Opened 13 years ago

Closed 13 years ago

Last modified 11 years ago

#114 closed defect (fixed)

Crash in indeo3 decoder

Reported by: Carl Eugen Hoyos
Owned by:
Priority: important
Component: avcodec
Version: git
Keywords: indeo3 roundup
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: yes

Description

(issue 1482)
No useful backtrace

$ valgrind ffmpeg_g -i smclocki32.avi.1.1 -f null -
ffmpeg version git-N-29369-g03a91c7, Copyright (c) 2000-2011 the FFmpeg developers
  built on Apr 25 2011 22:53:16 with gcc 4.5.2
  configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --disable-avfilter
  libavutil    51.  0. 0 / 51.  0. 0
  libavcodec   53.  1. 0 / 53.  1. 0
  libavformat  53.  0. 3 / 53.  0. 3
  libavdevice  53.  0. 0 / 53.  0. 0
  libswscale    0. 13. 0 /  0. 13. 0
[avi @ 0x7c06dc0] non-interleaved AVI
Input #0, avi, from 'smclocki32.avi.1.1':
  Duration: 00:00:00.10, start: 0.000000, bitrate: 920 kb/s
    Stream #0.0: Video: indeo3, yuv410p, 32x32, 30 tbr, 30 tbn, 30 tbc
    Stream #0.1: Audio: truespeech, 8000 Hz, 1 channels, s16, 8 kb/s
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf53.0.3
    Stream #0.0: Video: rawvideo, yuv410p, 32x32, q=2-31, 200 kb/s, 90k tbn, 30 tbc
    Stream #0.1: Audio: pcm_s16le, 8000 Hz, 1 channels, s16, 128 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding
==6481== Invalid write of size 4
==6481==    at 0x8281FBC: iv_Decode_Chunk (indeo3.c:363)
==6481==  Address 0x7c66df0 is 0 bytes after a block of size 2,432 alloc'd
==6481==    at 0x6449E9E: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==6481==    by 0x6449EFB: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==6481==    by 0x85770B0: av_malloc (mem.c:83)
==6481==
==6481== Invalid write of size 4
==6481==    at 0x8281EF8: iv_Decode_Chunk (indeo3.c:407)
==6481==  Address 0x7c66dfc is 12 bytes after a block of size 2,432 alloc'd
==6481==    at 0x6449E9E: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==6481==    by 0x6449EFB: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==6481==    by 0x85770B0: av_malloc (mem.c:83)
==6481==
==6481== Conditional jump or move depends on uninitialised value(s)
==6481==    at 0x8575367: av_log_default_callback (log.c:120)
==6481==
frame=    3 fps=  0 q=0.0 Lsize=      -0kB time=0.09 bitrate=  -2.0kbits/s
video:0kB audio:1kB global headers:0kB muxing overhead -101.527778%
==6481== Conditional jump or move depends on uninitialised value(s)
==6481==    at 0x85753C0: av_log_default_callback (log.c:102)
==6481==
Found 1 unreleased buffers!
==6481==
==6481== HEAP SUMMARY:
==6481==     in use at exit: 0 bytes in 0 blocks
==6481==   total heap usage: 98 allocs, 98 frees, 720,471 bytes allocated
==6481==
==6481== All heap blocks were freed -- no leaks are possible
==6481==
==6481== For counts of detected and suppressed errors, rerun with: -v
==6481== Use --track-origins=yes to see where uninitialised values come from
==6481== ERROR SUMMARY: 9 errors from 4 contexts (suppressed: 3 from 3)

Attachments (1)

smclocki32.avi.1.1 (11.2 KB) - added by Carl Eugen Hoyos 13 years ago.

Change History (4)

by Carl Eugen Hoyos, 13 years ago

Attachment: smclocki32.avi.1.1 added

comment:1 by Stefano Sabatini, 13 years ago

Analyzed by developer: set
Reproduced by developer: set
Resolution: fixed
Status: new → closed

Fixed in commit:

commit 48df6a241532f0702fc4fd10ddcbfac435e4027c
Author: Stefano Sabatini <stefano.sabatini-lala@poste.it>
Date:   Tue May 17 22:21:33 2011 +0200

    indeo3: add out-of-buffer write check
    
    Prevent out-of-buffer writes. In particular fix smclocki32.avi.1.1
    crash, trac issue #114, roundup issue #1482.

comment:2 by Carl Eugen Hoyos, 12 years ago

Keywords: indeo3 added

comment:3 by Carl Eugen Hoyos, 11 years ago

Keywords: roundup added