Opened 3 years ago

Closed 3 years ago

#2919 closed defect (fixed)

png: invalid write 2

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: png crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-c042684/ffmpeg_g -i ./png_fuzz2.mov -f null -
==2886== Memcheck, a memory error detector
==2886== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2886== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2886== Command: ffmpeg-HEAD-c042684/ffmpeg_g -i ./png_fuzz2.mov -f null -
==2886== 
ffmpeg version 2.0-c042684 Copyright (c) 2000-2013 the FFmpeg developers
  built on Aug 30 2013 20:55:53 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 42.100 / 52. 42.100
  libavcodec     55. 29.100 / 55. 29.100
  libavformat    55. 15.100 / 55. 15.100
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.102 /  3. 82.102
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from './png_fuzz2.mov':
  Metadata:
    major_brand     : qt  
    minor_version   : 537199360
    compatible_brands: qt  
    creation_time   : 2012-03-24 20:40:58
  Duration: 00:00:05.96, start: 0.000000, bitrate: 567 kb/s
    Stream #0:0(eng): Video: png (png  / 0x20676E70), monob, 189x127 [SAR 2834:2834 DAR 189:127], 565 kb/s, 24 fps, 24 tbr, 1000k tbn, 1000k tbc (default)
    Metadata:
      creation_time   : 2012-03-24 20:40:58
      handler_name    : Procedura obs�ugi skr�t�w danych Apple
Output #0, null, to 'pipe:':
  Metadata:
    major_brand     : qt  
    minor_version   : 537199360
    compatible_brands: qt  
    encoder         : Lavf55.15.100
    Stream #0:0(eng): Video: rawvideo (B0W1 / 0x31573042), monob, 189x127 [SAR 1:1 DAR 189:127], q=2-31, 200 kb/s, 90k tbn, 24 tbc (default)
    Metadata:
      creation_time   : 2012-03-24 20:40:58
      handler_name    : Procedura obs�ugi skr�t�w danych Apple
Stream mapping:
  Stream #0:0 -> #0:0 (png -> rawvideo)
Press [q] to stop, [?] for help
[null @ 0x424b6c0] Encoder did not produce proper pts, making some up.
[png @ 0x431fd00] IDAT without IHDR
[png @ 0x43263a0] inflate returned error -3
[png @ 0x431e2a0] inflate returned error -3
[png @ 0x4320e20] IDAT without IHDR
[png @ 0x431ec00] inflate returned error -3
[png @ 0x4323060] inflate returned error -3
[png @ 0x4324160] Missing png signature
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x4325280] inflate returned error -3
[png @ 0x43263a0] inflate returned error -3
[png @ 0x431e2a0] inflate returned error -3
[png @ 0x431ec00] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x431fd00] unsupported bit depth 9 and color type 0
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x4320e20] chunk too big
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x4321f40] inflate returned error -3
[png @ 0x4324160] inflate returned error -3
[png @ 0x43263a0] IEND without all image
[png @ 0x4325280] inflate returned error -3
[png @ 0x4323060] inflate returned error -3
[png @ 0x431e2a0] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
==2886== Thread 16:
==2886== Invalid read of size 4
==2886==    at 0x85C065A: add_bytes_l2_c (pngdsp.c:34)
==2886==    by 0x85BF6DA: decode_frame (pngdec.c:332)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886==  Address 0x436b828 is 72 bytes inside a block of size 74 alloc'd
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x8673922: av_fast_padded_mallocz (utils.c:92)
==2886==    by 0x85BF08A: decode_frame (pngdec.c:674)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== Invalid read of size 4
==2886==    at 0x85C0634: add_bytes_l2_c (pngdsp.c:35)
==2886==    by 0x85BF6DA: decode_frame (pngdec.c:332)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886==  Address 0x436b9d8 is 88 bytes inside a block of size 91 alloc'd
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x867386A: av_fast_padded_malloc (utils.c:92)
==2886==    by 0x85BF0D2: decode_frame (pngdec.c:684)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== Invalid write of size 4
==2886==    at 0x85C0651: add_bytes_l2_c (pngdsp.c:37)
==2886==    by 0x85BF6DA: decode_frame (pngdec.c:332)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886==  Address 0x436b908 is 72 bytes inside a block of size 74 alloc'd
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x867386A: av_fast_padded_malloc (utils.c:92)
==2886==    by 0x85BFF60: decode_frame (pngdec.c:679)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== Invalid read of size 4
==2886==    at 0x85C0630: add_bytes_l2_c (pngdsp.c:36)
==2886==    by 0x85BF6DA: decode_frame (pngdec.c:332)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886==  Address 0x436b82c is 2 bytes after a block of size 74 alloc'd
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x8673922: av_fast_padded_mallocz (utils.c:92)
==2886==    by 0x85BF08A: decode_frame (pngdec.c:674)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== 
==2886== Process terminating with default action of signal 11 (SIGSEGV)
==2886==  Bad permissions for mapped region at address 0x4617000
==2886==    at 0x85C0634: add_bytes_l2_c (pngdsp.c:35)
==2886==    by 0x85BF6DA: decode_frame (pngdec.c:332)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== HEAP SUMMARY:
==2886==     in use at exit: 240,017 bytes in 341 blocks
==2886==   total heap usage: 2,259 allocs, 1,918 frees, 1,926,025 bytes allocated
==2886== 
==2886== Thread 1:
==2886== 72 bytes in 9 blocks are definitely lost in loss record 81 of 137
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C447: av_malloc (mem.c:93)
==2886==    by 0x885EBC8: av_buffer_alloc (buffer.c:70)
==2886==    by 0x85CDD77: ff_thread_get_buffer (pthread.c:944)
==2886==    by 0x85BEFFE: decode_frame (pngdec.c:648)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== 180 bytes in 9 blocks are definitely lost in loss record 99 of 137
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x885F410: av_buffer_pool_get (buffer.c:309)
==2886==    by 0x86731F5: video_get_buffer (utils.c:575)
==2886==    by 0x8674B00: get_buffer_internal (utils.c:865)
==2886==    by 0x8675093: ff_get_buffer (utils.c:877)
==2886==    by 0x85CDEA1: ff_thread_get_buffer (pthread.c:962)
==2886==    by 0x85BEFFE: decode_frame (pngdec.c:648)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== 210 (40 direct, 170 indirect) bytes in 5 blocks are definitely lost in loss record 101 of 137
==2886==    at 0x4028308: malloc (vg_replace_malloc.c:263)
==2886==    by 0x402849F: realloc (vg_replace_malloc.c:632)
==2886==    by 0x886231F: av_dict_set (dict.c:81)
==2886==    by 0x85BEA96: decode_text_chunk.isra.4 (pngdec.c:503)
==2886==    by 0x85BF1FC: decode_frame (pngdec.c:736)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== 216 bytes in 9 blocks are definitely lost in loss record 102 of 137
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x885F27E: av_buffer_realloc (buffer.c:34)
==2886==    by 0x827A122: av_grow_packet (avpacket.c:73)
==2886==    by 0x8235973: append_packet_chunked (utils.c:157)
==2886==    by 0x81A066D: mov_read_packet (mov.c:3472)
==2886==    by 0x8236816: ff_read_packet (utils.c:651)
==2886==    by 0x8239178: read_frame_internal (utils.c:1307)
==2886==    by 0x8239DB9: av_read_frame (utils.c:1411)
==2886==    by 0x80B6BD5: process_input (ffmpeg.c:2874)
==2886==    by 0x80A2E32: main (ffmpeg.c:3181)
==2886== 
==2886== 216 bytes in 9 blocks are definitely lost in loss record 103 of 137
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x885EBE6: av_buffer_alloc (buffer.c:34)
==2886==    by 0x85CDD77: ff_thread_get_buffer (pthread.c:944)
==2886==    by 0x85BEFFE: decode_frame (pngdec.c:648)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== 216 bytes in 9 blocks are definitely lost in loss record 104 of 137
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x885F53C: av_buffer_pool_get (buffer.c:34)
==2886==    by 0x86731F5: video_get_buffer (utils.c:575)
==2886==    by 0x8674B00: get_buffer_internal (utils.c:865)
==2886==    by 0x8675093: ff_get_buffer (utils.c:877)
==2886==    by 0x85CDEA1: ff_thread_get_buffer (pthread.c:962)
==2886==    by 0x85BEFFE: decode_frame (pngdec.c:648)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== 1,296 bytes in 9 blocks are possibly lost in loss record 122 of 137
==2886==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==2886==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==2886==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==2886==    by 0x85CE5AE: ff_thread_init (pthread.c:872)
==2886==    by 0x867AF8D: avcodec_open2 (utils.c:1223)
==2886==    by 0x80B9F46: transcode_init (ffmpeg.c:1983)
==2886==    by 0x80A242F: main (ffmpeg.c:3204)
==2886== 
==2886== 1,296 bytes in 9 blocks are possibly lost in loss record 123 of 137
==2886==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==2886==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==2886==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==2886==    by 0x80D9591: ff_graph_thread_init (pthread.c:180)
==2886==    by 0x80CD507: avfilter_graph_alloc_filter (avfiltergraph.c:186)
==2886==    by 0x80D8144: create_filter (graphparser.c:112)
==2886==    by 0x80D8B99: avfilter_graph_parse2 (graphparser.c:169)
==2886== 
==2886== 32,768 bytes in 1 blocks are possibly lost in loss record 135 of 137
==2886==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2886==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2886==    by 0x886C6B7: av_mallocz (mem.c:93)
==2886==    by 0x4160A3D2: ??? (in /lib/i386-linux-gnu/libz.so.1.2.7)
==2886==    by 0x4160BA9C: inflate (in /lib/i386-linux-gnu/libz.so.1.2.7)
==2886==    by 0x85BF151: decode_frame (pngdec.c:376)
==2886==    by 0x85CC62D: frame_worker_thread (pthread.c:339)
==2886==    by 0x407B953: start_thread (pthread_create.c:304)
==2886==    by 0x416395D: clone (clone.S:130)
==2886== 
==2886== LEAK SUMMARY:
==2886==    definitely lost: 940 bytes in 50 blocks
==2886==    indirectly lost: 170 bytes in 10 blocks
==2886==      possibly lost: 35,360 bytes in 19 blocks
==2886==    still reachable: 203,547 bytes in 262 blocks
==2886==         suppressed: 0 bytes in 0 blocks
==2886== Reachable blocks (those to which a pointer was found) are not shown.
==2886== To see them, rerun with: --leak-check=full --show-reachable=yes
==2886== 
==2886== For counts of detected and suppressed errors, rerun with: -v
==2886== ERROR SUMMARY: 2011274 errors from 13 contexts (suppressed: 59 from 6)
Killed
knoppix@Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-c042684/ffmpeg_g
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg-HEAD-c042684/ffmpeg_g...done.
(gdb) r -i ./png_fuzz2.mov -f null -
Starting program: /media/sdb1/ffmpeg-HEAD-c042684/ffmpeg_g -i ./png_fuzz2.mov -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-c042684 Copyright (c) 2000-2013 the FFmpeg developers
  built on Aug 30 2013 20:55:53 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 42.100 / 52. 42.100
  libavcodec     55. 29.100 / 55. 29.100
  libavformat    55. 15.100 / 55. 15.100
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 82.102 /  3. 82.102
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from './png_fuzz2.mov':
  Metadata:
    major_brand     : qt  
    minor_version   : 537199360
    compatible_brands: qt  
    creation_time   : 2012-03-24 20:40:58
  Duration: 00:00:05.96, start: 0.000000, bitrate: 567 kb/s
    Stream #0:0(eng): Video: png (png  / 0x20676E70), monob, 189x127 [SAR 2834:2834 DAR 189:127], 565 kb/s, 24 fps, 24 tbr, 1000k tbn, 1000k tbc (default)
    Metadata:
      creation_time   : 2012-03-24 20:40:58
      handler_name    : Procedura obs�ugi skr�t�w danych Apple
[New Thread 0xb7df8b70 (LWP 2912)]
[New Thread 0xb75f8b70 (LWP 2913)]
[New Thread 0xb6df8b70 (LWP 2914)]
[New Thread 0xb65f8b70 (LWP 2915)]
[New Thread 0xb5df8b70 (LWP 2916)]
[New Thread 0xb55f8b70 (LWP 2917)]
[New Thread 0xb4df8b70 (LWP 2918)]
[New Thread 0xb45f8b70 (LWP 2919)]
[New Thread 0xb3df8b70 (LWP 2920)]
[New Thread 0xb35f8b70 (LWP 2921)]
[New Thread 0xb2df8b70 (LWP 2922)]
[New Thread 0xb25f8b70 (LWP 2923)]
[New Thread 0xb1df8b70 (LWP 2924)]
[New Thread 0xb15f8b70 (LWP 2925)]
[New Thread 0xb0df8b70 (LWP 2926)]
[New Thread 0xb05f8b70 (LWP 2927)]
[New Thread 0xafdf8b70 (LWP 2928)]
[New Thread 0xaf5f8b70 (LWP 2929)]
Output #0, null, to 'pipe:':
  Metadata:
    major_brand     : qt  
    minor_version   : 537199360
    compatible_brands: qt  
    encoder         : Lavf55.15.100
    Stream #0:0(eng): Video: rawvideo (B0W1 / 0x31573042), monob, 189x127 [SAR 1:1 DAR 189:127], q=2-31, 200 kb/s, 90k tbn, 24 tbc (default)
    Metadata:
      creation_time   : 2012-03-24 20:40:58
      handler_name    : Procedura obs�ugi skr�t�w danych Apple
Stream mapping:
  Stream #0:0 -> #0:0 (png -> rawvideo)
Press [q] to stop, [?] for help
[null @ 0x91078a0] Encoder did not produce proper pts, making some up.
[png @ 0x90f9e60] inflate returned error -3
[png @ 0x90f4220] IDAT without IHDR
[png @ 0x91096e0] inflate returned error -3
[png @ 0x90f5180] IDAT without IHDR
[png @ 0x90f32c0] inflate returned error -3
[png @ 0x90f7040] inflate returned error -3
[png @ 0x90f7fa0] Missing png signature
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x90f8f00] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[png @ 0x90f9e60] inflate returned error -3
    Last message repeated 1 times
[png @ 0x91096e0] inflate returned error -3
[png @ 0x90f32c0] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x90f4220] unsupported bit depth 9 and color type 0
[png @ 0x90f5180] chunk too big
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[png @ 0x90f60e0] Error while decoding stream #0:0: Invalid data found when processing input
inflate returned error -3
[png @ 0x90f8f00] Error while decoding stream #0:0: Invalid data found when processing input
inflate returned error -3
[png @ 0x90f9e60] [png @ 0x90f7fa0] IEND without all image
[png @ 0x90f7040] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
inflate returned error -3
[png @ 0x91096e0] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x90f4220] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x90f32c0] [png @ 0x90f5180] inflate returned error -3
inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
Error while decoding stream #0:0: Invalid data found when processing input
[png @ 0x90f60e0] inflate returned error -3
Error while decoding stream #0:0: Invalid data found when processing input
*** glibc detected *** /media/sdb1/ffmpeg-HEAD-c042684/ffmpeg_g: double free or corruption (!prev): 0x09109f60 ***

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb0df8b70 (LWP 2926)]
add_bytes_l2_c (dst=0x9101040 "\212\372", <incomplete sequence \346>, 
    src1=0x91010d0 "", src2=0x9100fa0 "o\366@\320\b\356\212\006\026L*\252", 
    w=3) at libavcodec/pngdsp.c:35
35	        long a = *(long *)(src1 + i);
(gdb) bt
#0  add_bytes_l2_c (dst=0x9101040 "\212\372", <incomplete sequence \346>, 
    src1=0x91010d0 "", src2=0x9100fa0 "o\366@\320\b\356\212\006\026L*\252", 
    w=3) at libavcodec/pngdsp.c:35
#1  0x085bf6db in png_handle_row (s=<optimized out>) at libavcodec/pngdec.c:332
#2  png_decode_idat (length=<optimized out>, s=<optimized out>)
    at libavcodec/pngdec.c:383
#3  decode_frame (avctx=0x90f7040, data=0x910b234, got_frame=0x910b3f0, 
    avpkt=0x910b1e4) at libavcodec/pngdec.c:694
#4  0x085cc62e in frame_worker_thread (arg=0x910b114)
    at libavcodec/pthread.c:339
#5  0xb7f87954 in start_thread (arg=0xb0df8b70) at pthread_create.c:304
#6  0xb7f0895e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
(gdb) 

Attachments (1)

png_fuzz2.mov (412.9 KB) - added by ami_stuff 3 years ago.


Change History (3)

Changed 3 years ago by ami_stuff

comment:1 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords png crash SIGSEGV regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

Regression since 151ecc2 / 59f474b, only reproducible with --disable-yasm (and --disable-asm).

comment:2 Changed 3 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from open to closed

Fixed by Michael in 86736f5.
