Opened 11 years ago
Closed 11 years ago
#2982 closed defect (fixed)
mlp: invalid write with max_alloc
| Reported by: | ami_stuff | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | mlp |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
http://www1.datafilehost.com/d/dcbb61c7
(gdb) r -max_alloc 4000000 -i ./crash.mlp -f null - Starting program: /media/sdb1/ffmpeg-HEAD-93439e8/ffmpeg_g -max_alloc 4000000 -i ./crash.mlp -f null - [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". ffmpeg version 2.0-93439e8 Copyright (c) 2000-2013 the FFmpeg developers built on Sep 18 2013 23:23:15 with gcc 4.7 (Debian 4.7.2-5) configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver libavutil 52. 44.100 / 52. 44.100 libavcodec 55. 31.101 / 55. 31.101 libavformat 55. 18.100 / 55. 18.100 libavdevice 55. 3.100 / 55. 3.100 libavfilter 3. 86.101 / 3. 86.101 libswscale 2. 5.100 / 2. 5.100 libswresample 0. 17.103 / 0. 17.103 libpostproc 52. 3.100 / 52. 3.100 [mlp @ 0x9115560] mlpparse: Parity check failed. [mlp @ 0x9115560] ff_combine_frame failed Last message repeated 1746 times Program received signal SIGSEGV, Segmentation fault. 0x085bba91 in ff_combine_frame (pc=pc@entry=0x9115ae0, next=-3944454, next@entry=-3946109, buf=buf@entry=0xbfffedf0, buf_size=buf_size@entry=0xbfffedf4) at libavcodec/parser.c:267 267 pc->state = (pc->state<<8) | pc->buffer[pc->last_index + next]; (gdb) bt #0 0x085bba91 in ff_combine_frame (pc=pc@entry=0x9115ae0, next=-3944454, next@entry=-3946109, buf=buf@entry=0xbfffedf0, buf_size=buf_size@entry=0xbfffedf4) at libavcodec/parser.c:267 #1 0x08535266 in mlp_parse (s=0x9115980, avctx=0x9115560, poutbuf=0xbfffeec4, poutbuf_size=0xbfffeec8, buf=0xb79df008 "L\301\027\200\017G;\031\063eYL\360\254Y\260\222\345o\234lYEm(?\374\276\\\210GN\037\301h\"==K'&\016\367\215'\313Rd\t\226\226\207\030\235\322 
rGZߩ\vZ\341J\353:\203\b\237X04\333*M\204t\343\216\345r\246\v#\220\001\026\250\344\006`\b#\265T\026\017,\345\063>\255V)\332F\036\232\315\301\067\377xbҫ?&v\202\225\341\315(\204d\234\064\335^\213b\376\227Q#\023\276\374Nߞ\036`ޢ\237\340\260\034\034\371ף\017\060\061\244W3]/\251\063\346\313q\332%\207f\325\016\274\017{;\200\027\374}\304\362\247\223O\204\255ݶɏ\255\223Zc\270,\221"..., buf_size=6530) at libavcodec/mlp_parser.c:286 #2 0x085bb470 in av_parser_parse2 (s=0x9115980, avctx=0x9115560, poutbuf=poutbuf@entry=0xbfffeec4, poutbuf_size=poutbuf_size@entry=0xbfffeec8, buf=buf@entry=0x912d8b0 "&\222)\243\370ro\273.\b\b\\6S@ !", buf_size=buf_size@entry=416, pts=-9223372036854775808, dts=-9223372036854775808, pos=-1) at libavcodec/parser.c:155 #3 0x08239551 in parse_packet (s=s@entry=0x9114d40, pkt=pkt@entry=0xbffff058, stream_index=<optimized out>) at libavformat/utils.c:1201 #4 0x0823a48d in read_frame_internal (s=s@entry=0x9114d40, pkt=pkt@entry=0xbffff238) at libavformat/utils.c:1379 ---Type <return> to continue, or q <return> to quit--- #5 0x0823dd65 in avformat_find_stream_info (ic=0x9114d40, options=0x9115940) at libavformat/utils.c:2801 #6 0x080a66b5 in open_input_file (o=o@entry=0xbffff51c, filename=<optimized out>) at ffmpeg_opt.c:809 #7 0x080a4ed7 in open_files (inout=inout@entry=0x88e729b "input", open_file=open_file@entry=0x80a62d0 <open_input_file>, l=<error reading variable: Unhandled dwarf expression opcode 0xfa>, l=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at ffmpeg_opt.c:2494 #8 0x080ad0e9 in ffmpeg_parse_options (argc=argc@entry=8, argv=argv@entry=0xbffff9a4) at ffmpeg_opt.c:2531 #9 0x080a25da in main (argc=8, argv=0xbffff9a4) at ffmpeg.c:3393 (gdb)
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-93439e8/ffmpeg_g -max_alloc 4000000 -i ./crash.mlp -f null - ==3316== Memcheck, a memory error detector ==3316== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al. ==3316== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==3316== Command: ffmpeg-HEAD-93439e8/ffmpeg_g -max_alloc 4000000 -i ./crash.mlp -f null - ==3316== ffmpeg version 2.0-93439e8 Copyright (c) 2000-2013 the FFmpeg developers built on Sep 18 2013 23:23:15 with gcc 4.7 (Debian 4.7.2-5) configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver libavutil 52. 44.100 / 52. 44.100 libavcodec 55. 31.101 / 55. 31.101 libavformat 55. 18.100 / 55. 18.100 libavdevice 55. 3.100 / 55. 3.100 libavfilter 3. 86.101 / 3. 86.101 libswscale 2. 5.100 / 2. 5.100 libswresample 0. 17.103 / 0. 17.103 libpostproc 52. 3.100 / 52. 3.100 [mlp @ 0x423a420] mlpparse: Parity check failed. [mlp @ 0x423a420] ff_combine_frame failed ==3316== Invalid read of size 1times ==3316== at 0x85BBA91: ff_combine_frame (parser.c:267) ==3316== by 0x8535265: mlp_parse (mlp_parser.c:286) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd ==3316== at 0x40283EE: realloc (vg_replace_malloc.c:632) ==3316== by 0x8676DA4: av_fast_realloc (utils.c:73) ==3316== by 0x85BBB54: ff_combine_frame (parser.c:253) ==3316== by 0x8535265: mlp_parse (mlp_parser.c:286) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal 
(utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== ==3316== Invalid read of size 1 ==3316== at 0x85BBAAB: ff_combine_frame (parser.c:268) ==3316== by 0x8535265: mlp_parse (mlp_parser.c:286) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd ==3316== at 0x40283EE: realloc (vg_replace_malloc.c:632) ==3316== by 0x8676DA4: av_fast_realloc (utils.c:73) ==3316== by 0x85BBB54: ff_combine_frame (parser.c:253) ==3316== by 0x8535265: mlp_parse (mlp_parser.c:286) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== ==3316== Invalid read of size 1 ==3316== at 0x85BBAAB: ff_combine_frame (parser.c:268) ==3316== by 0xE0088703: ??? 
==3316== Address 0x460f8db is 707 bytes inside a block of size 1,040 free'd ==3316== at 0x402750C: free (vg_replace_malloc.c:427) ==3316== by 0x8862CB2: av_buffer_unref (buffer.c:115) ==3316== by 0x827B6BB: av_free_packet (avpacket.c:284) ==3316== by 0x8239707: parse_packet (utils.c:1286) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== ==3316== Invalid read of size 1 ==3316== at 0x85BBA91: ff_combine_frame (parser.c:267) ==3316== by 0xE0088703: ??? ==3316== Address 0x460f8dc is 708 bytes inside a block of size 1,040 free'd ==3316== at 0x402750C: free (vg_replace_malloc.c:427) ==3316== by 0x8862CB2: av_buffer_unref (buffer.c:115) ==3316== by 0x827B6BB: av_free_packet (avpacket.c:284) ==3316== by 0x8239707: parse_packet (utils.c:1286) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== Last message repeated 1746 times [mlp @ 0x423a420] mlpparse: Parity check failed. 
==3316== Invalid read of size 1 ==3316== at 0x85BBA02: ff_combine_frame (parser.c:226) ==3316== by 0x85354D5: mlp_parse (mlp_parser.c:251) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd ==3316== at 0x40283EE: realloc (vg_replace_malloc.c:632) ==3316== by 0x8676DA4: av_fast_realloc (utils.c:73) ==3316== by 0x85BBB54: ff_combine_frame (parser.c:253) ==3316== by 0x8535265: mlp_parse (mlp_parser.c:286) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== ==3316== Invalid write of size 1 ==3316== at 0x85BBA09: ff_combine_frame (parser.c:226) ==3316== by 0x85354D5: mlp_parse (mlp_parser.c:251) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== Address 0x441625b is 0 bytes after a block of size 6,987 alloc'd ==3316== at 0x40283EE: realloc (vg_replace_malloc.c:632) ==3316== by 0x8676DA4: av_fast_realloc (utils.c:73) ==3316== by 0x85BBB54: 
ff_combine_frame (parser.c:253) ==3316== by 0x8535265: mlp_parse (mlp_parser.c:286) ==3316== by 0x85BB46F: av_parser_parse2 (parser.c:155) ==3316== by 0x8239550: parse_packet (utils.c:1201) ==3316== by 0x823A48C: read_frame_internal (utils.c:1379) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) ==3316== ==3316== ==3316== More than 10000000 total errors detected. I'm not reporting any more. ==3316== Final error counts will be inaccurate. Go fix your program! ==3316== Rerun with --error-limit=no to disable this cutoff. Note ==3316== that errors may occur in your program without prior warning from ==3316== Valgrind, because errors are no longer being displayed. ==3316== [mlp @ 0x423a420] ff_combine_frame failed --3316-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting --3316-- si_code=1; Faulting address: 0xF5F7F212; sp: 0x62b64e40 valgrind: the 'impossible' happened: Killed by fatal signal ==3316== at 0x3804A1B2: vgPlain_arena_malloc (m_mallocfree.c:285) sched status: running_tid=1 Thread 1: status = VgTs_Runnable ==3316== at 0x4028308: malloc (vg_replace_malloc.c:263) ==3316== by 0x402849F: realloc (vg_replace_malloc.c:632) ==3316== by 0x8862FC7: av_buffer_realloc (buffer.c:164) ==3316== by 0x827AF8F: av_new_packet (avpacket.c:74) ==3316== by 0x81F29EC: ff_raw_read_partial_packet (rawdec.c:40) ==3316== by 0x82377E6: ff_read_packet (utils.c:658) ==3316== by 0x823A128: read_frame_internal (utils.c:1316) ==3316== by 0x823DD64: avformat_find_stream_info (utils.c:2801) ==3316== by 0x80A66B4: open_input_file (ffmpeg_opt.c:809) ==3316== by 0x80A4ED6: open_files.isra.7 (ffmpeg_opt.c:2494) ==3316== by 0x40A5E15: (below main) (libc-start.c:228) Note: see also the FAQ in the source distribution. It contains workarounds to several common problems. 
In particular, if Valgrind aborted or crashed after identifying problems in your program, there's a good chance that fixing those problems will prevent Valgrind aborting or crashing, especially if it happened in m_mallocfree.c. If that doesn't help, please report this bug to: www.valgrind.org In the bug report, send all the above text, the valgrind version, and what OS and version you are using. Thanks.
Change History (2)
comment:1 by , 11 years ago
Component: | undetermined → avcodec |
---|---|
Keywords: | mlp added |
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
Version: | unspecified → git-master |
`next` in `ff_combine_frame()` is a large negative number (because of `mp->bytes_left -= mp->pc.index;` in mlp_parser.c), making `pc->buffer[pc->last_index + next]` an invalid memory access.
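As an added illustration (this is not FFmpeg's code and not the fix committed for this ticket), here is a simplified C model of the overread loop at parser.c:267 with the bounds check on `last_index + next` that the backtrace shows was missing; `ToyParseContext`, `combine_overread` and `run_scenario` are hypothetical names, and the buffer contents are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the parser context (hypothetical; not FFmpeg's ParseContext). */
typedef struct {
    uint8_t  buffer[16];   /* bytes carried over from earlier packets */
    int      index;        /* how many of them are valid */
    int      last_index;
    int      overread;
    uint32_t state;        /* rolling sync-word state */
} ToyParseContext;

/* Model of the "store overread bytes" loop: a negative 'next' means the
 * frame end lies 'next' bytes before the current write position, so the
 * loop re-reads those bytes into the sync state. Returns the number of
 * bytes re-read, or -1 if 'next' points before the start of the buffer. */
static int combine_overread(ToyParseContext *pc, int next)
{
    pc->last_index = pc->index;
    /* Guard added in this model: last_index + next must stay >= 0,
     * otherwise buffer[last_index + next] reads outside the block. A
     * miscomputed bytes_left in the caller is exactly what produces
     * such a 'next', so the parser cannot trust it unchecked. */
    if (next < -pc->last_index)
        return -1;
    for (; next < 0; next++) {
        pc->state = (pc->state << 8) | pc->buffer[pc->last_index + next];
        pc->overread++;
    }
    return pc->overread;
}

/* Drive the model with a given 'next'. Constructed input: four carried
 * bytes are valid in the context. Writes the resulting sync state to
 * *state_out and returns combine_overread()'s result. */
static int run_scenario(int next, uint32_t *state_out)
{
    ToyParseContext pc = { .index = 4 };
    const uint8_t carried[4] = { 0xAA, 0xBB, 0xCC, 0xDD }; /* constructed */
    memcpy(pc.buffer, carried, sizeof carried);
    int rc = combine_overread(&pc, next);
    if (state_out)
        *state_out = pc.state;
    return rc;
}
```

With `next = -2` the model re-reads the last two carried bytes; with the value from the ticket's backtrace (`next = -3946109`) the guard rejects the call before any memory is touched.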