Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#2949 closed defect (fixed)

tgv: invalid write with max_alloc

Reported by: ami_stuff
Owned by:
Priority: normal
Component: avcodec
Version: git-master
Keywords: tgv crash SIGSEGV
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

http://www1.datafilehost.com/d/2d320c51

knoppix@Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-a67dcd7/ffmpeg_g
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g...done.
(gdb) r -max_alloc 500000 -i ./fuzz.tgv -an -f null -
Starting program: /media/sdb1/ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 500000 -i ./fuzz.tgv -an -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 43.100 / 52. 43.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 16.101 / 55. 16.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 83.102 /  3. 83.102
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Guessed Channel Layout for  Input Stream #0.1 : stereo
Input #0, ea, from './fuzz.tgv':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: tgv, pal8, 320x132, 15 fps, 15 tbr, 90k tbn, 15 tbc
    Stream #0:1: Audio: adpcm_ima_ea_sead, 22050 Hz, stereo, s16, 176 kb/s
[New Thread 0xb7df8b70 (LWP 25733)]
[New Thread 0xb75f8b70 (LWP 25734)]
[New Thread 0xb6df8b70 (LWP 25735)]
[New Thread 0xb65f8b70 (LWP 25736)]
[New Thread 0xb5df8b70 (LWP 25737)]
[New Thread 0xb55f8b70 (LWP 25738)]
[New Thread 0xb4df8b70 (LWP 25739)]
[New Thread 0xb45f8b70 (LWP 25740)]
[New Thread 0xb3df8b70 (LWP 25741)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.16.101
    Stream #0:0: Video: rawvideo, pal8, 320x132, q=2-31, 200 kb/s, 90k tbn, 15 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (eatgv -> rawvideo)
Press [q] to stop, [?] for help
[null @ 0x91070c0] Encoder did not produce proper pts, making some up.
[eatgv @ 0x9106600] MV 31 -6 out of picture
[eatgv @ 0x9106600] MV 380 13 out of picture
[eatgv @ 0x9106600] MV -223 13 out of picture
[eatgv @ 0x9106600] MV -51 37 out of picture
[eatgv @ 0x9106600] MV 318 81 out of picture
[eatgv @ 0x9106600] MV 19 351 out of picture
[eatgv @ 0x9106600] MV 87 383 out of picture
[eatgv @ 0x9106600] MV -175 113 out of picture
[eatgv @ 0x9106600] MV -42 11 out of picture
[eatgv @ 0x9106600] MV 233 -126 out of picture
[eatgv @ 0x9106600] MV -58 111 out of picture
[eatgv @ 0x9106600] MV 213 -22 out of picture
[eatgv @ 0x9106600] MV 44 135 out of picture
[eatgv @ 0x9106600] MV 93 -10 out of picture
[eatgv @ 0x9106600] MV -2 1 out of picture
[eatgv @ 0x9106600] MV 340 133 out of picture
[eatgv @ 0x9106600] MV -279 3 out of picture
[eatgv @ 0x9106600] MV -279 7 out of picture
[eatgv @ 0x9106600] MV -267 7 out of picture
[eatgv @ 0x9106600] MV -283 11 out of picture
[eatgv @ 0x9106600] MV -431 19 out of picture
[eatgv @ 0x9106600] MV -199 23 out of picture
[eatgv @ 0x9106600] MV -271 31 out of picture
[eatgv @ 0x9106600] MV -223 31 out of picture
[eatgv @ 0x9106600] MV -455 35 out of picture
[eatgv @ 0x9106600] MV -211 43 out of picture
[eatgv @ 0x9106600] MV -199 43 out of picture
[eatgv @ 0x9106600] MV -411 47 out of picture
[eatgv @ 0x9106600] MV -239 51 out of picture
[eatgv @ 0x9106600] MV -219 55 out of picture
[eatgv @ 0x9106600] MV -207 55 out of picture
[eatgv @ 0x9106600] MV -207 63 out of picture
[eatgv @ 0x9106600] MV -239 67 out of picture
[eatgv @ 0x9106600] MV -211 67 out of picture
[eatgv @ 0x9106600] MV -331 79 out of picture
[eatgv @ 0x9106600] MV -311 91 out of picture
[eatgv @ 0x9106600] MV -427 95 out of picture
[eatgv @ 0x9106600] MV -431 99 out of picture
[eatgv @ 0x9106600] MV -427 99 out of picture
[eatgv @ 0x9106600] MV 237 134 out of picture
[eatgv @ 0x9106600] MV -219 111 out of picture
[eatgv @ 0x9106600] MV -34 23 out of picture
[eatgv @ 0x9106600] MV -30 23 out of picture
[eatgv @ 0x9106600] MV 363 92 out of picture
[eatgv @ 0x9106600] MV 205 135 out of picture
[eatgv @ 0x9106600] MV 324 0 out of picture
[eatgv @ 0x9106600] MV 281 -13 out of picture
[eatgv @ 0x9106600] MV 814 15 out of picture
[eatgv @ 0x9106600] MV 782 19 out of picture
[eatgv @ 0x9106600] MV 802 19 out of picture
[eatgv @ 0x9106600] MV 778 23 out of picture
[eatgv @ 0x9106600] MV 786 23 out of picture
[eatgv @ 0x9106600] MV 790 23 out of picture
[eatgv @ 0x9106600] MV 798 23 out of picture
[eatgv @ 0x9106600] MV 802 23 out of picture
[eatgv @ 0x9106600] MV 806 23 out of picture
[eatgv @ 0x9106600] MV 818 23 out of picture
[eatgv @ 0x9106600] MV 58 -1 out of picture
[eatgv @ 0x9106600] MV 782 27 out of picture
[eatgv @ 0x9106600] MV 786 27 out of picture
[eatgv @ 0x9106600] MV 742 31 out of picture
[eatgv @ 0x9106600] MV 762 31 out of picture
[eatgv @ 0x9106600] MV 798 31 out of picture
[eatgv @ 0x9106600] MV 818 31 out of picture
[eatgv @ 0x9106600] MV 778 43 out of picture
[eatgv @ 0x9106600] MV 762 47 out of picture
[eatgv @ 0x9106600] MV 538 55 out of picture
[eatgv @ 0x9106600] MV 758 55 out of picture
[eatgv @ 0x9106600] MV 630 59 out of picture
[eatgv @ 0x9106600] MV 750 67 out of picture
[eatgv @ 0x9106600] MV 670 71 out of picture
[eatgv @ 0x9106600] MV 674 83 out of picture
[eatgv @ 0x9106600] MV 562 95 out of picture
[eatgv @ 0x9106600] MV 686 103 out of picture
[eatgv @ 0x9106600] MV 602 115 out of picture
[eatgv @ 0x9106600] MV 686 119 out of picture
[eatgv @ 0x9106600] MV 682 127 out of picture
[eatgv @ 0x9106600] MV 196 136 out of picture
[eatgv @ 0x9106600] MV 116 144 out of picture
[eatgv @ 0x9106600] MV 12 148 out of picture
[eatgv @ 0x9106600] MV 156 152 out of picture
[eatgv @ 0x9106600] MV 104 156 out of picture
[eatgv @ 0x9106600] MV 104 160 out of picture
[eatgv @ 0x9106600] MV 112 160 out of picture
[eatgv @ 0x9106600] MV 109 -22 out of picture
[eatgv @ 0x9106600] MV 160 160 out of picture
[eatgv @ 0x9106600] MV 172 160 out of picture
[eatgv @ 0x9106600] MV 29 139 out of picture
[eatgv @ 0x9106600] truncated inter frame
Error while decoding stream #0:0: Invalid data found when processing input

Program received signal SIGSEGV, Segmentation fault.
0x0831bad3 in tgv_decode_inter (buf_end=<optimized out>, 
    buf=0x918707c "H\312s\215\377\327\t\031\217\207", s=0x90f5080, 
    frame=<optimized out>) at libavcodec/eatgv.c:205
205	            s->block_codebook[i][15-j] = tmp[get_bits(&gb, 2)];
(gdb) bt
#0  0x0831bad3 in tgv_decode_inter (buf_end=<optimized out>, 
    buf=0x918707c "H\312s\215\377\327\t\031\217\207", s=0x90f5080, 
    frame=<optimized out>) at libavcodec/eatgv.c:205
#1  tgv_decode_frame (avctx=0x9106600, data=0x90f56c0, got_frame=0xbffff4e4, 
    avpkt=0xbffff288) at libavcodec/eatgv.c:323
#2  0x086770fe in avcodec_decode_video2 (avctx=0x9106600, 
    picture=picture@entry=0x90f56c0, 
    got_picture_ptr=got_picture_ptr@entry=0xbffff4e4, 
    avpkt=avpkt@entry=0xbffff730) at libavcodec/utils.c:1983
#3  0x080b36fd in decode_video (ist=ist@entry=0x9107b80, 
    pkt=pkt@entry=0xbffff730, got_output=got_output@entry=0xbffff4e4)
    at ffmpeg.c:1668
#4  0x080b761a in output_packet (pkt=0xbffff6c8, ist=0x9107b80)
    at ffmpeg.c:1866
#5  process_input (file_index=2) at ffmpeg.c:3085
#6  0x080a2ec3 in transcode_step () at ffmpeg.c:3181
#7  transcode () at ffmpeg.c:3233
#8  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3411
(gdb) 
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 500000 -i ./fuzz.tgv -f null -
==25707== Memcheck, a memory error detector
==25707== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==25707== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==25707== Command: ffmpeg-HEAD-a67dcd7/ffmpeg_g -max_alloc 500000 -i ./fuzz.tgv -f null -
==25707== 
ffmpeg version 2.0-a67dcd7 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep  5 2013 17:23:55 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 43.100 / 52. 43.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 16.101 / 55. 16.101
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 83.102 /  3. 83.102
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Guessed Channel Layout for  Input Stream #0.1 : stereo
Input #0, ea, from './fuzz.tgv':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: tgv, pal8, 320x132, 15 fps, 15 tbr, 90k tbn, 15 tbc
    Stream #0:1: Audio: adpcm_ima_ea_sead, 22050 Hz, stereo, s16, 176 kb/s
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.16.101
    Stream #0:0: Video: rawvideo, pal8, 320x132, q=2-31, 200 kb/s, 90k tbn, 15 tbc
    Stream #0:1: Audio: pcm_s16le, 22050 Hz, stereo, s16, 705 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (eatgv -> rawvideo)
  Stream #0:1 -> #0:1 (adpcm_ima_ea_sead -> pcm_s16le)
Press [q] to stop, [?] for help
[null @ 0x4379000] Encoder did not produce proper pts, making some up.
[eatgv @ 0x423a4c0] MV 31 -6 out of picture
[eatgv @ 0x423a4c0] MV 380 13 out of picture
[eatgv @ 0x423a4c0] MV -223 13 out of picture
[eatgv @ 0x423a4c0] MV -51 37 out of picture
[eatgv @ 0x423a4c0] MV 318 81 out of picture
[eatgv @ 0x423a4c0] MV 19 351 out of picture
[eatgv @ 0x423a4c0] MV 87 383 out of picture
[eatgv @ 0x423a4c0] MV -175 113 out of picture
[eatgv @ 0x423a4c0] MV -42 11 out of picture
[eatgv @ 0x423a4c0] MV 233 -126 out of picture
[eatgv @ 0x423a4c0] MV -58 111 out of picture
[eatgv @ 0x423a4c0] MV 213 -22 out of picture
[eatgv @ 0x423a4c0] MV 44 135 out of picture
[eatgv @ 0x423a4c0] MV 93 -10 out of picture
[eatgv @ 0x423a4c0] MV -2 1 out of picture
[eatgv @ 0x423a4c0] MV 340 133 out of picture
[eatgv @ 0x423a4c0] MV -279 3 out of picture
[eatgv @ 0x423a4c0] MV -279 7 out of picture
[eatgv @ 0x423a4c0] MV -267 7 out of picture
[eatgv @ 0x423a4c0] MV -283 11 out of picture
[eatgv @ 0x423a4c0] MV -431 19 out of picture
[eatgv @ 0x423a4c0] MV -199 23 out of picture
[eatgv @ 0x423a4c0] MV -271 31 out of picture
[eatgv @ 0x423a4c0] MV -223 31 out of picture
[eatgv @ 0x423a4c0] MV -455 35 out of picture
[eatgv @ 0x423a4c0] MV -211 43 out of picture
[eatgv @ 0x423a4c0] MV -199 43 out of picture
[eatgv @ 0x423a4c0] MV -411 47 out of picture
[eatgv @ 0x423a4c0] MV -239 51 out of picture
[eatgv @ 0x423a4c0] MV -219 55 out of picture
[eatgv @ 0x423a4c0] MV -207 55 out of picture
[eatgv @ 0x423a4c0] MV -207 63 out of picture
[eatgv @ 0x423a4c0] MV -239 67 out of picture
[eatgv @ 0x423a4c0] MV -211 67 out of picture
[eatgv @ 0x423a4c0] MV -331 79 out of picture
[eatgv @ 0x423a4c0] MV -311 91 out of picture
[eatgv @ 0x423a4c0] MV -427 95 out of picture
[eatgv @ 0x423a4c0] MV -431 99 out of picture
[eatgv @ 0x423a4c0] MV -427 99 out of picture
[eatgv @ 0x423a4c0] MV 237 134 out of picture
[eatgv @ 0x423a4c0] MV -219 111 out of picture
[eatgv @ 0x423a4c0] MV -34 23 out of picture
[eatgv @ 0x423a4c0] MV -30 23 out of picture
[eatgv @ 0x423a4c0] MV 363 92 out of picture
[eatgv @ 0x423a4c0] MV 205 135 out of picture
[eatgv @ 0x423a4c0] MV 324 0 out of picture
[eatgv @ 0x423a4c0] MV 281 -13 out of picture
[eatgv @ 0x423a4c0] MV 814 15 out of picture
[eatgv @ 0x423a4c0] MV 782 19 out of picture
[eatgv @ 0x423a4c0] MV 802 19 out of picture
[eatgv @ 0x423a4c0] MV 778 23 out of picture
[eatgv @ 0x423a4c0] MV 786 23 out of picture
[eatgv @ 0x423a4c0] MV 790 23 out of picture
[eatgv @ 0x423a4c0] MV 798 23 out of picture
[eatgv @ 0x423a4c0] MV 802 23 out of picture
[eatgv @ 0x423a4c0] MV 806 23 out of picture
[eatgv @ 0x423a4c0] MV 818 23 out of picture
[eatgv @ 0x423a4c0] MV 58 -1 out of picture
[eatgv @ 0x423a4c0] MV 782 27 out of picture
[eatgv @ 0x423a4c0] MV 786 27 out of picture
[eatgv @ 0x423a4c0] MV 742 31 out of picture
[eatgv @ 0x423a4c0] MV 762 31 out of picture
[eatgv @ 0x423a4c0] MV 798 31 out of picture
[eatgv @ 0x423a4c0] MV 818 31 out of picture
[eatgv @ 0x423a4c0] MV 778 43 out of picture
[eatgv @ 0x423a4c0] MV 762 47 out of picture
[eatgv @ 0x423a4c0] MV 538 55 out of picture
[eatgv @ 0x423a4c0] MV 758 55 out of picture
[eatgv @ 0x423a4c0] MV 630 59 out of picture
[eatgv @ 0x423a4c0] MV 750 67 out of picture
[eatgv @ 0x423a4c0] MV 670 71 out of picture
[eatgv @ 0x423a4c0] MV 674 83 out of picture
[eatgv @ 0x423a4c0] MV 562 95 out of picture
[eatgv @ 0x423a4c0] MV 686 103 out of picture
[eatgv @ 0x423a4c0] MV 602 115 out of picture
[eatgv @ 0x423a4c0] MV 686 119 out of picture
[eatgv @ 0x423a4c0] MV 682 127 out of picture
[eatgv @ 0x423a4c0] MV 196 136 out of picture
[eatgv @ 0x423a4c0] MV 116 144 out of picture
[eatgv @ 0x423a4c0] MV 12 148 out of picture
[eatgv @ 0x423a4c0] MV 156 152 out of picture
[eatgv @ 0x423a4c0] MV 104 156 out of picture
[eatgv @ 0x423a4c0] MV 104 160 out of picture
[eatgv @ 0x423a4c0] MV 112 160 out of picture
[eatgv @ 0x423a4c0] MV 109 -22 out of picture
[eatgv @ 0x423a4c0] MV 160 160 out of picture
[eatgv @ 0x423a4c0] MV 172 160 out of picture
[eatgv @ 0x423a4c0] MV 29 139 out of picture
[eatgv @ 0x423a4c0] truncated inter frame
Error while decoding stream #0:0: Invalid data found when processing input
==25707== Invalid write of size 1
==25707==    at 0x831BAD3: tgv_decode_frame (eatgv.c:205)
==25707==    by 0x86770FD: avcodec_decode_video2 (utils.c:1983)
==25707==    by 0x80B36FC: decode_video (ffmpeg.c:1668)
==25707==    by 0x9DC46F0: ???
==25707==  Address 0xf is not stack'd, malloc'd or (recently) free'd
==25707== 
==25707== 
==25707== Process terminating with default action of signal 11 (SIGSEGV)
==25707==  Access not within mapped region at address 0xF
==25707==    at 0x831BAD3: tgv_decode_frame (eatgv.c:205)
==25707==    by 0x86770FD: avcodec_decode_video2 (utils.c:1983)
==25707==    by 0x80B36FC: decode_video (ffmpeg.c:1668)
==25707==    by 0x9DC46F0: ???
==25707==  If you believe this happened as a result of a stack
==25707==  overflow in your program's main thread (unlikely but
==25707==  possible), you can try to increase the size of the
==25707==  main thread stack using the --main-stacksize= flag.
==25707==  The main thread stack size used in this run was 8388608.
==25707== 
==25707== HEAP SUMMARY:
==25707==     in use at exit: 984,530 bytes in 564 blocks
==25707==   total heap usage: 2,890 allocs, 2,326 frees, 2,605,079 bytes allocated
==25707== 
==25707== 2,592 bytes in 18 blocks are possibly lost in loss record 132 of 145
==25707==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==25707==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==25707==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==25707==    by 0x80D9651: ff_graph_thread_init (pthread.c:180)
==25707==    by 0x80CD5C7: avfilter_graph_alloc_filter (avfiltergraph.c:186)
==25707==    by 0x80D8204: create_filter (graphparser.c:112)
==25707==    by 0x80D8C59: avfilter_graph_parse2 (graphparser.c:169)
==25707== 
==25707== 30,944 bytes in 1 blocks are possibly lost in loss record 139 of 145
==25707==    at 0x4028308: malloc (vg_replace_malloc.c:263)
==25707==    by 0x402849F: realloc (vg_replace_malloc.c:632)
==25707==    by 0x831C361: tgv_decode_frame (eatgv.c:177)
==25707==    by 0x86770FD: avcodec_decode_video2 (utils.c:1983)
==25707==    by 0x80B36FC: decode_video (ffmpeg.c:1668)
==25707==    by 0x4EE3900: ???
==25707== 
==25707== LEAK SUMMARY:
==25707==    definitely lost: 0 bytes in 0 blocks
==25707==    indirectly lost: 0 bytes in 0 blocks
==25707==      possibly lost: 33,536 bytes in 19 blocks
==25707==    still reachable: 950,994 bytes in 545 blocks
==25707==         suppressed: 0 bytes in 0 blocks
==25707== Reachable blocks (those to which a pointer was found) are not shown.
==25707== To see them, rerun with: --leak-check=full --show-reachable=yes
==25707== 
==25707== For counts of detected and suppressed errors, rerun with: -v
==25707== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 59 from 6)
Killed
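
Reading the two traces together: the faulting statement is `s->block_codebook[i][15-j] = tmp[get_bits(&gb, 2)];`, Valgrind reports a 1-byte write to address 0xf, and 0xf is exactly offset 15 from a NULL base. The trace is therefore consistent with the codebook allocation (the realloc call that Valgrind attributes to eatgv.c:177) having failed under the 500000-byte -max_alloc cap, with the decoder carrying on through a NULL pointer; that is an inference from the log, not something the ticket states. The C below is an added example written for this page, not FFmpeg's code: it models the decoder context with a small struct, stands in for av_realloc and the -max_alloc cap with a hypothetical limited_realloc, uses a constructed 4-entry palette and bitstream in place of the real get_bits reads, and shows the unchecked realloc pattern beside a checked one that fails the frame with -ENOMEM before any write happens.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for ffmpeg's -max_alloc cap (av_max_alloc): any
 * request above the cap fails with NULL. With "-max_alloc 500000" a fuzzed
 * frame header asking for a large codebook makes the decoder's realloc fail. */
static size_t g_max_alloc = 500000;

static void *limited_realloc(void *ptr, size_t size)
{
    if (size > g_max_alloc)
        return NULL;
    return realloc(ptr, size);
}

/* Minimal model of the decoder context: one codebook of 16-byte blocks. */
typedef struct {
    uint8_t (*block_codebook)[16];
    unsigned num_blocks_packed;
} TgvContext;

/* Constructed stand-in for the decoder's 2-bit bitstream reads; wraps around buf. */
static unsigned get_bits2(const uint8_t *buf, size_t len, size_t *bitpos)
{
    size_t byte = (*bitpos / 8) % len;
    unsigned shift = 6 - (unsigned)(*bitpos % 8);
    *bitpos += 2;
    return (buf[byte] >> shift) & 3;
}

/* The unchecked pattern consistent with the report: realloc's result is stored
 * without a NULL check, and the write loop (the report's eatgv.c:205) then
 * stores through a NULL codebook; block_codebook[0][15] is address 0xf.
 * The p = realloc(p, n) form also leaks the old buffer when realloc fails.
 * Kept for contrast only; nothing below calls it. */
int fill_codebook_unchecked(TgvContext *s, unsigned num_blocks_packed,
                            const uint8_t *tmp, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    if (num_blocks_packed > s->num_blocks_packed) {
        s->block_codebook = limited_realloc(s->block_codebook,
                                            num_blocks_packed * 16);
        s->num_blocks_packed = num_blocks_packed;
    }
    for (unsigned i = 0; i < num_blocks_packed; i++)
        for (int j = 0; j < 16; j++)
            s->block_codebook[i][15 - j] = tmp[get_bits2(buf, len, &pos)];
    return 0;
}

/* Hardened form: bound the size computation, grow through a temporary, free
 * and reset the state on failure, and return -ENOMEM before any write. */
int fill_codebook_checked(TgvContext *s, unsigned num_blocks_packed,
                          const uint8_t *tmp, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    if (num_blocks_packed > s->num_blocks_packed) {
        if (num_blocks_packed > SIZE_MAX / 16)
            return -EINVAL;
        void *grown = limited_realloc(s->block_codebook,
                                      (size_t)num_blocks_packed * 16);
        if (!grown) {
            free(s->block_codebook);
            s->block_codebook = NULL;
            s->num_blocks_packed = 0;
            return -ENOMEM;
        }
        s->block_codebook = grown;
        s->num_blocks_packed = num_blocks_packed;
    }
    for (unsigned i = 0; i < num_blocks_packed; i++)
        for (int j = 0; j < 16; j++)
            s->block_codebook[i][15 - j] = tmp[get_bits2(buf, len, &pos)];
    return 0;
}

/* Constructed inputs: a 4-entry palette and a bitstream whose 2-bit groups
 * are 0,1,2,3,3,2,1,0 repeating. */
static const uint8_t k_tmp[4]  = { 0x10, 0x20, 0x30, 0x40 };
static const uint8_t k_bits[2] = { 0x1B, 0xE4 };

/* A sane frame: 4 blocks (64 bytes) fits under the cap. Returns the byte
 * written at block_codebook[0][15] (first 2-bit group is 0, so 0x10). */
int demo_small_frame(void)
{
    TgvContext s = { NULL, 0 };
    int ret = fill_codebook_checked(&s, 4, k_tmp, k_bits, sizeof k_bits);
    int value = ret == 0 ? s.block_codebook[0][15] : -1;
    free(s.block_codebook);
    return value;
}

/* A fuzzed frame: 40000 blocks = 640000 bytes, above the 500000 cap, so the
 * realloc fails. Returns the error code; with the unchecked variant this is
 * where the report's write to address 0xf would happen. */
int demo_oversized_frame(void)
{
    TgvContext s = { NULL, 0 };
    int ret = fill_codebook_checked(&s, 40000, k_tmp, k_bits, sizeof k_bits);
    int clean = (s.block_codebook == NULL && s.num_blocks_packed == 0);
    free(s.block_codebook);
    return clean ? ret : 1;
}

int main(void)
{
    printf("small frame: [0][15] = 0x%02x\n", demo_small_frame());
    printf("oversized frame: ret = %d (-ENOMEM = %d)\n",
           demo_oversized_frame(), -ENOMEM);
    return 0;
}
```

Build with cc -Wall and run: the oversized frame returns -ENOMEM instead of faulting. Beyond the NULL check, the hardened form frees the old buffer and resets num_blocks_packed on failure, so a later frame cannot trust a size that no longer has a buffer behind it, and it rejects a block count whose byte size would overflow before it reaches the allocator. Any decoder that sizes buffers from a frame header needs both checks, and -max_alloc is a cheap way to exercise the failure path that fuzzing alone rarely hits.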

Change History (2)

comment:1 Changed 4 years ago by richardpl

  • Component changed from undetermined to avcodec
  • Reproduced by developer set
  • Resolution set to fixed
  • Status changed from new to closed
  • Version changed from unspecified to git-master

comment:2 Changed 4 years ago by cehoyos

  • Keywords tgv crash SIGSEGV added