Opened 3 years ago

Closed 3 years ago

#2848 closed defect (fixed)

jpeg2000: invalid write

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: j2k crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

root@Microknoppix:/media/sdb1# valgrind --leak-check=full ffmpeg/ffmpeg_g -i ./fuzzed4.avi -f null -
==4552== Memcheck, a memory error detector
==4552== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==4552== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==4552== Command: ffmpeg/ffmpeg_g -i ./fuzzed4.avi -f null -
==4552== 
ffmpeg version 2.0 Copyright (c) 2000-2013 the FFmpeg developers
  built on Aug  6 2013 21:17:38 with gcc 4.7 (Debian 4.7.2-4)
  configuration: --enable-gpl --disable-yasm --disable-ffprobe --disable-ffserver
  libavutil      52. 40.100 / 52. 40.100
  libavcodec     55. 20.100 / 55. 20.100
  libavformat    55. 13.101 / 55. 13.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.100 /  3. 82.100
  libswscale      2.  4.100 /  2.  4.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, avi, from './fuzzed4.avi':
  Duration: 00:00:05.96, start: 0.000000, bitrate: 320 kb/s
    Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0) (MJ2C / 0x43324A4D), rgb24, 192x128, 24 fps, 24 tbr, 24 tbn, 24 tbc
    Stream #0:1: Audio: mp1 (U[0][0][0] / 0x0055), 11025 Hz, mono, s16p, 7 kb/s
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.13.101
    Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 192x128, q=2-31, 200 kb/s, 90k tbn, 24 tbc
    Stream #0:1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
  Stream #0:1 -> #0:1 (mp1 -> pcm_s16le)
Press [q] to stop, [?] for help
[null @ 0x442bb00] Encoder did not produce proper pts, making some up.
[jpeg2000 @ 0x43144e0] unsupported marker 0xFF71 at pos 0x2
[jpeg2000 @ 0x43144e0] error during processing marker segment ff90
Error while decoding stream #0:0: Invalid data found when processing input
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x8506A84: jpeg2000_decode_tile (common.h:105)
==4552==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x8506A8C: jpeg2000_decode_tile (common.h:105)
==4552==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
    Last message repeated 1 times
Input stream #0:0 frame changed from size:192x128 fmt:rgb24 to size:190x128 fmt:rgb24
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x88086F2: hScale16To15_c (swscale.c:108)
==4552==    by 0x8809500: swScale (swscale.c:264)
==4552==    by 0x880B7BE: sws_scale (swscale.c:1074)
==4552==    by 0x8102631: filter_frame (vf_scale.c:389)
==4552==    by 0x80C8518: ff_filter_frame_framed (avfilter.c:1051)
==4552==    by 0x80C8938: default_filter_frame (avfilter.c:1125)
==4552==    by 0x80C8518: ff_filter_frame_framed (avfilter.c:1051)
==4552==    by 0x80CA6E0: ff_filter_frame (avfilter.c:1125)
==4552==    by 0x80CED4A: request_frame (buffersrc.c:491)
==4552==    by 0x80CEFB3: av_buffersrc_add_frame_internal (buffersrc.c:170)
==4552==    by 0x80CF1B4: av_buffersrc_add_frame_flags (buffersrc.c:107)
==4552==    by 0x80B3079: decode_video (ffmpeg.c:1729)
==4552== 
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x88086F2: hScale16To15_c (swscale.c:108)
==4552==    by 0x8809984: swScale (swscale.c:318)
==4552==    by 0x29F: ???
==4552== 
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x88086F2: hScale16To15_c (swscale.c:108)
==4552==    by 0x88099C9: swScale (swscale.c:319)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x8826062: yuv2rgb24_1_c (output.c:1357)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x882607B: yuv2rgb24_1_c (output.c:1358)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x8826082: yuv2rgb24_1_c (output.c:1358)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x88260AB: yuv2rgb24_1_c (output.c:1173)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x88260B1: yuv2rgb24_1_c (output.c:1174)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x88260B8: yuv2rgb24_1_c (output.c:1175)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x88260C0: yuv2rgb24_1_c (output.c:1176)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x88260C7: yuv2rgb24_1_c (output.c:1177)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x88260CE: yuv2rgb24_1_c (output.c:1178)
==4552==    by 0x8809BF6: swScale (swscale.c:646)
==4552==    by 0x29F: ???
==4552== 
Input stream #0:0 frame changed from size:190x128 fmt:rgb24 to size:192x128 fmt:rgb24
[jpeg2000 @ 0x43144e0] Block with lengthinc greater than 8192 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[jpeg2000 @ 0x43144e0] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/MPlayer/incoming/ and contact the ffmpeg-devel mailing list.
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
[jpeg2000 @ 0x43144e0] cblk size invalid
[jpeg2000 @ 0x43144e0] error during processing marker segment ff52
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] cblk size invalid
[jpeg2000 @ 0x43144e0] error during processing marker segment ff52
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] error during processing marker segment ff5c
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] unsupported marker 0xBF5C at pos 0x41
[jpeg2000 @ 0x43144e0] error during processing marker segment ff51
Error while decoding stream #0:0: Invalid argument
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] Support for 8 components is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[jpeg2000 @ 0x43144e0] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/MPlayer/incoming/ and contact the ffmpeg-devel mailing list.
[jpeg2000 @ 0x43144e0] error during processing marker segment ff90
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
Error while decoding stream #0:0: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] error during processing marker segment ff51
Error while decoding stream #0:0: Invalid argument
[jpeg2000 @ 0x43144e0] cblk size invalid
[jpeg2000 @ 0x43144e0] error during processing marker segment ff52
Error while decoding stream #0:0: Invalid data found when processing input
[mp1 @ 0x4315200] Header missing
Error while decoding stream #0:1: Invalid data found when processing input
[jpeg2000 @ 0x43144e0] [IMGUTILS @ 0xbe8dd2c4] Picture size 192x0 is invalid
[jpeg2000 @ 0x43144e0] video_get_buffer: image parameters invalid
[jpeg2000 @ 0x43144e0] get_buffer() failed
[jpeg2000 @ 0x43144e0] thread_get_buffer() failed
Error while decoding stream #0:0: Invalid argument
[jpeg2000 @ 0x43144e0] Support for 3 components is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[jpeg2000 @ 0x43144e0] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/MPlayer/incoming/ and contact the ffmpeg-devel mailing list.
[jpeg2000 @ 0x43144e0] error during processing marker segment ff51
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
[jpeg2000 @ 0x43144e0] [IMGUTILS @ 0xbe8dd2c4] Picture size 192x2097280 is invalid
[jpeg2000 @ 0x43144e0] video_get_buffer: image parameters invalid
[jpeg2000 @ 0x43144e0] get_buffer() failed
[jpeg2000 @ 0x43144e0] thread_get_buffer() failed
Error while decoding stream #0:0: Invalid argument
Error while decoding stream #0:0: Invalid data found when processing input
==4552== Invalid write of size 1
==4552==    at 0x8506A99: jpeg2000_decode_tile (jpeg2000dec.c:1274)
==4552==    by 0x850929B: jpeg2000_decode_frame (jpeg2000dec.c:1626)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552==  Address 0x4efed9f is 0 bytes after a block of size 17,951 alloc'd
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x8858647: av_malloc (mem.c:93)
==4552==    by 0x884B122: av_buffer_allocz (buffer.c:70)
==4552==    by 0x884B708: av_buffer_pool_get (buffer.c:305)
==4552==    by 0x866DF54: video_get_buffer (utils.c:574)
==4552==    by 0x866F7D0: get_buffer_internal (utils.c:864)
==4552==    by 0x866FD63: ff_get_buffer (utils.c:876)
==4552==    by 0x85C89A1: ff_thread_get_buffer (pthread.c:934)
==4552==    by 0x850872B: jpeg2000_decode_frame (jpeg2000dec.c:1617)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552== 
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x8505252: ff_jpeg2000_cleanup (jpeg2000.c:509)
==4552==    by 0x85099DB: jpeg2000_decode_frame (jpeg2000dec.c:1351)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== Conditional jump or move depends on uninitialised value(s)
==4552==    at 0x8505274: ff_jpeg2000_cleanup (jpeg2000.c:511)
==4552==    by 0x85099DB: jpeg2000_decode_frame (jpeg2000dec.c:1351)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== Use of uninitialised value of size 4
==4552==    at 0x8505287: ff_jpeg2000_cleanup (jpeg2000.c:512)
==4552==    by 0x85099DB: jpeg2000_decode_frame (jpeg2000dec.c:1351)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== Invalid read of size 4
==4552==    at 0x8505287: ff_jpeg2000_cleanup (jpeg2000.c:512)
==4552==    by 0x85099DB: jpeg2000_decode_frame (jpeg2000dec.c:1351)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552==  Address 0x80808094 is not stack'd, malloc'd or (recently) free'd
==4552== 
==4552== 
==4552== Process terminating with default action of signal 11 (SIGSEGV)
==4552==  Access not within mapped region at address 0x80808094
==4552==    at 0x8505287: ff_jpeg2000_cleanup (jpeg2000.c:512)
==4552==    by 0x85099DB: jpeg2000_decode_frame (jpeg2000dec.c:1351)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552==  If you believe this happened as a result of a stack
==4552==  overflow in your program's main thread (unlikely but
==4552==  possible), you can try to increase the size of the
==4552==  main thread stack using the --main-stacksize= flag.
==4552==  The main thread stack size used in this run was 8388608.
==4552== 
==4552== HEAP SUMMARY:
==4552==     in use at exit: 1,005,797 bytes in 484 blocks
==4552==   total heap usage: 21,433 allocs, 20,949 frees, 40,442,607 bytes allocated
==4552== 
==4552== 8 bytes in 1 blocks are definitely lost in loss record 49 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x88588B7: av_mallocz (mem.c:93)
==4552==    by 0x8503786: ff_jpeg2000_tag_tree_init (mem.h:197)
==4552==    by 0x8504902: ff_jpeg2000_init_component (jpeg2000.c:416)
==4552==    by 0x850890E: jpeg2000_decode_frame (jpeg2000dec.c:673)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== 8 bytes in 1 blocks are definitely lost in loss record 50 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x88588B7: av_mallocz (mem.c:93)
==4552==    by 0x8503786: ff_jpeg2000_tag_tree_init (mem.h:197)
==4552==    by 0x850491A: ff_jpeg2000_init_component (jpeg2000.c:422)
==4552==    by 0x850890E: jpeg2000_decode_frame (jpeg2000dec.c:673)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== 44 (24 direct, 20 indirect) bytes in 1 blocks are definitely lost in loss record 97 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x88588B7: av_mallocz (mem.c:93)
==4552==    by 0x884B144: av_buffer_allocz (buffer.c:34)
==4552==    by 0x884B708: av_buffer_pool_get (buffer.c:305)
==4552==    by 0x866DFC4: video_get_buffer (utils.c:574)
==4552==    by 0x866F7D0: get_buffer_internal (utils.c:864)
==4552==    by 0x866FD63: ff_get_buffer (utils.c:876)
==4552==    by 0x85C89A1: ff_thread_get_buffer (pthread.c:934)
==4552==    by 0x850872B: jpeg2000_decode_frame (jpeg2000dec.c:1617)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552== 
==4552== 9,412 bytes in 1 blocks are definitely lost in loss record 182 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x88588B7: av_mallocz (mem.c:93)
==4552==    by 0x8504949: ff_jpeg2000_init_component (mem.h:197)
==4552==    by 0x850890E: jpeg2000_decode_frame (jpeg2000dec.c:673)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== 9,452 (24 direct, 9,428 indirect) bytes in 1 blocks are definitely lost in loss record 183 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x8858647: av_malloc (mem.c:93)
==4552==    by 0x85047A4: ff_jpeg2000_init_component (mem.h:98)
==4552==    by 0x850890E: jpeg2000_decode_frame (jpeg2000dec.c:673)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== 17,951 bytes in 1 blocks are possibly lost in loss record 186 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x8858647: av_malloc (mem.c:93)
==4552==    by 0x884B122: av_buffer_allocz (buffer.c:70)
==4552==    by 0x884B708: av_buffer_pool_get (buffer.c:305)
==4552==    by 0x866DFC4: video_get_buffer (utils.c:574)
==4552==    by 0x866F7D0: get_buffer_internal (utils.c:864)
==4552==    by 0x866FD63: ff_get_buffer (utils.c:876)
==4552==    by 0x85C89A1: ff_thread_get_buffer (pthread.c:934)
==4552==    by 0x850872B: jpeg2000_decode_frame (jpeg2000dec.c:1617)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552== 
==4552== 28,236 bytes in 2 blocks are possibly lost in loss record 187 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x88588B7: av_mallocz (mem.c:93)
==4552==    by 0x8504949: ff_jpeg2000_init_component (mem.h:197)
==4552==    by 0x850890E: jpeg2000_decode_frame (jpeg2000dec.c:673)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== 104,404 (312 direct, 104,092 indirect) bytes in 5 blocks are definitely lost in loss record 191 of 194
==4552==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==4552==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==4552==    by 0x8858647: av_malloc (mem.c:93)
==4552==    by 0x85044CC: ff_jpeg2000_init_component (mem.h:98)
==4552==    by 0x850890E: jpeg2000_decode_frame (jpeg2000dec.c:673)
==4552==    by 0x8671B0D: avcodec_decode_video2 (utils.c:1986)
==4552==    by 0x80B2CDC: decode_video (ffmpeg.c:1653)
==4552==    by 0x44FFFFF: ???
==4552== 
==4552== LEAK SUMMARY:
==4552==    definitely lost: 9,788 bytes in 10 blocks
==4552==    indirectly lost: 113,540 bytes in 47 blocks
==4552==      possibly lost: 46,187 bytes in 3 blocks
==4552==    still reachable: 836,282 bytes in 424 blocks
==4552==         suppressed: 0 bytes in 0 blocks
==4552== Reachable blocks (those to which a pointer was found) are not shown.
==4552== To see them, rerun with: --leak-check=full --show-reachable=yes
==4552== 
==4552== For counts of detected and suppressed errors, rerun with: -v
==4552== Use --track-origins=yes to see where uninitialised values come from
==4552== ERROR SUMMARY: 72157 errors from 27 contexts (suppressed: 23 from 6)
Segmentation fault
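The security-relevant part of the trace above is the "Invalid write of size 1" at jpeg2000_decode_tile (jpeg2000dec.c:1274), landing 0 bytes after the 17,951-byte frame buffer that ff_thread_get_buffer handed to jpeg2000_decode_frame. It follows a run of dimension changes the decoder accepted or rejected from the fuzzed codestream (192x128, then 190x128, then 192x0 and 192x2097280 refused by the IMGUTILS size check), so the tile writer ended up one byte past a buffer sized for a different geometry; the later SIGSEGV in ff_jpeg2000_cleanup on the uninitialised pointer 0x80808094 is fallout from the corrupted state. The ticket does not record the root cause or the fix, so the following is an added, hypothetical model of that bug class and not libavcodec's code: a tile writer that trusts the codestream-declared tile rectangle, shown next to the bounds check that refuses a tile before touching memory. All names (Frame, TileRect, model_overrun, model_write) are invented; the geometries in main() are the ones the log prints.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, reduced model of the bug class visible in the valgrind trace:
 * the tile writer takes its rectangle from the codestream while the destination
 * buffer was sized for the dimensions the caller allocated. This is NOT
 * libavcodec's jpeg2000dec.c and makes no claim about the fix for #2848. */

typedef struct {
    int width, height;   /* dimensions the buffer was allocated for */
    int ncomp;           /* interleaved samples per pixel (rgb24 -> 3) */
    int linesize;        /* bytes per row */
    size_t size;         /* total bytes in data */
    uint8_t *data;
} Frame;

typedef struct {
    int x0, y0, x1, y1;  /* half-open tile rectangle as declared by the codestream */
} TileRect;

static int frame_alloc(Frame *f, int w, int h, int ncomp)
{
    if (w <= 0 || h <= 0 || ncomp <= 0 || w > INT_MAX / ncomp ||
        h > INT_MAX / (w * ncomp))
        return -1;
    f->width = w; f->height = h; f->ncomp = ncomp;
    f->linesize = w * ncomp;
    f->size = (size_t)f->linesize * (size_t)h;
    f->data = calloc(f->size, 1);
    return f->data ? 0 : -1;
}

/* Unchecked-writer model: how many bytes past the end of the buffer the last
 * sample of the tile would land if the declared rectangle were trusted as-is.
 * Computed arithmetically, nothing is written, so the model is safe to run.
 * Returns 0 when the tile fits and -1 for a degenerate rectangle. */
static long tile_overrun_bytes(const Frame *f, const TileRect *t)
{
    if (t->x0 < 0 || t->y0 < 0 || t->x1 <= t->x0 || t->y1 <= t->y0)
        return -1;
    long last = (long)(t->y1 - 1) * f->linesize +
                (long)(t->x1 - 1) * f->ncomp + (f->ncomp - 1);
    long over = last + 1 - (long)f->size;
    return over > 0 ? over : 0;
}

/* Hardened check: the tile must lie inside the frame the buffer was sized for. */
static int tile_fits_frame(const Frame *f, const TileRect *t)
{
    return t->x0 >= 0 && t->y0 >= 0 && t->x1 > t->x0 && t->y1 > t->y0 &&
           t->x1 <= f->width && t->y1 <= f->height;
}

/* Decode-like step: fills every pixel of the tile with v, but only after the
 * bounds check passes. Returns 0 on success, -1 for invalid data. */
static int write_tile_checked(Frame *f, const TileRect *t, uint8_t v)
{
    if (!tile_fits_frame(f, t))
        return -1;
    for (int y = t->y0; y < t->y1; y++)
        memset(f->data + (size_t)y * f->linesize + (size_t)t->x0 * f->ncomp,
               v, (size_t)(t->x1 - t->x0) * f->ncomp);
    return 0;
}

/* Overrun of an unchecked writer for a frame allocated at fw x fh and a tile
 * declared as [0,tx1) x [0,ty1). -2 means the frame itself could not be built. */
long model_overrun(int fw, int fh, int ncomp, int tx1, int ty1)
{
    Frame f;
    TileRect t = { 0, 0, tx1, ty1 };
    if (frame_alloc(&f, fw, fh, ncomp) < 0)
        return -2;
    long r = tile_overrun_bytes(&f, &t);
    free(f.data);
    return r;
}

/* Result of the checked writer for the same geometry (0 written, -1 rejected). */
int model_write(int fw, int fh, int ncomp, int tx1, int ty1)
{
    Frame f;
    TileRect t = { 0, 0, tx1, ty1 };
    if (frame_alloc(&f, fw, fh, ncomp) < 0)
        return -2;
    int rc = write_tile_checked(&f, &t, 0x80);
    free(f.data);
    return rc;
}

int main(void)
{
    /* Geometries from the ticket's log: stream header says 192x128 rgb24, the
     * decoder later announces 190x128, and a 192x0 picture is refused. */
    printf("192x128 frame, 192x128 tile: overrun %ld, checked rc %d\n",
           model_overrun(192, 128, 3, 192, 128), model_write(192, 128, 3, 192, 128));
    printf("190x128 frame, 192x128 tile: overrun %ld, checked rc %d\n",
           model_overrun(190, 128, 3, 192, 128), model_write(190, 128, 3, 192, 128));
    printf("192x128 frame, 192x0 tile:   overrun %ld, checked rc %d\n",
           model_overrun(192, 128, 3, 192, 0), model_write(192, 128, 3, 192, 0));
    return 0;
}
```

The 190x128 frame with a 192-wide tile is the interesting case: the last row spills exactly 2 pixels (6 bytes) past the end, the same shape as the trace's write at "0 bytes after a block". The check belongs where the tile rectangle is read from the codestream, before any get_buffer result is dereferenced, and any later size change must either reallocate the frame or fail with invalid data rather than reuse the old buffer.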

Attachments (1)

fuzzed4.avi (233.0 KB) - added by ami_stuff 3 years ago.


Change History (3)

Changed 3 years ago by ami_stuff

comment:1 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords j2k crash added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:2 Changed 3 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed