Opened 7 years ago

Closed 6 years ago

#123 closed defect (fixed)

Fuzzed sample crashes ffplay

Reported by: cehoyos
Owned by: michael
Priority: normal
Component: ffplay
Version: git
Keywords: leak
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

The sample from ticket #74 now crashes ffplay; there is no useful backtrace, and valgrind shows some invalid reads.

$ valgrind ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
==14017== Memcheck, a memory error detector
==14017== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==14017== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==14017== Command: ./ffplay_g crash_pirateszz_2_s25_r003.fuzz.sample
==14017==
ffplay version git-N-29391-gd84f191, Copyright (c) 2003-2011 the FFmpeg developers
  built on Apr 26 2011 20:33:16 with gcc 4.5.2
  configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
  libavutil    51.  0. 0 / 51.  0. 0
  libavcodec   53.  1. 0 / 53.  1. 0
  libavformat  53.  0. 3 / 53.  0. 3
  libavdevice  53.  0. 0 / 53.  0. 0
  libavfilter   2.  0. 0 /  2.  0. 0
  libswscale    0. 13. 0 /  0. 13. 0

...

Input #0, mpegvideo, from 'crash_pirateszz_2_s25_r003.fuzz.sample':
  Duration: 00:00:08.35, bitrate: 9800 kb/s
    Stream #0.0: Video: mpeg2video (4:2:2), yuv420p, 720x4576 [PAR 4576:405 DAR 16:9], 9800 kb/s, 17.53 fps, 3.33 tbr, 1200k tbn, 6.66 tbc

...

==14017== Invalid read of size 1
==14017==    at 0x644C138: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292f is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C142: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292e is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C14B: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292d is not stack'd, malloc'd or (recently) free'd
==14017==
==14017== Invalid read of size 1
==14017==    at 0x644C154: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==14017==    by 0x85BC128: av_image_copy (imgutils.c:230)
==14017==  Address 0xf02292c is not stack'd, malloc'd or (recently) free'd
==14017==

Attachments (1)

valgrind.log (26.8 KB) - added by cehoyos 6 years ago.


Change History (9)

comment:1 Changed 7 years ago by michael

  • Status changed from new to open

I'd guess SDL bug, but I could be wrong.
mplayer crashes too:

==21084== Invalid write of size 8
==21084== at 0x4C2A33A: memcpy (mc_replace_strmem.c:635)
==21084== by 0x974550: av_image_copy (string3.h:52)
==21084== by 0x68E640: av_picture_copy (imgconvert.c:669)
==21084== by 0x437E2B: video_thread (ffplay.c:1404)
==21084== by 0x5129874: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
==21084== by 0x516C048: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
==21084== by 0x66E9D8B: start_thread (pthread_create.c:304)
==21084== by 0x69E704C: clone (clone.S:112)
==21084== Address 0xe618108 is not stack'd, malloc'd or (recently) free'd

comment:2 Changed 7 years ago by cehoyos

mplayer -vo sdl does not crash for me, but I was able to produce a backtrace with ffplay:

(gdb) r crash_pirateszz_2_s25_r003.fuzz.sample
ffplay version git-N-30584-gd58ed64, Copyright (c) 2003-2011 the FFmpeg developers
  built on Jun  7 2011 01:57:06 with gcc 4.5.3
  configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc --enable-gpl
  libavutil    51.  6. 1 / 51.  6. 1
  libavcodec   53.  6. 1 / 53.  6. 1
  libavformat  53.  2. 0 / 53.  2. 0
  libavdevice  53.  1. 1 / 53.  1. 1
  libavfilter   2. 14. 0 /  2. 14. 0
  libswscale    0. 14. 1 /  0. 14. 1
  libpostproc  51.  2. 0 / 51.  2. 0

...

[mpeg2video @ 0x13286c0] slice below image (57 >= 30)
[mpeg2video @ 0x13286c0] ignoring pic cod ext after 0
[mpeg2video @ 0x13286c0] slice below image (67 >= 30)
[mpeg2video @ 0x13286c0] warning: first frame is no keyframe
[mpeg2video @ 0x13286c0] slice mismatch
[mpeg2video @ 0x13286c0] invalid mb type in P Frame at 51 2
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 3
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 5
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 8
[mpeg2video @ 0x13286c0] ac-tex damaged at 14 9
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 16
[mpeg2video @ 0x13286c0] ac-tex damaged at 1 18
[mpeg2video @ 0x13286c0] ac-tex damaged at 0 20
[mpeg2video @ 0x13286c0] slice below image (53 >= 30)
[mpeg2video @ 0x13286c0] slice mismatch
[mpeg2video @ 0x13286c0] slice below image (70 >= 30)
[mpeg2video @ 0x13286c0] matrix damaged
[mpeg2video @ 0x13286c0] sequence header damaged
[mpeg2video @ 0x13286c0] Warning MVs not available
[mpeg2video @ 0x13286c0] concealing 9030 DC, 9030 AC, 9030 MV errors
   3.19 A-V:  0.000 s:0.2 aq=    0KB vq=   69KB sq=    0B f=0/8
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff43f4910 (LWP 8473)]
0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
#1  0x0000000000970e6f in av_image_copy_plane (height=151, bytewidth=720, src_linesize=4816,
    src=<value optimized out>, dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:238
#2  av_image_copy (height=151, bytewidth=720, src_linesize=4816, src=<value optimized out>,
    dst_linesize=720, dst=<value optimized out>) at libavutil/imgutils.c:271
#3  0x000000000066b931 in av_picture_copy (dst=<value optimized out>, src=<value optimized out>,
    pix_fmt=<value optimized out>, width=<value optimized out>, height=<value optimized out>)
    at libavcodec/imgconvert.c:669
#4  0x000000000040961b in queue_picture (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840,
    is=0x7ffff4bf6040) at ffplay.c:1403
#5  video_thread (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840, is=0x7ffff4bf6040)
    at ffplay.c:1790
#6  0x00007ffff766a3b5 in ?? () from /usr/lib64/libSDL-1.2.so.0
#7  0x00007ffff76ad539 in ?? () from /usr/lib64/libSDL-1.2.so.0
#8  0x00007ffff744065d in start_thread () from /lib64/libpthread.so.0
#9  0x00007ffff6b35ecd in clone () from /lib64/libc.so.6
#10 0x0000000000000000 in ?? ()
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7ffff6ae4702 to 0x7ffff6ae4742:
0x00007ffff6ae4702 <memcpy+178>:        nopw   %cs:0x0(%rax,%rax,1)
0x00007ffff6ae4710 <memcpy+192>:        cmp    $0x400,%rdx
0x00007ffff6ae4717 <memcpy+199>:        ja     0x7ffff6ae4790 <memcpy+320>
0x00007ffff6ae4719 <memcpy+201>:        mov    %edx,%ecx
0x00007ffff6ae471b <memcpy+203>:        shr    $0x5,%ecx
0x00007ffff6ae471e <memcpy+206>:        je     0x7ffff6ae4780 <memcpy+304>
0x00007ffff6ae4720 <memcpy+208>:        dec    %ecx
0x00007ffff6ae4722 <memcpy+210>:        mov    (%rsi),%rax
0x00007ffff6ae4725 <memcpy+213>:        mov    0x8(%rsi),%r8
0x00007ffff6ae4729 <memcpy+217>:        mov    0x10(%rsi),%r9
0x00007ffff6ae472d <memcpy+221>:        mov    0x18(%rsi),%r10
0x00007ffff6ae4731 <memcpy+225>:        mov    %rax,(%rdi)
0x00007ffff6ae4734 <memcpy+228>:        mov    %r8,0x8(%rdi)
0x00007ffff6ae4738 <memcpy+232>:        mov    %r9,0x10(%rdi)
0x00007ffff6ae473c <memcpy+236>:        mov    %r10,0x18(%rdi)
0x00007ffff6ae4740 <memcpy+240>:        lea    0x20(%rsi),%rsi
End of assembler dump.
(gdb) info register
rax            0x7ffff1c00d50   140737249283408
rbx            0x2d0    720
rcx            0x15     21
rdx            0x2d0    720
rsi            0x7fffec1f3d90   140737154858384
rdi            0x7ffff1c00d50   140737249283408
rbp            0x96     0x96
rsp            0x7ffff43f3e88   0x7ffff43f3e88
r8             0x0      0
r9             0x0      0
r10            0x0      0
r11            0x2d0    720
r12            0x7fffec1f5060   140737154863200
r13            0x7ffff1c01020   140737249284128
r14            0x12d0   4816
r15            0x2d0    720
rip            0x7ffff6ae4722   0x7ffff6ae4722 <memcpy+210>
eflags         0x10203  [ CF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

comment:3 Changed 6 years ago by cus

  • Resolution set to fixed
  • Status changed from open to closed

Fixed in latest git master. Crash was caused by changing resolution and pixel format.
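As an added example (not FFmpeg code), a small model of the guard the fix above implies: the ffplay picture queue must notice that a decoded frame's resolution or pixel format no longer matches what the destination picture was allocated for, and reallocate before copying, otherwise the row-wise copy seen in frame #1 of the backtrace runs past the destination buffer. All names are hypothetical; the 720x151 geometry is taken from that backtrace, the 32-byte stride padding is a constructed choice.

```c
/* Added example, not FFmpeg code: models the queue_picture() step from the
 * backtrace above. Copying height*bytewidth bytes into a picture allocated for
 * a previous resolution overruns it; geometry_changed() prevents that. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One luma plane for brevity; pix_fmt is a hypothetical format id. */
typedef struct { uint8_t *data; int linesize, width, height, pix_fmt; } Picture;

static int picture_alloc(Picture *p, int w, int h, int fmt)
{   /* constructed choice: row stride padded to 32 bytes */
    size_t stride = ((size_t)w + 31) & ~(size_t)31;
    uint8_t *buf = calloc(stride, (size_t)h);
    if (!buf) return -1;
    free(p->data);
    *p = (Picture){ buf, (int)stride, w, h, fmt };
    return 0;
}

/* 1 when dst was allocated for a different frame and must be reallocated. */
static int geometry_changed(const Picture *dst, const Picture *src)
{
    return !dst->data || dst->width != src->width ||
           dst->height != src->height || dst->pix_fmt != src->pix_fmt;
}

static int queue_picture(Picture *dst, const Picture *src)
{
    if (geometry_changed(dst, src) &&
        picture_alloc(dst, src->width, src->height, src->pix_fmt) < 0)
        return -1;
    for (int y = 0; y < src->height; y++)   /* row-wise, like av_image_copy_plane */
        memcpy(dst->data + (size_t)y * dst->linesize,
               src->data + (size_t)y * src->linesize, (size_t)src->width);
    return 0;
}

/* Constructed scenario: a 64x8 frame, then a 720x151 frame into the same
 * destination. Returns 0 when the second frame lands intact. */
static int demo_resolution_change(void)
{
    Picture src = {0}, dst = {0};
    int rc = -1;
    if (picture_alloc(&src, 64, 8, 1) || queue_picture(&dst, &src)) goto out;
    if (picture_alloc(&src, 720, 151, 1)) goto out;
    memset(src.data, 0xCD, (size_t)src.linesize * src.height);
    if (!geometry_changed(&dst, &src) || queue_picture(&dst, &src)) goto out;
    rc = (dst.width == 720 && dst.height == 151 &&
          dst.data[(size_t)dst.linesize * 150 + 719] == 0xCD) ? 0 : -2;
out:
    free(src.data); free(dst.data);
    return rc;
}
```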

comment:4 Changed 6 years ago by cehoyos

  • Resolution fixed deleted
  • Status changed from closed to reopened

I still get a crash with ffplay with current git master (but no invalid access with ffmpeg -f null), unfortunately without a useful backtrace...

==18325== Invalid write of size 1
==18325==    at 0x40245A7: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==18325==    by 0x8747A68: av_image_copy_plane (imgutils.c:239)
==18325==    by 0x8747C22: av_image_copy (imgutils.c:273)
==18325==    by 0x838356B: av_picture_copy (imgconvert.c:524)
==18325==    by 0x804F8EE: queue_picture (ffplay.c:1446)
==18325==    by 0x80506EF: video_thread (ffplay.c:1749)
==18325==    by 0x40543DA: (within /usr/lib/libSDL-1.2.so.0.11.1)
==18325==    by 0x40A22DC: (within /usr/lib/libSDL-1.2.so.0.11.1)
==18325==    by 0x40DE191: start_thread (in /lib/libpthread-2.6.1.so)
==18325==    by 0x420502D: clone (in /lib/libc-2.6.1.so)
==18325==  Address 0xA5460CF is not stack'd, malloc'd or (recently) free'd

comment:5 Changed 6 years ago by michael

Can't reproduce any crash.

comment:6 Changed 6 years ago by cehoyos

  • Keywords leak added

I still get invalid reads and memleaks with this sample.

Changed 6 years ago by cehoyos

comment:7 Changed 6 years ago by michael

The invalid reads look like valgrind bugs.

comment:8 Changed 6 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from reopened to closed

The invalid memory accesses with the fuzzed sample appear to be fixed; the memleaks are not reproducible with FFmpeg.
