Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#3869 closed defect (fixed)

mjpeg: invalid write (fuzzed file)

Reported by: ami_stuff
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: mjpeg crash regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

(gdb) r -i ab2.jpg
Starting program: /media/sdb1/ffmpeg-snapshot/ffmpeg_g -i ab2.jpg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.3.git Copyright (c) 2000-2014 the FFmpeg developers
  built on Aug 14 2014 23:56:56 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --enable-gpl --disable-ffserver --disable-ffprobe
  libavutil      54.  3.100 / 54.  3.100
  libavcodec     56.  0.101 / 56.  0.101
  libavformat    56.  1.100 / 56.  1.100
  libavdevice    56.  0.100 / 56.  0.100
  libavfilter     5.  0.100 /  5.  0.100
  libswscale      3.  0.100 /  3.  0.100
  libswresample   1.  0.100 /  1.  0.100
  libpostproc    53.  0.100 / 53.  0.100
[mjpeg @ 0x93affc0] mjpeg_decode_dc: bad vlc: 0:1 (0x93b0918)
[mjpeg @ 0x93affc0] error dc
[mjpeg @ 0x93affc0] error y=10 x=58
*** glibc detected *** /media/sdb1/ffmpeg-snapshot/ffmpeg_g: double free or corruption (out): 0xb7be9020 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x70a8a)[0xb7ea4a8a]
/lib/i386-linux-gnu/libc.so.6(+0x722e8)[0xb7ea62e8]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0xb7ea93ed]
/media/sdb1/ffmpeg-snapshot/ffmpeg_g[0x89e3772]
======= Memory map: ========
08048000-08d11000 r-xp 00000000 08:11 4562       /media/sdb1/ffmpeg-snapshot/ffmpeg_g
08d11000-08d33000 rw-p 00cc8000 08:11 4562       /media/sdb1/ffmpeg-snapshot/ffmpeg_g
08d33000-093c3000 rw-p 00000000 00:00 0          [heap]
41602000-41619000 r-xp 00000000 08:02 10056      /lib/i386-linux-gnu/libz.so.1.2.7
41619000-4161a000 r--p 00016000 08:02 10056      /lib/i386-linux-gnu/libz.so.1.2.7
4161a000-4161b000 rw-p 00017000 08:02 10056      /lib/i386-linux-gnu/libz.so.1.2.7
41628000-41659000 r-xp 00000000 08:02 10014      /lib/i386-linux-gnu/libncursesw.so.5.9
41659000-4165a000 r--p 00030000 08:02 10014      /lib/i386-linux-gnu/libncursesw.so.5.9
4165a000-4165b000 rw-p 00031000 08:02 10014      /lib/i386-linux-gnu/libncursesw.so.5.9
41673000-41676000 r-xp 00000000 08:02 24959      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
41676000-41677000 r--p 00002000 08:02 24959      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
41677000-41678000 rw-p 00003000 08:02 24959      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
4178e000-418c2000 r-xp 00000000 08:02 24566      /usr/lib/i386-linux-gnu/libX11.so.6.3.0
418c2000-418c6000 rw-p 00133000 08:02 24566      /usr/lib/i386-linux-gnu/libX11.so.6.3.0
418c8000-418e9000 r-xp 00000000 08:02 25047      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
418e9000-418ea000 r--p 00020000 08:02 25047      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
418ea000-418eb000 rw-p 00021000 08:02 25047      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
418ed000-418ef000 r-xp 00000000 08:02 24568      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
418ef000-418f0000 rw-p 00001000 08:02 24568      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
418f2000-418f7000 r-xp 00000000 08:02 24574      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
418f7000-418f8000 rw-p 00004000 08:02 24574      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
41913000-41924000 r-xp 00000000 08:02 24575      /usr/lib/i386-linux-gnu/libXext.so.6.4.0
41924000-41925000 rw-p 00010000 08:02 24575      /usr/lib/i386-linux-gnu/libXext.so.6.4.0
41cd1000-41cd3000 r-xp 00000000 08:02 25013      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
41cd3000-41cd4000 rw-p 00001000 08:02 25013      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
41cd6000-41ce4000 r-xp 00000000 08:02 24578      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
41ce4000-41ce5000 rw-p 0000e000 08:02 24578      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
41f58000-41f6e000 r-xp 00000000 08:02 24654      /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
41f6e000-41f6f000 rw-p 00016000 08:02 24654      /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
41f94000-41f98000 r-xp 00000000 08:02 9978       /lib/i386-linux-gnu/libattr.so.1.1.0
41f98000-41f99000 r--p 00003000 08:02 9978       /lib/i386-linux-gnu/libattr.so.1.1.0
41f99000-41f9a000 rw-p 00004000 08:02 9978       /lib/i386-linux-gnu/libattr.so.1.1.0
41f9c000-41fa0000 r-xp 00000000 08:02 9985       /lib/i386-linux-gnu/libcap.so.2.22
41fa0000-41fa1000 rw-p 00003000 08:02 9985       /lib/i386-linux-gnu/libcap.so.2.22
41fa3000-41fab000 r-xp 00000000 08:02 10054      /lib/i386-linux-gnu/libwrap.so.0.7.6
41fab000-41fac000 r--p 00007000 08:02 10054      /lib/i386-linux-gnu/libwrap.so.0.7.6
41fac000-41fad000 rw-p 00008000 08:02 10054      /lib/i386-linux-gnu/libwrap.so.0.7.6
41faf000-41fb4000 r-xp 00000000 08:02 24589      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
41fb4000-41fb5000 rw-p 00004000 08:02 24589      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
4244e000-42457000 r-xp 00000000 08:02 24707      /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
42457000-42458000 rw-p 00008000 08:02 24707      /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
42489000-42491000 r-xp 00000000 08:02 10005      /lib/i386-linux-gnu/libjson.so.0.1.0
42491000-42492000 r--p 00007000 08:02 10005      /lib/i386-linux-gnu/libjson.so.0.1.0
42492000-42493000 rw-p 00008000 08:02 10005      /lib/i386-linux-gnu/libjson.so.0.1.0
42495000-4249a000 r-xp 00000000 08:02 24603      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
4249a000-4249b000 rw-p 00004000 08:02 24603      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
424a1000-424a7000 r-xp 00000000 08:02 24920      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
424a7000-424a8000 rw-p 00005000 08:02 24920      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
424aa000-424d4000 r-xp 00000000 08:02 25032      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
424d4000-424d5000 r--p 00029000 08:02 25032      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
424d5000-424d6000 rw-p 0002a000 08:02 25032      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
424d8000-42526000 r-xp 00000000 08:02 24551      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
42526000-42527000 r--p 0004d000 08:02 24551      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
42527000-42528000 rw-p 0004e000 08:02 24551      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
42530000-42534000 r-xp 00000000 08:02 10053      /lib/i386-linux-gnu/libuuid.so.1.3.0
42534000-42535000 r--p 00003000 08:02 10053      /lib/i386-linux-gnu/libuuid.so.1.3.0
42535000-42536000 rw-p 00004000 08:02 10053      /lib/i386-linux-gnu/libuuid.so.1.3.0
4254b000-4263e000 r-xp 00000000 08:02 24600      /usr/lib/i386-linux-gnu/libasound.so.2.0.0
4263e000-42642000 r--p 000f2000 08:02 24600      /usr/lib/i386-linux-gnu/libasound.so.2.0.0
42642000-42643000 rw-p 000f6000 08:02 24600      /usr/lib/i386-linux-gnu/libasound.so.2.0.0
4266f000-426b8000 r-xp 00000000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
426b8000-426b9000 ---p 00049000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
426b9000-426ba000 r--p 00049000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
426ba000-426bb000 rw-p 0004a000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
426e9000-42705000 r-xp 00000000 08:02 9997       /lib/i386-linux-gnu/libgcc_s.so.1
42705000-42706000 rw-p 0001b000 08:02 9997       /lib/i386-linux-gnu/libgcc_s.so.1
427f8000-427ff000 r-xp 00000000 08:02 24562      /usr/lib/i386-linux-gnu/libSM.so.6.0.1
427ff000-42800000 rw-p 00006000 08:02 24562      /usr/lib/i386-linux-gnu/libSM.so.6.0.1
42802000-42818000 r-xp 00000000 08:02 24556      /usr/lib/i386-linux-gnu/libICE.so.6.3.0
42818000-4281a000 rw-p 00015000 08:02 24556      /usr/lib/i386-linux-gnu/libICE.so.6.3.0
4281a000-4281b000 rw-p 00000000 00:00 0 
428aa000-428c7000 r-xp 00000000 08:02 10046      /lib/i386-linux-gnu/libtinfo.so.5.9
428c7000-428c9000 r--p 0001c000 08:02 10046      /lib/i386-linux-gnu/libtinfo.so.5.9
428c9000-428ca000 rw-p 0001e000 08:02 10046      /lib/i386-linux-gnu/libtinfo.so.5.9
42af2000-42b75000 r-xp 00000000 08:02 24655      /usr/lib/i386-linux-gnu/libdirectfb-1.2.so.9.0.1
42b75000-42b78000 rw-p 00082000 08:02 24655      /usr/lib/i386-linux-gnu/libdirectfb-1.2.so.9.0.1
42bb9000-42bba000 r-xp 00000000 08:02 24565      /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
42bba000-42bbb000 rw-p 00000000 08:02 24565      /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
42bc5000-42c13000 r-xp 00000000 08:02 24960      /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
42c13000-42c14000 r--p 0004d000 08:02 24960      /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
42c14000-42c15000 rw-p 0004e000 08:02 24960      /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
42e38000-42f9e000 r-xp 00000000 08:02 25033      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
42f9e000-42faf000 r--p 00165000 08:02 25033      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
42faf000-42fb0000 rw-p 00176000 08:02 25033      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
42fb2000-43018000 r-xp 00000000 08:02 26819      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
43018000-43019000 r--p 00065000 08:02 26819      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
43019000-4301a000 rw-p 00066000 08:02 26819      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
4308c000-430f9000 r-xp 00000000 08:02 24984      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
430f9000-430fb000 r--p 0006c000 08:02 24984      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
430fb000-430fc000 rw-p 0006e000 08:02 24984      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
430fc000-43100000 rw-p 00000000 00:00 0 
43102000-431ea000 r-xp 00000000 08:02 10042      /lib/i386-linux-gnu/libslang.so.2.2.4
431ea000-431ec000 r--p 000e8000 08:02 10042      /lib/i386-linux-gnu/libslang.so.2.2.4
431ec000-431fb000 rw-p 000ea000 08:02 10042      /lib/i386-linux-gnu/libslang.so.2.2.4
431fb000-43235000 rw-p 00000000 00:00 0 
44162000-441d4000 r-xp 00000000 08:02 24561      /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4
441d4000-441d5000 r--p 00071000 08:02 24561      /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4
441d5000-441d6000 rw-p 00072000 08:02 24561      /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4
441d6000-44200000 rw-p 00000000 00:00 0 
44202000-442c9000 r-xp 00000000 08:02 24627      /usr/lib/i386-linux-gnu/libcaca.so.0.99.18
442c9000-442ca000 rw-p 000c6000 08:02 24627      /usr/lib/i386-linux-gnu/libcaca.so.0.99.18
442ca000-442cf000 rw-p 00000000 00:00 0 
b7800000-b7821000 rw-p 00000000 00:00 0 
b7821000-b7900000 ---p 00000000 00:00 0 
b7907000-b7d5a000 rw-p 00000000 00:00 0 
b7dac000-b7dfc000 rw-p 00000000 00:00 0 
b7dfc000-b7e0d000 r-xp 00000000 08:02 29160      /lib/i386-linux-gnu/libresolv-2.13.so
b7e0d000-b7e0e000 r--p 00010000 08:02 29160      /lib/i386-linux-gnu/libresolv-2.13.so
b7e0e000-b7e0f000 rw-p 00011000 08:02 29160      /lib/i386-linux-gnu/libresolv-2.13.so
b7e0f000-b7e12000 rw-p 00000000 00:00 0 
b7e12000-b7e25000 r-xp 00000000 08:02 29162      /lib/i386-linux-gnu/libnsl-2.13.so
b7e25000-b7e26000 r--p 00012000 08:02 29162      /lib/i386-linux-gnu/libnsl-2.13.so
b7e26000-b7e27000 rw-p 00013000 08:02 29162      /lib/i386-linux-gnu/libnsl-2.13.so
b7e27000-b7e2f000 rw-p 00000000 00:00 0 
b7e2f000-b7e31000 r-xp 00000000 08:02 29151      /lib/i386-linux-gnu/libdl-2.13.so
b7e31000-b7e32000 r--p 00001000 08:02 29151      /lib/i386-linux-gnu/libdl-2.13.so
b7e32000-b7e33000 rw-p 00002000 08:02 29151      /lib/i386-linux-gnu/libdl-2.13.so
b7e33000-b7e34000 rw-p 00000000 00:00 0 
b7e34000-b7f7b000 r-xp 00000000 08:02 29158      /lib/i386-linux-gnu/libc-2.13.so
b7f7b000-b7f7c000 ---p 00147000 08:02 29158      /lib/i386-linux-gnu/libc-2.13.so
b7f7c000-b7f7e000 r--p 00147000 08:02 29158      /lib/i386-linux-gnu/libc-2.13.so
b7f7e000-b7f7f000 rw-p 00149000 08:02 29158      /lib/i386-linux-gnu/libc-2.13.so
b7f7f000-b7f82000 rw-p 00000000 00:00 0 
b7f82000-b7f97000 r-xp 00000000 08:02 29148      /lib/i386-linux-gnu/libpthread-2.13.so
b7f97000-b7f98000 r--p 00014000 08:02 29148      /lib/i386-linux-gnu/libpthread-2.13.so
b7f98000-b7f99000 rw-p 00015000 08:02 29148      /lib/i386-linux-gnu/libpthread-2.13.so
b7f99000-b7f9b000 rw-p 00000000 00:00 0 
b7f9b000-b7fa2000 r-xp 00000000 08:02 29153      /lib/i386-linux-gnu/librt-2.13.so
b7fa2000-b7fa3000 r--p 00006000 08:02 29153      /lib/i386-linux-gnu/librt-2.13.so
b7fa3000-b7fa4000 rw-p 00007000 08:02 29153      /lib/i386-linux-gnu/librt-2.13.so
b7fa4000-b7fc8000 r-xp 00000000 08:02 29155      /lib/i386-linux-gnu/libm-2.13.so
b7fc8000-b7fc9000 r--p 00023000 08:02 29155      /lib/i386-linux-gnu/libm-2.13.so
b7fc9000-b7fca000 rw-p 00024000 08:02 29155      /lib/i386-linux-gnu/libm-2.13.so
b7fca000-b7fcb000 rw-p 00000000 00:00 0 
b7fe0000-b7fe2000 rw-p 00000000 00:00 0 
b7fe2000-b7ffe000 r-xp 00000000 08:02 29161      /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 08:02 29161      /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 08:02 29161      /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]

Program received signal SIGABRT, Aborted.
0xb7e5e667 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0xb7e5e667 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0xb7e61a52 in *__GI_abort () at abort.c:92
#2  0xb7e9a98d in __libc_message (do_abort=2, 
    fmt=0xb7f61330 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0xb7ea4a8a in malloc_printerr (action=<optimized out>, 
    str=0x6 <Address 0x6 out of bounds>, ptr=0xb7be9020) at malloc.c:6283
#4  0xb7ea62e8 in _int_free (av=<optimized out>, p=<optimized out>)
    at malloc.c:4795
#5  0xb7ea93ed in *__GI___libc_free (mem=0xb7be9020) at malloc.c:3738
#6  0x089e3772 in buffer_pool_free (pool=0x93a8420) at libavutil/buffer.c:230
#7  av_buffer_pool_uninit (ppool=ppool@entry=0x93aeb60)
    at libavutil/buffer.c:246
#8  0x0808c76e in avcodec_close (avctx=0x93affc0) at libavcodec/utils.c:2717
#9  0x08291864 in avformat_find_stream_info (ic=0x93af340, options=0x93af100)
    at libavformat/utils.c:3249
#10 0x080be3de in open_input_file (o=o@entry=0xbffff54c, 
    filename=<optimized out>) at ffmpeg_opt.c:888
#11 0x080b7d17 in open_files (inout=inout@entry=0x8a76cfb "input", 
    open_file=open_file@entry=0x80bdf90 <open_input_file>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    l=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at ffmpeg_opt.c:2670
#12 0x080bff09 in ffmpeg_parse_options (argc=argc@entry=3, 
    argv=argv@entry=0xbffff9f4) at ffmpeg_opt.c:2707
#13 0x080af43a in main (argc=3, argv=0xbffff9f4) at ffmpeg.c:3824
(gdb) 
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full  ffmpeg-snapshot/ffmpeg_g -i ab2.jpg
==10795== Memcheck, a memory error detector
==10795== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==10795== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==10795== Command: ffmpeg-snapshot/ffmpeg_g -i ab2.jpg
==10795== 
ffmpeg version 2.3.git Copyright (c) 2000-2014 the FFmpeg developers
  built on Aug 14 2014 23:56:56 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --enable-gpl --disable-ffserver --disable-ffprobe
  libavutil      54.  3.100 / 54.  3.100
  libavcodec     56.  0.101 / 56.  0.101
  libavformat    56.  1.100 / 56.  1.100
  libavdevice    56.  0.100 / 56.  0.100
  libavfilter     5.  0.100 /  5.  0.100
  libswscale      3.  0.100 /  3.  0.100
  libswresample   1.  0.100 /  1.  0.100
  libpostproc    53.  0.100 / 53.  0.100
[mjpeg @ 0x42276a0] mjpeg_decode_dc: bad vlc: 0:1 (0x42286b8)
[mjpeg @ 0x42276a0] error dc
[mjpeg @ 0x42276a0] error y=10 x=58
==10795== Invalid read of size 2
==10795==    at 0x85B1A00: ff_mjpeg_decode_sos (mjpegdec.c:1158)
==10795==    by 0x85B2A79: ff_mjpeg_decode_frame (mjpegdec.c:2039)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795==  Address 0x45bc6ae is 1,510,030 bytes inside a block of size 1,510,031 alloc'd
==10795==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==10795==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==10795==    by 0x89F1C57: av_malloc (mem.c:95)
==10795==    by 0x89E3202: av_buffer_allocz (buffer.c:70)
==10795==    by 0x89E37E8: av_buffer_pool_get (buffer.c:305)
==10795==    by 0x873B4A5: video_get_buffer (utils.c:657)
==10795==    by 0x873D848: get_buffer_internal (utils.c:1002)
==10795==    by 0x873DBD3: ff_get_buffer (utils.c:1015)
==10795==    by 0x85AEB24: ff_mjpeg_decode_sof (mjpegdec.c:554)
==10795==    by 0x85B2B56: ff_mjpeg_decode_frame (mjpegdec.c:1980)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795== 
==10795== Invalid write of size 2
==10795==    at 0x85B1A05: ff_mjpeg_decode_sos (mjpegdec.c:1158)
==10795==    by 0x85B2A79: ff_mjpeg_decode_frame (mjpegdec.c:2039)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795==  Address 0x45bc6ae is 1,510,030 bytes inside a block of size 1,510,031 alloc'd
==10795==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==10795==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==10795==    by 0x89F1C57: av_malloc (mem.c:95)
==10795==    by 0x89E3202: av_buffer_allocz (buffer.c:70)
==10795==    by 0x89E37E8: av_buffer_pool_get (buffer.c:305)
==10795==    by 0x873B4A5: video_get_buffer (utils.c:657)
==10795==    by 0x873D848: get_buffer_internal (utils.c:1002)
==10795==    by 0x873DBD3: ff_get_buffer (utils.c:1015)
==10795==    by 0x85AEB24: ff_mjpeg_decode_sof (mjpegdec.c:554)
==10795==    by 0x85B2B56: ff_mjpeg_decode_frame (mjpegdec.c:1980)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795== 
==10795== Invalid write of size 8
==10795==    at 0x885D39E: ff_put_pixels_clamped_mmx (idctdsp_mmx.c:69)
==10795==    by 0x85B074E: ff_mjpeg_decode_sos (mjpegdec.c:1326)
==10795==    by 0x85B2A79: ff_mjpeg_decode_frame (mjpegdec.c:2039)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795==  Address 0x45bc6b0 is 1 bytes after a block of size 1,510,031 alloc'd
==10795==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==10795==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==10795==    by 0x89F1C57: av_malloc (mem.c:95)
==10795==    by 0x89E3202: av_buffer_allocz (buffer.c:70)
==10795==    by 0x89E37E8: av_buffer_pool_get (buffer.c:305)
==10795==    by 0x873B4A5: video_get_buffer (utils.c:657)
==10795==    by 0x873D848: get_buffer_internal (utils.c:1002)
==10795==    by 0x873DBD3: ff_get_buffer (utils.c:1015)
==10795==    by 0x85AEB24: ff_mjpeg_decode_sof (mjpegdec.c:554)
==10795==    by 0x85B2B56: ff_mjpeg_decode_frame (mjpegdec.c:1980)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795== 
==10795== Invalid read of size 2
==10795==    at 0x85B1A0D: ff_mjpeg_decode_sos (mjpegdec.c:1157)
==10795==    by 0x85B2A79: ff_mjpeg_decode_frame (mjpegdec.c:2039)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795==  Address 0x45bc6b4 is 5 bytes after a block of size 1,510,031 alloc'd
==10795==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==10795==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==10795==    by 0x89F1C57: av_malloc (mem.c:95)
==10795==    by 0x89E3202: av_buffer_allocz (buffer.c:70)
==10795==    by 0x89E37E8: av_buffer_pool_get (buffer.c:305)
==10795==    by 0x873B4A5: video_get_buffer (utils.c:657)
==10795==    by 0x873D848: get_buffer_internal (utils.c:1002)
==10795==    by 0x873DBD3: ff_get_buffer (utils.c:1015)
==10795==    by 0x85AEB24: ff_mjpeg_decode_sof (mjpegdec.c:554)
==10795==    by 0x85B2B56: ff_mjpeg_decode_frame (mjpegdec.c:1980)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)
==10795== 
--10795-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--10795-- si_code=1;  Faulting address: 0x61687420;  sp: 0x62a56cd0

valgrind: the 'impossible' happened:
   Killed by fatal signal
==10795==    at 0x3803C4D9: vgPlain_strcmp (m_libcbase.c:306)
==10795==    by 0x3803D101: vgPlain_assert_fail (m_libcassert.c:274)
==10795==    by 0x65736164: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==10795==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
==10795==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
==10795==    by 0x89F1F37: av_mallocz (mem.c:95)
==10795==    by 0x89E32C3: av_buffer_ref (buffer.c:93)
==10795==    by 0x89EC104: av_frame_ref (frame.c:298)
==10795==    by 0x85B2BD0: ff_mjpeg_decode_frame (mjpegdec.c:2016)
==10795==    by 0x873F48E: avcodec_decode_video2 (utils.c:2264)
==10795==    by 0x8288B7A: try_decode_frame (utils.c:2587)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

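The traces above show the pattern behind this class of decoder bug: valgrind reports a 2-byte write that straddles the last byte of a 1,510,031-byte frame buffer and an 8-byte `ff_put_pixels_clamped_mmx` write one byte past it, and glibc only notices the damage later, when `av_buffer_pool_uninit` frees the chunk and finds its metadata clobbered ("double free or corruption (out)"). The following is an added, stand-alone C model of that failure mode, not FFmpeg's code: a toy frame buffer with a guard region standing in for the neighbouring heap chunk, an unchecked 8x8 block writer, and a bounds-checked one that rejects a block whose coordinates fall outside the frame geometry declared in the header. The frame size, the block coordinates and the guard layout are constructed for the example.

```c
/* Added example, not FFmpeg code: a toy model of the failure in this ticket.
 * A decoder writes 8x8 blocks into a heap frame buffer at coordinates taken
 * from the bitstream; a block placed past the frame edge spills into whatever
 * follows the buffer. Here a guard region stands in for the neighbouring heap
 * chunk whose metadata glibc later found corrupted in free(). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 8
#define GUARD_LEN  512          /* bytes after the plane, filled with GUARD_BYTE */
#define GUARD_BYTE 0xA5

typedef struct {
    int width, height;          /* visible dimensions from the frame header */
    int linesize;               /* bytes per row (>= width) */
    size_t plane_bytes;         /* height * linesize */
    uint8_t *arena;             /* plane_bytes + GUARD_LEN bytes */
} Plane;

Plane *plane_alloc(int width, int height, int linesize)
{
    if (width <= 0 || height <= 0 || linesize < width)
        return NULL;
    Plane *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    p->width = width;
    p->height = height;
    p->linesize = linesize;
    p->plane_bytes = (size_t)height * (size_t)linesize;
    p->arena = malloc(p->plane_bytes + GUARD_LEN);
    if (!p->arena) {
        free(p);
        return NULL;
    }
    memset(p->arena, 0, p->plane_bytes);
    memset(p->arena + p->plane_bytes, GUARD_BYTE, GUARD_LEN);
    return p;
}

void plane_free(Plane *p)
{
    if (p) {
        free(p->arena);
        free(p);
    }
}

/* 1 if nothing was written past the end of the plane, 0 otherwise. */
int plane_guard_intact(const Plane *p)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (p->arena[p->plane_bytes + i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Pure check: does block (bx, by) lie entirely inside width x height?
 * 64-bit arithmetic so a huge bx/by from a fuzzed file cannot wrap. */
int block_fits(int width, int height, int bx, int by)
{
    if (bx < 0 || by < 0)
        return 0;
    return (int64_t)bx * BLOCK_SIZE + BLOCK_SIZE <= width &&
           (int64_t)by * BLOCK_SIZE + BLOCK_SIZE <= height;
}

/* Vulnerable form: trusts the coordinates and writes unconditionally. */
void put_block_unchecked(Plane *p, int bx, int by, const uint8_t *block)
{
    uint8_t *dst = p->arena + (size_t)by * BLOCK_SIZE * p->linesize
                            + (size_t)bx * BLOCK_SIZE;
    for (int r = 0; r < BLOCK_SIZE; r++)
        memcpy(dst + (size_t)r * p->linesize, block + r * BLOCK_SIZE, BLOCK_SIZE);
}

/* Hardened form: refuse the block instead of corrupting the heap. */
int put_block_checked(Plane *p, int bx, int by, const uint8_t *block)
{
    if (!block_fits(p->width, p->height, bx, by))
        return -1;              /* caller should abort the scan */
    put_block_unchecked(p, bx, by, block);
    return 0;
}

/* Runs the scenario; returns 0 if both writers behaved as described. */
int run_demo(void)
{
    uint8_t block[BLOCK_SIZE * BLOCK_SIZE];
    memset(block, 0x7f, sizeof block);
    Plane *p = plane_alloc(64, 16, 64);     /* 8x2 blocks, 1024 bytes */
    if (!p)
        return 1;
    int rc = 0;
    /* last valid block, then one block past the right edge and the bottom */
    if (put_block_checked(p, 7, 1, block) != 0)  rc |= 2;
    if (put_block_checked(p, 8, 1, block) != -1) rc |= 4;
    if (put_block_checked(p, 0, 2, block) != -1) rc |= 8;
    if (!plane_guard_intact(p))                  rc |= 16;
    /* same bad coordinate, unchecked: block row 7 lands on bytes 1024..1031 */
    put_block_unchecked(p, 8, 1, block);
    if (plane_guard_intact(p))                   rc |= 32;
    plane_free(p);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The guard region is deliberately part of the same allocation, because a real overflow into the next heap chunk is undefined behaviour and would only be reported at the next `free()`, as in the gdb trace above. Against a real decoder the same check is what AddressSanitizer (`-fsanitize=address`) or valgrind reports at the write itself rather than at teardown; the point of `block_fits` is that the decoder rejects the block, and the scan, before the write happens.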
Attachments (1)

ab2.jpg (305.8 KB) - added by ami_stuff 5 years ago.


Change History (4)

Changed 5 years ago by ami_stuff

comment:1 Changed 5 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords mjpeg crash regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:2 Changed 5 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed

comment:3 Changed 5 years ago by cehoyos

Regression since a9f79728
