Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#6277 closed defect (invalid)

Use of uninitialized memory in do_decode (utils.c)

Reported by: Fusl
Owned by:
Priority: normal
Component: avcodec
Version: git-master
Keywords: ubsan regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

The file "afl2_24" is attached as corrupt.webm, not minimized (pulled from running AFL fuzzer instance).

Tested with git commit 50bbb674723e84c8733a447dcb0139c53a2705a7

valgrind --track-origins=yes /afl/testcases/ffmpeg/bin/ffmpeg -v 9 -loglevel 99 -i ./afl2_24 -f null -

Valgrind output:

==554833== Conditional jump or move depends on uninitialised value(s)
==554833==    at 0x1F8180C: do_decode (utils.c:2824)
==554833==    by 0x1F856C3: avcodec_receive_frame (utils.c:2949)
==554833==    by 0x5F459E: decode (ffmpeg.c:2256)
==554833==    by 0x5F459E: decode_video (ffmpeg.c:2393)
==554833==    by 0x5FF076: process_input_packet.constprop.21 (ffmpeg.c:2628)
==554833==    by 0x5755AE: process_input (ffmpeg.c:4171)
==554833==    by 0x5755AE: transcode_step (ffmpeg.c:4481)
==554833==    by 0x5755AE: transcode (ffmpeg.c:4535)
==554833==    by 0x5755AE: main (ffmpeg.c:4740)
==554833==  Uninitialised value was created by a stack allocation
==554833==    at 0x1C57FE0: ff_thread_decode_frame (pthread_frame.c:446)
==554833==

Full output:

==554833== Memcheck, a memory error detector
==554833== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==554833== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==554833== Command: /afl/testcases/ffmpeg/bin/ffmpeg -v 9 -loglevel 99 -i ./afl2_24 -f null -
==554833==
ffmpeg version N-84505-g50bbb67 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 4.9.2 (Debian 4.9.2-10)
  configuration: --disable-yasm --cc=/usr/local/bin/afl-gcc --cxx=/usr/local/bin/afl-g++ --disable-shared --enable-static --disable-optimizations --disable-mmx --disable-stripping
  libavutil      55. 50.100 / 55. 50.100
  libavcodec     57. 85.101 / 57. 85.101
  libavformat    57. 67.100 / 57. 67.100
  libavdevice    57.  3.101 / 57.  3.101
  libavfilter     6. 78.100 /  6. 78.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument './afl2_24'.
Reading option '-f' ... matched as option 'f' (force format) with argument 'null'.
Reading option '-' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url ./afl2_24.
Successfully parsed a group of options.
Opening an input file: ./afl2_24.
[file @ 0x59032e0] Setting default whitelist 'file,crypto'
Probing matroska,webm score:100 size:2048
[matroska,webm @ 0x59026c0] Format matroska,webm probed with size=2048 and score=100
st:0 removing common factor 1000000 from timebase
st:1 removing common factor 1000000 from timebase
[matroska,webm @ 0x59026c0] Before avformat_find_stream_info() pos: 3886 bytes read:5022 seeks:0 nb_streams:2
[matroska,webm @ 0x59026c0] All info found
[matroska,webm @ 0x59026c0] stream 0: start_time: 0.252 duration: -9223372036854776.000
[matroska,webm @ 0x59026c0] stream 1: start_time: 0.000 duration: -9223372036854776.000
[matroska,webm @ 0x59026c0] format: start_time: 0.000 duration: 1.263 bitrate=31 kb/s
[matroska,webm @ 0x59026c0] After avformat_find_stream_info() pos: 3997 bytes read:5022 seeks:0 frames:10
Input #0, matroska,webm, from './afl2_24':
  Metadata:
    encoder         : Lavf56.40.101
  Duration: 00:00:01.26, start: 0.000000, bitrate: 31 kb/s
    Stream #0:0(eng), 1, 1/1000: Video: vp9 (Profile 0), 1 reference frame, yuv420p(tv), 96x65521, 0/1, SAR 9:10 DAR 432:327605, 29.67 fps, 29.67 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng), 9, 1/1000: Audio: vorbis, 16000 Hz, mono, fltp (default)
Successfully opened the file.
Parsing a group of options: output url -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
detected 24 logical cores
Stream mapping:
  Stream #0:0 -> #0:0 (vp9 (native) -> wrapped_avframe (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
    Last message repeated 1 times
[graph_1_in_0_1 @ 0xe797e10] Setting 'time_base' to value '1/16000'
[graph_1_in_0_1 @ 0xe797e10] Setting 'sample_rate' to value '16000'
[graph_1_in_0_1 @ 0xe797e10] Setting 'sample_fmt' to value 'fltp'
[graph_1_in_0_1 @ 0xe797e10] Setting 'channel_layout' to value '0x4'
[graph_1_in_0_1 @ 0xe797e10] tb:1/16000 samplefmt:fltp samplerate:16000 chlayout:0x4
[format_out_0_1 @ 0xe799c70] Setting 'sample_fmts' to value 's16'
[format_out_0_1 @ 0xe799c70] auto-inserting filter 'auto_resampler_0' between the filter 'Parsed_anull_0' and the filter 'format_out_0_1'
[AVFilterGraph @ 0xe795520] query_formats: 4 queried, 6 merged, 3 already done, 0 delayed
[auto_resampler_0 @ 0xe79d750] [SWR @ 0xe79db80] Using fltp internally between filters
[auto_resampler_0 @ 0xe79d750] ch:1 chl:mono fmt:fltp r:16000Hz -> ch:1 chl:mono fmt:s16 r:16000Hz
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
    Last message repeated 8 times
[matroska,webm @ 0x59026c0] first_dts 252 not matching first dts 285 (pts 285, duration 33) in the queue
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'video_size' to value '96x65521'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'time_base' to value '1/1000'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'pixel_aspect' to value '9/10'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] Setting 'frame_rate' to value '89/3'
[graph 0 input from stream 0:0 @ 0xeaf6fe0] w:96 h:65521 pixfmt:yuv420p tb:1/1000 fr:89/3 sar:9/10 sws_param:flags=2
[AVFilterGraph @ 0xeaf2be0] query_formats: 3 queried, 2 merged, 0 already done, 0 delayed
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.67.100
    Stream #0:0(eng), 0, 3/89: Video: wrapped_avframe, 1 reference frame, yuv420p, 96x65521 [SAR 9:10 DAR 432:327605], 0/1, q=2-31, 200 kb/s, 29.67 fps, 29.67 tbn, 29.67 tbc (default)
    Metadata:
      encoder         : Lavc57.85.101 wrapped_avframe
    Stream #0:1(eng), 0, 1/16000: Audio: pcm_s16le, 16000 Hz, mono, s16, 256 kb/s (default)
    Metadata:
      encoder         : Lavc57.85.101 pcm_s16le
==554833== Conditional jump or move depends on uninitialised value(s)
==554833==    at 0x1F8180C: do_decode (utils.c:2824)
==554833==    by 0x1F856C3: avcodec_receive_frame (utils.c:2949)
==554833==    by 0x5F459E: decode (ffmpeg.c:2256)
==554833==    by 0x5F459E: decode_video (ffmpeg.c:2393)
==554833==    by 0x5FF076: process_input_packet.constprop.21 (ffmpeg.c:2628)
==554833==    by 0x5755AE: process_input (ffmpeg.c:4171)
==554833==    by 0x5755AE: transcode_step (ffmpeg.c:4481)
==554833==    by 0x5755AE: transcode (ffmpeg.c:4535)
==554833==    by 0x5755AE: main (ffmpeg.c:4740)
==554833==  Uninitialised value was created by a stack allocation
==554833==    at 0x1C57FE0: ff_thread_decode_frame (pthread_frame.c:446)
==554833==
No more output streams to write to, finishing.
frame=   30 fps=0.0 q=-0.0 Lsize=N/A time=00:00:01.24 bitrate=N/A speed=0.00144x
video:15kB audio:32kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
Input file #0 (./afl2_24):
  Input stream #0:0 (video): 32 packets read (677 bytes); 30 frames decoded;
  Input stream #0:1 (audio): 33 packets read (33 bytes); 32 frames decoded (16256 samples);
  Total: 65 packets (710 bytes) demuxed
Output file #0 (pipe:):
  Output stream #0:0 (video): 30 frames encoded; 30 packets muxed (14880 bytes);
  Output stream #0:1 (audio): 32 frames encoded (16256 samples); 32 packets muxed (32512 bytes);
  Total: 62 packets (47392 bytes) muxed
62 frames successfully decoded, 0 decoding errors
[AVIOContext @ 0x590bb80] Statistics: 5022 bytes read, 0 seeks
==554833==
==554833== HEAP SUMMARY:
==554833==     in use at exit: 40 bytes in 1 blocks
==554833==   total heap usage: 8,406 allocs, 8,405 frees, 292,112,110 bytes allocated
==554833==
==554833== LEAK SUMMARY:
==554833==    definitely lost: 0 bytes in 0 blocks
==554833==    indirectly lost: 0 bytes in 0 blocks
==554833==      possibly lost: 0 bytes in 0 blocks
==554833==    still reachable: 40 bytes in 1 blocks
==554833==         suppressed: 0 bytes in 0 blocks
==554833== Rerun with --leak-check=full to see details of leaked memory
==554833==
==554833== For counts of detected and suppressed errors, rerun with: -v
==554833== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
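The valgrind report above says the conditional in do_decode() reads a value that originates from a stack allocation in ff_thread_decode_frame() but was never written. The ticket does not show the FFmpeg code involved, so the following is an added, constructed C illustration of that defect class (not FFmpeg code, and not a claim about what the actual bug was): a hypothetical decode_result struct on the caller's stack is only filled in on the success path, the buggy caller branches on it anyway, and the hardened caller zero-initialises the struct and honours the callee's return value. Running the buggy variant under `valgrind --track-origins=yes` produces the same "Conditional jump or move depends on uninitialised value(s)" / "created by a stack allocation" pair seen in the report.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed illustration (not FFmpeg code): the decode result lives on
   the caller's stack, and the callee only writes it on some paths. */
struct decode_result {
    int got_frame;   /* 1 if a frame was produced */
    int frame_size;  /* only meaningful when got_frame == 1 */
};

/* Hypothetical decoder step: a packet shorter than a 4-byte header is
   treated as truncated; it returns -1 and leaves 'out' untouched. */
static int decode_step(const unsigned char *pkt, size_t len,
                       struct decode_result *out)
{
    (void)pkt;
    if (len < 4)                        /* truncated: early return, 'out' never written */
        return -1;
    out->got_frame  = 1;
    out->frame_size = (int)len - 4;     /* payload bytes after the header */
    return 0;
}

/* Buggy pattern: 'res' is an uninitialised stack allocation and the
   caller branches on res.got_frame even when decode_step() failed.
   For a truncated packet the branch depends on stack garbage, which is
   exactly what Memcheck flags with --track-origins=yes. */
int receive_frame_buggy(const unsigned char *pkt, size_t len)
{
    struct decode_result res;           /* uninitialised stack allocation */
    decode_step(pkt, len, &res);        /* return value ignored */
    if (res.got_frame)                  /* reads an undefined value when len < 4 */
        return res.frame_size;
    return 0;
}

/* Hardened pattern: every field is defined before use, and the callee's
   error return short-circuits the branch, so no path reads garbage. */
int receive_frame_fixed(const unsigned char *pkt, size_t len)
{
    struct decode_result res = {0};     /* zero-initialised stack struct */
    if (decode_step(pkt, len, &res) < 0)
        return 0;                       /* truncated packet: no frame */
    if (res.got_frame)
        return res.frame_size;
    return 0;
}

int main(void)
{
    /* Constructed sample packets: one well-formed, one truncated. */
    const unsigned char good[8]  = {0x82, 0x49, 0x83, 0x42, 1, 2, 3, 4};
    const unsigned char trunc[2] = {0x82, 0x49};

    printf("fixed, good packet:      %d bytes\n", receive_frame_fixed(good, sizeof good));
    printf("fixed, truncated packet: %d bytes\n", receive_frame_fixed(trunc, sizeof trunc));
    /* The buggy variant is only called to make the defect visible under
       valgrind; its result for the truncated packet is undefined. */
    printf("buggy, truncated packet: %d bytes (undefined)\n",
           receive_frame_buggy(trunc, sizeof trunc));
    return 0;
}
```

Compile without optimisation (as the ticket did, via `--disable-optimizations`) before running under valgrind: with optimisation enabled the compiler may fold or reorder the undefined read so the report disappears or moves, which is consistent with the observation in comment:2 that the report only showed up with optimisations disabled.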

Attachments (1)

corrupt.webm (4.9 KB) - added by Fusl 3 months ago.


Change History (4)

Changed 3 months ago by Fusl

comment:1 Changed 3 months ago by jamrial

I can't reproduce it with git head.

[jamrial@ArchVM build]$ valgrind --track-origins=yes ./ffmpeg -i ../corrupt.webm -f null -
==24120== Memcheck, a memory error detector
==24120== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24120== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==24120== Command: ./ffmpeg -i ../corrupt.webm -f null -
==24120==
ffmpeg version N-84863-g59b8c2a4e6 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --disable-yasm --disable-shared --enable-static --disable-optimizations --disable-mmx --disable-stripping --prefix=/usr
  libavutil      55. 53.100 / 55. 53.100
  libavcodec     57. 86.103 / 57. 86.103
  libavformat    57. 68.100 / 57. 68.100
  libavdevice    57.  3.101 / 57.  3.101
  libavfilter     6. 79.100 /  6. 79.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
Input #0, matroska,webm, from '../corrupt.webm':
  Metadata:
    encoder         : Lavf56.40.101
  Duration: 00:00:01.26, start: 0.000000, bitrate: 31 kb/s
    Stream #0:0(eng): Video: vp9 (Profile 0), yuv420p(tv), 96x65521, SAR 9:10 DAR 432:327605, 29.67 fps, 29.67 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 16000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp9 (native) -> wrapped_avframe (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.68.100
    Stream #0:0(eng): Video: wrapped_avframe, yuv420p, 96x65521 [SAR 9:10 DAR 432:327605], q=2-31, 200 kb/s, 29.67 fps, 29.67 tbn, 29.67 tbc (default)
    Metadata:
      encoder         : Lavc57.86.103 wrapped_avframe
    Stream #0:1(eng): Audio: pcm_s16le, 16000 Hz, mono, s16, 256 kb/s (default)
    Metadata:
      encoder         : Lavc57.86.103 pcm_s16le
==24120==    at 0x1397F26: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6818)
==24120==    by 0x13989C5: av_log_default_callback (log.c:355)
==24120==    by 0x1398B4D: av_vlog (log.c:383)
==24120==    by 0x1398B0C: av_log (log.c:375)
==24120==    by 0x41C1ED: term_exit (ffmpeg.c:316)
==24120==    by 0x42BD6E: transcode (ffmpeg.c:4596)
==24120==    by 0x42C360: main (ffmpeg.c:4776)
frame=   30 fps=0.3 q=-0.0 Lsize=N/A time=00:00:01.24 bitrate=N/A speed=0.0133x
video:15kB audio:32kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
==24120==    at 0x1397F26: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6818)
==24120==    by 0x13989C5: av_log_default_callback (log.c:355)
==24120==    by 0x1398B4D: av_vlog (log.c:383)
==24120==    by 0x1398B0C: av_log (log.c:375)
==24120==    by 0x41C1ED: term_exit (ffmpeg.c:316)
==24120==    by 0x41CD28: ffmpeg_cleanup (ffmpeg.c:618)
==24120==    by 0x4049B2: exit_program (cmdutils.c:138)
==24120==    by 0x42C444: main (ffmpeg.c:4787)
==24120==
==24120== HEAP SUMMARY:
==24120==     in use at exit: 40 bytes in 1 blocks
==24120==   total heap usage: 7,972 allocs, 7,971 frees, 196,384,632 bytes allocated
==24120==
==24120== LEAK SUMMARY:
==24120==    definitely lost: 0 bytes in 0 blocks
==24120==    indirectly lost: 0 bytes in 0 blocks
==24120==      possibly lost: 0 bytes in 0 blocks
==24120==    still reachable: 40 bytes in 1 blocks
==24120==         suppressed: 0 bytes in 0 blocks
==24120== Rerun with --leak-check=full to see details of leaked memory
==24120==
==24120== For counts of detected and suppressed errors, rerun with: -v
==24120== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

There have been some extra patches to ff_thread_decode_frame() between the commit you report as faulty and current git head, so maybe one of them fixed it.

Could you retest using current git head and confirm that?

comment:2 Changed 3 months ago by cehoyos

  • Keywords ubsan added
  • Resolution set to invalid
  • Status changed from new to closed

The issue was already fixed in d7896e9b4228e5b7ffc7ef0d0f1cf145f518c819, needed --disable-optimizations and threads > 1.

comment:3 Changed 3 months ago by cehoyos

  • Keywords regression added

This was a regression since e0cd598b
