Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#6250 closed defect (fixed)

xma: crash with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: wmapro crash SIGSEGV
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

https://files.fm/u/c8x6c9wk

==12833== Invalid write of size 4
==12833==    at 0x889B058: memcpy (string3.h:51)
==12833==    by 0x889B058: xma_decode_packet (wmaprodec.c:1760)
==12833==    by 0x872CA6C: avcodec_decode_audio4 (utils.c:2381)
==12833==    by 0x872D5BC: do_decode (utils.c:2814)
==12833==    by 0x872E5EC: avcodec_receive_frame (utils.c:2930)
==12833==    by 0x80E8031: decode (ffmpeg.c:2255)
==12833==    by 0x80E8031: decode_audio (ffmpeg.c:2304)
==12833==    by 0x80E9FD1: process_input_packet (ffmpeg.c:2614)
==12833==    by 0x80C7655: process_input (ffmpeg.c:4353)
==12833==    by 0x80C7655: transcode_step (ffmpeg.c:4464)
==12833==    by 0x80C7655: transcode (ffmpeg.c:4518)
==12833==    by 0x80C7655: main (ffmpeg.c:4723)
==12833==  Address 0x5140d20 is 0 bytes after a block of size 2,919,616 alloc'd
==12833==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833==    by 0x8C3B6AF: av_malloc (mem.c:97)
==12833==    by 0x8C3B6AF: av_mallocz (mem.c:254)
==12833==    by 0x862E326: init_context_defaults (options.c:128)
==12833==    by 0x862E3CF: avcodec_alloc_context3 (options.c:164)
==12833==    by 0x80D5075: add_input_streams (ffmpeg_opt.c:709)
==12833==    by 0x80D5075: open_input_file (ffmpeg_opt.c:1055)
==12833==    by 0x80D771E: open_files (ffmpeg_opt.c:3197)
==12833==    by 0x80D771E: ffmpeg_parse_options (ffmpeg_opt.c:3237)
==12833==    by 0x80C6627: main (ffmpeg.c:4696)
==12833== 
[xma1 @ 0x4e0f120] overflow (129 > 128) in spectral RLE, ignoring
[xma1 @ 0x4e0f120] num_vec_coeffs 204 is too large
Error while decoding stream #0:0: Invalid data found when processing input
==12833== Invalid read of size 4
==12833==    at 0x8247D2D: avio_seek (aviobuf.c:245)
==12833==    by 0x80C6911: avio_tell (avio.h:519)
==12833==    by 0x80C6911: need_output (ffmpeg.c:3723)
==12833==    by 0x80C6911: transcode (ffmpeg.c:4513)
==12833==    by 0x80C6911: main (ffmpeg.c:4723)
==12833==  Address 0x3dfd892c is not stack'd, malloc'd or (recently) free'd
==12833== 
==12833== 
==12833== Process terminating with default action of signal 11 (SIGSEGV)
==12833==  Access not within mapped region at address 0x3DFD892C
==12833==    at 0x8247D2D: avio_seek (aviobuf.c:245)
==12833==    by 0x80C6911: avio_tell (avio.h:519)
==12833==    by 0x80C6911: need_output (ffmpeg.c:3723)
==12833==    by 0x80C6911: transcode (ffmpeg.c:4513)
==12833==    by 0x80C6911: main (ffmpeg.c:4723)
==12833==  If you believe this happened as a result of a stack
==12833==  overflow in your program's main thread (unlikely but
==12833==  possible), you can try to increase the size of the
==12833==  main thread stack using the --main-stacksize= flag.
==12833==  The main thread stack size used in this run was 8388608.
==12833== 
==12833== HEAP SUMMARY:
==12833==     in use at exit: 3,447,037 bytes in 220 blocks
==12833==   total heap usage: 2,249 allocs, 2,029 frees, 8,652,797 bytes allocated
==12833== 
==12833== 4 bytes in 1 blocks are definitely lost in loss record 13 of 79
==12833==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833==    by 0x402C3AF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833==    by 0x836FDA8: avformat_new_stream (utils.c:4244)
==12833==    by 0x80D254A: new_output_stream (ffmpeg_opt.c:1223)
==12833==    by 0x80D41D5: new_audio_stream (ffmpeg_opt.c:1717)
==12833==    by 0x80D955C: open_output_file (ffmpeg_opt.c:2174)
==12833==    by 0x80D955C: open_files (ffmpeg_opt.c:3197)
==12833==    by 0x80D955C: ffmpeg_parse_options (ffmpeg_opt.c:3251)
==12833==    by 0x80C6627: main (ffmpeg.c:4696)
==12833== 
==12833== 34,578 (1,348 direct, 33,230 indirect) bytes in 1 blocks are definitely lost in loss record 74 of 79
==12833==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12833==    by 0x8C3B3CF: av_malloc (mem.c:97)
==12833==    by 0x8310101: avformat_alloc_context (options.c:135)
==12833==    by 0x80D4733: open_input_file (ffmpeg_opt.c:925)
==12833==    by 0x80D771E: open_files (ffmpeg_opt.c:3197)
==12833==    by 0x80D771E: ffmpeg_parse_options (ffmpeg_opt.c:3237)
==12833==    by 0x80C6627: main (ffmpeg.c:4696)
==12833== 
==12833== LEAK SUMMARY:
==12833==    definitely lost: 1,352 bytes in 2 blocks
==12833==    indirectly lost: 33,230 bytes in 12 blocks
==12833==      possibly lost: 0 bytes in 0 blocks
==12833==    still reachable: 3,412,455 bytes in 206 blocks
==12833==         suppressed: 0 bytes in 0 blocks
==12833== Reachable blocks (those to which a pointer was found) are not shown.
==12833== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==12833== 
==12833== For counts of detected and suppressed errors, rerun with: -v
==12833== ERROR SUMMARY: 383 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i m_fuzz.xma -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.2.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 48.100 / 55. 48.100
  libavcodec     57. 83.100 / 57. 83.100
  libavformat    57. 66.104 / 57. 66.104
  libavdevice    57.  3.100 / 57.  3.100
  libavfilter     6. 76.100 /  6. 76.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
  libpostproc    54.  2.100 / 54.  2.100
Guessed Channel Layout for Input Stream #0.0 : 5.1
Input #0, wav, from 'm_fuzz.xma':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Audio: xma1 (e[1][0][0] / 0x0165), 44100 Hz, 5.1, fltp
Program received signal SIGSEGV, Segmentation fault.
0x0889afd4 in memcpy (__len=2048, __src=0x9a5e700, __dest=0x10f9acb4)
    at /usr/include/i386-linux-gnu/bits/string3.h:51
51	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0x0889afd4 in memcpy (__len=2048, __src=0x9a5e700, __dest=0x10f9acb4)
    at /usr/include/i386-linux-gnu/bits/string3.h:51
#1  xma_decode_packet (avctx=0x9a36440, data=0x9a317a0, 
    got_frame_ptr=0xbfffe5fc, avpkt=0xbfffe56c) at libavcodec/wmaprodec.c:1757
#2  0x0872ca6d in avcodec_decode_audio4 (avctx=0x9a36440, frame=0x9a317a0, 
    got_frame_ptr=0xbfffe5fc, avpkt=0x9a31980) at libavcodec/utils.c:2381
#3  0x0872d5bd in do_decode (avctx=avctx@entry=0x9a36440, pkt=0x9a31980)
    at libavcodec/utils.c:2814
#4  0x0872e5ed in avcodec_receive_frame (avctx=0x9a36440, frame=0x9ae6ee0)
    at libavcodec/utils.c:2930
#5  0x080e8032 in decode (pkt=0xbfffe794, got_frame=0xbfffe754, 
    frame=<optimized out>, avctx=0x9a36440) at ffmpeg.c:2255
#6  decode_audio (ist=ist@entry=0x9a362e0, pkt=pkt@entry=0xbfffe794, 
    got_output=got_output@entry=0xbfffe754) at ffmpeg.c:2304
#7  0x080e9fd2 in process_input_packet (ist=0x9a362e0, pkt=0xbfffe9c4, 
    no_eof=0) at ffmpeg.c:2614
#8  0x080c7656 in process_input (file_index=<optimized out>) at ffmpeg.c:4353
#9  transcode_step () at ffmpeg.c:4464
#10 transcode () at ffmpeg.c:4518
#11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4723
(gdb) 

Change History (2)

comment:1 Changed 6 months ago by richardpl

  • Component changed from undetermined to avcodec
  • Priority changed from normal to important
  • Reproduced by developer set
  • Resolution set to fixed
  • Status changed from new to closed
  • Version changed from unspecified to git-master

comment:2 Changed 6 months ago by cehoyos

  • Keywords wmapro crash SIGSEGV added