Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6503 closed defect (fixed)

interplayvideo: crash with fuzzed file

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: interplay crash
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

https://files.fm/u/rrw5bzz8

aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i f/news19_fuzz.mve -f null -
==28921== Memcheck, a memory error detector
==28921== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==28921== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==28921== Command: ffmpeg/ffmpeg_g -i f/news19_fuzz.mve -f null -
==28921== 
ffmpeg version 3.3.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 67.100 / 55. 67.100
  libavcodec     57.100.102 / 57.100.102
  libavformat    57. 75.100 / 57. 75.100
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 94.100 /  6. 94.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
[ipmovie @ 0x4a784a0] Estimating duration from bitrate, this may be inaccurate
Input #0, ipmovie, from 'f/news19_fuzz.mve':
  Duration: 00:05:12.52, start: 0.000000, bitrate: 88 kb/s
    Stream #0:0: Video: interplayvideo, pal8, 288x224, 1000k tbr, 1000k tbn, 1000k tbc
    Stream #0:1: Audio: pcm_u8, 11025 Hz, mono, u8, 88 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (interplayvideo (native) -> wrapped_avframe (native))
  Stream #0:1 -> #0:1 (pcm_u8 (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
==28921== Invalid write of size 4
==28921==    at 0x8563292: memcpy (string3.h:51)
==28921==    by 0x8563292: bytestream2_get_buffer (bytestream.h:268)
==28921==    by 0x8563292: ipvideo_format_10_firstpass (interplayvideo.c:993)
==28921==    by 0x85649E3: ipvideo_decode_format_10_opcodes (interplayvideo.c:1050)
==28921==    by 0x85649E3: ipvideo_decode_frame (interplayvideo.c:1321)
==28921==    by 0x84100B5: decode_simple_internal (decode.c:417)
==28921==    by 0x8410BC0: decode_simple_receive_frame (decode.c:620)
==28921==    by 0x8410BC0: decode_receive_frame_internal (decode.c:638)
==28921==    by 0x8410BC0: avcodec_send_packet (decode.c:678)
==28921==    by 0x80E5662: decode (ffmpeg.c:2265)
==28921==    by 0x80E5662: decode_video (ffmpeg.c:2409)
==28921==    by 0x80E7319: process_input_packet (ffmpeg.c:2644)
==28921==    by 0x80E8F8A: process_input (ffmpeg.c:4432)
==28921==    by 0x80E8F8A: transcode_step (ffmpeg.c:4543)
==28921==    by 0x80E8F8A: transcode (ffmpeg.c:4597)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921==  Address 0x4ad0198 is 9 bytes after a block of size 64,559 alloc'd
==28921==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C742CF: av_malloc (mem.c:87)
==28921==    by 0x8C56627: av_buffer_alloc (buffer.c:72)
==28921==    by 0x8C56627: av_buffer_allocz (buffer.c:85)
==28921==    by 0x8C56E88: pool_alloc_buffer (buffer.c:312)
==28921==    by 0x8C56E88: av_buffer_pool_get (buffer.c:349)
==28921==    by 0x8412C66: video_get_buffer (decode.c:1504)
==28921==    by 0x8412C66: avcodec_default_get_buffer2 (decode.c:1543)
==28921==    by 0x84134DA: get_buffer_internal (decode.c:1734)
==28921==    by 0x84134DA: ff_get_buffer (decode.c:1750)
==28921==    by 0x807747B: ipvideo_decode_init (interplayvideo.c:1184)
==28921==    by 0x8747692: avcodec_open2 (utils.c:1020)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid write of size 4
==28921==    at 0x8563298: memcpy (string3.h:51)
==28921==    by 0x8563298: bytestream2_get_buffer (bytestream.h:268)
==28921==    by 0x8563298: ipvideo_format_10_firstpass (interplayvideo.c:993)
==28921==    by 0x85649E3: ipvideo_decode_format_10_opcodes (interplayvideo.c:1050)
==28921==    by 0x85649E3: ipvideo_decode_frame (interplayvideo.c:1321)
==28921==    by 0x84100B5: decode_simple_internal (decode.c:417)
==28921==    by 0x8410BC0: decode_simple_receive_frame (decode.c:620)
==28921==    by 0x8410BC0: decode_receive_frame_internal (decode.c:638)
==28921==    by 0x8410BC0: avcodec_send_packet (decode.c:678)
==28921==    by 0x80E5662: decode (ffmpeg.c:2265)
==28921==    by 0x80E5662: decode_video (ffmpeg.c:2409)
==28921==    by 0x80E7319: process_input_packet (ffmpeg.c:2644)
==28921==    by 0x80E8F8A: process_input (ffmpeg.c:4432)
==28921==    by 0x80E8F8A: transcode_step (ffmpeg.c:4543)
==28921==    by 0x80E8F8A: transcode (ffmpeg.c:4597)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921==  Address 0x4ad019c is 13 bytes after a block of size 64,559 alloc'd
==28921==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C742CF: av_malloc (mem.c:87)
==28921==    by 0x8C56627: av_buffer_alloc (buffer.c:72)
==28921==    by 0x8C56627: av_buffer_allocz (buffer.c:85)
==28921==    by 0x8C56E88: pool_alloc_buffer (buffer.c:312)
==28921==    by 0x8C56E88: av_buffer_pool_get (buffer.c:349)
==28921==    by 0x8412C66: video_get_buffer (decode.c:1504)
==28921==    by 0x8412C66: avcodec_default_get_buffer2 (decode.c:1543)
==28921==    by 0x84134DA: get_buffer_internal (decode.c:1734)
==28921==    by 0x84134DA: ff_get_buffer (decode.c:1750)
==28921==    by 0x807747B: ipvideo_decode_init (interplayvideo.c:1184)
==28921==    by 0x8747692: avcodec_open2 (utils.c:1020)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid write of size 4
==28921==    at 0x85632BF: memcpy (string3.h:51)
==28921==    by 0x85632BF: bytestream2_get_buffer (bytestream.h:268)
==28921==    by 0x85632BF: ipvideo_format_10_firstpass (interplayvideo.c:993)
==28921==    by 0x85649E3: ipvideo_decode_format_10_opcodes (interplayvideo.c:1050)
==28921==    by 0x85649E3: ipvideo_decode_frame (interplayvideo.c:1321)
==28921==    by 0x84100B5: decode_simple_internal (decode.c:417)
==28921==    by 0x8410BC0: decode_simple_receive_frame (decode.c:620)
==28921==    by 0x8410BC0: decode_receive_frame_internal (decode.c:638)
==28921==    by 0x8410BC0: avcodec_send_packet (decode.c:678)
==28921==    by 0x80E5662: decode (ffmpeg.c:2265)
==28921==    by 0x80E5662: decode_video (ffmpeg.c:2409)
==28921==    by 0x80E7319: process_input_packet (ffmpeg.c:2644)
==28921==    by 0x80E8F8A: process_input (ffmpeg.c:4432)
==28921==    by 0x80E8F8A: transcode_step (ffmpeg.c:4543)
==28921==    by 0x80E8F8A: transcode (ffmpeg.c:4597)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921==  Address 0x4ad019c is 13 bytes after a block of size 64,559 alloc'd
==28921==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C742CF: av_malloc (mem.c:87)
==28921==    by 0x8C56627: av_buffer_alloc (buffer.c:72)
==28921==    by 0x8C56627: av_buffer_allocz (buffer.c:85)
==28921==    by 0x8C56E88: pool_alloc_buffer (buffer.c:312)
==28921==    by 0x8C56E88: av_buffer_pool_get (buffer.c:349)
==28921==    by 0x8412C66: video_get_buffer (decode.c:1504)
==28921==    by 0x8412C66: avcodec_default_get_buffer2 (decode.c:1543)
==28921==    by 0x84134DA: get_buffer_internal (decode.c:1734)
==28921==    by 0x84134DA: ff_get_buffer (decode.c:1750)
==28921==    by 0x807747B: ipvideo_decode_init (interplayvideo.c:1184)
==28921==    by 0x8747692: avcodec_open2 (utils.c:1020)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid read of size 8
==28921==    at 0x88C49F5: ff_put_pixels8_mmx (in /media/sdb1/ffmpeg/ffmpeg_g)
==28921==  Address 0x4ad02b8 is 12 bytes after a block of size 12 alloc'd
==28921==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C745AF: av_malloc (mem.c:87)
==28921==    by 0x8C745AF: av_mallocz (mem.c:224)
==28921==    by 0x8C5667A: av_buffer_create (buffer.c:49)
==28921==    by 0x8C5667A: av_buffer_alloc (buffer.c:76)
==28921==    by 0x8C5667A: av_buffer_allocz (buffer.c:85)
==28921==    by 0x8C56E88: pool_alloc_buffer (buffer.c:312)
==28921==    by 0x8C56E88: av_buffer_pool_get (buffer.c:349)
==28921==    by 0x8412C66: video_get_buffer (decode.c:1504)
==28921==    by 0x8412C66: avcodec_default_get_buffer2 (decode.c:1543)
==28921==    by 0x84134DA: get_buffer_internal (decode.c:1734)
==28921==    by 0x84134DA: ff_get_buffer (decode.c:1750)
==28921==    by 0x807747B: ipvideo_decode_init (interplayvideo.c:1184)
==28921==    by 0x8747692: avcodec_open2 (utils.c:1020)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid read of size 8
==28921==    at 0x88C49F8: ff_put_pixels8_mmx (in /media/sdb1/ffmpeg/ffmpeg_g)
==28921==  Address 0x4ad0858 is 12 bytes after a block of size 12 free'd
==28921==    at 0x402C324: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x81167D2: ff_add_format (formats.c:339)
==28921==    by 0x81167D2: ff_all_formats (formats.c:363)
==28921==    by 0x8109D62: filter_query_formats (avfiltergraph.c:331)
==28921==    by 0x810A602: query_formats (avfiltergraph.c:447)
==28921==    by 0x810B28B: graph_config_formats (avfiltergraph.c:1161)
==28921==    by 0x810B28B: avfilter_graph_config (avfiltergraph.c:1272)
==28921==    by 0x80D89B5: configure_filtergraph (ffmpeg_filter.c:1099)
==28921==    by 0x80E5126: ifilter_send_frame (ffmpeg.c:2209)
==28921==    by 0x80E5126: send_frame_to_filters (ffmpeg.c:2295)
==28921==    by 0x80E541F: decode_audio (ffmpeg.c:2364)
==28921==    by 0x80E72F0: process_input_packet (ffmpeg.c:2640)
==28921==    by 0x80E8F8A: process_input (ffmpeg.c:4432)
==28921==    by 0x80E8F8A: transcode_step (ffmpeg.c:4543)
==28921==    by 0x80E8F8A: transcode (ffmpeg.c:4597)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid read of size 8
==28921==    at 0x88C49FC: ff_put_pixels8_mmx (in /media/sdb1/ffmpeg/ffmpeg_g)
==28921==  Address 0x4ad0978 is 8 bytes after a block of size 8 free'd
==28921==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C5A91E: av_dict_free (dict.c:209)
==28921==    by 0x8C7B0BB: av_opt_set_dict2 (opt.c:1584)
==28921==    by 0x8C7B1C1: av_opt_set_dict (opt.c:1591)
==28921==    by 0x8746E37: avcodec_open2 (utils.c:725)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid read of size 8
==28921==    at 0x88C4A00: ff_put_pixels8_mmx (in /media/sdb1/ffmpeg/ffmpeg_g)
==28921==  Address 0x4ad03b0 is 16 bytes before a block of size 1,071 alloc'd
==28921==    at 0x402C580: memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x402C6AE: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C742CF: av_malloc (mem.c:87)
==28921==    by 0x8C56627: av_buffer_alloc (buffer.c:72)
==28921==    by 0x8C56627: av_buffer_allocz (buffer.c:85)
==28921==    by 0x8C56E88: pool_alloc_buffer (buffer.c:312)
==28921==    by 0x8C56E88: av_buffer_pool_get (buffer.c:349)
==28921==    by 0x8412C66: video_get_buffer (decode.c:1504)
==28921==    by 0x8412C66: avcodec_default_get_buffer2 (decode.c:1543)
==28921==    by 0x84134DA: get_buffer_internal (decode.c:1734)
==28921==    by 0x84134DA: ff_get_buffer (decode.c:1750)
==28921==    by 0x807747B: ipvideo_decode_init (interplayvideo.c:1184)
==28921==    by 0x8747692: avcodec_open2 (utils.c:1020)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 
==28921== Invalid write of size 8
==28921==    at 0x88C4A07: ff_put_pixels8_mmx (in /media/sdb1/ffmpeg/ffmpeg_g)
==28921==  Address 0x4ad0280 is 16 bytes after a block of size 8 free'd
==28921==    at 0x402C324: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28921==    by 0x8C5AC38: av_dict_set (dict.c:106)
==28921==    by 0x8C5AC38: av_dict_copy (dict.c:222)
==28921==    by 0x8746CF2: avcodec_open2 (utils.c:652)
==28921==    by 0x80DFC5C: init_input_stream (ffmpeg.c:2915)
==28921==    by 0x80DFC5C: transcode_init (ffmpeg.c:3653)
==28921==    by 0x80E834D: transcode (ffmpeg.c:4568)
==28921==    by 0x80C5348: main (ffmpeg.c:4803)
==28921== 

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 49, hi = 2273082256.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

(gdb) r -i f/news19_fuzz.mve -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i f/news19_fuzz.mve -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.3.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 67.100 / 55. 67.100
  libavcodec     57.100.102 / 57.100.102
  libavformat    57. 75.100 / 57. 75.100
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 94.100 /  6. 94.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
[ipmovie @ 0x9a7c200] Estimating duration from bitrate, this may be inaccurate
Input #0, ipmovie, from 'f/news19_fuzz.mve':
  Duration: 00:05:12.52, start: 0.000000, bitrate: 88 kb/s
    Stream #0:0: Video: interplayvideo, pal8, 288x224, 1000k tbr, 1000k tbn, 1000k tbc
    Stream #0:1: Audio: pcm_u8, 11025 Hz, mono, u8, 88 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (interplayvideo (native) -> wrapped_avframe (native))
  Stream #0:1 -> #0:1 (pcm_u8 (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
[New Thread 0xb7596b40 (LWP 28855)]
[New Thread 0xb6d95b40 (LWP 28856)]
[New Thread 0xb6594b40 (LWP 28857)]
[New Thread 0xb5d93b40 (LWP 28858)]
[New Thread 0xb5592b40 (LWP 28859)]
[New Thread 0xb4d91b40 (LWP 28860)]
[New Thread 0xb4590b40 (LWP 28861)]
[New Thread 0xb3d8fb40 (LWP 28862)]
[New Thread 0xb358eb40 (LWP 28863)]

Program received signal SIGSEGV, Segmentation fault.
0xb7a76dd4 in _int_malloc (av=av@entry=0xb7bac420 <main_arena>, 
    bytes=bytes@entry=64) at malloc.c:3700
3700	malloc.c: No such file or directory.
(gdb) bt
#0  0xb7a76dd4 in _int_malloc (av=av@entry=0xb7bac420 <main_arena>, 
    bytes=bytes@entry=64) at malloc.c:3700
#1  0xb7a77945 in _int_memalign (av=av@entry=0xb7bac420 <main_arena>, 
    alignment=alignment@entry=32, bytes=bytes@entry=12) at malloc.c:4403
#2  0xb7a78b20 in _mid_memalign (alignment=alignment@entry=32, 
    bytes=bytes@entry=12, address=0x8c745b0 <av_mallocz+96>) at malloc.c:3106
#3  0xb7a7a6da in __posix_memalign (memptr=0xbfffe2c8, alignment=32, size=12)
    at malloc.c:5018
#4  0x08c745b0 in av_malloc (size=12) at libavutil/mem.c:87
#5  av_mallocz (size=12) at libavutil/mem.c:224
#6  0x08c566ef in av_buffer_ref (buf=0x9aa2200) at libavutil/buffer.c:95
#7  0x08c6b9bc in av_frame_ref (dst=0x9a8f200, src=0x9a8ece0)
    at libavutil/frame.c:427
#8  0x085641fc in ipvideo_decode_frame (avctx=0x9a80be0, data=0x9a8ece0, 
    got_frame=0xbfffe424, avpkt=0xbfffe42c) at libavcodec/interplayvideo.c:1333
#9  0x084100b6 in decode_simple_internal (avctx=avctx@entry=0x9a80be0, 
    frame=frame@entry=0x9a8ece0) at libavcodec/decode.c:417
#10 0x08410bc1 in decode_simple_receive_frame (frame=<optimized out>, 
    avctx=<optimized out>) at libavcodec/decode.c:620
#11 decode_receive_frame_internal (frame=0x9a8ece0, avctx=0x9a80be0)
    at libavcodec/decode.c:638
#12 avcodec_send_packet (avctx=0x9a80be0, avpkt=0xbfffe518)
    at libavcodec/decode.c:678
---Type <return> to continue, or q <return> to quit---
#13 0x080e5663 in decode (pkt=0xbfffe518, got_frame=0xbfffe680, 
    frame=<optimized out>, avctx=0x9a80be0) at ffmpeg.c:2265
#14 decode_video (ist=ist@entry=0x9a809a0, pkt=pkt@entry=0xbfffe6c4, 
    got_output=got_output@entry=0xbfffe680, eof=0, decode_failed=0xbfffe684)
    at ffmpeg.c:2409
#15 0x080e731a in process_input_packet (ist=0x9a809a0, pkt=0xbfffe8e4, 
    no_eof=0) at ffmpeg.c:2644
#16 0x080e8f8b in process_input (file_index=<optimized out>) at ffmpeg.c:4432
#17 transcode_step () at ffmpeg.c:4543
#18 transcode () at ffmpeg.c:4597
#19 0x080c5349 in main (argc=<optimized out>, argv=<optimized out>)
    at ffmpeg.c:4803
(gdb)

Change History (5)

comment:1 by Hein-Pieter van Braam, 7 years ago

The linked file seems to no longer be available. Could you send it to my email address or reupload it here? Thanks!

comment:3 by Hein-Pieter van Braam, 7 years ago

Thanks! Found the problem.

comment:4 by ami_stuff, 7 years ago

Priority: normalimportant
Resolution: fixed
Status: newclosed

fixed by something

comment:5 by Carl Eugen Hoyos, 7 years ago

Component: undeterminedavcodec
Keywords: interplay crash added
Version: unspecifiedgit-master

Maybe f1baafac7129c3bb8d4abaaa899988c7a51ca5cd?

Note: See TracTickets for help on using tickets.