Context Navigation

#69 closed defect (fixed)

Crash on flic files with invalid frame size

Reported by:	Carl Eugen Hoyos	Owned by:
Priority:	important	Component:	avcodec
Version:	git	Keywords:	flic crash SIGSEGV roundup
Cc:		Blocked By:
Blocking:		Reproduced by developer:	yes
Analyzed by developer:	no

Description

(issue 2520)

(gdb) r -i fli_invalid_framesize.fli -f null -
FFmpeg version git-N-29196-ge61b83d, Copyright (c) 2000-2011 the FFmpeg developers
  built on Apr 19 2011 18:30:07 with gcc 4.5.2
  configuration: --enable-gpl --cc=/usr/local/gcc-4.5.2/bin/gcc
  libavutil    50. 40. 1 / 50. 40. 1
  libavcodec   52.120. 0 / 52.120. 0
  libavformat  52.108. 0 / 52.108. 0
  libavdevice  52.  4. 0 / 52.  4. 0
  libavfilter   1. 79. 1 /  1. 79. 1
  libswscale    0. 13. 0 /  0. 13. 0
[flic @ 0x128d660] Estimating duration from bitrate, this may be inaccurate
Input #0, flic, from 'fli_invalid_framesize.fli':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0.0: Video: flic, pal8, 320x200, 35 tbr, 35 tbn, 35 tbc
[buffer @ 0x12955d0] w:320 h:200 pixfmt:pal8
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf52.108.0
    Stream #0.0: Video: rawvideo, pal8, 320x200, q=2-31, 200 kb/s, 90k tbn, 35 tbc
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding

Program received signal SIGSEGV, Segmentation fault.
0x00000000005dd327 in flic_decode_frame_8BPP (buf_size=13186, buf=0x1290af0 "\202\063",
    data_size=0x7fffffffccfc, data=0x7fffffffc9f0, avctx=0x1290040) at libavcodec/flicvideo.c:183
183             chunk_size = AV_RL32(&buf[stream_ptr]);
(gdb) bt
#0  0x00000000005dd327 in flic_decode_frame_8BPP (buf_size=13186, buf=0x1290af0 "\202\063",
    data_size=0x7fffffffccfc, data=0x7fffffffc9f0, avctx=0x1290040) at libavcodec/flicvideo.c:183
#1  flic_decode_frame (buf_size=13186, buf=0x1290af0 "\202\063", data_size=0x7fffffffccfc,
    data=0x7fffffffc9f0, avctx=0x1290040) at libavcodec/flicvideo.c:713
#2  0x00000000007adbb8 in avcodec_decode_video2 (avctx=0x1290040, picture=0x7fffffffc9f0,
    got_picture_ptr=0x7fffffffccfc, avpkt=0x7fffffffcba0) at libavcodec/utils.c:719
#3  0x00000000004089d4 in output_packet (ist=<value optimized out>, ist_index=0, ost_table=0x1290a80,
    nb_ostreams=1, pkt=<value optimized out>) at ffmpeg.c:1578
#4  0x000000000040b560 in transcode (nb_output_files=1, nb_input_files=1, stream_maps=0x0,
    nb_stream_maps=0, input_files=0xd1b3c0, output_files=0xd1b0a0) at ffmpeg.c:2719
#5  0x00000000004100ed in main (argc=6, argv=<value optimized out>) at ffmpeg.c:4463
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x5dd307 to 0x5dd347:
0x00000000005dd307 <flic_decode_frame_8BPP+1887>:       rorb   %cl,(%rdi)
0x00000000005dd309 <flic_decode_frame_8BPP+1889>:       test   %ch,(%rax)
0x00000000005dd30b <flic_decode_frame_8BPP+1891>:       or     %eax,(%rax)
0x00000000005dd30d <flic_decode_frame_8BPP+1893>:       add    %cl,-0x73(%rcx)
0x00000000005dd310 <flic_decode_frame_8BPP+1896>:       pop    %rdi
0x00000000005dd311 <flic_decode_frame_8BPP+1897>:       add    %eax,-0x43befe16(%rbx)
0x00000000005dd317 <flic_decode_frame+2167>:    adc    %al,(%rax)
0x00000000005dd319 <flic_decode_frame+2169>:    add    %al,(%rax)
0x00000000005dd31b <flic_decode_frame_8BPP+1907>:       mov    %edx,0x4c(%rsp)
0x00000000005dd31f <flic_decode_frame_8BPP+1911>:       mov    %rbx,0x68(%rsp)
0x00000000005dd324 <flic_decode_frame_8BPP+1916>:       movslq %r12d,%rax
0x00000000005dd327 <flic_decode_frame_8BPP+1919>:       mov    (%r15,%rax,1),%eax
0x00000000005dd32b <flic_decode_frame_8BPP+1923>:       mov    %eax,0x40(%rsp)
0x00000000005dd32f <flic_decode_frame_8BPP+1927>:       lea    0x4(%r12),%eax
0x00000000005dd334 <flic_decode_frame_8BPP+1932>:       add    $0x6,%r12d
0x00000000005dd338 <flic_decode_frame_8BPP+1936>:       cltq
0x00000000005dd33a <flic_decode_frame_8BPP+1938>:       movzwl (%r15,%rax,1),%edx
0x00000000005dd33f <flic_decode_frame_8BPP+1943>:       movzwl %dx,%eax
0x00000000005dd342 <flic_decode_frame_8BPP+1946>:       sub    $0x4,%edx
0x00000000005dd345 <flic_decode_frame_8BPP+1949>:       cmp    $0xe,%dx
End of assembler dump.
(gdb) info register
rax            0x20031a 2097946
rbx            0x1      1
rcx            0x2      2
rdx            0x200301 2097921
rsi            0x100    256
rdi            0x100    256
rbp            0xff     0xff
rsp            0x7fffffffc680   0x7fffffffc680
r8             0x100    256
r9             0x1      1
r10            0x1      1
r11            0x20031a 2097946
r12            0x20031a 2097946
r13            0x7fffffffc9f0   140737488341488
r14            0x1295a60        19487328
r15            0x1290af0        19466992
rip            0x5dd327 0x5dd327 <flic_decode_frame_8BPP+1919>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

Attachments (1)

fli_invalid_framesize.fli (100.0 KB ) - added by Carl Eugen Hoyos 13 years ago.

Download all attachments as: .zip

Change History (3)

by Carl Eugen Hoyos, 13 years ago

Attachment:	fli_invalid_framesize.fli added

comment:1 by Carl Eugen Hoyos, 13 years ago

Resolution:	→ fixed
Status:	new → closed

Fixed by Stefano in efd6cbc5ddac2d4df7008733bfef1d6d6809cc3c.

comment:2 by Carl Eugen Hoyos, 12 years ago

Keywords:	crash SIGSEGV roundup added

Note: See TracTickets for help on using tickets.

Download in other formats: