Opened 5 years ago

Closed 5 years ago

#3462 closed defect (fixed)

cinepakenc: invalid read

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: cinepak crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

(gdb) r -i 2.tif -vcodec cinepak out.avi
Starting program: /media/sdb1/ffmpeg-HEAD-7d7487e/ffmpeg_g -i 2.tif -vcodec cinepak out.avi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.2.git-7d7487e Copyright (c) 2000-2014 the FFmpeg developers
  built on Mar 13 2014 12:14:03 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 66.101 / 52. 66.101
  libavcodec     55. 52.102 / 55. 52.102
  libavformat    55. 34.101 / 55. 34.101
  libavdevice    55. 11.100 / 55. 11.100
  libavfilter     4.  3.100 /  4.  3.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 18.100 /  0. 18.100
  libpostproc    52.  3.100 / 52.  3.100
Input #0, image2, from '2.tif':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: tiff, monob, 2048x2048, 25 tbr, 25 tbn, 25 tbc
[New Thread 0xb7db5b70 (LWP 2937)]
[New Thread 0xb75b5b70 (LWP 2938)]
[New Thread 0xb6db5b70 (LWP 2939)]
[New Thread 0xb65b5b70 (LWP 2940)]
[New Thread 0xb5db5b70 (LWP 2941)]
[New Thread 0xb55b5b70 (LWP 2942)]
[New Thread 0xb4db5b70 (LWP 2943)]
[New Thread 0xb45b5b70 (LWP 2944)]
[New Thread 0xb3db5b70 (LWP 2945)]
[New Thread 0xb086bb70 (LWP 2946)]
[New Thread 0xb006bb70 (LWP 2947)]
[New Thread 0xaf86bb70 (LWP 2948)]
[New Thread 0xaf06bb70 (LWP 2949)]
[New Thread 0xae86bb70 (LWP 2950)]
[New Thread 0xae06bb70 (LWP 2951)]
[New Thread 0xad86bb70 (LWP 2952)]
[New Thread 0xad06bb70 (LWP 2953)]
[New Thread 0xac86bb70 (LWP 2954)]
Output #0, avi, to 'out.avi':
  Metadata:
    ISFT            : Lavf55.34.101
    Stream #0:0: Video: cinepak (cvid / 0x64697663), gray, 2048x2048, q=2-31, 200 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (tiff -> cinepak)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
get_high_utility_cell (elbg=<synthetic pointer>) at libavcodec/elbg.c:112
112	    while (elbg->utility_inc[i] < r)
(gdb) bt
#0  get_high_utility_cell (elbg=<synthetic pointer>) at libavcodec/elbg.c:112
#1  do_shiftings (elbg=<optimized out>) at libavcodec/elbg.c:317
#2  avpriv_do_elbg (points=0xb25b5020, dim=4, numpoints=471444, 
    codebook=0xbfffda64, numCB=4, max_steps=1, closest_cb=0xb21b4020, 
    rand_state=0x92d0148) at libavcodec/elbg.c:411
#3  0x082b5196 in quantize (s=s@entry=0x92d0100, h=h@entry=1024, 
    pict=pict@entry=0xbffff340, info=info@entry=0xbfffc264, encoding=ENC_V4, 
    encoding@entry=16, v1mode=0) at libavcodec/cinepakenc.c:856
#4  0x082b6788 in rd_strip (s=s@entry=0x92d0100, h=1024, 
    keyframe=keyframe@entry=1, last_pict=last_pict@entry=0xbffff300, 
    pict=pict@entry=0xbffff340, scratch_pict=scratch_pict@entry=0xbffff380, 
    buf=0xb116d02a "\020\017\230\250", best_score=best_score@entry=0xbffff2f8, 
    y=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at libavcodec/cinepakenc.c:1015
#5  0x082b77c7 in rd_frame (buf=0xab87a020 "", isakeyframe=1, frame=0x9319940, 
    s=<optimized out>, buf_size=<optimized out>)
    at libavcodec/cinepakenc.c:1205
#6  cinepak_encode_frame (avctx=0x92cfb40, pkt=0xbffff778, frame=0x9319940, 
    got_packet=0xbffff4f4) at libavcodec/cinepakenc.c:1278
#7  0x086f3575 in avcodec_encode_video2 (avctx=avctx@entry=0x92cfb40, 
    avpkt=avpkt@entry=0xbffff778, frame=frame@entry=0x9319940, 
    got_packet_ptr=got_packet_ptr@entry=0xbffff4f4) at libavcodec/utils.c:1892
#8  0x080c4725 in do_video_out (in_picture=0x9319940, ost=0x92cff40, 
---Type <return> to continue, or q <return> to quit---
    s=0x92cf380) at ffmpeg.c:997
#9  reap_filters () at ffmpeg.c:1157
#10 0x080ac17c in transcode_from_filter (best_ist=<synthetic pointer>, 
    graph=0x92ceae0) at ffmpeg.c:3330
#11 transcode_step () at ffmpeg.c:3381
#12 transcode () at ffmpeg.c:3442
#13 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3622
(gdb) 
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-7d7487e/ffmpeg_g -i 2.tif -vcodec cinepak out.avi
==2895== Memcheck, a memory error detector
==2895== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2895== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2895== Command: ffmpeg-HEAD-7d7487e/ffmpeg_g -i 2.tif -vcodec cinepak out.avi
==2895== 
ffmpeg version 2.2.git-7d7487e Copyright (c) 2000-2014 the FFmpeg developers
  built on Mar 13 2014 12:14:03 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      52. 66.101 / 52. 66.101
  libavcodec     55. 52.102 / 55. 52.102
  libavformat    55. 34.101 / 55. 34.101
  libavdevice    55. 11.100 / 55. 11.100
  libavfilter     4.  3.100 /  4.  3.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 18.100 /  0. 18.100
  libpostproc    52.  3.100 / 52.  3.100
Input #0, image2, from '2.tif':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: tiff, monob, 2048x2048, 25 tbr, 25 tbn, 25 tbc
Output #0, avi, to 'out.avi':
  Metadata:
    ISFT            : Lavf55.34.101
    Stream #0:0: Video: cinepak (cvid / 0x64697663), gray, 2048x2048, q=2-31, 200 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (tiff -> cinepak)
Press [q] to stop, [?] for help
==2895== Invalid read of size 4
==2895==    at 0x8342E6B: avpriv_do_elbg (elbg.c:112)
==2895==    by 0x82B5195: quantize.constprop.15 (cinepakenc.c:856)
==2895==  Address 0x158b2210 is 0 bytes after a block of size 16 alloc'd
==2895==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==2895==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==2895==    by 0x893B337: av_malloc (mem.c:94)
==2895==    by 0x8342B63: avpriv_do_elbg (elbg.c:376)
==2895==    by 0x82B5195: quantize.constprop.15 (cinepakenc.c:856)
==2895== 
==2895== Conditional jump or move depends on uninitialised value(s)
==2895==    at 0x8342E75: avpriv_do_elbg (elbg.c:112)
==2895==    by 0x82B5195: quantize.constprop.15 (cinepakenc.c:856)
==2895== 
==2895== 
==2895== Process terminating with default action of signal 11 (SIGSEGV)
==2895==  Access not within mapped region at address 0x158B3000
==2895==    at 0x8342E6B: avpriv_do_elbg (elbg.c:112)
==2895==    by 0x82B5195: quantize.constprop.15 (cinepakenc.c:856)
==2895==  If you believe this happened as a result of a stack
==2895==  overflow in your program's main thread (unlikely but
==2895==  possible), you can try to increase the size of the
==2895==  main thread stack using the --main-stacksize= flag.
==2895==  The main thread stack size used in this run was 8388608.
==2895== 
==2895== HEAP SUMMARY:
==2895==     in use at exit: 69,016,706 bytes in 229 blocks
==2895==   total heap usage: 3,193 allocs, 2,964 frees, 152,027,251 bytes allocated
==2895== 
==2895== 1,296 bytes in 9 blocks are possibly lost in loss record 109 of 146
==2895==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==2895==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==2895==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==2895==    by 0x80E5351: ff_graph_thread_init (pthread.c:187)
==2895==    by 0x80D8B1F: avfilter_graph_alloc_filter (avfiltergraph.c:189)
==2895==    by 0x422B3DF: ???
==2895== 
==2895== 1,296 bytes in 9 blocks are possibly lost in loss record 110 of 146
==2895==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
==2895==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
==2895==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
==2895==    by 0x8648BC2: ff_frame_thread_init (pthread_frame.c:710)
==2895==    by 0x86F816D: avcodec_open2 (utils.c:1315)
==2895==    by 0x80CA721: transcode_init (ffmpeg.c:2145)
==2895==    by 0x80AB2DE: main (ffmpeg.c:3413)
==2895== 
==2895== LEAK SUMMARY:
==2895==    definitely lost: 0 bytes in 0 blocks
==2895==    indirectly lost: 0 bytes in 0 blocks
==2895==      possibly lost: 2,592 bytes in 18 blocks
==2895==    still reachable: 69,014,114 bytes in 211 blocks
==2895==         suppressed: 0 bytes in 0 blocks
==2895== Reachable blocks (those to which a pointer was found) are not shown.
==2895== To see them, rerun with: --leak-check=full --show-reachable=yes
==2895== 
==2895== For counts of detected and suppressed errors, rerun with: -v
==2895== Use --track-origins=yes to see where uninitialised values come from
==2895== ERROR SUMMARY: 895 errors from 4 contexts (suppressed: 59 from 6)
Killed

Attachments (1)

2.tif (266.2 KB) - added by ami_stuff 5 years ago.

Download all attachments as: .zip

Change History (3)

Changed 5 years ago by ami_stuff

comment:1 Changed 5 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords cinepak crash SIGSEGV added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:2 Changed 5 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed
Note: See TracTickets for help on using tickets.