Opened 13 years ago

Closed 11 years ago

#123 closed defect (fixed)

Fuzzed sample crashes ffplay

Reported by: Carl Eugen Hoyos Owned by: Michael Niedermayer
Priority: normal Component: ffplay
Version: git Keywords: leak
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

The sample from ticket #74 now crashes ffplay, no useful backtrace, valgrind shows some invalid reads.

$ valgrind ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
==14017== Memcheck, a memory error detector
==14017== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==14017== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==14017== Command: ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
==14017==
ffplay version git-N-29391-gd84f191, Copyright (c) 2003-2011 the FFmpeg developers
  built on Apr 26 2011 20:33:16 with gcc 4.5.2
  configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
  libavutil    51.  0. 0 / 51.  0. 0
  libavcodec   53.  1. 0 / 53.  1. 0
  libavformat  53.  0. 3 / 53.  0. 3
  libavdevice  53.  0. 0 / 53.  0. 0
  libavfilter   2.  0. 0 /  2.  0. 0
  libswscale    0. 13. 0 /  0. 13. 0

...

Input #0, mpegvideo, from 'crash_pirateszz_2_s25_r003.fuzz.sample':
  Duration: 00:00:08.35, bitrate: 9800 kb/s
    Stream #0.0: Video: mpeg2video (4:2:2), yuv420p, 720x4576 [PAR 4576:405 DAR 16:9], 9800 kb/s, 17.53 fps, 3.33 tbr, 1200k tbn, 6.66 tbc

...

==14017== Invalid read of size 1
==14017==    at 0x644C138: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292f is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C142: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292e is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C14B: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292d is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C154: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292c is not stack'd, malloc'd or (recently) free'd
==14017==

Attachments (1)

valgrind.log (26.8 KB ) - added by Carl Eugen Hoyos 11 years ago.


Change History (9)

comment:1 by Michael Niedermayer, 13 years ago

Status: new → open

I'd guess SDL bug, but I could be wrong.
mplayer crashes too

==21084== Invalid write of size 8
==21084== at 0x4C2A33A: memcpy (mc_replace_strmem.c:635)
==21084== by 0x974550: av_image_copy (string3.h:52)
==21084== by 0x68E640: av_picture_copy (imgconvert.c:669)
==21084== by 0x437E2B: video_thread (ffplay.c:1404)
==21084== by 0x5129874: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
==21084== by 0x516C048: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
==21084== by 0x66E9D8B: start_thread (pthread_create.c:304)
==21084== by 0x69E704C: clone (clone.S:112)
==21084== Address 0xe618108 is not stack'd, malloc'd or (recently) free'd

comment:2 by Carl Eugen Hoyos, 13 years ago

mplayer -vo sdl does not crash for me, but I was able to produce a backtrace with ffplay:

(gdb) r crash_pirateszz_2_s25_r003.fuzz.sample
ffplay version git-N-30584-gd58ed64, Copyright (c) 2003-2011 the FFmpeg developers
  built on Jun  7 2011 01:57:06 with gcc 4.5.3
  configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc --enable-gpl
  libavutil    51.  6. 1 / 51.  6. 1
  libavcodec   53.  6. 1 / 53.  6. 1
  libavformat  53.  2. 0 / 53.  2. 0
  libavdevice  53.  1. 1 / 53.  1. 1
  libavfilter   2. 14. 0 /  2. 14. 0
  libswscale    0. 14. 1 /  0. 14. 1
  libpostproc  51.  2. 0 / 51.  2. 0

...

[mpeg2video @ 0x13286c0] slice below image (57 >= 30)
[mpeg2video @ 0x13286c0] ignoring pic cod ext after 0
[mpeg2video @ 0x13286c0] slice below image (67 >= 30)
[mpeg2video @ 0x13286c0] warning: first frame is no keyframe
[mpeg2video @ 0x13286c0] slice mismatch
[mpeg2video @ 0x13286c0] invalid mb type in P Frame at 51 2
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 3
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 5
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 8
[mpeg2video @ 0x13286c0] ac-tex damaged at 14 9
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 16
[mpeg2video @ 0x13286c0] ac-tex damaged at 1 18
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 20
[mpeg2video @ 0x13286c0] slice below image (53 >= 30)
[mpeg2video @ 0x13286c0] slice mismatch
[mpeg2video @ 0x13286c0] slice below image (70 >= 30)
[mpeg2video @ 0x13286c0] matrix damaged
[mpeg2video @ 0x13286c0] sequence header damaged
[mpeg2video @ 0x13286c0] Warning MVs not available
[mpeg2video @ 0x13286c0] concealing 9030 DC, 9030 AC, 9030 MV errors
   3.19 A-V:  0.000 s:0.2 aq=    0KB vq=   69KB sq=    0B f=0/8
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff43f4910 (LWP 8473)]
0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
#1  0x0000000000970e6f in av_image_copy_plane (height=151, bytewidth=720, src_linesize=4816,
    src=<value optimized out>, dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:238
#2  av_image_copy (height=151, bytewidth=720, src_linesize=4816, src=<value optimized out>,
    dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:271
#3  0x000000000066b931 in av_picture_copy (dst=<value optimized out>, src=<value optimized out>,
    pix_fmt=<value optimized out>, width=<value optimized out>, height=<value optimized out>)
    at libavcodec/imgconvert.c:669
#4  0x000000000040961b in queue_picture (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840,
    is=0x7ffff4bf6040) at ffplay.c:1403
#5  video_thread (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840, is=0x7ffff4bf6040)
    at ffplay.c:1790
#6  0x00007ffff766a3b5 in ?? () from /usr/lib64/libSDL-1.2.so.0
#7  0x00007ffff76ad539 in ?? () from /usr/lib64/libSDL-1.2.so.0
#8  0x00007ffff744065d in start_thread () from /lib64/libpthread.so.0
#9  0x00007ffff6b35ecd in clone () from /lib64/libc.so.6
#10 0x0000000000000000 in ?? ()
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7ffff6ae4702 to 0x7ffff6ae4742:
0x00007ffff6ae4702 <memcpy+178>:        nopw   %cs:0x0(%rax,%rax,1)
0x00007ffff6ae4710 <memcpy+192>:        cmp    $0x400,%rdx
0x00007ffff6ae4717 <memcpy+199>:        ja     0x7ffff6ae4790 <memcpy+320>
0x00007ffff6ae4719 <memcpy+201>:        mov    %edx,%ecx
0x00007ffff6ae471b <memcpy+203>:        shr    $0x5,%ecx
0x00007ffff6ae471e <memcpy+206>:        je     0x7ffff6ae4780 <memcpy+304>
0x00007ffff6ae4720 <memcpy+208>:        dec    %ecx
0x00007ffff6ae4722 <memcpy+210>:        mov    (%rsi),%rax
0x00007ffff6ae4725 <memcpy+213>:        mov    0x8(%rsi),%r8
0x00007ffff6ae4729 <memcpy+217>:        mov    0x10(%rsi),%r9
0x00007ffff6ae472d <memcpy+221>:        mov    0x18(%rsi),%r10
0x00007ffff6ae4731 <memcpy+225>:        mov    %rax,(%rdi)
0x00007ffff6ae4734 <memcpy+228>:        mov    %r8,0x8(%rdi)
0x00007ffff6ae4738 <memcpy+232>:        mov    %r9,0x10(%rdi)
0x00007ffff6ae473c <memcpy+236>:        mov    %r10,0x18(%rdi)
0x00007ffff6ae4740 <memcpy+240>:        lea    0x20(%rsi),%rsi
End of assembler dump.
(gdb) info register
rax            0x7ffff1c00d50   140737249283408
rbx            0x2d0    720
rcx            0x15     21
rdx            0x2d0    720
rsi            0x7fffec1f3d90   140737154858384
rdi            0x7ffff1c00d50   140737249283408
rbp            0x96     0x96
rsp            0x7ffff43f3e88   0x7ffff43f3e88
r8             0x0      0
r9             0x0      0
r10            0x0      0
r11            0x2d0    720
r12            0x7fffec1f5060   140737154863200
r13            0x7ffff1c01020   140737249284128
r14            0x12d0   4816
r15            0x2d0    720
rip            0x7ffff6ae4722   0x7ffff6ae4722 <memcpy+210>
eflags         0x10203  [ CF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

comment:3 by Marton Balint, 12 years ago

Resolution: fixed
Status: open → closed

Fixed in latest git master. Crash was caused by changing resolution and pixel format.
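The failure mode named in comment:3 (a queued picture allocated for one resolution and pixel format while the decoder hands over a frame with another, so the plane copy in the backtrace writes past the destination) as an added example that is not part of this ticket or of FFmpeg's code: a minimal C model of the queue step with the geometry check that prevents the out-of-bounds copy. `Picture`, `pic_alloc`, `copy_plane` and `queue_frame` are hypothetical names standing in for ffplay's picture queue and libavutil's `av_image_copy_plane`; no real FFmpeg API is called.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical single-plane picture, standing in for the queued ffplay picture. */
typedef struct {
    uint8_t *data;
    int width, height, pix_fmt, linesize;
} Picture;

/* (Re)allocate storage for the given geometry; linesize == width here. */
static int pic_alloc(Picture *p, int width, int height, int pix_fmt) {
    uint8_t *buf = calloc((size_t)width * (size_t)height, 1);
    if (!buf)
        return -1;
    free(p->data);
    p->data = buf;
    p->width = width;
    p->height = height;
    p->pix_fmt = pix_fmt;
    p->linesize = width;
    return 0;
}

/* Row-by-row plane copy, like av_image_copy_plane in the backtrace: it trusts
 * the caller that dst really holds `height` rows of `bytewidth` bytes. With a
 * destination allocated for a smaller frame this is the invalid write. */
static void copy_plane(uint8_t *dst, int dst_linesize, const uint8_t *src,
                       int src_linesize, int bytewidth, int height) {
    for (int i = 0; i < height; i++) {
        memcpy(dst, src, (size_t)bytewidth);
        dst += dst_linesize;
        src += src_linesize;
    }
}

/* Guarded queue step: compare the decoded frame's geometry and pixel format
 * with what the queued picture was allocated for and reallocate on any
 * mismatch before copying. Returns 1 if reallocated, 0 if reused, -1 on
 * allocation failure (nothing is copied in that case). */
static int queue_frame(Picture *dst, const Picture *src) {
    int mismatch = !dst->data || dst->width != src->width ||
                   dst->height != src->height || dst->pix_fmt != src->pix_fmt;
    if (mismatch && pic_alloc(dst, src->width, src->height, src->pix_fmt) < 0)
        return -1;
    copy_plane(dst->data, dst->linesize, src->data, src->linesize,
               src->width, src->height);
    return mismatch;
}
```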

comment:4 by Carl Eugen Hoyos, 12 years ago

Resolution: fixed
Status: closed → reopened

I still get a crash with ffplay with current git master (but no invalid access with ffmpeg -f null), unfortunately without a useful backtrace...

==18325== Invalid write of size 1
==18325==    at 0x40245A7: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==18325==    by 0x8747A68: av_image_copy_plane (imgutils.c:239)
==18325==    by 0x8747C22: av_image_copy (imgutils.c:273)
==18325==    by 0x838356B: av_picture_copy (imgconvert.c:524)
==18325==    by 0x804F8EE: queue_picture (ffplay.c:1446)
==18325==    by 0x80506EF: video_thread (ffplay.c:1749)
==18325==    by 0x40543DA: (within /usr/lib/libSDL-1.2.so.0.11.1)
==18325==    by 0x40A22DC: (within /usr/lib/libSDL-1.2.so.0.11.1)
==18325==    by 0x40DE191: start_thread (in /lib/libpthread-2.6.1.so)
==18325==    by 0x420502D: clone (in /lib/libc-2.6.1.so)
==18325==  Address 0xA5460CF is not stack'd, malloc'd or (recently) free'd

comment:5 by Michael Niedermayer, 12 years ago

Can't reproduce any crash.

comment:6 by Carl Eugen Hoyos, 11 years ago

Keywords: leak added

I still get invalid reads and memleaks with this sample.

by Carl Eugen Hoyos, 11 years ago

Attachment: valgrind.log added

comment:7 by Michael Niedermayer, 11 years ago

The invalid reads look like valgrind bugs

comment:8 by Carl Eugen Hoyos, 11 years ago

Resolution: fixed
Status: reopened → closed

The invalid memory accesses with the fuzzed sample appear to be fixed, the memleaks are not reproducible with FFmpeg.
