Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#5412 closed defect (fixed)

Invalid read in avcodec_string with fuzzed file

Reported by: qiubit Owned by:
Priority: important Component: avformat
Version: git-master Keywords: ffm SIGSEGV crash regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:

FFmpeg segfaults when probing fuzzed file (actually 2 different files, but it seems the reason of crash is the same in both cases).

How to reproduce:

$ ffmpeg -i fuzz1 -acodec copy -vcodec copy fuzzOut
OR
$ ffmpeg -i fuzz2 -acodec copy -vcodec copy fuzzOut

Backtrace (fuzz2):

gdb

pgolinski@pgolinski-VirtualBox:~/Documents/fuzzes$ gdb -q ../git/ffmpeg/build/ffmpeg_g
Reading symbols from ../git/ffmpeg/build/ffmpeg_g...done.
(gdb) r -v 9 -loglevel 99 -i fuzz2 -acodec copy -vcodec copy fuzzOut
Starting program: /home/pgolinski/Documents/git/ffmpeg/build/ffmpeg_g -v 9 -loglevel 99 -i fuzz2 -acodec copy -vcodec copy fuzzOut
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-79255-g6d7f566 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.2.1 (Ubuntu 5.2.1-22ubuntu2) 20151010
  configuration: --enable-debug
  libavutil      55. 20.100 / 55. 20.100
  libavcodec     57. 34.100 / 57. 34.100
  libavformat    57. 30.100 / 57. 30.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 40.102 /  6. 40.102
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzz2'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec ('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec ('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzz2.
Successfully parsed a group of options.
Opening an input file: fuzz2.
[file @ 0x1f8ab80] Setting default whitelist 'file,crypto'
Probing ffm score:101 size:1297
Probing mp3 score:1 size:1297
[ffm @ 0x1f8a3e0] Format ffm probed with size=2048 and score=101
[ffm @ 0x1f8a3e0] Before avformat_find_stream_info() pos: 1297 bytes read:1297 seeks:0
[NULL @ 0x1f8c320] [IMGUTILS @ 0x7fffffffd120] Picture size 0x0 is invalid
[NULL @ 0x1f8c320] Ignoring invalid width/height values
[NULL @ 0x1f8c320] [IMGUTILS @ 0x7fffffffd120] Picture size 0x0 is invalid
[ffm @ 0x1f8a3e0] 0: start_time: -9223372036854.775 duration: -9223372036854.775
[ffm @ 0x1f8a3e0] stream: start_time: -9223372036854.775 duration: -9223372036854.775 bitrate=8388 kb/s

Program received signal SIGSEGV, Segmentation fault.
avcodec_string (buf=buf@entry=0x7fffffffd540 "Video: prores, 6619250 reference frames ([142]u[197][38] / 0x26C5758E), (null)", 
    buf_size=buf_size@entry=256, enc=0x1f8c320, encode=encode@entry=0) at src/libavcodec/utils.c:2868
2868	            if (enc->bits_per_raw_sample && enc->pix_fmt != AV_PIX_FMT_NONE &&
(gdb) bt
#0  avcodec_string (buf=buf@entry=0x7fffffffd540 "Video: prores, 6619250 reference frames ([142]u[197][38] / 0x26C5758E), (null)", 
    buf_size=buf_size@entry=256, enc=0x1f8c320, encode=encode@entry=0) at src/libavcodec/utils.c:2868
#1  0x00000000006b9bd8 in avformat_find_stream_info (ic=0x1f8a3e0, options=<optimized out>) at src/libavformat/utils.c:3628
#2  0x000000000047a464 in open_input_file (o=o@entry=0x7fffffffd880, filename=<optimized out>) at src/ffmpeg_opt.c:969
#3  0x000000000047d351 in open_files (l=0x1f8a058, l=0x1f8a058, open_file=0x479f90 <open_input_file>, inout=0x1277f46 "input")
    at src/ffmpeg_opt.c:3003
#4  ffmpeg_parse_options (argc=argc@entry=12, argv=argv@entry=0x7fffffffde38) at src/ffmpeg_opt.c:3040
#5  0x000000000046fc62 in main (argc=12, argv=0x7fffffffde38) at src/ffmpeg.c:4312
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xc4d2fc to 0xc4d33c:
   0x0000000000c4d2fc <avcodec_string+2348>:	incl   -0x75(%rcx)
   0x0000000000c4d2ff <avcodec_string+2351>:	mov    $0xb0,%edi
   0x0000000000c4d304 <avcodec_string+2356>:	lea    0x40(%rsp),%rax
   0x0000000000c4d309 <avcodec_string+2361>:	mov    %rax,0x18(%rsp)
   0x0000000000c4d30e <avcodec_string+2366>:	cmp    $0xffffffff,%edi
   0x0000000000c4d311 <avcodec_string+2369>:	je     0xc4cc97 <avcodec_string+711>
   0x0000000000c4d317 <avcodec_string+2375>:	callq  0x11c8fa0 <av_pix_fmt_desc_get>
=> 0x0000000000c4d31c <avcodec_string+2380>:	cmp    0x28(%rax),%r12d
   0x0000000000c4d320 <avcodec_string+2384>:	jge    0xc4cc97 <avcodec_string+711>
   0x0000000000c4d326 <avcodec_string+2390>:	mov    0x36c(%r15),%ecx
   0x0000000000c4d32d <avcodec_string+2397>:	mov    0x18(%rsp),%rdi
   0x0000000000c4d332 <avcodec_string+2402>:	mov    $0x143b9ad,%edx
   0x0000000000c4d337 <avcodec_string+2407>:	mov    $0x100,%esi
End of assembler dump.
(gdb) info all-registers
rax            0x0	0
rbx            0x7fffffffd540	140737488344384
rcx            0x7ffffff9	2147483641
rdx            0x7fffffffd58e	140737488344462
rsi            0x11e738c	18772876
rdi            0x14c0ff20	348192544
rbp            0x1275ad8	0x1275ad8
rsp            0x7fffffffd230	0x7fffffffd230
r8             0x7ffff76754a2	140737344132258
r9             0x6	6
r10            0x883	2179
r11            0x7ffff753dc50	140737342856272
r12            0xa	10
r13            0x11	17
r14            0x0	0
r15            0x1f8c320	33080096
rip            0xc4d31c	0xc4d31c <avcodec_string+2380>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
mxcsr          0x1fba	[ DE OE UE PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 18 times>}, v16_int16 = {0xff, 0x0, 0x0, 0x0, 0xff, 0x0, 0xff00, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff, 0x0, 0xff, 0xff00, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff, 0xff00000000ff, 0x0, 0x0}, v2_int128 = {
    0x0000ff00000000ff00000000000000ff, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x25 <repeats 16 times>, 
    0x0 <repeats 16 times>}, v16_int16 = {0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x25252525, 0x25252525, 0x25252525, 0x25252525, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x2525252525252525, 0x2525252525252525, 0x0, 0x0}, 
  v2_int128 = {0x25252525252525252525252525252525, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0, 0xff, 0x0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0xffff, 
    0xffff, 0xffff, 0xffff, 0xff00, 0xff00, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xffffffff, 0xffffffff, 0xff00ff00, 
    0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xffffffffffffffff, 0xffffffffff00ff00, 0x0, 0x0}, v2_int128 = {0xffffffffff00ff00ffffffffffffffff, 
    0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xff, 0x0 <repeats 31 times>}, 
  v16_int16 = {0xff, 0x0 <repeats 15 times>}, v8_int32 = {0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff, 0x0, 0x0, 0x0}, v2_int128 = {
    0x000000000000000000000000000000ff, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x74, 0x69, 0x6d, 0x65, 0x3a, 
    0x20, 0x2d, 0x39, 0x32, 0x32, 0x33, 0x33, 0x37, 0x32, 0x30, 0x33, 0x0 <repeats 16 times>}, v16_int16 = {0x6974, 0x656d, 0x203a, 0x392d, 0x3232, 
    0x3333, 0x3237, 0x3330, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x656d6974, 0x392d203a, 0x33333232, 0x33303237, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x392d203a656d6974, 0x3330323733333232, 0x0, 0x0}, v2_int128 = {0x3330323733333232392d203a656d6974, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {
    0x5d, 0x20, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x3a, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x0 <repeats 16 times>}, v16_int16 = {0x205d, 
    0x7473, 0x6572, 0x6d61, 0x203a, 0x7473, 0x7261, 0x5f74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x7473205d, 0x6d616572, 0x7473203a, 
    0x5f747261, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x6d6165727473205d, 0x5f7472617473203a, 0x0, 0x0}, v2_int128 = {0x5f7472617473203a6d6165727473205d, 
    0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0xffff, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff, 0xffff0000, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xffff0000000000ff, 0x0, 
    0x0}, v2_int128 = {0xffff0000000000ff0000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0xff00, 0xffff, 
    0xffff, 0xffff, 0x0, 0x0, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xffffff00, 0xffffffff, 0x0, 0xffffffff, 0x0, 0x0, 
    0x0, 0x0}, v4_int64 = {0xffffffffffffff00, 0xffffffff00000000, 0x0, 0x0}, v2_int128 = {0xffffffff00000000ffffffffffffff00, 
    0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 
    0x0, 0x0, 0x0, 0xff <repeats 12 times>, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xffffffff00000000, 
    0xffffffffffffffff, 0x0, 0x0}, v2_int128 = {0xffffffffffffffffffffffff00000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0x0, 0x0, 0xffff, 0x0, 
    0x0, 0x0, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xffff0000, 0x0, 0xffff0000, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {
    0xffff000000000000, 0xffff000000000000, 0x0, 0x0}, v2_int128 = {0xffff000000000000ffff000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}

valgrind

pgolinski@pgolinski-VirtualBox:~/Documents/fuzzes$ valgrind ../git/ffmpeg/build/ffmpeg_g -v 9 -loglevel 99 -i fuzz2 -acodec copy -vcodec copy fuzzOut
==4956== Memcheck, a memory error detector
==4956== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4956== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4956== Command: ../git/ffmpeg/build/ffmpeg_g -v 9 -loglevel 99 -i fuzz2 -acodec copy -vcodec copy fuzzOut
==4956== 
ffmpeg version N-79255-g6d7f566 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.2.1 (Ubuntu 5.2.1-22ubuntu2) 20151010
  configuration: --enable-debug
  libavutil      55. 20.100 / 55. 20.100
  libavcodec     57. 34.100 / 57. 34.100
  libavformat    57. 30.100 / 57. 30.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 40.102 /  6. 40.102
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzz2'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec ('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec ('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzz2.
Successfully parsed a group of options.
Opening an input file: fuzz2.
[file @ 0x5729680] Setting default whitelist 'file,crypto'
Probing ffm score:101 size:1297
Probing mp3 score:1 size:1297
[ffm @ 0x57288a0] Format ffm probed with size=2048 and score=101
[ffm @ 0x57288a0] Before avformat_find_stream_info() pos: 1297 bytes read:1297 seeks:0
[NULL @ 0x573c360] [IMGUTILS @ 0xffefff070] Picture size 0x0 is invalid
[NULL @ 0x573c360] Ignoring invalid width/height values
[NULL @ 0x573c360] [IMGUTILS @ 0xffefff070] Picture size 0x0 is invalid
[ffm @ 0x57288a0] 0: start_time: -9223372036854.775 duration: -9223372036854.775
[ffm @ 0x57288a0] stream: start_time: -9223372036854.775 duration: -9223372036854.775 bitrate=8388 kb/s
==4956== Invalid read of size 4
==4956==    at 0xC4D31C: avcodec_string (utils.c:2868)
==4956==    by 0x6B9BD7: avformat_find_stream_info (utils.c:3628)
==4956==    by 0x47A463: open_input_file (ffmpeg_opt.c:969)
==4956==    by 0x47D350: open_files (ffmpeg_opt.c:3003)
==4956==    by 0x47D350: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==4956==    by 0x46FC61: main (ffmpeg.c:4312)
==4956==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
==4956== 
==4956== 
==4956== Process terminating with default action of signal 11 (SIGSEGV)
==4956==  Access not within mapped region at address 0x28
==4956==    at 0xC4D31C: avcodec_string (utils.c:2868)
==4956==    by 0x6B9BD7: avformat_find_stream_info (utils.c:3628)
==4956==    by 0x47A463: open_input_file (ffmpeg_opt.c:969)
==4956==    by 0x47D350: open_files (ffmpeg_opt.c:3003)
==4956==    by 0x47D350: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==4956==    by 0x46FC61: main (ffmpeg.c:4312)
==4956==  If you believe this happened as a result of a stack
==4956==  overflow in your program's main thread (unlikely but
==4956==  possible), you can try to increase the size of the
==4956==  main thread stack using the --main-stacksize= flag.
==4956==  The main thread stack size used in this run was 8388608.
==4956== 
==4956== HEAP SUMMARY:
==4956==     in use at exit: 41,463 bytes in 36 blocks
==4956==   total heap usage: 92 allocs, 56 frees, 78,475 bytes allocated
==4956== 
==4956== LEAK SUMMARY:
==4956==    definitely lost: 0 bytes in 0 blocks
==4956==    indirectly lost: 0 bytes in 0 blocks
==4956==      possibly lost: 0 bytes in 0 blocks
==4956==    still reachable: 41,463 bytes in 36 blocks
==4956==         suppressed: 0 bytes in 0 blocks
==4956== Rerun with --leak-check=full to see details of leaked memory
==4956== 
==4956== For counts of detected and suppressed errors, rerun with: -v
==4956== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

Attachments (2)

fuzz1 (11.5 KB ) - added by qiubit 8 years ago.
fuzz2 (1.3 KB ) - added by qiubit 8 years ago.

Download all attachments as: .zip

Change History (5)

by qiubit, 8 years ago

Attachment: fuzz1 added

by qiubit, 8 years ago

Attachment: fuzz2 added

comment:1 by Carl Eugen Hoyos, 8 years ago

Keywords: regression added
Priority: normalimportant
Reproduced by developer: set
Status: newopen

comment:2 by Michael Niedermayer, 8 years ago

Resolution: fixed
Status: openclosed

comment:3 by Carl Eugen Hoyos, 8 years ago

Component: undeterminedavformat
Keywords: ffm added
Note: See TracTickets for help on using tickets.