Opened 3 years ago
Closed 3 years ago
#10317 closed defect (fixed)
Segmentation violation in ffmpeg (lame_window_init libavcodec/aacpsy.c:270)
| Field | Value |
|---|---|
| Reported by: | Youngseok Choi |
| Owned by: | |
| Priority: | important |
| Component: | avcodec |
| Version: | git-master |
| Keywords: | fuzzing, SIGSEGV |
| Cc: | |
| Blocked By: | |
| Blocking: | |
| Reproduced by developer: | yes |
| Analyzed by developer: | yes |
Description
Hi, our fuzzer found a new SEGV bug in ffmpeg.
Command Input
ffmpeg -i poc_file -q 8M .mpd
poc_file is attached!
Command Output
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
libavutil 58. 5.100 / 58. 5.100
libavcodec 60. 9.100 / 60. 9.100
libavformat 60. 4.101 / 60. 4.101
libavdevice 60. 2.100 / 60. 2.100
libavfilter 9. 5.100 / 9. 5.100
libswscale 7. 2.100 / 7. 2.100
libswresample 4. 11.100 / 4. 11.100
[ea_cdata @ 0x617000000080] Format ea_cdata detected only with low score of 12, misdetection possible!
[aist#0:0/adpcm_ea_xas @ 0x616000000980] Guessed Channel Layout: stereo
Input #0, ea_cdata, from '/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/ffmpeg/1_id:000033/poc_file':
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0:0: Audio: adpcm_ea_xas, 108 Hz, 2 channels, s16p
Stream mapping:
Stream #0:0 -> #0:0 (adpcm_ea_xas (native) -> aac (native))
Press [q] to stop, [?] for help
[ea_cdata @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS).
[in#0/ea_cdata @ 0x612000000040] corrupt input packet in stream 0
[aac @ 0x619000001e80] Too many bits 17832.925170 > 12288 per frame requested, clamping to max
Stack Trace (Asan)
==14366==ERROR: AddressSanitizer: SEGV on unknown address 0x55555d125164 (pc 0x55555883bf4a bp 0x7fffffffd150 sp 0x7fffffffd130 T0)
==14366==The signal is caused by a READ memory access.
#0 0x55555883bf49 in lame_window_init libavcodec/aacpsy.c:270
#1 0x55555883db76 in psy_3gpp_init libavcodec/aacpsy.c:379
#2 0x555558731ce5 in ff_psy_init libavcodec/psymodel.c:69
#3 0x555558183116 in aac_encode_init libavcodec/aacenc.c:1365
#4 0x555556b4b313 in avcodec_open2 libavcodec/avcodec.c:322
#5 0x555555b10810 in init_output_stream fftools/ffmpeg.c:3238
#6 0x555555af527c in init_output_stream_wrapper fftools/ffmpeg.c:739
#7 0x555555afc26f in reap_filters fftools/ffmpeg.c:1391
#8 0x555555b1887c in transcode_step fftools/ffmpeg.c:4007
#9 0x555555b18a9e in transcode fftools/ffmpeg.c:4044
#10 0x555555b196f8 in main fftools/ffmpeg.c:4182
#11 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#12 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)
Environment
Built with address sanitizer.
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
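The crashing frame (lame_window_init reached with the `-q 8M` argument) is consistent with a user-supplied quality value being used, unchecked, as an index into a small preset table; that reading is an assumption here, not something the ticket states. The C below is an added illustration of that risky pattern next to two range-checked forms. It is not FFmpeg's aacpsy.c and not the referenced fix; the table contents and function names are constructed, and FF_QP2LAMBDA is FFmpeg's qscale-to-lambda constant (118).

```c
/* Added illustration for ticket #10317, not FFmpeg's aacpsy.c and not the
 * referenced fix. With "-q 8M", ffmpeg stores global_quality =
 * 8000000 * FF_QP2LAMBDA, so global_quality / FF_QP2LAMBDA = 8000000,
 * far past an 11-entry preset table. The table below is constructed. */
#include <stddef.h>
#include <stdio.h>

#define FF_QP2LAMBDA 118   /* FFmpeg's qscale-to-lambda scale factor */

typedef struct {
    int   vbr_q;    /* VBR quality level this preset belongs to */
    float st_lrm;   /* constructed "attack threshold" value */
} PsyPreset;

/* Constructed preset table indexed by VBR quality 0..10 (11 entries). */
static const PsyPreset vbr_map[] = {
    { 0, 4.20f}, { 1, 4.20f}, { 2, 4.20f}, { 3, 4.20f}, { 4, 4.20f}, { 5, 4.20f},
    { 6, 4.20f}, { 7, 4.20f}, { 8, 4.20f}, { 9, 4.20f}, {10, 4.20f},
};
#define VBR_MAP_SIZE ((int)(sizeof(vbr_map) / sizeof(vbr_map[0])))

/* Risky pattern: the index as a caller would derive it, with no range check.
 * Returned rather than dereferenced, to show how far off a large -q lands. */
int vbr_index_unchecked(int global_quality)
{
    return global_quality / FF_QP2LAMBDA;
}

/* Hardened form 1: reject out-of-range quality values. Returns the preset's
 * st_lrm, or -1.0f (an impossible threshold) when the index is invalid. */
float vbr_threshold_checked(int global_quality)
{
    int idx = global_quality / FF_QP2LAMBDA;
    if (idx < 0 || idx >= VBR_MAP_SIZE)
        return -1.0f;
    return vbr_map[idx].st_lrm;
}

/* Hardened form 2: clamp, so every -q value maps to a valid table entry. */
int vbr_index_clamped(int global_quality)
{
    int idx = global_quality / FF_QP2LAMBDA;
    if (idx < 0) return 0;
    if (idx >= VBR_MAP_SIZE) return VBR_MAP_SIZE - 1;
    return idx;
}

int main(void)
{
    int q = 8000000 * FF_QP2LAMBDA;   /* what "-q 8M" becomes */
    printf("unchecked index: %d (table has %d entries)\n",
           vbr_index_unchecked(q), VBR_MAP_SIZE);
    printf("clamped index: %d, checked lookup: %f\n",
           vbr_index_clamped(q), vbr_threshold_checked(q));
    return 0;
}
```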
Attachments (1)
Change History (2)
by , 3 years ago
comment:1 by , 3 years ago
| Analyzed by developer: | set |
|---|---|
| Component: | ffmpeg → avcodec |
| Priority: | normal → important |
| Reproduced by developer: | set |
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in 5cda6b94f45c347805cbd5a0c7ed1d712b5722d7.
Attachment description: poc_file used in command input