Opened 16 months ago

Last modified 16 months ago

#9989 new defect

Assertion diff >= 0 && diff <= 120 failed at libavcodec/aacenc.c:684

Reported by: Ex Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: aac crash abort
Cc: Ex Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

$ xxd -i new_poc
unsigned char new_poc[] = {

0xc5, 0xff, 0xff, 0x00, 0x10, 0x04, 0x52, 0x64, 0x6f, 0x76, 0x00, 0xe0,
0x00, 0xff, 0xfb, 0x90, 0xff, 0xca, 0x84, 0x84, 0x84, 0x6f, 0xc1, 0x84,
0x84, 0x84, 0x84, 0x01, 0x84, 0x84, 0x84, 0x84, 0x84, 0x00, 0x2d, 0x61,
0x00, 0x5d, 0x22, 0xff, 0x00, 0x00, 0x00, 0xee, 0xf6, 0xf6, 0xf6, 0xf6,
0xf6, 0xf6, 0xf6, 0xf6, 0xf6, 0xf6, 0x7f, 0x00, 0x00, 0x00, 0x0d, 0x84,
0x84, 0x0d, 0x1c, 0xf7, 0x0d, 0x0d, 0x84, 0x84, 0x84, 0x84, 0x84, 0x84,
0xa2, 0x65, 0x09, 0xcb, 0xc3, 0xcb, 0x22, 0xff, 0x01, 0x00, 0x00, 0x05,
0xff, 0xff, 0x05, 0x90, 0x37, 0xfd, 0xff, 0x1a, 0x40, 0xcb, 0x07, 0x04,
0xdf, 0x00, 0x00, 0xe9, 0xff, 0x00, 0x00, 0x01, 0xe5, 0x00, 0xb1, 0x9e,
0x12, 0x00, 0xff, 0xfc, 0xb1, 0x7f, 0xfa, 0xcf, 0x09, 0x1f, 0xd4, 0xde,
0x74, 0x70, 0x40, 0xff, 0xff, 0x0c, 0x6b, 0x00, 0xb5, 0xad, 0xb5, 0xb5,
0xb5, 0xb0, 0xb5, 0xb5, 0x80, 0x00, 0xb5, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xdf, 0xff, 0xff, 0xff, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xb5, 0xb5, 0xb5, 0xb5, 0xb9, 0x00, 0x80, 0xff,
0xda, 0xda, 0xe9, 0xda, 0xda, 0xe0, 0xe4, 0xda, 0xdf, 0xdf, 0xdf, 0xdf,
0xdf, 0xdf, 0xdf, 0xdf, 0xdf, 0xdf, 0xdf, 0x9f, 0xdf, 0xdf, 0xdf, 0xdf,
0xdf, 0xdf, 0xdf, 0xdf, 0xdf, 0xdf, 0x10, 0x84, 0x84, 0x61, 0xb3, 0x00,
0x00, 0xff, 0xff, 0xca, 0x63, 0x00, 0x14, 0xf7, 0xed, 0x2f, 0x53, 0x41,
0x03, 0x00, 0x00, 0x36, 0x58, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xe3,
0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd6, 0xe0, 0xd2,
0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xd2, 0xcb, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x04, 0x00, 0x13, 0x1c, 0x00, 0x00, 0x00, 0x03, 0xe8, 0xc3,
0xcb, 0xcb, 0xcb, 0x01, 0x00, 0x00, 0x00, 0xa1, 0xfb, 0xe8, 0x90, 0x17,
0xfd, 0xff, 0x1a, 0x40, 0xcb, 0x07, 0xe7, 0x69, 0x00, 0x00, 0x02, 0x00,
0x00, 0xff, 0xda, 0xda, 0xe9, 0xda, 0xda, 0x62, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xe4, 0xcd, 0x2c, 0xaa, 0x40, 0x20, 0x01, 0xcb, 0x10, 0x00, 0x1c,
0x1c, 0x1c, 0x1c, 0xf1, 0x20, 0x00, 0x84, 0x84, 0x84, 0x84, 0x65, 0x50,
0x85, 0xff, 0x10, 0x00, 0x00, 0x04, 0xdf, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x01, 0xd8, 0x00, 0xb1, 0x9e, 0x00, 0x00, 0x20, 0xfc, 0x00, 0xff,
0xa1, 0x00, 0x00, 0xa1, 0xa1, 0xf3, 0x04, 0x08, 0x00, 0x00, 0xea, 0x10,
0x74, 0x10

};
unsigned int new_poc_len = 518;

pwndbg> r
Starting program: /home/ex/ffmpeg_poc/ffmpeg_g -i new_poc -y out.mp4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-107884-g76cb899f8a Copyright (c) 2000-2022 the FFmpeg developers

built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
configuration: --enable-debug --disable-stripping --disable-optimizations
libavutil 57. 33.101 / 57. 33.101
libavcodec 59. 42.102 / 59. 42.102
libavformat 59. 30.100 / 59. 30.100
libavdevice 59. 8.101 / 59. 8.101
libavfilter 8. 46.103 / 8. 46.103
libswscale 6. 8.103 / 6. 8.103
libswresample 4. 8.100 / 4. 8.100

[mpeg @ 0x555557922440] Format mpeg detected only with low score of 25, misdetection possible!
[mpeg @ 0x555557922440] Further flags set but no bytes left
[mpeg @ 0x555557922440] Packet corrupt (stream = 1, dts = NOPTS).
[mp2 @ 0x555557924500] Header missing
[mpeg @ 0x555557922440] start time for stream 0 is not set in estimate_timings_from_pts
[mpeg @ 0x555557922440] start time for stream 1 is not set in estimate_timings_from_pts
[mpeg @ 0x555557922440] Further flags set but no bytes left
[mpeg @ 0x555557922440] Packet corrupt (stream = 1, dts = NOPTS).
[mpeg @ 0x555557922440] stream 0 : no TS found at start of file, duration not set
[mpeg @ 0x555557922440] stream 1 : no TS found at start of file, duration not set
[mpeg @ 0x555557922440] Could not find codec parameters for stream 1 (Audio: mp2, 0 channels, s16p): unspecified frame size
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
Input #0, mpeg, from 'new_poc':

Duration: N/A, bitrate: N/A
Stream #0:0[0x1e5]: Audio: mp3, 44100 Hz, stereo, fltp, 224 kb/s
Stream #0:1[0x1d8]: Audio: mp2, 0 channels, s16p

Stream mapping:

Stream #0:0 -> #0:0 (mp3 (mp3float) -> aac (native))

Press [q] to stop, ? for help
[New Thread 0x7ffff7ba6640 (LWP 111703)]
[mpeg @ 0x555557922440] Further flags set but no bytes left
[Thread 0x7ffff7ba6640 (LWP 111703) exited]
[New Thread 0x7ffff73a5640 (LWP 111704)]
[New Thread 0x7ffff6ba4640 (LWP 111705)]
[New Thread 0x7ffff63a3640 (LWP 111706)]
[New Thread 0x7ffff5ba2640 (LWP 111707)]
[New Thread 0x7ffff53a1640 (LWP 111708)]
[New Thread 0x7ffff4ba0640 (LWP 111709)]
[New Thread 0x7fffeffff640 (LWP 111710)]
[New Thread 0x7fffef7fe640 (LWP 111711)]
[New Thread 0x7fffeeffd640 (LWP 111712)]
[New Thread 0x7fffee7fc640 (LWP 111713)]
[New Thread 0x7fffedffb640 (LWP 111714)]
[New Thread 0x7fffed7fa640 (LWP 111715)]
[New Thread 0x7fffecff9640 (LWP 111716)]
[New Thread 0x7fffec7f8640 (LWP 111717)]
[New Thread 0x7fffebff7640 (LWP 111718)]
[New Thread 0x7fffeb7f6640 (LWP 111719)]
Output #0, mp4, to 'out.mp4':

Metadata:

encoder : Lavf59.30.100

Stream #0:0: Audio: aac (LC) (mp4a / 0x6134706D), 44100 Hz, stereo, fltp, 128 kb/s

Metadata:

encoder : Lavc59.42.102 aac

[New Thread 0x7fffeaff5640 (LWP 111720)]
Assertion diff >= 0 && diff <= 120 failed at libavcodec/aacenc.c:684A

Thread 1 "ffmpeg_g" received signal SIGABRT, Aborted.
pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350418432) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────

RAX 0x0
RBX 0x7ffff7c74000 ◂— 0x7ffff7c74000
RCX 0x7ffff7d0ba7c (pthread_kill+300) ◂— mov r13d, eax
RDX 0x6
RDI 0x1b454
RSI 0x1b454
R8 0x7fffffffd020 ◂— 0x20 /* ' ' */
R9 0x7fffffff
R10 0x8
R11 0x246
R12 0x6
R13 0x16
R14 0x0
R15 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
RBP 0x1b454
RSP 0x7fffffffcf50 ◂— 0x1ffffcf80
RIP 0x7ffff7d0ba7c (pthread_kill+300) ◂— mov r13d, eax

────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────

► 0x7ffff7d0ba7c <pthread_kill+300> mov r13d, eax

0x7ffff7d0ba7f <pthread_kill+303> neg r13d
0x7ffff7d0ba82 <pthread_kill+306> cmp eax, 0xfffff000
0x7ffff7d0ba87 <pthread_kill+311> mov eax, 0
0x7ffff7d0ba8c <pthread_kill+316> cmovbe r13d, eax
0x7ffff7d0ba90 <pthread_kill+320> jmp pthread_kill+178 <pthread_kill+178>


0x7ffff7d0ba02 <pthread_kill+178> mov rax, qword ptr [rsp + 0x88]
0x7ffff7d0ba0a <pthread_kill+186> sub rax, qword ptr fs:[0x28]
0x7ffff7d0ba13 <pthread_kill+195> jne pthread_kill+357 <pthread_kill+357>


0x7ffff7d0bab5 <pthread_kill+357> call stack_chk_fail <stack_chk_fail>


0x7ffff7d0baba nop word ptr [rax + rax]

─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffcf50 ◂— 0x1ffffcf80
01:0008│ 0x7fffffffcf58 —▸ 0x7ffff7be8068 ◂— 0x3f6bdfffceba
02:0010│ 0x7fffffffcf60 ◂— 0xf0000009b
03:0018│ 0x7fffffffcf68 ◂— 0xfc74f295660b00
04:0020│ 0x7fffffffcf70 ◂— 0x5ffffcff4
05:0028│ 0x7fffffffcf78 ◂— 0x2
06:0030│ 0x7fffffffcf80 —▸ 0x7fffffffcfb0 —▸ 0x7fffffffd100 ◂— 0x13ffffd160
07:0038│ 0x7fffffffcf88 —▸ 0x5555569e56be (put_bits+40) ◂— nop
───────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────

► f 0 0x7ffff7d0ba7c pthread_kill+300

f 1 0x7ffff7d0ba7c pthread_kill+300
f 2 0x7ffff7d0ba7c pthread_kill+300
f 3 0x7ffff7cb7476 raise+22
f 4 0x7ffff7c9d7f3 abort+211
f 5 0x5555566fffd5 encode_scale_factors+573
f 6 0x555556700523 encode_individual_channel+238
f 7 0x55555670230a aac_encode_frame+6848

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350418432) at ./nptl/pthread_kill.c:44
#1
pthread_kill_internal (signo=6, threadid=140737350418432) at ./nptl/pthread_kill.c:78
#2 GI_pthread_kill (threadid=140737350418432, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7cb7476 in GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7c9d7f3 in
GI_abort () at ./stdlib/abort.c:79
#5 0x00005555566fffd5 in encode_scale_factors (avctx=0x5555579435c0, s=0x7ffff7be8040, sce=0x7ffff432c340) at libavcodec/aacenc.c:684
#6 0x0000555556700523 in encode_individual_channel (avctx=0x5555579435c0, s=0x7ffff7be8040, sce=0x7ffff432c340, common_window=1) at libavcodec/aacenc.c:774
#7 0x000055555670230a in aac_encode_frame (avctx=0x5555579435c0, avpkt=0x55555794c1c0, frame=0x0, got_packet_ptr=0x7fffffffd990) at libavcodec/aacenc.c:1088
#8 0x0000555555e74a68 in encode_simple_internal (avctx=0x5555579435c0, avpkt=0x55555794c1c0) at libavcodec/encode.c:214
#9 0x0000555555e74d40 in encode_simple_receive_packet (avctx=0x5555579435c0, avpkt=0x55555794c1c0) at libavcodec/encode.c:269
#10 0x0000555555e74f34 in encode_receive_packet_internal (avctx=0x5555579435c0, avpkt=0x55555794c1c0) at libavcodec/encode.c:303
#11 0x0000555555e752c3 in avcodec_send_frame (avctx=0x5555579435c0, frame=0x0) at libavcodec/encode.c:442
#12 0x0000555555685022 in encode_frame (of=0x555557924b80, ost=0x555557928d00, frame=0x0) at fftools/ffmpeg.c:933
#13 0x0000555555685720 in submit_encode_frame (of=0x555557924b80, ost=0x555557928d00, frame=0x0) at fftools/ffmpeg.c:999
#14 0x0000555555688e59 in flush_encoders () at fftools/ffmpeg.c:1837
#15 0x00005555556918ad in transcode () at fftools/ffmpeg.c:4090
#16 0x0000555555691f0b in main (argc=5, argv=0x7fffffffdec8) at fftools/ffmpeg.c:4243
#17 0x00007ffff7c9ed90 in libc_start_call_main (main=main@entry=0x555555691d9d <main>, argc=argc@entry=5, argv=argv@entry=0x7fffffffdec8) at ../sysdeps/nptl/libc_start_call_main.h:58
#18 0x00007ffff7c9ee40 in
libc_start_main_impl (main=0x555555691d9d <main>, argc=5, argv=0x7fffffffdec8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdeb8) at ../csu/libc-start.c:392
#19 0x0000555555658e8e in _start ()
pwndbg> disass $pc-32,$pc+32
Dump of assembler code from 0x7ffff7d0ba5c to 0x7ffff7d0ba9c:

0x00007ffff7d0ba5c <GI_pthread_kill+268>: (bad)
0x00007ffff7d0ba5d <GI_pthread_kill+269>: add BYTE PTR [rax],r8b
0x00007ffff7d0ba60 <GI_pthread_kill+272>: mov eax,0xba
0x00007ffff7d0ba65 <GI_pthread_kill+277>: syscall
0x00007ffff7d0ba67 <GI_pthread_kill+279>: mov ebp,eax
0x00007ffff7d0ba69 <GI_pthread_kill+281>: call 0x7ffff7d610b0 <getpid>
0x00007ffff7d0ba6e <GI_pthread_kill+286>: mov edx,r12d
0x00007ffff7d0ba71 <GI_pthread_kill+289>: mov esi,ebp
0x00007ffff7d0ba73 <GI_pthread_kill+291>: mov edi,eax
0x00007ffff7d0ba75 <GI_pthread_kill+293>: mov eax,0xea
0x00007ffff7d0ba7a <GI_pthread_kill+298>: syscall

=> 0x00007ffff7d0ba7c <GI_pthread_kill+300>: mov r13d,eax

0x00007ffff7d0ba7f <GI_pthread_kill+303>: neg r13d
0x00007ffff7d0ba82 <GI_pthread_kill+306>: cmp eax,0xfffff000
0x00007ffff7d0ba87 <GI_pthread_kill+311>: mov eax,0x0
0x00007ffff7d0ba8c <GI_pthread_kill+316>: cmovbe r13d,eax
0x00007ffff7d0ba90 <GI_pthread_kill+320>: jmp 0x7ffff7d0ba02 <GI_pthread_kill+178>
0x00007ffff7d0ba95 <GI_pthread_kill+325>: nop DWORD PTR [rax]
0x00007ffff7d0ba98 <GI_pthread_kill+328>: mov rdi,rbp
0x00007ffff7d0ba9b <GI_pthread_kill+331>: call 0x7ffff7d062b0 <GI_lll_lock_wait_private>

End of assembler dump.
pwndbg> info all-registers
rax 0x0 0
rbx 0x7ffff7c74000 140737350418432
rcx 0x7ffff7d0ba7c 140737351039612
rdx 0x6 6
rsi 0x1b454 111700
rdi 0x1b454 111700
rbp 0x1b454 0x1b454
rsp 0x7fffffffcf50 0x7fffffffcf50
r8 0x7fffffffd020 140737488343072
r9 0x7fffffff 2147483647
r10 0x8 8
r11 0x246 582
r12 0x6 6
r13 0x16 22
r14 0x0 0
r15 0x7ffff7ffd040 140737354125376
rip 0x7ffff7d0ba7c 0x7ffff7d0ba7c <GI_pthread_kill+300>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1fb6 [ DE ZE UE PE IM DM ZM OM UM PM ]
pkru 0x0 0
ymm0 {

v16_bfloat16 = {0xf723, 0xf7e8, 0x7fff, 0x0, 0xf723, 0xf7e8, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v16_half = {0xf723, 0xf7e8, 0x7fff, 0x0, 0xf723, 0xf7e8, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_float = {0xf7e8f723, 0x7fff, 0xf7e8f723, 0x7fff, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x7ffff7e8f723, 0x7ffff7e8f723, 0x0, 0x0},
v32_int8 = {0x23, 0xf7, 0xe8, 0xf7, 0xff, 0x7f, 0x0, 0x0, 0x23, 0xf7, 0xe8, 0xf7, 0xff, 0x7f, 0x0 <repeats 18 times>},
v16_int16 = {0xf723, 0xf7e8, 0x7fff, 0x0, 0xf723, 0xf7e8, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0xf7e8f723, 0x7fff, 0xf7e8f723, 0x7fff, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x7ffff7e8f723, 0x7ffff7e8f723, 0x0, 0x0},
v2_int128 = {0x7ffff7e8f72300007ffff7e8f723, 0x0}

}
ymm1 {

v16_bfloat16 = {0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v16_half = {0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_float = {0x0, 0xff, 0xff0000, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0xff00000000, 0xff0000, 0x0, 0x0},
v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 21 times>},
v16_int16 = {0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x0, 0xff, 0xff0000, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0xff00000000, 0xff0000, 0x0, 0x0},
v2_int128 = {0xff0000000000ff00000000, 0x0}

}
ymm2 {

v16_bfloat16 = {0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v16_half = {0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_float = {0x0, 0xff, 0xff0000, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0xff00000000, 0xff0000, 0x0, 0x0},
v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 21 times>},
v16_int16 = {0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x0, 0xff, 0xff0000, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0xff00000000, 0xff0000, 0x0, 0x0},
v2_int128 = {0xff0000000000ff00000000, 0x0}

}
ymm3 {

v16_bfloat16 = {0x6974, 0x6e6f, 0x6420, 0x6669, 0x2066, 0x3d3e, 0x3020, 0x2620, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v16_half = {0x6974, 0x6e6f, 0x6420, 0x6669, 0x2066, 0x3d3e, 0x3020, 0x2620, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_float = {0x6e6f6974, 0x66696420, 0x3d3e2066, 0x26203020, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x666964206e6f6974, 0x262030203d3e2066, 0x0, 0x0},
v32_int8 = {0x74, 0x69, 0x6f, 0x6e, 0x20, 0x64, 0x69, 0x66, 0x66, 0x20, 0x3e, 0x3d, 0x20, 0x30, 0x20, 0x26, 0x0 <repeats 16 times>},
v16_int16 = {0x6974, 0x6e6f, 0x6420, 0x6669, 0x2066, 0x3d3e, 0x3020, 0x2620, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x6e6f6974, 0x66696420, 0x3d3e2066, 0x26203020, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x666964206e6f6974, 0x262030203d3e2066, 0x0, 0x0},
v2_int128 = {0x262030203d3e2066666964206e6f6974, 0x0}

}
ymm4 {

v16_bfloat16 = {0xcfff, 0xffff, 0x7fff, 0x0 <repeats 13 times>},
v16_half = {0xcfff, 0xffff, 0x7fff, 0x0 <repeats 13 times>},
v8_float = {0xffffcfff, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x7fffffffcfff, 0x0, 0x0, 0x0},
v32_int8 = {0xff, 0xcf, 0xff, 0xff, 0xff, 0x7f, 0x0 <repeats 26 times>},
v16_int16 = {0xcfff, 0xffff, 0x7fff, 0x0 <repeats 13 times>},
v8_int32 = {0xffffcfff, 0x7fff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x7fffffffcfff, 0x0, 0x0, 0x0},
v2_int128 = {0x7fffffffcfff, 0x0}

}
ymm5 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
ymm6 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
ymm7 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
ymm8 {

v16_bfloat16 = {0x5b1b, 0x6d30, 0x7100, 0x6975, 0x7465, 0x6400, 0x6265, 0x6775, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v16_half = {0x5b1b, 0x6d30, 0x7100, 0x6975, 0x7465, 0x6400, 0x6265, 0x6775, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_float = {0x6d305b1b, 0x69757100, 0x64007465, 0x67756265, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x697571006d305b1b, 0x6775626564007465, 0x0, 0x0},
v32_int8 = {0x1b, 0x5b, 0x30, 0x6d, 0x0, 0x71, 0x75, 0x69, 0x65, 0x74, 0x0, 0x64, 0x65, 0x62, 0x75, 0x67, 0x0 <repeats 16 times>},
v16_int16 = {0x5b1b, 0x6d30, 0x7100, 0x6975, 0x7465, 0x6400, 0x6265, 0x6775, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x6d305b1b, 0x69757100, 0x64007465, 0x67756265, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x697571006d305b1b, 0x6775626564007465, 0x0, 0x0},
v2_int128 = {0x6775626564007465697571006d305b1b, 0x0}

}
ymm9 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
ymm10 {

v16_bfloat16 = {0x5560, 0x6595, 0x5a32, 0xbfe5, 0x0 <repeats 12 times>},
v16_half = {0x5560, 0x6595, 0x5a32, 0xbfe5, 0x0 <repeats 12 times>},
v8_float = {0x65955560, 0xbfe55a32, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0xbfe55a3265955560, 0x0, 0x0, 0x0},
v32_int8 = {0x60, 0x55, 0x95, 0x65, 0x32, 0x5a, 0xe5, 0xbf, 0x0 <repeats 24 times>},
v16_int16 = {0x5560, 0x6595, 0x5a32, 0xbfe5, 0x0 <repeats 12 times>},
v8_int32 = {0x65955560, 0xbfe55a32, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0xbfe55a3265955560, 0x0, 0x0, 0x0},
v2_int128 = {0xbfe55a3265955560, 0x0}

}
ymm11 {

v16_bfloat16 = {0xf2b1, 0xaf03, 0xa015, 0x3fe9, 0x0 <repeats 12 times>},
v16_half = {0xf2b1, 0xaf03, 0xa015, 0x3fe9, 0x0 <repeats 12 times>},
v8_float = {0xaf03f2b1, 0x3fe9a015, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x3fe9a015af03f2b1, 0x0, 0x0, 0x0},
v32_int8 = {0xb1, 0xf2, 0x3, 0xaf, 0x15, 0xa0, 0xe9, 0x3f, 0x0 <repeats 24 times>},
v16_int16 = {0xf2b1, 0xaf03, 0xa015, 0x3fe9, 0x0 <repeats 12 times>},
v8_int32 = {0xaf03f2b1, 0x3fe9a015, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x3fe9a015af03f2b1, 0x0, 0x0, 0x0},
v2_int128 = {0x3fe9a015af03f2b1, 0x0}

}
ymm12 {

v16_bfloat16 = {0x45e9, 0x9b48, 0x495b, 0xbff2, 0x0 <repeats 12 times>},
v16_half = {0x45e9, 0x9b48, 0x495b, 0xbff2, 0x0 <repeats 12 times>},
v8_float = {0x9b4845e9, 0xbff2495b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0xbff2495b9b4845e9, 0x0, 0x0, 0x0},
v32_int8 = {0xe9, 0x45, 0x48, 0x9b, 0x5b, 0x49, 0xf2, 0xbf, 0x0 <repeats 24 times>},
v16_int16 = {0x45e9, 0x9b48, 0x495b, 0xbff2, 0x0 <repeats 12 times>},
v8_int32 = {0x9b4845e9, 0xbff2495b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0xbff2495b9b4845e9, 0x0, 0x0, 0x0},
v2_int128 = {0xbff2495b9b4845e9, 0x0}

}
ymm13 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
ymm14 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
ymm15 {

v16_bfloat16 = {0x0 <repeats 16 times>},
v16_half = {0x0 <repeats 16 times>},
v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0},
v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>},
v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {0x0, 0x0}

}
pwndbg>

Attachments (1)

new_poc (518 bytes ) - added by Ex 16 months ago.

Download all attachments as: .zip

Change History (2)

by Ex, 16 months ago

Attachment: new_poc added

comment:1 by Carl Eugen Hoyos, 16 months ago

Component: undeterminedavcodec
Keywords: aac crash abort added; Assertion diff >= 0 && diff <= 120 failed at libavcodec/aacenc.c:684 removed
Priority: normalimportant
Note: See TracTickets for help on using tickets.