Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#2961 closed defect (fixed)

indeo4: invalid read

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: iv41 crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-bbcaf25/ffmpeg_g -i iv41_2_fuzz.avi -f null -
==19679== Memcheck, a memory error detector
==19679== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==19679== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==19679== Command: ffmpeg-HEAD-bbcaf25/ffmpeg_g -i iv41_2_fuzz.avi -f null -
==19679== 
ffmpeg version 2.0-bbcaf25 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep 12 2013 00:30:03 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 43.100 / 52. 43.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 16.102 / 55. 16.102
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 84.100 /  3. 84.100
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, avi, from 'iv41_2_fuzz.avi':
  Duration: 00:00:12.64, start: 0.000000, bitrate: 33 kb/s
    Stream #0:0: Video: indeo4 (IV41 / 0x31345649), yuv410p, 64x48, 23.97 tbr, 23.97 tbn, 23.97 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.16.102
    Stream #0:0: Video: rawvideo (YUV9 / 0x39565559), yuv410p, 64x48, q=2-31, 200 kb/s, 90k tbn, 23.97 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (indeo4 -> rawvideo)
Press [q] to stop, [?] for help
[null @ 0x42500e0] Encoder did not produce proper pts, making some up.
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 55 times
[indeo4 @ 0x423a4e0] Corrupted tile data encountered!
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Invalid picture start code!
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Corrupted tile data encountered!
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[indeo4 @ 0x423a4e0] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Invalid picture start code!
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Only YVU9 picture format is supported!
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Too many corrections: 127
[indeo4 @ 0x423a4e0] Error while decoding band header: -1094995529
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Invalid picture start code!
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Corrupted tile data encountered!
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Invalid frame type: 7
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[indeo4 @ 0x423a4e0] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Corrupted tile data encountered!
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Invalid frame type: 7
[indeo4 @ 0x423a4e0] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Corrupted tile data encountered!
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x423a4e0] Tile data size is zero!
[indeo4 @ 0x423a4e0] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[indeo4 @ 0x423a4e0] Couldn't reallocate color planes!
[indeo4 @ 0x423a4e0] Error while decoding picture header: -12
Error while decoding stream #0:0: Cannot allocate memory
==19679== Invalid read of size 4
==19679==    at 0x84F7F3B: ff_ivi_decode_frame (ivi_common.c:1024)
==19679==    by 0x80B38DC: decode_video (ffmpeg.c:1668)
==19679==    by 0x37CA3EAD: ???
==19679==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
==19679== 
==19679== 
==19679== Process terminating with default action of signal 11 (SIGSEGV)
==19679==  Access not within mapped region at address 0x1C
==19679==    at 0x84F7F3B: ff_ivi_decode_frame (ivi_common.c:1024)
==19679==    by 0x80B38DC: decode_video (ffmpeg.c:1668)
==19679==    by 0x37CA3EAD: ???
==19679==  If you believe this happened as a result of a stack
==19679==  overflow in your program's main thread (unlikely but
==19679==  possible), you can try to increase the size of the
==19679==  main thread stack using the --main-stacksize= flag.
==19679==  The main thread stack size used in this run was 8388608.
==19679== 
==19679== HEAP SUMMARY:
==19679==     in use at exit: 68,888 bytes in 103 blocks
==19679==   total heap usage: 2,775 allocs, 2,672 frees, 1,179,414 bytes allocated
==19679== 
==19679== 1,296 bytes in 9 blocks are possibly lost in loss record 83 of 88
==19679==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==19679==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==19679==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==19679==    by 0x80D9821: ff_graph_thread_init (pthread.c:180)
==19679==    by 0x80CD797: avfilter_graph_alloc_filter (avfiltergraph.c:186)
==19679==    by 0x80D83D4: create_filter (graphparser.c:112)
==19679==    by 0x80D8E29: avfilter_graph_parse2 (graphparser.c:169)
==19679== 
==19679== LEAK SUMMARY:
==19679==    definitely lost: 0 bytes in 0 blocks
==19679==    indirectly lost: 0 bytes in 0 blocks
==19679==      possibly lost: 1,296 bytes in 9 blocks
==19679==    still reachable: 67,592 bytes in 94 blocks
==19679==         suppressed: 0 bytes in 0 blocks
==19679== Reachable blocks (those to which a pointer was found) are not shown.
==19679== To see them, rerun with: --leak-check=full --show-reachable=yes
==19679== 
==19679== For counts of detected and suppressed errors, rerun with: -v
==19679== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 59 from 6)
Killed
knoppix@Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-bbcaf25/ffmpeg_g
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg-HEAD-bbcaf25/ffmpeg_g...done.
(gdb) r -i ./iv41_2_fuzz.avi -f null -
Starting program: /media/sdb1/ffmpeg-HEAD-bbcaf25/ffmpeg_g -i ./iv41_2_fuzz.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-bbcaf25 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep 12 2013 00:30:03 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 43.100 / 52. 43.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 16.102 / 55. 16.102
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 84.100 /  3. 84.100
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
Input #0, avi, from './iv41_2_fuzz.avi':
  Duration: 00:00:12.64, start: 0.000000, bitrate: 33 kb/s
    Stream #0:0: Video: indeo4 (IV41 / 0x31345649), yuv410p, 64x48, 23.97 tbr, 23.97 tbn, 23.97 tbc
[New Thread 0xb7df8b70 (LWP 19696)]
[New Thread 0xb75f8b70 (LWP 19697)]
[New Thread 0xb6df8b70 (LWP 19698)]
[New Thread 0xb65f8b70 (LWP 19699)]
[New Thread 0xb5df8b70 (LWP 19700)]
[New Thread 0xb55f8b70 (LWP 19701)]
[New Thread 0xb4df8b70 (LWP 19702)]
[New Thread 0xb45f8b70 (LWP 19703)]
[New Thread 0xb3df8b70 (LWP 19704)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.16.102
    Stream #0:0: Video: rawvideo (YUV9 / 0x39565559), yuv410p, 64x48, q=2-31, 200 kb/s, 90k tbn, 23.97 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (indeo4 -> rawvideo)
Press [q] to stop, [?] for help
[null @ 0x9116960] Encoder did not produce proper pts, making some up.
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 55 times
[indeo4 @ 0x9114640] Corrupted tile data encountered!
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Invalid picture start code!
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Corrupted tile data encountered!
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[indeo4 @ 0x9114640] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Invalid picture start code!
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Only YVU9 picture format is supported!
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Too many corrections: 127
[indeo4 @ 0x9114640] Error while decoding band header: -1094995529
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Invalid picture start code!
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Corrupted tile data encountered!
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Invalid frame type: 7
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[indeo4 @ 0x9114640] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Corrupted tile data encountered!
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Scalability: unsupported subdivision! Luma bands: 0, chroma bands: 0
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Invalid frame type: 7
[indeo4 @ 0x9114640] Error while decoding picture header: -1094995529
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Corrupted tile data encountered!
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
[indeo4 @ 0x9114640] Tile data size is zero!
[indeo4 @ 0x9114640] Error while decoding band: 0, plane: 0
Error while decoding stream #0:0: Invalid data found when processing input
    Last message repeated 1 times
[indeo4 @ 0x9114640] Couldn't reallocate color planes!
[indeo4 @ 0x9114640] Error while decoding picture header: -12
Error while decoding stream #0:0: Cannot allocate memory

Program received signal SIGSEGV, Segmentation fault.
0x084f7f3b in ff_ivi_decode_frame (avctx=0x9114640, data=0x9118e20, 
    got_frame=0xbffff504, avpkt=0xbffff2a8) at libavcodec/ivi_common.c:1024
1024	            if (!ctx->planes[p].bands[0].buf)
(gdb) bt
#0  0x084f7f3b in ff_ivi_decode_frame (avctx=0x9114640, data=0x9118e20, 
    got_frame=0xbffff504, avpkt=0xbffff2a8) at libavcodec/ivi_common.c:1024
#1  0x0867a04e in avcodec_decode_video2 (avctx=0x9114640, 
    picture=picture@entry=0x9118e20, 
    got_picture_ptr=got_picture_ptr@entry=0xbffff504, 
    avpkt=avpkt@entry=0xbffff750) at libavcodec/utils.c:1995
#2  0x080b38dd in decode_video (ist=ist@entry=0x9118080, 
    pkt=pkt@entry=0xbffff750, got_output=got_output@entry=0xbffff504)
    at ffmpeg.c:1668
#3  0x080b77fa in output_packet (pkt=0xbffff6e8, ist=0x9118080)
    at ffmpeg.c:1866
#4  process_input (file_index=1) at ffmpeg.c:3089
#5  0x080a2fd3 in transcode_step () at ffmpeg.c:3185
#6  transcode () at ffmpeg.c:3237
#7  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3415
(gdb) 

Attachments (1)

iv41_2_fuzz.avi (52.2 KB) - added by ami_stuff 6 years ago.


Change History (6)

Changed 6 years ago by ami_stuff

comment:1 Changed 6 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords iv41 crash SIGSEGV added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

Program received signal SIGSEGV, Segmentation fault.
ff_ivi_decode_frame (avctx=0x16f0360, data=0x16d9040, got_frame=0x7fffffffd7ec, avpkt=<optimized out>) at libavcodec/ivi_common.c:1024
1024                if (!ctx->planes[p].bands[0].buf)
(gdb) bt
#0  ff_ivi_decode_frame (avctx=0x16f0360, data=0x16d9040, got_frame=0x7fffffffd7ec, avpkt=<optimized out>) at libavcodec/ivi_common.c:1024
#1  0x00000000009da72b in avcodec_decode_video2 (avctx=0x16f0360, picture=picture@entry=0x16d9040, got_picture_ptr=got_picture_ptr@entry=0x7fffffffd7ec, avpkt=avpkt@entry=0x7fffffffda50)
    at libavcodec/utils.c:1995
#2  0x000000000046c650 in decode_video (ist=ist@entry=0x16f4220, pkt=pkt@entry=0x7fffffffda50, got_output=got_output@entry=0x7fffffffd7ec) at ffmpeg.c:1668
#3  0x000000000046f94f in output_packet (pkt=0x7fffffffd9f0, ist=0x16f4220) at ffmpeg.c:1866
#4  process_input (file_index=<optimized out>) at ffmpeg.c:3089
#5  0x000000000045da10 in transcode_step () at ffmpeg.c:3185
#6  transcode () at ffmpeg.c:3237
#7  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3415
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x85f7c7 to 0x85f807:
   0x000000000085f7c7 <ff_ivi_decode_frame+743>:        jl     0x85f7ed <ff_ivi_decode_frame+781>
   0x000000000085f7c9 <ff_ivi_decode_frame+745>:        push   %rax
   0x000000000085f7ca <ff_ivi_decode_frame+746>:        mov    0x1244(%rdi),%r11d
   0x000000000085f7d1 <ff_ivi_decode_frame+753>:        test   %r11d,%r11d
   0x000000000085f7d4 <ff_ivi_decode_frame+756>:        jne    0x860876 <ff_ivi_decode_frame+5014>
   0x000000000085f7da <ff_ivi_decode_frame+762>:        mov    0x1280(%rdi),%rax
   0x000000000085f7e1 <ff_ivi_decode_frame+769>:        mov    $0xbebbb1b7,%r9d
=> 0x000000000085f7e7 <ff_ivi_decode_frame+775>:        cmpq   $0x0,0x28(%rax)
   0x000000000085f7ec <ff_ivi_decode_frame+780>:        je     0x85f84e <ff_ivi_decode_frame+878>
   0x000000000085f7ee <ff_ivi_decode_frame+782>:        mov    0x1290(%rdi),%rax
   0x000000000085f7f5 <ff_ivi_decode_frame+789>:        cmpq   $0x0,0x28(%rax)
   0x000000000085f7fa <ff_ivi_decode_frame+794>:        je     0x85f84e <ff_ivi_decode_frame+878>
   0x000000000085f7fc <ff_ivi_decode_frame+796>:        mov    0x12a0(%rdi),%rax
   0x000000000085f803 <ff_ivi_decode_frame+803>:        cmpq   $0x0,0x28(%rax)
End of assembler dump.
(gdb) info register
rax            0x0      0
rbx            0x16d9040        23957568
rcx            0x0      0
rdx            0x0      0
rsi            0x16e47e0        24004576
rdi            0x16f56a0        24073888
rbp            0x7fffffffda50   0x7fffffffda50
rsp            0x7fffffffd420   0x7fffffffd420
r8             0x5      5
r9             0xbebbb1b7       3199971767
r10            0x18     24
r11            0x0      0
r12            0x16f0360        24052576
r13            0x7fffffffda50   140737488345680
r14            0x16f4220        24068640
r15            0x16f4228        24068648
rip            0x85f7e7 0x85f7e7 <ff_ivi_decode_frame+775>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
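
An added example, not code from the ticket or from FFmpeg: a hypothetical C model of the state the registers above point to (rax == 0 when `cmpq $0x0,0x28(%rax)` executes, so `bands[0].buf` is read through a NULL `bands` pointer on the frame after the "Couldn't reallocate color planes!" ENOMEM). The structure names, the header/allocation logic and the `fail` injection are assumptions; the block contrasts the unchecked guard with one that rejects a missing band table instead of dereferencing it.

```c
#include <errno.h>
#include <stdlib.h>
/* Hypothetical model (not FFmpeg's IVI structs) of the state behind the report:
 * a failed realloc leaves bands == NULL and the next frame's guard reads
 * bands[0].buf through it (rax == 0 at `cmpq $0x0,0x28(%rax)` above). */
typedef struct Band  { unsigned char *buf; } Band;
typedef struct Plane { int num_bands; Band *bands; } Plane;
typedef struct Ctx   { int width, height; Plane planes[3]; } Ctx;

static void free_planes(Ctx *ctx) {
    for (int p = 0; p < 3; p++) {
        if (ctx->planes[p].bands) free(ctx->planes[p].bands[0].buf);
        free(ctx->planes[p].bands);
        ctx->planes[p] = (Plane){0};
    }
}
/* (Re)allocate one band per plane; `fail` injects the ENOMEM (-12) seen in the log. */
static int alloc_planes(Ctx *ctx, int w, int h, int fail) {
    free_planes(ctx);
    for (int p = 0; p < 3; p++) {
        Band *b = fail ? NULL : calloc(1, sizeof(*b));
        if (!b) return -ENOMEM;                 /* bands stay NULL from here on */
        ctx->planes[p].bands = b; ctx->planes[p].num_bands = 1;
        if (!(b->buf = calloc((size_t)w * h, 1))) return -ENOMEM;
    }
    return 0;
}
/* Buggy header path: the new size is recorded before allocation succeeds, so
 * the next frame of that size skips reallocation and inherits NULL bands. */
static int decode_pic_hdr_buggy(Ctx *ctx, int w, int h, int fail) {
    if (w == ctx->width && h == ctx->height) return 0;
    ctx->width = w; ctx->height = h;
    return alloc_planes(ctx, w, h, fail);
}
/* Guard shaped like ivi_common.c:1024: no NULL check before bands[0]. */
static int bands_ready_unsafe(const Ctx *ctx) {
    for (int p = 0; p < 3; p++)
        if (!ctx->planes[p].bands[0].buf) return 0;  /* SIGSEGV if bands == NULL */
    return 1;
}
/* Hardened guard: a missing band table is as invalid as a missing buffer. */
static int bands_ready_safe(const Ctx *ctx) {
    for (int p = 0; p < 3; p++) {
        const Plane *pl = &ctx->planes[p];
        if (!pl->bands || pl->num_bands < 1 || !pl->bands[0].buf) return 0;
    }
    return 1;
}
static int decode_frame(Ctx *ctx, int w, int h, int fail) {
    int ret = decode_pic_hdr_buggy(ctx, w, h, fail);
    if (ret < 0) return ret;
    return bands_ready_safe(ctx) ? 0 : -EINVAL;   /* unsafe guard would crash here */
}
/* Replays the ticket: good frame, ENOMEM frame, then a same-size frame. */
static int replay_ticket(void) {
    Ctx ctx = {0};
    if (decode_frame(&ctx, 64, 48, 0) != 0 || !bands_ready_unsafe(&ctx)) return 1;
    if (decode_frame(&ctx, 128, 96, 1) != -ENOMEM) return 2;
    int r = decode_frame(&ctx, 128, 96, 0);       /* -EINVAL, not a NULL dereference */
    free_planes(&ctx);
    return r;
}
```

The unchecked guard is fine on a healthy context (first frame) and only faults once the ENOMEM path has cleared the band tables, which is why the crash follows the "Cannot allocate memory" line rather than occurring on the first corrupted frame.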

comment:2 Changed 6 years ago by cehoyos

  • Keywords regression added

Regression since fcbf16a.

comment:3 follow-up: Changed 6 years ago by michael

can't reproduce, maybe fixed by a92538b7c0defc86c55fb91f55dfa36aad192673

comment:4 in reply to: ↑ 3 Changed 6 years ago by ami_stuff

  • Resolution set to fixed
  • Status changed from open to closed

Replying to michael:

can't reproduce, maybe fixed by a92538b7c0defc86c55fb91f55dfa36aad192673

doesn't crash here anymore, so probably fixed

comment:5 Changed 6 years ago by cehoyos

Fixed in 8d0b899 / a92538b
