#6183 closed defect (fixed)
scpr: crash with fuzzed file
Reported by: | ami_stuff | Owned by: |
---|---|---|---
Priority: | important | Component: | avcodec
Version: | git-master | Keywords: | scpr crash
Cc: | | Blocked By: |
Blocking: | | Reproduced by developer: | no
Analyzed by developer: | no | |
Description
```
(gdb) r -i sp_16bit_q50_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i sp_16bit_q50_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_16bit_q50_fuzz.avi':
  Metadata:
    encoder         : Lavf57.36.10
  Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 0xb68c6b40 (LWP 3041)]
[New Thread 0xb60c5b40 (LWP 3042)]
[New Thread 0xb58c4b40 (LWP 3043)]
[New Thread 0xb50c3b40 (LWP 3044)]
[New Thread 0xb48c2b40 (LWP 3045)]
[New Thread 0xb40c1b40 (LWP 3046)]
[New Thread 0xb38c0b40 (LWP 3047)]
[New Thread 0xb30bfb40 (LWP 3048)]
[New Thread 0xb28beb40 (LWP 3049)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
224         pixel->freq[c] = cnt_c + step;
(gdb) bt
#0  decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
#1  0x086ade03 in decompress_i (linesize=320, dst=0xb2040020, avctx=0x9a29cc0) at libavcodec/scpr.c:319
#2  decode_frame (avctx=0x9a29cc0, data=0x9a2d1c0, got_frame=0xbfffe83c, avpkt=0xbfffe7ac) at libavcodec/scpr.c:686
#3  0x08729a59 in avcodec_decode_video2 (avctx=0x9a29cc0, picture=0x9a2d1c0, got_picture_ptr=0xbfffe83c, avpkt=0xbfffe938) at libavcodec/utils.c:2263
#4  0x0872a9dd in do_decode (avctx=avctx@entry=0x9a29cc0, pkt=pkt@entry=0xbfffe938) at libavcodec/utils.c:2796
#5  0x0872b7b0 in avcodec_send_packet (avctx=0x9a29cc0, avpkt=<optimized out>) at libavcodec/utils.c:2885
#6  0x080e8447 in decode (pkt=0xbfffe938, got_frame=0xbfffead4, frame=<optimized out>, avctx=0x9a29cc0) at ffmpeg.c:2052
#7  decode_video (ist=ist@entry=0x9a29960, pkt=pkt@entry=0xbfffeb14, got_output=got_output@entry=0xbfffead4, eof=0) at ffmpeg.c:2248
#8  0x080e9806 in process_input_packet (ist=0x9a29960, pkt=0xbfffed44, no_eof=0) at ffmpeg.c:2491
#9  0x080c78d6 in process_input (file_index=<optimized out>) at ffmpeg.c:4251
#10 transcode_step () at ffmpeg.c:4339
#11 transcode () at ffmpeg.c:4393
#12 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
(gdb)
```
Attachments (2)
Change History (10)
by , 7 years ago
Attachment: | sp_16bit_q50_fuzz.avi added
---|---
comment:1 by , 7 years ago
Resolution: | → duplicate
---|---
Status: | new → closed
comment:2 by , 7 years ago
Are you sure that this is fixed? See new attached fuzzed file.
```
(gdb) r -i sp_16bit_q50_fuzz2.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i sp_16bit_q50_fuzz2.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_16bit_q50_fuzz2.avi':
  Metadata:
    encoder         : Lavf57.36.10
  Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 0xb68c6b40 (LWP 4049)]
[New Thread 0xb60c5b40 (LWP 4050)]
[New Thread 0xb58c4b40 (LWP 4051)]
[New Thread 0xb50c3b40 (LWP 4052)]
[New Thread 0xb48c2b40 (LWP 4053)]
[New Thread 0xb40c1b40 (LWP 4054)]
[New Thread 0xb38c0b40 (LWP 4055)]
[New Thread 0xb30bfb40 (LWP 4056)]
[New Thread 0xb28beb40 (LWP 4057)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
224         pixel->freq[c] = cnt_c + step;
(gdb) bt
#0  decode_unit (s=s@entry=0xb68c7020, pixel=0xb759a368, rval=rval@entry=0xbfffe738, step=400) at libavcodec/scpr.c:224
#1  0x086ade93 in decompress_i (linesize=320, dst=0xb2040020, avctx=0x9a29cc0) at libavcodec/scpr.c:319
#2  decode_frame (avctx=0x9a29cc0, data=0x9a2d1c0, got_frame=0xbfffe83c, avpkt=0xbfffe7ac) at libavcodec/scpr.c:702
#3  0x08729a99 in avcodec_decode_video2 (avctx=0x9a29cc0, picture=0x9a2d1c0, got_picture_ptr=0xbfffe83c, avpkt=0xbfffe938) at libavcodec/utils.c:2263
#4  0x0872aa1d in do_decode (avctx=avctx@entry=0x9a29cc0, pkt=pkt@entry=0xbfffe938) at libavcodec/utils.c:2796
#5  0x0872b7f0 in avcodec_send_packet (avctx=0x9a29cc0, avpkt=<optimized out>) at libavcodec/utils.c:2885
#6  0x080e8447 in decode (pkt=0xbfffe938, got_frame=0xbfffead4, frame=<optimized out>, avctx=0x9a29cc0) at ffmpeg.c:2052
#7  decode_video (ist=ist@entry=0x9a29960, pkt=pkt@entry=0xbfffeb14, got_output=got_output@entry=0xbfffead4, eof=0) at ffmpeg.c:2248
#8  0x080e9806 in process_input_packet (ist=0x9a29960, pkt=0xbfffed44, no_eof=0) at ffmpeg.c:2491
#9  0x080c78d6 in process_input (file_index=<optimized out>) at ffmpeg.c:4251
#10 transcode_step () at ffmpeg.c:4339
#11 transcode () at ffmpeg.c:4393
#12 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
(gdb)
```
by , 7 years ago
Attachment: | sp_16bit_q50_fuzz2.avi added
---|---
comment:5 by , 7 years ago
Also, what is strange is that the crash does not happen under valgrind (there are no errors).
comment:6 by , 7 years ago
I'm getting a different backtrace with this file using a mingw-w64 (x86_64) build.
```
(gdb) r -i sp_16bit_q50_fuzz2.avi -f null -
Starting program: F:\msys\ffmpeg\build\ffmpeg_g.exe -i sp_16bit_q50_fuzz2.avi -f null -
[New Thread 3128.0x1ff4]
[New Thread 3128.0x1fd8]
[New Thread 3128.0x6c8]
[New Thread 3128.0x125c]
ffmpeg version N-83627-gf5fa12d6ee Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (Rev1, Built by MSYS2 project)
  configuration: --enable-gpl --enable-nonfree --enable-libx264 --enable-libfdk_aac --enable-libvpx --enable-libopus --target-os=mingw32 --arch=x86_64 --cpu=haswell --extra-cflags='-D_WIN32_WINNT=0x0602' --cc='ccache gcc' --samples=../samples --prefix=/mingw64
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_16bit_q50_fuzz2.avi':
  Metadata:
    encoder         : Lavf57.36.10
  Duration: 00:00:04.44, start: 0.000000, bitrate: 79 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), rgb0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 3128.0x1e4c]
[New Thread 3128.0x4fc]
[New Thread 3128.0xf98]
[New Thread 3128.0x2258]
[New Thread 3128.0x114c]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, rgb0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help

Thread 1 received signal SIGSEGV, Segmentation fault.
decode_unit (s=s@entry=0x258b060, pixel=0x325e3bc, rval=rval@entry=0x5ff438, step=400) at F:/msys/ffmpeg/src/libavcodec/scpr.c:197
197         unsigned totfr = pixel->total_freq;
(gdb) bt
#0  decode_unit (s=s@entry=0x258b060, pixel=0x325e3bc, rval=rval@entry=0x5ff438, step=400) at F:/msys/ffmpeg/src/libavcodec/scpr.c:197
#1  0x000000014066e99c in decompress_i (linesize=<optimized out>, dst=0x24d19e0, avctx=0x2491f20) at F:/msys/ffmpeg/src/libavcodec/scpr.c:319
#2  decode_frame (avctx=0x2491f20, data=0x2483540, got_frame=0x5ff5ac, avpkt=0x5ff4c0) at F:/msys/ffmpeg/src/libavcodec/scpr.c:703
#3  0x00000001406f1840 in avcodec_decode_video2 (avctx=avctx@entry=0x2491f20, picture=0x2483540, got_picture_ptr=got_picture_ptr@entry=0x5ff5ac, avpkt=avpkt@entry=0x5ff7a0) at F:/msys/ffmpeg/src/libavcodec/utils.c:2263
#4  0x00000001406f24c2 in do_decode (avctx=avctx@entry=0x2491f20, pkt=0x5ff7a0) at F:/msys/ffmpeg/src/libavcodec/utils.c:2796
#5  0x00000001406f346c in avcodec_send_packet (avctx=avctx@entry=0x2491f20, avpkt=<optimized out>, avpkt@entry=0x5ff7a0) at F:/msys/ffmpeg/src/libavcodec/utils.c:2885
#6  0x000000014001f700 in decode (pkt=0x5ff7a0, got_frame=0x5ffcf0, frame=<optimized out>, avctx=0x2491f20) at F:/msys/ffmpeg/src/ffmpeg.c:2052
#7  decode_video (ist=ist@entry=0x2491d00, pkt=pkt@entry=0x5ffc30, got_output=got_output@entry=0x5ffcf0, eof=eof@entry=0) at F:/msys/ffmpeg/src/ffmpeg.c:2248
#8  0x00000001400211d7 in process_input_packet (no_eof=0, pkt=0x5ffbd0, ist=0x2491d00) at F:/msys/ffmpeg/src/ffmpeg.c:2491
#9  process_input (file_index=<optimized out>) at F:/msys/ffmpeg/src/ffmpeg.c:4251
#10 transcode_step () at F:/msys/ffmpeg/src/ffmpeg.c:4339
#11 transcode () at F:/msys/ffmpeg/src/ffmpeg.c:4393
#12 0xq000000140e38d04 in main (argc=<optimized out>, argv=0xd54e90)
```
The following patch
diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 5555d812e8..58fc7009bd 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -316,6 +316,8 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize) cx1 = (cx << 6) & 0xFC0; cx = g >> cxshift; + av_log(avctx, AV_LOG_INFO, "%d (cx) + %d (cx1) = %d\n", cx, cx1, cx + cx1); + av_assert0(cx + cx1 < 4096); ret = decode_unit(s, &s->pixel_model[2][cx + cx1], 400, &b); if (ret < 0) return ret;
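Review bot: `av_assert0(cx + cx1 < 4096);` turns the out-of-bounds index into a deliberate abort, which is fine for a diagnostic build but cannot be the shipped change: a fuzzed packet that drives cx + cx1 past the table (4123 in the output posted with this patch) would then terminate the whole process instead of failing one frame. The validation belongs immediately before `ret = decode_unit(s, &s->pixel_model[2][cx + cx1], 400, &b);` as an error return, e.g. `if (cx + cx1 >= 4096) return AVERROR_INVALIDDATA;`, and if cx and cx1 are unsigned the comparison should be done in a wider type or on cx alone so the sum cannot wrap below the bound; better still, derive a bound on cx from cxshift so the sum can never reach the table size. The `av_log(avctx, AV_LOG_INFO, ...)` line runs once per decoded pixel and should be removed or demoted to AV_LOG_DEBUG before anything is merged.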
gives this output:
```
[scpr @ 0000000000e02440] 219 (cx) + 3904 (cx1) = 4123
Assertion cx + cx1 < 4096 failed at F:/msys/ffmpeg/src/libavcodec/scpr.c:320
```
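The bound that the debugging patch in comment:6 asserts, written as an input-validation path that rejects the packet instead of aborting the process. This is an added example, not FFmpeg's code and not the fix committed for this ticket: the context arithmetic (`cx1 = (cx << 6) & 0xFC0; cx = g >> cxshift;` indexing `pixel_model[2][cx + cx1]`) is taken from the hunk and the table size 4096 from its assertion, while the `PixelModel` layout, the `SCPR_EINVALID` stand-in for `AVERROR_INVALIDDATA`, the handling of `cxshift`, and the constructed inputs `g = 3504`, `prev_cx = 61`, `cxshift = 4` (chosen so that they reproduce the 219 and 3904 printed in the log) are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not FFmpeg code. Arithmetic from the hunk in comment:6;
 * 4096 from its assertion; everything else is assumed for the demo. */

#define SCPR_MODEL_COUNT 4096   /* bound asserted in comment:6 (assumed table size) */
#define SCPR_EINVALID    (-1)   /* stand-in for FFmpeg's AVERROR_INVALIDDATA */

typedef struct {
    unsigned total_freq;        /* both fields appear in the backtraces above */
    unsigned freq[16];          /* hypothetical width, kept small */
} PixelModel;

static PixelModel pixel_model[3][SCPR_MODEL_COUNT];   /* assumed shape */

/* cx + cx1 exactly as the hunk computes it, but taken in 64 bits so the sum
 * cannot wrap below the bound when cx is large. Returns UINT64_MAX when the
 * shift itself is invalid (shifting a 32-bit value by >= 32 is undefined). */
uint64_t scpr_context_sum(uint32_t g, unsigned prev_cx, unsigned cxshift)
{
    unsigned cx1, cx;

    if (cxshift >= 32)
        return UINT64_MAX;

    cx1 = (prev_cx << 6) & 0xFC0;   /* 0..4032, always a multiple of 64 */
    cx  = g >> cxshift;             /* unbounded unless cxshift is large */
    return (uint64_t)cx + cx1;
}

/* Validate the context and hand back a usable index, or an error the caller
 * propagates; the hunk's av_assert0 aborts the whole process instead. */
int scpr_context_index(uint32_t g, unsigned prev_cx, unsigned cxshift, unsigned *idx)
{
    uint64_t sum = scpr_context_sum(g, prev_cx, cxshift);

    if (sum >= SCPR_MODEL_COUNT)
        return SCPR_EINVALID;
    *idx = (unsigned)sum;
    return 0;
}

/* Whether every possible 32-bit g keeps the index in range for this cxshift:
 * cx1 can be 4032, so cx must stay below 64, which needs cxshift >= 26.
 * The log's cx = 219 shows the shift in use was smaller than that. */
int scpr_cxshift_is_safe(unsigned cxshift)
{
    if (cxshift >= 32)
        return 0;
    return (uint64_t)(UINT32_MAX >> cxshift) + 0xFC0 < SCPR_MODEL_COUNT;
}

/* Hardened form of the call site in decompress_i: validate first, index
 * pixel_model[2] only with a checked value, and report why a packet failed. */
int scpr_decode_pixel_checked(uint32_t g, unsigned prev_cx, unsigned cxshift, unsigned step)
{
    unsigned idx;
    PixelModel *pixel;
    int ret = scpr_context_index(g, prev_cx, cxshift, &idx);

    if (ret < 0) {
        fprintf(stderr, "scpr: context %llu out of range (table has %d entries), rejecting packet\n",
                (unsigned long long)scpr_context_sum(g, prev_cx, cxshift), SCPR_MODEL_COUNT);
        return ret;
    }
    pixel = &pixel_model[2][idx];
    pixel->freq[0]    += step;      /* stands in for decode_unit's frequency update */
    pixel->total_freq += step;
    return 0;
}

int main(void)
{
    /* Constructed inputs that reproduce the values printed in comment:6. */
    printf("cx + cx1 = %llu -> %s\n",
           (unsigned long long)scpr_context_sum(3504, 61, 4),
           scpr_decode_pixel_checked(3504, 61, 4, 400) ? "rejected" : "ok");
    printf("cxshift=4 safe for every g? %d; cxshift=26? %d\n",
           scpr_cxshift_is_safe(4), scpr_cxshift_is_safe(26));
    return 0;
}
```

Two points carry over to any real fix: the comparison is done on a 64-bit sum because a plain `cx + cx1 < 4096` on 32-bit unsigned operands can wrap and pass for a huge cx, and `scpr_cxshift_is_safe` makes explicit that the per-pixel check is only redundant when cxshift is at least 26, which the logged cx = 219 rules out for the fuzzed file.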
comment:7 by , 7 years ago
Component: | undetermined → avcodec
---|---
Keywords: | scpr crash added
Priority: | normal → important
Version: | unspecified → git-master
I cannot reproduce an issue on Linux x86-32 and x86-64.
comment:8 by , 7 years ago
Resolution: | duplicate → fixed
---|---
Fixed in 178cd50c47aa5b7db03f7ce7a3f2934857dbd35b.
Duplicate of #6182.