Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#6184 closed defect (fixed)

scpr: crash with fuzzed file 2

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: scpr crash
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i sp_24bit_q50_fuzz.avi -f null -
==2894== Memcheck, a memory error detector
==2894== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2894== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==2894== Command: ffmpeg/ffmpeg_g -i sp_24bit_q50_fuzz.avi -f null -
==2894== 
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_24bit_q50_fuzz.avi':
  Metadata:
    encoder         : Lavf57.36.100
  Duration: 00:00:04.44, start: 0.000000, bitrate: 392 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), bgr0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, bgr0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
==2894== Invalid write of size 4
==2894==    at 0x86ADC82: decompress_i (scpr.c:398)
==2894==    by 0x86ADC82: decode_frame (scpr.c:686)
==2894==    by 0x8729A58: avcodec_decode_video2 (utils.c:2263)
==2894==    by 0x872A9DC: do_decode (utils.c:2796)
==2894==    by 0x872B7AF: avcodec_send_packet (utils.c:2885)
==2894==    by 0x80E8446: decode (ffmpeg.c:2052)
==2894==    by 0x80E8446: decode_video (ffmpeg.c:2248)
==2894==    by 0x80E9805: process_input_packet (ffmpeg.c:2491)
==2894==    by 0x80C78D5: process_input (ffmpeg.c:4251)
==2894==    by 0x80C78D5: transcode_step (ffmpeg.c:4339)
==2894==    by 0x80C78D5: transcode (ffmpeg.c:4393)
==2894==    by 0x80C78D5: main (ffmpeg.c:4598)
==2894==  Address 0x4b2c68c is 256,044 bytes inside a block of size 256,047 alloc'd
==2894==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2894==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2894==    by 0x8C3600F: av_malloc (mem.c:97)
==2894==    by 0x8C190D7: av_buffer_alloc (buffer.c:71)
==2894==    by 0x8C190D7: av_buffer_allocz (buffer.c:84)
==2894==    by 0x8C19928: pool_alloc_buffer (buffer.c:353)
==2894==    by 0x8C19928: av_buffer_pool_get (buffer.c:418)
==2894==    by 0x87279D6: video_get_buffer (utils.c:682)
==2894==    by 0x87279D6: avcodec_default_get_buffer2 (utils.c:740)
==2894==    by 0x87282C2: get_buffer_internal (utils.c:940)
==2894==    by 0x87282C2: ff_get_buffer (utils.c:955)
==2894==    by 0x872863B: reget_buffer_internal (utils.c:979)
==2894==    by 0x872863B: ff_reget_buffer (utils.c:1004)
==2894==    by 0x86ACA41: decode_frame (scpr.c:677)
==2894==    by 0x8729A58: avcodec_decode_video2 (utils.c:2263)
==2894==    by 0x872A9DC: do_decode (utils.c:2796)
==2894==    by 0x872B7AF: avcodec_send_packet (utils.c:2885)
==2894== 

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 10283824, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


host stacktrace:
==2894==    at 0x3805A504: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x3805A656: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x3805A7B9: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x3806939D: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x380699B5: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x380B21FB: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x3802C888: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x3802CC15: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x380B5293: ??? (in /usr/lib/valgrind/memcheck-x86-linux)
==2894==    by 0x380C70E7: ??? (in /usr/lib/valgrind/memcheck-x86-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==2894==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2894==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2894==    by 0x8C362EF: av_malloc (mem.c:97)
==2894==    by 0x8C362EF: av_mallocz (mem.c:254)
==2894==    by 0x8C1918E: av_buffer_ref (buffer.c:94)
==2894==    by 0x8C2E383: av_frame_ref (frame.c:427)
==2894==    by 0x86ACB4F: decode_frame (scpr.c:730)
==2894==    by 0x8729A58: avcodec_decode_video2 (utils.c:2263)
==2894==    by 0x872A9DC: do_decode (utils.c:2796)
==2894==    by 0x872B7AF: avcodec_send_packet (utils.c:2885)
==2894==    by 0x80E8446: decode (ffmpeg.c:2052)
==2894==    by 0x80E8446: decode_video (ffmpeg.c:2248)
==2894==    by 0x80E9805: process_input_packet (ffmpeg.c:2491)
==2894==    by 0x80C78D5: process_input (ffmpeg.c:4251)
==2894==    by 0x80C78D5: transcode_step (ffmpeg.c:4339)
==2894==    by 0x80C78D5: transcode (ffmpeg.c:4393)
==2894==    by 0x80C78D5: main (ffmpeg.c:4598)

Thread 2: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 3: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 4: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 5: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 6: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 7: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 8: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 9: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)

Thread 10: status = VgTs_WaitSys
==2894==    at 0x444DD4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==2894==    by 0x811A3E1: worker (pthread.c:73)
==2894==    by 0x4449F6F: start_thread (pthread_create.c:312)
==2894==    by 0x454ABED: clone (clone.S:129)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
(gdb) r -i sp_24bit_q50_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i sp_24bit_q50_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 47.100 / 55. 47.100
  libavcodec     57. 81.100 / 57. 81.100
  libavformat    57. 66.102 / 57. 66.102
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 73.100 /  6. 73.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Input #0, avi, from 'sp_24bit_q50_fuzz.avi':
  Metadata:
    encoder         : Lavf57.36.100
  Duration: 00:00:04.44, start: 0.000000, bitrate: 392 kb/s
    Stream #0:0: Video: scpr (SCPR / 0x52504353), bgr0, 320x200, 25 fps, 25 tbr, 25 tbn, 25 tbc
[New Thread 0xb68c6b40 (LWP 2995)]
[New Thread 0xb60c5b40 (LWP 2996)]
[New Thread 0xb58c4b40 (LWP 2997)]
[New Thread 0xb50c3b40 (LWP 2998)]
[New Thread 0xb48c2b40 (LWP 2999)]
[New Thread 0xb40c1b40 (LWP 3000)]
[New Thread 0xb38c0b40 (LWP 3001)]
[New Thread 0xb30bfb40 (LWP 3002)]
[New Thread 0xb28beb40 (LWP 3003)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.66.102
    Stream #0:0: Video: wrapped_avframe, bgr0, 320x200, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.81.100 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (scpr (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 6 times
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 52 times
Program received signal SIGSEGV, Segmentation fault.
decompress_p (plinesize=<optimized out>, prev=0xb207f020, 
    linesize=<optimized out>, dst=0xb2040020, avctx=0x9a29940)
    at libavcodec/scpr.c:496
496	                        dst[(by + i + sy1) * linesize + bx + sx1 + j] = prev[(by + mvy + sy1 + i) * plinesize + bx + sx1 + mvx + j];
(gdb) bt
#0  decompress_p (plinesize=<optimized out>, prev=0xb207f020, 
    linesize=<optimized out>, dst=0xb2040020, avctx=0x9a29940)
    at libavcodec/scpr.c:496
#1  decode_frame (avctx=0x9a29940, data=0x9a2bee0, got_frame=0xbfffe83c, 
    avpkt=0xbfffe7ac) at libavcodec/scpr.c:718
#2  0x08729a59 in avcodec_decode_video2 (avctx=0x9a29940, picture=0x9a2bee0, 
    got_picture_ptr=0xbfffe83c, avpkt=0xbfffe938) at libavcodec/utils.c:2263
#3  0x0872a9dd in do_decode (avctx=avctx@entry=0x9a29940, 
    pkt=pkt@entry=0xbfffe938) at libavcodec/utils.c:2796
#4  0x0872b7b0 in avcodec_send_packet (avctx=0x9a29940, avpkt=<optimized out>)
    at libavcodec/utils.c:2885
#5  0x080e8447 in decode (pkt=0xbfffe938, got_frame=0xbfffead4, 
    frame=<optimized out>, avctx=0x9a29940) at ffmpeg.c:2052
#6  decode_video (ist=ist@entry=0x9a29780, pkt=pkt@entry=0xbfffeb14, 
    got_output=got_output@entry=0xbfffead4, eof=0) at ffmpeg.c:2248
#7  0x080e9806 in process_input_packet (ist=0x9a29780, pkt=0xbfffed44, 
    no_eof=0) at ffmpeg.c:2491
#8  0x080c78d6 in process_input (file_index=<optimized out>) at ffmpeg.c:4251
#9  transcode_step () at ffmpeg.c:4339
#10 transcode () at ffmpeg.c:4393
#11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4598
(gdb) 
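Both reports above point at the same class of defect: the Valgrind invalid write in decompress_i (scpr.c:398) and the SIGSEGV at scpr.c:496 are block copies whose position and motion vector come straight from the fuzzed bitstream, with no check that the addressed pixels lie inside the frame. As an added example (not FFmpeg's scpr.c, not the fix that closed this ticket), the copy below validates both the destination rectangle and the vector-shifted source rectangle against the frame before touching any pixel; the function name, the simplified addressing (bx/by already include the sub-block offset sx1/sy1 seen at line 496) and the sample frame are assumptions for illustration.

```c
#include <stdint.h>

/* Bounds-checked motion-compensated block copy (added example, hypothetical
 * helper). Strides are in pixels, as in the crashing scpr.c line.
 * Returns 0 on success, -1 if either rectangle would leave its frame. */
static int mv_copy_block(uint32_t *dst, int linesize, int width, int height,
                         const uint32_t *prev, int plinesize,
                         int bx, int by, int bw, int bh, int mvx, int mvy)
{
    int i, j;
    /* destination [bx, bx+bw) x [by, by+bh) must be inside the frame;
     * written as width - bw so an oversized block cannot wrap the sum */
    if (bx < 0 || by < 0 || bw <= 0 || bh <= 0 ||
        bx > width - bw || by > height - bh)
        return -1;
    /* source is the same rectangle shifted by the untrusted (mvx, mvy);
     * it must be checked on its own, a valid destination proves nothing */
    if (bx + mvx < 0 || by + mvy < 0 ||
        bx + mvx > width - bw || by + mvy > height - bh)
        return -1;
    for (i = 0; i < bh; i++)
        for (j = 0; j < bw; j++)
            dst[(by + i) * linesize + bx + j] =
                prev[(by + mvy + i) * plinesize + bx + mvx + j];
    return 0;
}

/* Constructed sample: an 8x4 frame with stride 8, prev[p] = p, so each
 * pixel value records its own offset and a copy is easy to verify. */
static int demo_copy_ok(void)
{
    uint32_t prev[32], dst[32];
    int p;
    for (p = 0; p < 32; p++) { prev[p] = (uint32_t)p; dst[p] = 0; }
    /* 2x2 block at (2,1), vector (1,1): source (3,2)..(4,3) is in range */
    if (mv_copy_block(dst, 8, 8, 4, prev, 8, 2, 1, 2, 2, 1, 1))
        return -1;
    /* dst(2,1) now holds prev(3,2) = 2*8 + 3 = 19 */
    return (int)dst[1 * 8 + 2];
}

static int demo_copy_rejected(void)
{
    uint32_t prev[32] = {0}, dst[32] = {0};
    /* vector (0,-1) from the top row would read above the frame: refused */
    return mv_copy_block(dst, 8, 8, 4, prev, 8, 2, 0, 2, 2, 0, -1);
}
```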

Attachments (1)

sp_24bit_q50_fuzz.avi (213.0 KB) - added by ami_stuff 4 months ago.


Change History (4)

Changed 4 months ago by ami_stuff

comment:1 Changed 4 months ago by richardpl

  • Resolution set to fixed
  • Status changed from new to closed

comment:2 Changed 4 months ago by richardpl

  • Component changed from undetermined to avcodec
  • Reproduced by developer set
  • Version changed from unspecified to git-master

comment:3 Changed 4 months ago by cehoyos

  • Keywords scpr crash added
  • Priority changed from normal to important