Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6183 closed defect (fixed)

scpr: crash with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: scpr crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

(gdb) r -i sp_16bit_q50_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i sp_16bit_q50_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_16bit_q50_fuzz.avi':
  Metadata:
    encoder         : Lavf57.36.10 
  Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 0xb68c6b40 (LWP 3041)]
[New Thread 0xb60c5b40 (LWP 3042)]
[New Thread 0xb58c4b40 (LWP 3043)]
[New Thread 0xb50c3b40 (LWP 3044)]
[New Thread 0xb48c2b40 (LWP 3045)]
[New Thread 0xb40c1b40 (LWP 3046)]
[New Thread 0xb38c0b40 (LWP 3047)]
[New Thread 0xb30bfb40 (LWP 3048)]
[New Thread 0xb28beb40 (LWP 3049)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, 
    rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
224	    pixel->freq[c] = cnt_c + step;
(gdb) bt
#0  decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, 
    rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
#1  0x086ade03 in decompress_i (linesize=320, dst=0xb2040020, avctx=0x9a29cc0)
    at libavcodec/scpr.c:319
#2  decode_frame (avctx=0x9a29cc0, data=0x9a2d1c0, got_frame=0xbfffe83c, 
    avpkt=0xbfffe7ac) at libavcodec/scpr.c:686
#3  0x08729a59 in avcodec_decode_video2 (avctx=0x9a29cc0, picture=0x9a2d1c0, 
    got_picture_ptr=0xbfffe83c, avpkt=0xbfffe938) at libavcodec/utils.c:2263
#4  0x0872a9dd in do_decode (avctx=avctx@entry=0x9a29cc0, 
    pkt=pkt@entry=0xbfffe938) at libavcodec/utils.c:2796
#5  0x0872b7b0 in avcodec_send_packet (avctx=0x9a29cc0, avpkt=<optimized out>)
    at libavcodec/utils.c:2885
#6  0x080e8447 in decode (pkt=0xbfffe938, got_frame=0xbfffead4, 
    frame=<optimized out>, avctx=0x9a29cc0) at ffmpeg.c:2052
#7  decode_video (ist=ist@entry=0x9a29960, pkt=pkt@entry=0xbfffeb14, 
    got_output=got_output@entry=0xbfffead4, eof=0) at ffmpeg.c:2248
#8  0x080e9806 in process_input_packet (ist=0x9a29960, pkt=0xbfffed44, 
    no_eof=0) at ffmpeg.c:2491
#9  0x080c78d6 in process_input (file_index=<optimized out>) at ffmpeg.c:4251
#10 transcode_step () at ffmpeg.c:4339
#11 transcode () at ffmpeg.c:4393
#12 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
(gdb) 

Attachments (2)

sp_16bit_q50_fuzz.avi (43.3 KB ) - added by ami_stuff 7 years ago.
sp_16bit_q50_fuzz2.avi (43.3 KB ) - added by ami_stuff 7 years ago.


Change History (10)

by ami_stuff, 7 years ago

Attachment: sp_16bit_q50_fuzz.avi added

comment:1 by Elon Musk, 7 years ago

Resolution: duplicate
Status: new → closed

Duplicate of #6182.

comment:2 by ami_stuff, 7 years ago

Are you sure that this is fixed? See the newly attached fuzzed file.

(gdb) r -i sp_16bit_q50_fuzz2.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i sp_16bit_q50_fuzz2.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_16bit_q50_fuzz2.avi':
  Metadata:
    encoder         : Lavf57.36.10 
  Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 0xb68c6b40 (LWP 4049)]
[New Thread 0xb60c5b40 (LWP 4050)]
[New Thread 0xb58c4b40 (LWP 4051)]
[New Thread 0xb50c3b40 (LWP 4052)]
[New Thread 0xb48c2b40 (LWP 4053)]
[New Thread 0xb40c1b40 (LWP 4054)]
[New Thread 0xb38c0b40 (LWP 4055)]
[New Thread 0xb30bfb40 (LWP 4056)]
[New Thread 0xb28beb40 (LWP 4057)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, 
    rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
224	    pixel->freq[c] = cnt_c + step;
(gdb) bt
#0  decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, 
    rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
#1  0x086ade93 in decompress_i (linesize=320, dst=0xb2040020, avctx=0x9a29cc0)
    at libavcodec/scpr.c:319
#2  decode_frame (avctx=0x9a29cc0, data=0x9a2d1c0, got_frame=0xbfffe83c, 
    avpkt=0xbfffe7ac) at libavcodec/scpr.c:702
#3  0x08729a99 in avcodec_decode_video2 (avctx=0x9a29cc0, picture=0x9a2d1c0, 
    got_picture_ptr=0xbfffe83c, avpkt=0xbfffe938) at libavcodec/utils.c:2263
#4  0x0872aa1d in do_decode (avctx=avctx@entry=0x9a29cc0,
    pkt=pkt@entry=0xbfffe938) at libavcodec/utils.c:2796
#5  0x0872b7f0 in avcodec_send_packet (avctx=0x9a29cc0, avpkt=<optimized out>)
    at libavcodec/utils.c:2885
#6  0x080e8447 in decode (pkt=0xbfffe938, got_frame=0xbfffead4, 
    frame=<optimized out>, avctx=0x9a29cc0) at ffmpeg.c:2052
#7  decode_video (ist=ist@entry=0x9a29960, pkt=pkt@entry=0xbfffeb14, 
    got_output=got_output@entry=0xbfffead4, eof=0) at ffmpeg.c:2248
#8  0x080e9806 in process_input_packet (ist=0x9a29960, pkt=0xbfffed44,
    no_eof=0) at ffmpeg.c:2491
#9  0x080c78d6 in process_input (file_index=<optimized out>) at ffmpeg.c:4251
#10 transcode_step () at ffmpeg.c:4339
#11 transcode () at ffmpeg.c:4393
#12 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
(gdb) 

by ami_stuff, 7 years ago

Attachment: sp_16bit_q50_fuzz2.avi added

comment:3 by Elon Musk, 7 years ago

I cannot reproduce the crash; have you tried latest master?

comment:4 by ami_stuff, 7 years ago

Yes, it still happens here - 32-bit build.

comment:5 by ami_stuff, 7 years ago

Also, what is strange is that the crash does not happen under valgrind (there are no errors).

Last edited 7 years ago by ami_stuff

comment:6 by James, 7 years ago

I'm getting a different backtrace with this file using a mingw-w64 (x86_64) build.

(gdb) r -i sp_16bit_q50_fuzz2.avi -f null -
Starting program: F:\msys\ffmpeg\build\ffmpeg_g.exe -i sp_16bit_q50_fuzz2.avi -f null -
[New Thread 3128.0x1ff4]
[New Thread 3128.0x1fd8]
[New Thread 3128.0x6c8]
[New Thread 3128.0x125c]
ffmpeg version N-83627-gf5fa12d6ee Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (Rev1, Built by MSYS2 project)
  configuration: --enable-gpl --enable-nonfree --enable-libx264 --enable-libfdk_aac --enable-libvpx --enable-libopus --target-os=mingw32 --arch=x86_64 --cpu=haswell --extra-cflags='-D_WIN32_WINNT=0x0602' --cc='ccache gcc' --samples=../samples --prefix=/mingw64
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_16bit_q50_fuzz2.avi':
  Metadata:
    encoder         : Lavf57.36.10
  Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 3128.0x1e4c]
[New Thread 3128.0x4fc]
[New Thread 3128.0xf98]
[New Thread 3128.0x2258]
[New Thread 3128.0x114c]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Thread 1 received signal SIGSEGV, Segmentation fault.
decode_unit (s=s@entry=0x258b060, pixel=0x325e3bc, rval=rval@entry=0x5ff438,
    step=400) at F:/msys/ffmpeg/src/libavcodec/scpr.c:197
197         unsigned totfr = pixel->total_freq;
(gdb) bt
#0  decode_unit (s=s@entry=0x258b060, pixel=0x325e3bc,
    rval=rval@entry=0x5ff438, step=400)
    at F:/msys/ffmpeg/src/libavcodec/scpr.c:197
#1  0x000000014066e99c in decompress_i (linesize=<optimized out>,
    dst=0x24d19e0, avctx=0x2491f20)
    at F:/msys/ffmpeg/src/libavcodec/scpr.c:319
#2  decode_frame (avctx=0x2491f20, data=0x2483540, got_frame=0x5ff5ac,
    avpkt=0x5ff4c0) at F:/msys/ffmpeg/src/libavcodec/scpr.c:703
#3  0x00000001406f1840 in avcodec_decode_video2 (avctx=avctx@entry=0x2491f20,
    picture=0x2483540, got_picture_ptr=got_picture_ptr@entry=0x5ff5ac,
    avpkt=avpkt@entry=0x5ff7a0) at F:/msys/ffmpeg/src/libavcodec/utils.c:2263
#4  0x00000001406f24c2 in do_decode (avctx=avctx@entry=0x2491f20,
    pkt=0x5ff7a0) at F:/msys/ffmpeg/src/libavcodec/utils.c:2796
#5  0x00000001406f346c in avcodec_send_packet (avctx=avctx@entry=0x2491f20,
    avpkt=<optimized out>, avpkt@entry=0x5ff7a0)
    at F:/msys/ffmpeg/src/libavcodec/utils.c:2885
#6  0x000000014001f700 in decode (pkt=0x5ff7a0, got_frame=0x5ffcf0,
    frame=<optimized out>, avctx=0x2491f20)
    at F:/msys/ffmpeg/src/ffmpeg.c:2052
#7  decode_video (ist=ist@entry=0x2491d00, pkt=pkt@entry=0x5ffc30,
    got_output=got_output@entry=0x5ffcf0, eof=eof@entry=0)
    at F:/msys/ffmpeg/src/ffmpeg.c:2248
#8  0x00000001400211d7 in process_input_packet (no_eof=0, pkt=0x5ffbd0,
    ist=0x2491d00) at F:/msys/ffmpeg/src/ffmpeg.c:2491
#9  process_input (file_index=<optimized out>)
    at F:/msys/ffmpeg/src/ffmpeg.c:4251
#10 transcode_step () at F:/msys/ffmpeg/src/ffmpeg.c:4339
#11 transcode () at F:/msys/ffmpeg/src/ffmpeg.c:4393
#12 0xq000000140e38d04 in main (argc=<optimized out>, argv=0xd54e90)

The following patch

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index 5555d812e8..58fc7009bd 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -316,6 +316,8 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)

             cx1 = (cx << 6) & 0xFC0;
             cx = g >> cxshift;
+            av_log(avctx, AV_LOG_INFO, "%d (cx) + %d (cx1) = %d\n", cx, cx1, cx + cx1);
+            av_assert0(cx + cx1 < 4096);
             ret = decode_unit(s, &s->pixel_model[2][cx + cx1], 400, &b);
             if (ret < 0)
                 return ret;
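
Review bot: av_assert0 turns the out-of-range index into an abort on attacker-controlled input, which is fine as a diagnostic but not as a fix; the committed change should return AVERROR_INVALIDDATA (or keep the context in range) instead of asserting. From the two unchanged lines above the insertion, cx1 = (cx << 6) & 0xFC0 is a multiple of 64 up to 4032, so cx + cx1 < 4096 holds only when cx < 64, i.e. only when g >> cxshift can never exceed 63; the assertion output below (cx = 219 with cx1 = 3904) shows the current cxshift lets larger values through, so the bound to enforce is on cx (or cxshift), not merely on the sum. The av_log at AV_LOG_INFO also fires once per decoded unit and would flood normal output; use AV_LOG_DEBUG or drop it before committing.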

Gives this output

[scpr @ 0000000000e02440] 219 (cx) + 3904 (cx1) = 4123
Assertion cx + cx1 < 4096 failed at F:/msys/ffmpeg/src/libavcodec/scpr.c:320
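
The index arithmetic from the debug patch above can be reproduced without FFmpeg. The C program below is an added example written for this page; it is not code from the ticket or from libavcodec/scpr.c. It re-implements only the two quoted lines, cx1 = (cx << 6) & 0xFC0 and cx = g >> cxshift, and assumes (these are assumptions, not facts from the ticket) that one pixel_model plane holds 4096 entries, the bound the av_assert0 tests, and that g is an 8-bit or 16-bit sample; the names SCPR_NCTX, scpr_index_from, scpr_index_from_checked, scpr_max_safe_cx, scpr_min_safe_cxshift and scpr_count_overflows are the example's own. It shows why the check trips: cx1 can reach 4032, so any cx above 63 indexes past the plane, and it exhaustively counts, per cxshift, how many (previous sample, sample) pairs overflow, which is the question a fix has to answer (clamp cxshift, or reject the packet). Note that an index only slightly past the plane may still land inside the same heap allocation (the decoder context), which is one reason valgrind's memcheck, which tracks only the bounds of heap blocks, can stay silent as comment:5 observes; AddressSanitizer likewise does not flag intra-object overflow.

```c
#include <stdio.h>

/* Added example (not FFmpeg code): a reduced model of the context-index
 * computation quoted in the debug patch. Assumptions, not taken from the
 * ticket: one pixel_model plane holds SCPR_NCTX entries (the bound the
 * av_assert0 tests), and g is an 8-bit or 16-bit sample. */
#define SCPR_NCTX     4096u
#define SCPR_CX1_MASK 0xFC0u   /* from the hunk: cx1 = (cx << 6) & 0xFC0 */

struct scpr_ctx {
    unsigned cx;      /* context derived from the previous sample */
    unsigned cx1;     /* carried context: a multiple of 64, at most 4032 */
    int      cxshift; /* right shift applied to each sample */
};

/* The two lines from the hunk, unchecked: the index that would be used for
 * pixel_model[2][...]. */
static unsigned scpr_next_index(struct scpr_ctx *c, unsigned g)
{
    c->cx1 = (c->cx << 6) & SCPR_CX1_MASK;
    c->cx  = g >> c->cxshift;
    return c->cx + c->cx1;
}

/* Convenience wrapper: compute one index starting from a given previous cx. */
static unsigned scpr_index_from(unsigned prev_cx, unsigned g, int cxshift)
{
    struct scpr_ctx c = { prev_cx, 0, cxshift };
    return scpr_next_index(&c, g);
}

/* Hardened variant: refuse to hand out an out-of-range index. Returns -1
 * where a decoder would return AVERROR_INVALIDDATA. */
static int scpr_index_from_checked(unsigned prev_cx, unsigned g, int cxshift)
{
    unsigned idx = scpr_index_from(prev_cx, g, cxshift);
    return idx < SCPR_NCTX ? (int)idx : -1;
}

/* Largest cx that stays in range when cx1 takes its worst case (the mask). */
static unsigned scpr_max_safe_cx(void)
{
    return SCPR_NCTX - 1 - SCPR_CX1_MASK;   /* 4095 - 4032 = 63 */
}

/* Smallest cxshift for which no gbits-wide g can produce cx > max_safe_cx. */
static int scpr_min_safe_cxshift(int gbits)
{
    unsigned gmax = (1u << gbits) - 1;
    int shift = 0;
    while ((gmax >> shift) > scpr_max_safe_cx())
        shift++;
    return shift;
}

/* Exhaustively count (previous sample, sample) pairs of gbits width whose
 * index lands outside the plane for a given cxshift. Both samples go
 * through the same shift, as the previous cx in the hunk does. Feasible
 * for 8-bit samples (65536 pairs); 16-bit would need 2^32 iterations. */
static unsigned long scpr_count_overflows(int gbits, int cxshift)
{
    unsigned gmax = (1u << gbits) - 1;
    unsigned long bad = 0;
    for (unsigned prev_g = 0; prev_g <= gmax; prev_g++)
        for (unsigned g = 0; g <= gmax; g++)
            if (scpr_index_from(prev_g >> cxshift, g, cxshift) >= SCPR_NCTX)
                bad++;
    return bad;
}

int main(void)
{
    /* The pair from the assertion output: cx1 = 3904 means the previous cx
     * had low six bits equal to 61; the new sample gave cx = 219, which is
     * only possible with cxshift 0 for an 8-bit g. */
    printf("prev cx 61, g 219, cxshift 0 -> index %u, checked: %d\n",
           scpr_index_from(61, 219, 0), scpr_index_from_checked(61, 219, 0));
    printf("cx must stay <= %u: 8-bit g needs cxshift >= %d, 16-bit g needs cxshift >= %d\n",
           scpr_max_safe_cx(), scpr_min_safe_cxshift(8), scpr_min_safe_cxshift(16));
    for (int shift = 0; shift <= 2; shift++)
        printf("8-bit g, cxshift=%d: %lu of 65536 pairs overflow\n",
               shift, scpr_count_overflows(8, shift));
    return 0;
}
```

The checked variant is the shape a decoder fix usually takes: validate before indexing and fail the packet, rather than assert. The count function is the quick way to see that with 8-bit samples only cxshift values of at least 2 make the index provably safe under these assumptions.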

comment:7 by Carl Eugen Hoyos, 7 years ago

Component: undetermined → avcodec
Keywords: scpr crash added
Priority: normal → important
Version: unspecified → git-master

I cannot reproduce an issue on Linux x86-32 and x86-64.

comment:8 by Elon Musk, 7 years ago

Resolution: duplicate → fixed