Opened 3 years ago

Closed 3 years ago

#2982 closed defect (fixed)

mlp: invalid write with max_alloc

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: mlp
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

http://www1.datafilehost.com/d/dcbb61c7

(gdb) r -max_alloc 4000000 -i ./crash.mlp -f null -
Starting program: /media/sdb1/ffmpeg-HEAD-93439e8/ffmpeg_g -max_alloc 4000000 -i ./crash.mlp -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-93439e8 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep 18 2013 23:23:15 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver
  libavutil      52. 44.100 / 52. 44.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 18.100 / 55. 18.100
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 86.101 /  3. 86.101
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
[mlp @ 0x9115560] mlpparse: Parity check failed.
[mlp @ 0x9115560] ff_combine_frame failed
    Last message repeated 1746 times
Program received signal SIGSEGV, Segmentation fault.
0x085bba91 in ff_combine_frame (pc=pc@entry=0x9115ae0, next=-3944454, 
    next@entry=-3946109, buf=buf@entry=0xbfffedf0, 
    buf_size=buf_size@entry=0xbfffedf4) at libavcodec/parser.c:267
267	        pc->state = (pc->state<<8) | pc->buffer[pc->last_index + next];
(gdb) bt
#0  0x085bba91 in ff_combine_frame (pc=pc@entry=0x9115ae0, next=-3944454, 
    next@entry=-3946109, buf=buf@entry=0xbfffedf0, 
    buf_size=buf_size@entry=0xbfffedf4) at libavcodec/parser.c:267
#1  0x08535266 in mlp_parse (s=0x9115980, avctx=0x9115560, poutbuf=0xbfffeec4, 
    poutbuf_size=0xbfffeec8, 
    buf=0xb79df008 "L\301\027\200\017G;\031\063eYL\360\254Y\260\222\345o\234lYEm(?\374\276\\\210GN\037\301h\"==K'&\016\367\215'\313Rd\t\226\226\207\030\235\322 rGZߩ\vZ\341J\353:\203\b\237X04\333*M\204t\343\216\345r\246\v#\220\001\026\250\344\006`\b#\265T\026\017,\345\063>\255V)\332F\036\232\315\301\067\377xbҫ?&v\202\225\341\315(\204d\234\064\335^\213b\376\227Q#\023\276\374Nߞ\036`ޢ\237\340\260\034\034\371ף\017\060\061\244W3]/\251\063\346\313q\332%\207f\325\016\274\017{;\200\027\374}\304\362\247\223O\204\255ݶɏ\255\223Zc\270,\221"..., buf_size=6530)
    at libavcodec/mlp_parser.c:286
#2  0x085bb470 in av_parser_parse2 (s=0x9115980, avctx=0x9115560, 
    poutbuf=poutbuf@entry=0xbfffeec4, 
    poutbuf_size=poutbuf_size@entry=0xbfffeec8, 
    buf=buf@entry=0x912d8b0 "&\222)\243\370ro\273.\b\b\\6S@ !", 
    buf_size=buf_size@entry=416, pts=-9223372036854775808, 
    dts=-9223372036854775808, pos=-1) at libavcodec/parser.c:155
#3  0x08239551 in parse_packet (s=s@entry=0x9114d40, pkt=pkt@entry=0xbffff058, 
    stream_index=<optimized out>) at libavformat/utils.c:1201
#4  0x0823a48d in read_frame_internal (s=s@entry=0x9114d40, 
    pkt=pkt@entry=0xbffff238) at libavformat/utils.c:1379
---Type <return> to continue, or q <return> to quit---
#5  0x0823dd65 in avformat_find_stream_info (ic=0x9114d40, options=0x9115940)
    at libavformat/utils.c:2801
#6  0x080a66b5 in open_input_file (o=o@entry=0xbffff51c, 
    filename=<optimized out>) at ffmpeg_opt.c:809
#7  0x080a4ed7 in open_files (inout=inout@entry=0x88e729b "input", 
    open_file=open_file@entry=0x80a62d0 <open_input_file>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at ffmpeg_opt.c:2494
#8  0x080ad0e9 in ffmpeg_parse_options (argc=argc@entry=8, 
    argv=argv@entry=0xbffff9a4) at ffmpeg_opt.c:2531
#9  0x080a25da in main (argc=8, argv=0xbffff9a4) at ffmpeg.c:3393
(gdb) 
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-93439e8/ffmpeg_g -max_alloc 4000000 -i ./crash.mlp -f null -
==3316== Memcheck, a memory error detector
==3316== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==3316== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==3316== Command: ffmpeg-HEAD-93439e8/ffmpeg_g -max_alloc 4000000 -i ./crash.mlp -f null -
==3316== 
ffmpeg version 2.0-93439e8 Copyright (c) 2000-2013 the FFmpeg developers
  built on Sep 18 2013 23:23:15 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver
  libavutil      52. 44.100 / 52. 44.100
  libavcodec     55. 31.101 / 55. 31.101
  libavformat    55. 18.100 / 55. 18.100
  libavdevice    55.  3.100 / 55.  3.100
  libavfilter     3. 86.101 /  3. 86.101
  libswscale      2.  5.100 /  2.  5.100
  libswresample   0. 17.103 /  0. 17.103
  libpostproc    52.  3.100 / 52.  3.100
[mlp @ 0x423a420] mlpparse: Parity check failed.
[mlp @ 0x423a420] ff_combine_frame failed
==3316== Invalid read of size 1times
==3316==    at 0x85BBA91: ff_combine_frame (parser.c:267)
==3316==    by 0x8535265: mlp_parse (mlp_parser.c:286)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316==  Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd
==3316==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==3316==    by 0x8676DA4: av_fast_realloc (utils.c:73)
==3316==    by 0x85BBB54: ff_combine_frame (parser.c:253)
==3316==    by 0x8535265: mlp_parse (mlp_parser.c:286)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316== 
==3316== Invalid read of size 1
==3316==    at 0x85BBAAB: ff_combine_frame (parser.c:268)
==3316==    by 0x8535265: mlp_parse (mlp_parser.c:286)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316==  Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd
==3316==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==3316==    by 0x8676DA4: av_fast_realloc (utils.c:73)
==3316==    by 0x85BBB54: ff_combine_frame (parser.c:253)
==3316==    by 0x8535265: mlp_parse (mlp_parser.c:286)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316== 
==3316== Invalid read of size 1
==3316==    at 0x85BBAAB: ff_combine_frame (parser.c:268)
==3316==    by 0xE0088703: ???
==3316==  Address 0x460f8db is 707 bytes inside a block of size 1,040 free'd
==3316==    at 0x402750C: free (vg_replace_malloc.c:427)
==3316==    by 0x8862CB2: av_buffer_unref (buffer.c:115)
==3316==    by 0x827B6BB: av_free_packet (avpacket.c:284)
==3316==    by 0x8239707: parse_packet (utils.c:1286)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316== 
==3316== Invalid read of size 1
==3316==    at 0x85BBA91: ff_combine_frame (parser.c:267)
==3316==    by 0xE0088703: ???
==3316==  Address 0x460f8dc is 708 bytes inside a block of size 1,040 free'd
==3316==    at 0x402750C: free (vg_replace_malloc.c:427)
==3316==    by 0x8862CB2: av_buffer_unref (buffer.c:115)
==3316==    by 0x827B6BB: av_free_packet (avpacket.c:284)
==3316==    by 0x8239707: parse_packet (utils.c:1286)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316== 
    Last message repeated 1746 times
[mlp @ 0x423a420] mlpparse: Parity check failed.
==3316== Invalid read of size 1
==3316==    at 0x85BBA02: ff_combine_frame (parser.c:226)
==3316==    by 0x85354D5: mlp_parse (mlp_parser.c:251)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316==  Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd
==3316==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==3316==    by 0x8676DA4: av_fast_realloc (utils.c:73)
==3316==    by 0x85BBB54: ff_combine_frame (parser.c:253)
==3316==    by 0x8535265: mlp_parse (mlp_parser.c:286)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316== 
==3316== Invalid write of size 1
==3316==    at 0x85BBA09: ff_combine_frame (parser.c:226)
==3316==    by 0x85354D5: mlp_parse (mlp_parser.c:251)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316==  Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd
==3316==    at 0x40283EE: realloc (vg_replace_malloc.c:632)
==3316==    by 0x8676DA4: av_fast_realloc (utils.c:73)
==3316==    by 0x85BBB54: ff_combine_frame (parser.c:253)
==3316==    by 0x8535265: mlp_parse (mlp_parser.c:286)
==3316==    by 0x85BB46F: av_parser_parse2 (parser.c:155)
==3316==    by 0x8239550: parse_packet (utils.c:1201)
==3316==    by 0x823A48C: read_frame_internal (utils.c:1379)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)
==3316== 
==3316== 
==3316== More than 10000000 total errors detected.  I'm not reporting any more.
==3316== Final error counts will be inaccurate.  Go fix your program!
==3316== Rerun with --error-limit=no to disable this cutoff.  Note
==3316== that errors may occur in your program without prior warning from
==3316== Valgrind, because errors are no longer being displayed.
==3316== 
[mlp @ 0x423a420] ff_combine_frame failed
--3316-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--3316-- si_code=1;  Faulting address: 0xF5F7F212;  sp: 0x62b64e40

valgrind: the 'impossible' happened:
   Killed by fatal signal
==3316==    at 0x3804A1B2: vgPlain_arena_malloc (m_mallocfree.c:285)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==3316==    at 0x4028308: malloc (vg_replace_malloc.c:263)
==3316==    by 0x402849F: realloc (vg_replace_malloc.c:632)
==3316==    by 0x8862FC7: av_buffer_realloc (buffer.c:164)
==3316==    by 0x827AF8F: av_new_packet (avpacket.c:74)
==3316==    by 0x81F29EC: ff_raw_read_partial_packet (rawdec.c:40)
==3316==    by 0x82377E6: ff_read_packet (utils.c:658)
==3316==    by 0x823A128: read_frame_internal (utils.c:1316)
==3316==    by 0x823DD64: avformat_find_stream_info (utils.c:2801)
==3316==    by 0x80A66B4: open_input_file (ffmpeg_opt.c:809)
==3316==    by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494)
==3316==    by 0x40A5E15: (below main) (libc-start.c:228)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

Change History (2)

comment:1 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords mlp added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

next in ff_combine_frame() is a large negative number (because of mp->bytes_left -= mp->pc.index; in mlp_parser.c), making pc->buffer[pc->last_index + next] an invalid memory access.

comment:2 Changed 3 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from open to closed

Fixed by Michael in f31011e.

Note: See TracTickets for help on using tickets.