rbx)
   0x00000000006a722c <dirac_decode_frame+3388>:    cmp    %edi,%eax
   0x00000000006a722e <dirac_decode_frame+3390>:    jg     0x6a7243 <dirac_decode_frame+3411>
   0x00000000006a7230 <dirac_decode_frame+3392>:    cltq   
   0x00000000006a7232 <dirac_decode_frame+3394>:    movzbl (%rsi,%rax,1),%eax
   0x00000000006a7236 <dirac_decode_frame+3398>:    imul   0x1274(%r13),%eax
   0x00000000006a723e <dirac_decode_frame+3406>:    lea    0x2(%r9,%rax,1),%eax
   0x00000000006a7243 <dirac_decode_frame+3411>:    cmp    %edi,%eax
   0x00000000006a7245 <dirac_decode_frame+3413>:    jg     0x6a725a <dirac_decode_frame+3434>
   0x00000000006a7247 <dirac_decode_frame+3415>:    movslq %eax,%rcx
=> 0x00000000006a724a <dirac_decode_frame+3418>:    movzbl (%rsi,%rcx,1),%ecx
   0x00000000006a724e <dirac_decode_frame+3422>:    imul   0x1274(%r13),%ecx
   0x00000000006a7256 <dirac_decode_frame+3430>:    lea    0x1(%rax,%rcx,1),%eax
   0x00000000006a725a <dirac_decode_frame+3434>:    mov    %ebx,%r9d
   0x00000000006a725d <dirac_decode_frame+3437>:    cmp    %edi,%eax
   0x00000000006a725f <dirac_decode_frame+3439>:    jg     0x6a7274 <dirac_decode_frame+3460>
   0x00000000006a7261 <dirac_decode_frame+3441>:    movslq %eax,%rcx
   0x00000000006a7264 <dirac_decode_frame+3444>:    movzbl (%rsi,%rcx,1),%ecx
   0x00000000006a7268 <dirac_decode_frame+3448>:    imul   0x1274(%r13),%ecx
End of assembler dump.
(gdb) info all-registers
rax            0x9504a76d    2500110189
rbx            0x18057    98391
rcx            0xffffffff9504a76d    -1794857107
rdx            0x1ce8008    30310408
rsi            0x1d0971e    30447390
rdi            0x18009    98313
rbp            0x1ce1c00    0x1ce1c00
rsp            0x7fffffffcf40    0x7fffffffcf40
r8             0x0    0
r9             0x0    0
r10            0xc0048    786504
r11            0x0    0
r12            0x0    0
r13            0x1ce27a0    30287776
r14            0x1ce7fe0    30310368
r15            0x1    1
rip            0x6a724a    0x6a724a <dirac_decode_frame+3418>
eflags         0x10282    [ SF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0    0
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x0    0
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x100000001, 0x0, 0x0}, v2_int128 = {
    0x00000001000000010000000000000000, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x88, 0x0, 0x0, 0x0, 
    0xe8, 0x0 <repeats 27 times>}, v16_int16 = {0x88, 0x0, 0xe8, 0x0 <repeats 13 times>}, v8_int32 = {0x88, 0xe8, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0xe800000088, 0x0, 0x0, 0x0}, v2_int128 = {0x0000000000000000000000e800000088, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x1, 
    0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x100000000, 0x100000001, 0x0, 0x0}, 
  v2_int128 = {0x00000001000000010000000100000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xff, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 22 times>}, v16_int16 = {0xff, 0x0, 0x0, 0x0, 0xff00, 0x0 <repeats 11 times>}, v8_int32 = {0xff, 
    0x0, 0xff00, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff, 0xff00, 0x0, 0x0}, v2_int128 = {0x000000000000ff0000000000000000ff, 
    0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 
    0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0x0, 0xff00, 0x0, 
    0x0, 0x0, 0x0, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xff00, 0x0, 0xffff0000, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xff0000000000, 0xffff000000000000, 0x0, 0x0}, v2_int128 = {0xffff0000000000000000ff0000000000, 
    0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 
    0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0xff00, 
    0xffff, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xffffffff, 0xffffff00, 0xff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xffffffff00000000, 0xffffffff00, 0x0, 0x0}, v2_int128 = {0x000000ffffffff00ffffffff00000000, 
    0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 21 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff0000, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xff0000, 0x0, 0x0}, v2_int128 = {
    0x0000000000ff00000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 
    0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0xff00, 0x0, 0x0, 
    0x0, 0x0, 0xff, 0xff00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff000000, 0x0, 0x0, 0xff0000ff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xff000000, 0xff0000ff00000000, 0x0, 0x0}, v2_int128 = {0xff0000ff0000000000000000ff000000, 
    0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xff000000ff, 0x0, 0x0}, v2_int128 = {
    0x000000ff000000ff0000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {
    0xff00, 0x0, 0x0, 0xffff, 0x0, 0x0, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff00, 0xffff0000, 0x0, 
    0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xffff00000000ff00, 0xffffffff00000000, 0x0, 0x0}, v2_int128 = {
    0xffffffff00000000ffff00000000ff00, 0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
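The statement shown at diracdec.c:873, `bytes += buf[bytes] * s->highquality.size_scaler + 1;`, together with the register dump (rdi = 0x18009 as the remaining buffer size, rax = 0x9504a76d which is negative as a 32-bit int, sign-extended into rcx just before the faulting movzbl), is consistent with a stream-supplied scaler making the length product overflow a signed int and a one-sided `bytes < bufsize` test letting the resulting negative offset through. The following C program is an added example and not FFmpeg's decoder: a hypothetical slice walker (walk_slices_unsafe, walk_slices_safe, the SAMPLE_* buffers and the size_scaler values are all constructed here) that models the unchecked pattern next to a version which bounds-checks before indexing and computes the step in 64-bit arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical slice walker modelled on the crashing statement
 * (not FFmpeg's code). Each slice begins with one length byte that is
 * multiplied by a stream-supplied size_scaler; the walker returns the
 * number of slices visited, or -1 on error. */

/* Unsafe variant: 32-bit arithmetic as in the compiled loop (imul/lea),
 * modelled with unsigned wraparound so this demo itself has no undefined
 * behaviour. The `bytes < bufsize` test does not reject a negative
 * `bytes`, so an overflowed product yields an index far before the buffer.
 * Instead of dereferencing buf[bytes] there, the index is reported. */
static int walk_slices_unsafe(const uint8_t *buf, int bufsize, int size_scaler,
                              int max_slices, int32_t *bad_index)
{
    int32_t bytes = 0;
    int n = 0;
    *bad_index = 0;
    while (bytes < bufsize && n < max_slices) {
        if (bytes < 0) {
            *bad_index = bytes;      /* where the real decoder read and crashed */
            return -1;
        }
        uint32_t step = (uint32_t)buf[bytes] * (uint32_t)size_scaler;
        bytes = (int32_t)((uint32_t)bytes + step + 1u);   /* may wrap negative */
        n++;
    }
    return n;
}

/* Safe variant: unsigned index checked against the buffer before every
 * read, and the scaled length computed in 64 bits (at most 255 * 2^32 + 1),
 * so a slice that would run past the buffer is rejected rather than walked. */
static int walk_slices_safe(const uint8_t *buf, size_t bufsize,
                            uint32_t size_scaler, int max_slices)
{
    size_t bytes = 0;
    int n = 0;
    while (n < max_slices && bytes < bufsize) {          /* check before indexing */
        uint64_t step = (uint64_t)buf[bytes] * size_scaler + 1;
        if (step > bufsize - bytes)                      /* truncated slice */
            return -1;
        bytes += (size_t)step;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not taken from the ticket's fuzz.drc). */
enum { SAMPLE_LEN = 16 };
static const uint8_t SAMPLE_OK[SAMPLE_LEN] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};
static const uint8_t SAMPLE_OVERFLOW[SAMPLE_LEN] = {2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};
static const uint8_t SAMPLE_BIGLEN[SAMPLE_LEN] = {0xff,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};

/* Small wrappers so each result of the unsafe walker is a return value. */
static int unsafe_slices(const uint8_t *buf, int size_scaler)
{
    int32_t bad;
    return walk_slices_unsafe(buf, SAMPLE_LEN, size_scaler, 100, &bad);
}

static int32_t unsafe_bad_index(const uint8_t *buf, int size_scaler)
{
    int32_t bad;
    walk_slices_unsafe(buf, SAMPLE_LEN, size_scaler, 100, &bad);
    return bad;
}

int main(void)
{
    /* Benign stream: both walkers agree on 8 two-byte slices. */
    printf("ok:       unsafe=%d safe=%d\n",
           unsafe_slices(SAMPLE_OK, 1), walk_slices_safe(SAMPLE_OK, SAMPLE_LEN, 1, 100));
    /* Large positive length: the one-sided check happens to stop the unsafe loop. */
    printf("biglen:   unsafe=%d safe=%d\n",
           unsafe_slices(SAMPLE_BIGLEN, 1000), walk_slices_safe(SAMPLE_BIGLEN, SAMPLE_LEN, 1000, 100));
    /* Overflowing length: unsafe index goes negative and passes `bytes < bufsize`. */
    printf("overflow: unsafe=%d (index %d) safe=%d\n",
           unsafe_slices(SAMPLE_OVERFLOW, 0x40000000),
           (int)unsafe_bad_index(SAMPLE_OVERFLOW, 0x40000000),
           walk_slices_safe(SAMPLE_OVERFLOW, SAMPLE_LEN, 0x40000000u, 100));
    return 0;
}
```

The third case is the one that matters: a length of 2 scaled by 0x40000000 wraps the 32-bit offset to a negative value, which a `bytes < bufsize` comparison on a signed int accepts, so the next `buf[bytes]` read lands far outside the packet. Checking `bytes < bufsize` on an unsigned index before the read and computing the step without overflow turns the same input into a clean decode error.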

Attachments (1)

fuzz.drc (288.3 KB) - added by qiubit 3 years ago.
Fuzzed dirac file

Change History (3)

Changed 3 years ago by qiubit

Fuzzed dirac file

comment:1 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open

comment:2 Changed 3 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed