Opened 7 years ago

Closed 7 years ago

#6153 closed defect (fixed)

Use of uninitialized memory in av_packet_unpack_dictionary()

Reported by: tsmith Owned by:
Priority: minor Component: avcodec
Version: git-master Keywords: ubsan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

How to reproduce:

% ffmpeg -f ivf -i test_case.ivf -frames 5 -f null -

ffmpeg version N-83533-gada281d Copyright (c) 2000-2017 the FFmpeg developers
  built with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
  configuration: --cc=clang --cxx=clang++ --disable-libxcb --disable-xlib --disable-logging --disable-ffprobe --disable-ffplay --disable-sdl2 --disable-ffserver --disable-doc --disable-pthreads --disable-network --disable-d3d11va --disable-dxva2 --disable-vaapi --disable-vda --disable-vdpau --disable-stripping --disable-runtime-cpudetect --disable-postproc --disable-securetransport --disable-iconv --disable-swscale --disable-avdevice --disable-videotoolbox --disable-everything --enable-encoder=wrapped_avframe --disable-lzma --enable-protocol='file,pipe' --enable-muxer=null --enable-demuxer=ivf --enable-parser=vp9 --enable-decoder=vp9 --disable-pic
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 80.100 / 57. 80.100
  libavformat    57. 66.102 / 57. 66.102
  libavfilter     6. 73.100 /  6. 73.100
  libswresample   2.  4.100 /  2.  4.100
[NULL @ 0x5719e80] [IMGUTILS @ 0xffeffffb0] Picture size 20486x51463 is invalid
[ivf @ 0x570f840] Failed to open codec in avformat_find_stream_info
[vp9 @ 0x5719e80] Warning: not compiled with thread support, using thread emulation
==57750== Conditional jump or move depends on uninitialised value(s)
==57750==    at 0x4B21FA: av_packet_unpack_dictionary (avpacket.c:501)
==57750==    by 0x4BE62C: add_metadata_from_side_data (utils.c:757)
==57750==    by 0x4BE62C: ff_init_buffer_info (utils.c:800)
==57750==    by 0x4BEF45: ff_decode_frame_props (utils.c:878)
==57750==    by 0x4BEF45: get_buffer_internal (utils.c:928)
==57750==    by 0x4BEF45: ff_get_buffer (utils.c:955)
==57750==    by 0x4D0CDE: vp9_alloc_frame (vp9.c:191)
==57750==    by 0x4D0CDE: vp9_decode_frame (vp9.c:4048)
==57750==    by 0x4C5D0D: avcodec_decode_video2 (utils.c:2263)
==57750==    by 0x4C9302: do_decode (utils.c:2796)
==57750==    by 0x4C9190: avcodec_send_packet (utils.c:2885)
==57750==    by 0x4A0B42: try_decode_frame (utils.c:2997)
==57750==    by 0x49B868: avformat_find_stream_info (utils.c:3698)
==57750==    by 0x4117A1: open_input_file (ffmpeg_opt.c:1022)
==57750==    by 0x40FEDC: open_files (ffmpeg_opt.c:3234)
==57750==    by 0x40F82E: ffmpeg_parse_options (ffmpeg_opt.c:3274)
==57750==  Uninitialised value was created by a stack allocation
==57750==    at 0x4BE1A0: ff_init_buffer_info (utils.c:761)
==57750== 

Attachments (2)

test_case.ivf (29.9 KB ) - added by tsmith 7 years ago.
patchsize.diff (365 bytes ) - added by Carl Eugen Hoyos 7 years ago.

Download all attachments as: .zip

Change History (6)

by tsmith, 7 years ago

Attachment: test_case.ivf added

by Carl Eugen Hoyos, 7 years ago

Attachment: patchsize.diff added

comment:1 by Carl Eugen Hoyos, 7 years ago

Component: undeterminedavcodec
Version: unspecifiedgit-master

I cannot reproduce with valgrind, please test if attached patch fixes the issue for you.

comment:2 by Carl Eugen Hoyos, 7 years ago

Keywords: ubsan added

comment:3 by tsmith, 7 years ago

Yes this patch fixes the issue, thank you.

comment:4 by Carl Eugen Hoyos, 7 years ago

Priority: normalminor
Resolution: fixed
Status: newclosed

Fixed in 1d54be215309b8aa71a51826e4b0a1660fef9f93, thank you for the report and the testing.

Note: See TracTickets for help on using tickets.