Opened 3 weeks ago

Closed 3 weeks ago

#6805 closed defect (fixed)

deadlock with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: mvdec deadlock regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

The attached fuzzed file deadlocks ffmpeg for some longer time.

(gdb) r -i ../deadlock_fuzz.mov
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i ../deadlock_fuzz.mov
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.4.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --enable-gpl --disable-ffprobe --disable-ffserver
  libavutil      56.  0.100 / 56.  0.100
  libavcodec     58.  1.100 / 58.  1.100
  libavformat    58.  0.102 / 58.  0.102
  libavdevice    58.  0.100 / 58.  0.100
  libavfilter     7.  0.101 /  7.  0.101
  libswscale      5.  0.101 /  5.  0.101
  libswresample   3.  0.101 /  3.  0.101
  libpostproc    55.  0.100 / 55.  0.100

Program received signal SIGINT, Interrupt.
0xb7fdccb0 in ?? ()
(gdb) bt
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x8004: 
#0  0xb7fdccb0 in ?? ()
Cannot access memory at address 0x8004
(gdb) 

Attachments (1)

deadlock_fuzz.mov (762.2 KB) - added by ami_stuff 3 weeks ago.


Change History (4)

Changed 3 weeks ago by ami_stuff

comment:1 Changed 3 weeks ago by cehoyos

  • Component changed from undetermined to avformat
  • Keywords mvdec deadlock regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

It seems that the code should terminate at some point but I gave up before.

Regression since 6fb40779cd3457a819e20d6db91a142c47cad3c2

(gdb) bt
#0  0x00007ffff636e2d0 in __read_nocancel () from /lib64/libpthread.so.0
#1  0x00000000007565e7 in file_read (h=<optimized out>, buf=<optimized out>, size=<optimized out>)
    at libavformat/file.c:112
#2  0x000000000061551b in retry_transfer_wrapper (transfer_func=0x7565d0 <file_read>, size_min=1, size=32768,
    buf=0x205de70 "MOVI", h=0x2055a40) at libavformat/avio.c:376
#3  ffurl_read (h=0x2055a40, buf=0x205de70 "MOVI", size=32768) at libavformat/avio.c:411
#4  0x0000000000617736 in read_packet_wrapper (size=32768, buf=<optimized out>, s=0x205dd60) at libavformat/aviobuf.c:533
#5  fill_buffer (s=0x205dd60) at libavformat/aviobuf.c:583
#6  0x000000000061b852 in avio_feof (s=0x205dd60) at libavformat/aviobuf.c:362
#7  avio_read (s=s@entry=0x205dd60, buf=<optimized out>, buf@entry=0x7fffffffce80 "__NUM_I_TRACKS", size=size@entry=16)
    at libavformat/aviobuf.c:690
#8  0x00000000006b5d50 in read_table (st=0x0, parse=<optimized out>, avctx=0x2055240) at libavformat/mvdec.c:238
#9  mv_read_header (avctx=0x2055240) at libavformat/mvdec.c:355
#10 0x0000000000737456 in avformat_open_input (ps=ps@entry=0x7fffffffcfc0,
    filename=filename@entry=0x7fffffffe1d8 "deadlock_fuzz.mov", fmt=fmt@entry=0x0, options=0x2055128)
    at libavformat/utils.c:599
#11 0x0000000000488c0d in open_input_file (o=o@entry=0x7fffffffd160, filename=<optimized out>) at fftools/ffmpeg_opt.c:1052
#12 0x000000000048a42f in open_files (l=0x2055058, l=0x2055058, open_file=0x4872d0 <open_input_file>,
    inout=0x117f5f1 "input") at fftools/ffmpeg_opt.c:3277
#13 ffmpeg_parse_options (argc=argc@entry=3, argv=argv@entry=0x7fffffffdd38) at fftools/ffmpeg_opt.c:3317
#14 0x0000000000480287 in main (argc=3, argv=0x7fffffffdd38) at fftools/ffmpeg.c:4769
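A defensive table reader, added here as an illustration and not FFmpeg's code or the actual fix for this ticket: it mirrors the shape of the loop in the backtrace above (a count followed by fixed 16-byte name entries read via avio_read) and shows the two guards that keep a fuzzed count from being walked entry by entry until EOF. The Reader type, ENTRY_SIZE and the demo inputs are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ENTRY_SIZE 16   /* fixed-size name entries, like the 16-byte read in the backtrace */

/* Constructed in-memory reader standing in for AVIOContext; not FFmpeg's code. */
typedef struct { const uint8_t *data; size_t size, pos; } Reader;

/* Like avio_read(): copies up to n bytes, returns how many; 0 at EOF. */
static size_t rd_read(Reader *r, uint8_t *buf, size_t n) {
    size_t left = r->size - r->pos;
    if (n > left) n = left;
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return n;
}

/* Returns entries parsed, or -1 if the declared count cannot fit in the input.
 * Guard 1: when the input size is known, reject count > remaining / ENTRY_SIZE up front.
 * Guard 2: in every iteration, stop on a short read (EOF) instead of iterating count times. */
static long read_table(Reader *r, int size_known) {
    uint8_t b[4];
    if (rd_read(r, b, 4) != 4) return -1;
    uint32_t count = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    if (size_known && count > (r->size - r->pos) / ENTRY_SIZE) return -1;
    long parsed = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint8_t name[ENTRY_SIZE];
        if (rd_read(r, name, ENTRY_SIZE) != ENTRY_SIZE) break;   /* truncated: EOF reached */
        parsed++;
    }
    return parsed;
}

/* Constructed sample inputs (not the ticket's attachment). */
static long demo_valid(void) {
    uint8_t buf[4 + 2 * ENTRY_SIZE] = {0, 0, 0, 2};            /* count = 2, two full entries */
    memcpy(buf + 4, "__NUM_I_TRACKS\0\0", ENTRY_SIZE);
    memcpy(buf + 4 + ENTRY_SIZE, "__DUMMY_ENTRY_\0\0", ENTRY_SIZE);
    Reader r = { buf, sizeof buf, 0 };
    return read_table(&r, 1);   /* 2 */
}

static long demo_fuzzed_count(int size_known) {
    uint8_t buf[4 + ENTRY_SIZE] = {0xff, 0xff, 0xff, 0xff};     /* count = 4294967295, one entry follows */
    Reader r = { buf, sizeof buf, 0 };
    return read_table(&r, size_known);   /* -1 with size known; 1 when streaming (stops at EOF) */
}
```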

comment:2 Changed 3 weeks ago by cehoyos

Terminates after less than five minutes here.

comment:3 Changed 3 weeks ago by richardpl

  • Resolution set to fixed
  • Status changed from open to closed