#10545 closed defect (fixed)

osq: crash with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: normal
Component: undetermined
Version: unspecified
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

(gdb) r -i 8s_fuzz.osq -f null -
Starting program: ffmpeg_g -i 8s_fuzz.osq -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-111893-gbef151d1ce Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 11 (Ubuntu 11.4.0-1ubuntu1~22.04)
  configuration: 
  libavutil      58. 19.100 / 58. 19.100
  libavcodec     60. 25.100 / 60. 25.100
  libavformat    60. 11.100 / 60. 11.100
  libavdevice    60.  2.101 / 60.  2.101
  libavfilter     9. 11.100 /  9. 11.100
  libswscale      7.  3.100 /  7.  3.100
  libswresample   4. 11.100 /  4. 11.100
[aist#0:0/osq @ 0x5555580e2f80] Guessed Channel Layout: stereo
Input #0, osq, from '8s_fuzz.osq':
  Duration: 00:00:10.87, start: 0.000000, bitrate: 270 kb/s
  Stream #0:0: Audio: osq, 44100 Hz, 2 channels, u8p
[New Thread 0x7ffff6fdc640 (LWP 32456)]
Stream mapping:
  Stream #0:0 -> #0:0 (osq (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
[New Thread 0x7ffff67db640 (LWP 32457)]
[osq @ 0x5555580e02c0] overread!
[aist#0:0/osq @ 0x5555580e2f80] Error submitting packet to decoder: Invalid data found when processing input
munmap_chunk(): invalid pointer

Thread 2 "dec0:0:osq" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff6fdc640 (LWP 32456)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737337214528) at ./nptl/pthread_kill.c:44
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, 
    threadid=140737337214528) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737337214528)
    at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737337214528, signo=signo@entry=6)
    at ./nptl/pthread_kill.c:89
#3  0x00007ffff783c476 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/posix/raise.c:26
#4  0x00007ffff78227f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff78836f6 in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff79d5b8c "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff789ad7c in malloc_printerr (
    str=str@entry=0x7ffff79d8230 "munmap_chunk(): invalid pointer")
    at ./malloc/malloc.c:5664
#7  0x00007ffff789b05c in munmap_chunk (p=<optimized out>)
    at ./malloc/malloc.c:3060
#8  0x00007ffff789f51a in __GI___libc_free (mem=<optimized out>)
    at ./malloc/malloc.c:3381
#9  0x0000555556529a49 in av_free (ptr=<optimized out>)
    at libavutil/mem.c:241
#10 0x0000555556529b16 in av_freep (arg=arg@entry=0x7ffff0000b40)
    at libavutil/mem.c:251
#11 0x0000555556511adf in buffer_replace (src=0x0, dst=0x7ffff0000b40)
    at libavutil/buffer.c:127
#12 av_buffer_unref (buf=buf@entry=0x7ffff0000b40) at libavutil/buffer.c:144
#13 0x0000555555b6454e in av_packet_unref (pkt=0x7ffff0000b40)
    at libavcodec/avpacket.c:426
#14 0x000055555570830d in decoder_thread (arg=0x5555580e2f80)
    at fftools/ffmpeg_dec.c:704
#15 0x00007ffff788eb43 in start_thread (arg=<optimized out>)
    at ./nptl/pthread_create.c:442
#16 0x00007ffff7920a00 in clone3 ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
==32540== Invalid write of size 4
==32540==    at 0xA0B13F: get_srice (get_bits.h:395)
==32540==    by 0xA0B13F: do_decode (osq.c:250)
==32540==    by 0xA0B13F: osq_decode_block (osq.c:357)
==32540==    by 0xA0B13F: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
==32540== Invalid write of size 4
==32540==    at 0xA0ADD1: do_decode (osq.c:271)
==32540==    by 0xA0ADD1: osq_decode_block (osq.c:357)
==32540==    by 0xA0ADD1: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
==32540== Invalid read of size 4
==32540==    at 0xA0AC0B: do_decode (osq.c:319)
==32540==    by 0xA0AC0B: osq_decode_block (osq.c:357)
==32540==    by 0xA0AC0B: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
==32540== Invalid write of size 4
==32540==    at 0xA0AB90: do_decode (osq.c:246)
==32540==    by 0xA0AB90: osq_decode_block (osq.c:357)
==32540==    by 0xA0AB90: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5859454 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
==32540== Invalid write of size 4
==32540==    at 0xA0ADEB: do_decode (osq.c:265)
==32540==    by 0xA0ADEB: osq_decode_block (osq.c:357)
==32540==    by 0xA0ADEB: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5859454 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
==32540== Invalid read of size 4
==32540==    at 0xA0AE15: do_decode (osq.c:328)
==32540==    by 0xA0AE15: osq_decode_block (osq.c:357)
==32540==    by 0xA0AE15: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5858f94 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
==32540== Invalid read of size 4
==32540==    at 0xA0AE19: do_decode (osq.c:328)
==32540==    by 0xA0AE19: osq_decode_block (osq.c:357)
==32540==    by 0xA0AE19: osq_receive_frame (osq.c:435)
==32540==    by 0x7B2B71: decode_receive_frame_internal (decode.c:623)
==32540==    by 0x7B34F9: avcodec_send_packet (decode.c:731)
==32540==    by 0x2BB715: packet_decode (ffmpeg_dec.c:555)
==32540==    by 0x2BB715: decoder_thread (ffmpeg_dec.c:702)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0x5859454 is 0 bytes after a block of size 1,044 alloc'd
==32540==    at 0x484DE30: memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x484DF92: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x10DD9A4: av_malloc (mem.c:105)
==32540==    by 0x10DDB6D: av_mallocz (mem.c:256)
==32540==    by 0x26922B: osq_init (osq.c:119)
==32540==    by 0x7172FC: avcodec_open2 (avcodec.c:334)
==32540==    by 0x2BD1BF: dec_open (ffmpeg_dec.c:1117)
==32540==    by 0x2C2B87: ist_use (ffmpeg_demux.c:867)
==32540==    by 0x2C2B87: ist_filter_add (ffmpeg_demux.c:896)
==32540==    by 0x2CA7BD: ifilter_bind_ist (ffmpeg_filter.c:575)
==32540==    by 0x2CA7BD: init_simple_filtergraph (ffmpeg_filter.c:926)
==32540==    by 0x2D55EE: ost_add (ffmpeg_mux_init.c:1424)
==32540==    by 0x2D70EB: create_streams (ffmpeg_mux_init.c:1814)
==32540==    by 0x2D70EB: of_open (ffmpeg_mux_init.c:2683)
==32540==    by 0x2D9869: open_files (ffmpeg_opt.c:1284)
==32540== 
[osq @ 0x5850440] overread!
[aist#0:0/osq @ 0x5850240] Error submitting packet to decoder: Invalid data found when processing input
==32540== Invalid free() / delete / delete[] / realloc()
==32540==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==32540==    by 0x717E52: av_packet_free_side_data (avpacket.c:192)
==32540==    by 0x71853C: av_packet_unref (avpacket.c:424)
==32540==    by 0x2BC30C: decoder_thread (ffmpeg_dec.c:704)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0xfff5d923fff5ddbf is not stack'd, malloc'd or (recently) free'd
==32540== 
==32540== Invalid read of size 8
==32540==    at 0x10C5AD7: buffer_replace (buffer.c:121)
==32540==    by 0x10C5AD7: av_buffer_unref (buffer.c:144)
==32540==    by 0x718545: av_packet_unref (avpacket.c:425)
==32540==    by 0x2BC30C: decoder_thread (ffmpeg_dec.c:704)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540==  Address 0xfff5aaf9fff5af86 is not stack'd, malloc'd or (recently) free'd
==32540== 
==32540== 
==32540== Process terminating with default action of signal 11 (SIGSEGV)
==32540==  General Protection Fault
==32540==    at 0x10C5AD7: buffer_replace (buffer.c:121)
==32540==    by 0x10C5AD7: av_buffer_unref (buffer.c:144)
==32540==    by 0x718545: av_packet_unref (avpacket.c:425)
==32540==    by 0x2BC30C: decoder_thread (ffmpeg_dec.c:704)
==32540==    by 0x4E88B42: start_thread (pthread_create.c:442)
==32540==    by 0x4F19BB3: clone (clone.S:100)
==32540== 
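
The valgrind records above place every out-of-bounds store and load at exactly 0 bytes past a 1,044-byte heap block that osq_init allocated once with av_mallocz, and the later invalid free and general protection fault inside av_packet_unref are consistent with heap contents corrupted by those stores. The toy decoder below is added here as an illustration and is not taken from the ticket or from FFmpeg's osq.c: it models the shape the trace shows, a fixed work buffer allocated at init and a per-block loop indexed by a count read from the bitstream. The unchecked loop reproduces the overrun class (the first bad store lands one slot past the block); the checked loop bounds the count against both the packet that backs it and the work buffer, and fails the block with an error instead of clamping. All names, the two-byte packet header, and the 261-slot buffer size (261 * 4 == 1,044) are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Constructed example, not osq.c: a toy decoder with a fixed work buffer
 * allocated once at init (the analogue of the 1,044-byte block valgrind
 * reports) and a per-block loop driven by a bitstream-supplied count. */

#define WORK_SAMPLES 261               /* 261 * sizeof(int32_t) == 1,044 bytes (assumed) */

typedef struct ToyDecoder {
    int32_t *work;                     /* heap block that an overrun would corrupt past */
    size_t   work_len;                 /* number of int32_t slots in work */
} ToyDecoder;

int toy_init(ToyDecoder *dec)
{
    dec->work_len = WORK_SAMPLES;
    dec->work = calloc(dec->work_len, sizeof(*dec->work));   /* stands in for av_mallocz() */
    return dec->work ? 0 : -ENOMEM;
}

void toy_close(ToyDecoder *dec)
{
    free(dec->work);
    dec->work = NULL;
    dec->work_len = 0;
}

/* Constructed block layout: bytes 0..1 little-endian sample count,
 * then one int8 residual per sample. */
int toy_read_header(const uint8_t *pkt, size_t pkt_len, size_t *nb_samples)
{
    if (pkt_len < 2)
        return -EINVAL;
    *nb_samples = (size_t)(pkt[0] | (pkt[1] << 8));
    return 0;
}

/* VULNERABLE form: trusts the header count. With nb_samples == work_len + 1
 * the last store lands exactly "0 bytes after" the work block, the pattern
 * valgrind flags above. Kept only for contrast; never run it on untrusted input. */
int toy_decode_block_unchecked(ToyDecoder *dec, const uint8_t *pkt, size_t pkt_len)
{
    size_t n;
    int ret = toy_read_header(pkt, pkt_len, &n);
    if (ret < 0)
        return ret;
    for (size_t i = 0; i < n; i++)
        dec->work[i] = (int8_t)pkt[2 + i];   /* no check against work_len or pkt_len */
    return (int)n;
}

/* HARDENED form: reject a count that would overrun the heap block or overread
 * the packet (the decoder's "overread!" case), returning an error the caller
 * treats like AVERROR_INVALIDDATA instead of writing past the allocation. */
int toy_decode_block_checked(ToyDecoder *dec, const uint8_t *pkt, size_t pkt_len)
{
    size_t n;
    int ret = toy_read_header(pkt, pkt_len, &n);
    if (ret < 0)
        return ret;
    if (n > dec->work_len)                 /* would write past the work buffer */
        return -EINVAL;
    if (n > pkt_len - 2)                   /* would read past the packet (pkt_len >= 2 here) */
        return -EINVAL;
    for (size_t i = 0; i < n; i++)
        dec->work[i] = (int8_t)pkt[2 + i];
    return (int)n;
}

/* Run the checked path on a constructed packet whose header claims `claimed`
 * samples while the packet carries `carried` residual bytes. Returns the
 * decoder result: the sample count on success, -EINVAL on a rejected block. */
int toy_run(size_t claimed, size_t carried)
{
    ToyDecoder dec;
    if (toy_init(&dec) < 0)
        return -ENOMEM;
    uint8_t *pkt = calloc(2 + carried, 1);  /* constructed input, residuals all zero */
    if (!pkt) {
        toy_close(&dec);
        return -ENOMEM;
    }
    pkt[0] = (uint8_t)(claimed & 0xff);
    pkt[1] = (uint8_t)((claimed >> 8) & 0xff);
    int ret = toy_decode_block_checked(&dec, pkt, 2 + carried);
    free(pkt);
    toy_close(&dec);
    return ret;
}

int main(void)
{
    printf("261 claimed / 261 carried -> %d\n", toy_run(261, 261));
    printf("262 claimed / 262 carried -> %d (rejected: one slot past the block)\n", toy_run(262, 262));
    printf("100 claimed /  50 carried -> %d (rejected: packet overread)\n", toy_run(100, 50));
    return 0;
}
```

The check is placed before the loop and rejects rather than clamps: clamping a fuzzed count silently decodes garbage, while a hard error lets the caller drop the packet, which is the behaviour the ffmpeg log above shows for the "overread!" case once the bounds are enforced.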

Attachments (1)

8s_fuzz.osq (359.1 KB) - added by ami_stuff 15 months ago.


Change History (3)

by ami_stuff, 15 months ago

Attachment: 8s_fuzz.osq added

comment:1 by ami_stuff, 15 months ago

Summary: osq: crash with fizzed file → osq: crash with fuzzed file

comment:2 by Elon Musk, 15 months ago

Resolution: fixed
Status: new → closed