Opened 3 years ago

Closed 3 years ago

#2850 closed defect (fixed)

ffplay: invalid write with fuzzed rpza

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: rpza
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

knoppix@Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-d4db7c3/ffplay_gGNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg-HEAD-d4db7c3/ffplay_g...done.
(gdb) r -i fuzzed6.mov -an
Starting program: /media/sdb1/ffmpeg-HEAD-d4db7c3/ffplay_g -i fuzzed6.mov -an
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffplay version 2.0-d4db7c3 Copyright (c) 2003-2013 the FFmpeg developers
  built on Aug 10 2013 08:08:58 with gcc 4.7 (Debian 4.7.2-4)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 41.100 / 52. 41.100
  libavcodec     55. 24.100 / 55. 24.100
  libavformat    55. 13.102 / 55. 13.102
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.100 /  3. 82.100
  libswscale      2.  4.100 /  2.  4.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
[New Thread 0xb73fdb70 (LWP 2918)]
[New Thread 0xb67c1b70 (LWP 2919)]
[New Thread 0xb5ec0b70 (LWP 2920)]
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'fuzzed6.mov':   0B f=0/0   
  Metadata:
    major_brand     : qt  
    minor_version   : 537199360
    compatible_brands: qt  
    creation_time   : 2012-03-24 21:02:22
  Duration: 00:00:05.96, start: 0.000000, bitrate: 903 kb/s
    Stream #0:0(eng): Video: rpza (rpza / 0x617A7072), rgb555le, 189x127, 901 kb/s, 24 fps, 24 tbr, 1000k tbn, 1000k tbc
    Metadata:
      creation_time   : 2012-03-24 21:02:22
      handler_name    : Procedura obs�ugi skr�t�w danych Apple
[New Thread 0xb56c0b70 (LWP 2921)]
[rpza @ 0x90f8f00] Unknown opcode 255 in rpza chunk. Skip remaining 1600 bytes of chunk data.
[rpza @ 0x90f8f00] warning: block counter just went negative (this should not happen)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb56c0b70 (LWP 2921)]
0x080bbf73 in ff_request_frame (link=0x912afe0) at libavfilter/avfilter.c:335
335	        if (link->srcpad->request_frame)
(gdb) bt
#0  0x080bbf73 in ff_request_frame (link=0x912afe0)
    at libavfilter/avfilter.c:335
#1  0x080bbffb in ff_request_frame (link=0x9114fc0)
    at libavfilter/avfilter.c:338
#2  0x080bbffb in ff_request_frame (link=link@entry=0x912af00)
    at libavfilter/avfilter.c:338
#3  0x080c1066 in av_buffersink_get_frame_flags (ctx=ctx@entry=0x91160a0, 
    frame=0x9114720, flags=0, flags@entry=127) at libavfilter/buffersink.c:138
#4  0x080a9e08 in video_thread (arg=0xb5ec1020) at ffplay.c:1957
#5  0xb7e004c1 in ?? () from /usr/lib/i386-linux-gnu/libSDL-1.2.so.0
#6  0xb7e49d3b in ?? () from /usr/lib/i386-linux-gnu/libSDL-1.2.so.0
#7  0xb7dda954 in start_thread (arg=0xb56c0b70) at pthread_create.c:304
#8  0xb7d5b95e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
(gdb) 
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-d4db7c3/ffplay_g fuzzed6.mov -t 10 -an -autoexit
==8682== Memcheck, a memory error detector
==8682== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==8682== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==8682== Command: ffmpeg-HEAD-d4db7c3/ffplay_g fuzzed6.mov -t 10 -an -autoexit
==8682== 
ffplay version 2.0-d4db7c3 Copyright (c) 2003-2013 the FFmpeg developers
  built on Aug 10 2013 08:08:58 with gcc 4.7 (Debian 4.7.2-4)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 41.100 / 52. 41.100
  libavcodec     55. 24.100 / 55. 24.100
  libavformat    55. 13.102 / 55. 13.102
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.100 /  3. 82.100
  libswscale      2.  4.100 /  2.  4.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'fuzzed6.mov':   0B f=0/0   
  Metadata:
    major_brand     : qt  
    minor_version   : 537199360
    compatible_brands: qt  
    creation_time   : 2012-03-24 21:02:22
  Duration: 00:00:05.96, start: 0.000000, bitrate: 903 kb/s
    Stream #0:0(eng): Video: rpza (rpza / 0x617A7072), rgb555le, 189x127, 901 kb, 24 fps, 24 tbr, 1000k tbn, 1000k tbcKB vq=    0KB sq=    0B f=0/0   
    Metadata:
      creation_time   : 2012-03-24 21:02:22
      handler_name    : Procedura obs�ugi skr�t�w danych Apple
[rpza @ 0x4ff0720] Unknown opcode 255 in rpza chunk. Skip remaining 1600 bytes of chunk data.
==8682== Thread 5:4 fd=   0 aq=    0KB vq=   12KB sq=    0B f=0/0   
==8682== Invalid write of size 2
==8682==    at 0x85E2F53: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de0 is 8 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F57: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de2 is 6 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F5C: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de4 is 4 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F61: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de6 is 2 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F81: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e0 is 8 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F85: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e2 is 10 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F8A: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e4 is 12 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2F8F: rpza_decode_frame (rpza.c:147)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e6 is 14 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] Unknown opcode 243 in rpza chunk. Skip remaining 1402 bytes of chunk data.
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] Unknown opcode 228 in rpza chunk. Skip remaining 2511 bytes of chunk data.
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] Unknown opcode 240 in rpza chunk. Skip remaining 1633 bytes of chunk data.
[rpza @ 0x4ff0720] Unknown opcode 231 in rpza chunk. Skip remaining 2568 bytes of chunk data.
==8682== Invalid write of size 2   0KB vq=   23KB sq=    0B f=0/0   
==8682==    at 0x85E2CD9: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de0 is 8 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2CF3: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de2 is 6 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2D00: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de4 is 4 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2D0D: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x5005de6 is 2 bytes before a block of size 8 free'd
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x80C7A0F: ff_all_formats (formats.c:346)
==8682==    by 0x80BD70A: filter_query_formats (avfiltergraph.c:328)
==8682==    by 0x80BD8C2: query_formats (avfiltergraph.c:434)
==8682==    by 0x80BEB08: avfilter_graph_config (avfiltergraph.c:1063)
==8682==    by 0x80A4B6F: configure_filtergraph (ffplay.c:1755)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2D97: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e0 is 8 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2DB1: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e2 is 10 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2DBE: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e4 is 12 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
==8682== Invalid write of size 2
==8682==    at 0x85E2DCB: rpza_decode_frame (rpza.c:196)
==8682==    by 0x86661DD: avcodec_decode_video2 (utils.c:1982)
==8682==    by 0x80A9593: video_thread (ffplay.c:1675)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x50060e6 is 14 bytes inside a block of size 20 free'd
==8682==    at 0x402750C: free (vg_replace_malloc.c:427)
==8682==    by 0x4439D6A: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41F6FF3: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682== 
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] warning: block counter just went negative (this should not happen)
[rpza @ 0x4ff0720] Unknown opcode 248 in rpza chunk. Skip remaining 560 bytes of chunk data.
[rpza @ 0x4ff0720] First chunk byte is 0xa1 instead of 0xe1 f=0/0   
[rpza @ 0x4ff0720] Unknown opcode 227 in rpza chunk. Skip remaining 3919 bytes of chunk data.
[rpza @ 0x4ff0720] Unknown opcode 228 in rpza chunk. Skip remaining 2215 bytes of chunk data.
[rpza @ 0x4ff0720] Unknown opcode 234 in rpza chunk. Skip remaining 3113 bytes of chunk data.
[rpza @ 0x4ff0720] MOV chunk size != encoded chunk size; using MOV chunk size
[rpza @ 0x4ff0720] Unknown opcode 250 in rpza chunk. Skip remaining 2752 bytes of chunk data.
==8682== Invalid read of size 4    0KB vq=    0KB sq=    0B f=0/0   
==8682==    at 0x422AE5D: pthread_mutex_lock (pthread_mutex_lock.c:50)
==8682==    by 0x80CAB77: ff_graph_thread_free (pthread.c:99)
==8682==    by 0x80BE5ED: avfilter_graph_free (avfiltergraph.c:116)
==8682==    by 0x80A94D4: video_thread (ffplay.c:1985)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682==  Address 0x144250c is not stack'd, malloc'd or (recently) free'd
==8682== 
[xcb] Unknown sequence number while processing queue
[xcb] Most likely this is a multi-threaded client and XInitThreads has not been called
[xcb] Aborting, sorry about that.
ffplay_g: ../../src/xcb_io.c:274: poll_for_event: Assertion `!xcb_xlib_threads_sequence_lost' failed.
==8682== 
==8682== HEAP SUMMARY:
==8682==     in use at exit: 1,496,408 bytes in 787 blocks
==8682==   total heap usage: 18,902 allocs, 18,115 frees, 11,428,777 bytes allocated
==8682== 
==8682== Thread 1:
==8682== 1 bytes in 1 blocks are definitely lost in loss record 1 of 304
==8682==    at 0x4028308: malloc (vg_replace_malloc.c:263)
==8682==    by 0x443D583: _XlcDefaultMapModifiers (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443D9CA: XSetLocaleModifiers (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41C844D: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41B620B: SDL_VideoInit (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x418CF81: SDL_InitSubSystem (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x4252E15: (below main) (libc-start.c:228)
==8682== 
==8682== 8 bytes in 1 blocks are definitely lost in loss record 33 of 304
==8682==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==8682==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==8682==    by 0x884D097: av_mallocz (mem.c:93)
==8682==    by 0x80BE515: avfilter_graph_alloc (avfiltergraph.c:83)
==8682==    by 0x80A983B: video_thread (ffplay.c:1930)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682== 
==8682== 18 bytes in 2 blocks are definitely lost in loss record 79 of 304
==8682==    at 0x4028308: malloc (vg_replace_malloc.c:263)
==8682==    by 0x42B49FF: strdup (strdup.c:43)
==8682==    by 0x444D069: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x444D64D: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x444E187: _XimSetICValueData (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x44491C1: _XimLocalCreateIC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x442D754: XCreateIC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41C844D: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41B620B: SDL_VideoInit (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x418CF81: SDL_InitSubSystem (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x4252E15: (below main) (libc-start.c:228)
==8682== 
==8682== 112 (8 direct, 104 indirect) bytes in 1 blocks are definitely lost in loss record 235 of 304
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x4433131: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x4433604: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443513D: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x4435A3B: _XlcCreateLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x4454679: _XlcDefaultLoader (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443D7BC: _XOpenLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443D921: _XlcCurrentLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41C844D: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41B620B: SDL_VideoInit (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x418CF81: SDL_InitSubSystem (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x4252E15: (below main) (libc-start.c:228)
==8682== 
==8682== 144 bytes in 1 blocks are possibly lost in loss record 244 of 304
==8682==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==8682==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==8682==    by 0x42292A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==8682==    by 0x41DFDBE: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41965B6: SDL_CreateThread (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41E264E: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x4252E15: (below main) (libc-start.c:228)
==8682== 
==8682== 144 bytes in 1 blocks are possibly lost in loss record 245 of 304
==8682==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==8682==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==8682==    by 0x42292A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==8682==    by 0x41DFDBE: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41965B6: SDL_CreateThread (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x80A22AF: main (ffplay.c:3031)
==8682== 
==8682== 144 bytes in 1 blocks are possibly lost in loss record 246 of 304
==8682==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==8682==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==8682==    by 0x42292A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==8682==    by 0x41DFDBE: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41965B6: SDL_CreateThread (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x80AA6F0: stream_component_open (ffplay.c:2579)
==8682==    by 0x80AC546: read_thread (ffplay.c:2815)
==8682==    by 0x41964C0: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41DFD3A: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x431095D: clone (clone.S:130)
==8682== 
==8682== 980 (68 direct, 912 indirect) bytes in 1 blocks are definitely lost in loss record 273 of 304
==8682==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==8682==    by 0x4433131: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x4433604: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443513D: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x4435A3B: _XlcCreateLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x4458797: _XlcUtf8Loader (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443D7BC: _XOpenLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x443D921: _XlcCurrentLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==8682==    by 0x41C844D: ??? (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x41B620B: SDL_VideoInit (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x418CF81: SDL_InitSubSystem (in /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4)
==8682==    by 0x4252E15: (below main) (libc-start.c:228)
==8682== 
==8682== LEAK SUMMARY:
==8682==    definitely lost: 103 bytes in 6 blocks
==8682==    indirectly lost: 1,016 bytes in 38 blocks
==8682==      possibly lost: 432 bytes in 3 blocks
==8682==    still reachable: 1,494,857 bytes in 740 blocks
==8682==         suppressed: 0 bytes in 0 blocks
==8682== Reachable blocks (those to which a pointer was found) are not shown.
==8682== To see them, rerun with: --leak-check=full --show-reachable=yes
==8682== 
==8682== For counts of detected and suppressed errors, rerun with: -v
==8682== ERROR SUMMARY: 89 errors from 25 contexts (suppressed: 247 from 11)
Killed

Attachments (1)

fuzzed6.mov (657.2 KB) - added by ami_stuff 3 years ago.

Download all attachments as: .zip

Change History (3)

Changed 3 years ago by ami_stuff

comment:1 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords rpza added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:2 Changed 3 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed
Note: See TracTickets for help on using tickets.