Opened 5 years ago

Closed 5 years ago

#4162 closed defect (fixed)

matroska: deadlock with fuzzed file

Reported by: tholin
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: mkv deadlock regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

I found a deadlock with a fuzzed file.

$ gdb -args /home/cocobo/repository/mpv-build_fuzz/ffmpeg_build/ffmpeg -loglevel 99 -i hang.mkv 
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_fuzz/ffmpeg_build/ffmpeg...done.
(gdb) 
Starting program: /home/cocobo/repository/mpv-build_fuzz/ffmpeg_build/ffmpeg -loglevel 99 -i hang.mkv
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-68186-g8524558 Copyright (c) 2000-2014 the FFmpeg developers
  built on Dec  5 2014 17:33:44 with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
  configuration: --prefix=/home/cocobo/repository/mpv-build_fuzz/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
  libavutil      54. 15.100 / 54. 15.100
  libavcodec     56. 13.100 / 56. 13.100
  libavformat    56. 15.102 / 56. 15.102
  libavdevice    56.  3.100 / 56.  3.100
  libavfilter     5.  2.103 /  5.  2.103
  libavresample   2.  1.  0 /  2.  1.  0
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100
Splitting the commandline.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'hang.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option loglevel (set logging level) with argument 99.
Successfully parsed a group of options.
Parsing a group of options: input file hang.mkv.
Successfully parsed a group of options.
Opening an input file: hang.mkv.
[matroska,webm @ 0x260eb60] Format matroska,webm probed with size=2048 and score=100
[matroska,webm @ 0x260eb60] Unknown entry 0x4D9B
Truncating packet of size 13500 to 1634
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x82
Truncating packet of size 216507 to 1617
[matroska,webm @ 0x260eb60] Unknown entry 0x82
Truncating packet of size 10309051 to 1602
[matroska,webm @ 0x260eb60] Unknown entry 0x86
Truncating packet of size 105507919 to 1572
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
<repeats>

Program received signal SIGINT, Interrupt.
0x00007ffff56df550 in __write_nocancel () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff56df550 in __write_nocancel () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff567a563 in _IO_file_write () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff5679c23 in new_do_write () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007ffff567ab76 in _IO_file_xsputn () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007ffff566fc84 in fputs () from /lib64/libc.so.6
No symbol table info available.
#5  0x00000000011ddc47 in colored_fputs (level=4, tint=0, str=0x7fffffffc544 "Unknown entry 0x6FAC\n")
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:179
        local_use_color = 0
#6  0x00000000011de494 in av_log_default_callback (ptr=0x1e4db60, level=32, fmt=0x1272cf3 "Unknown entry 0x%X\n", 
    vl=0x7fffffffcdb8) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:333
        print_prefix = 1
        count = 0
        prev = "[matroska,webm @ 0x1e4db60] Unknown entry 0x6FAC\n\000robed with size=2048 and score=100\n\000tatic --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --"...
        part = {{str = 0x7fffffffb944 "", len = 0, size = 1004, size_max = 1004, reserved_internal_buffer = "", 
            reserved_padding = "\000\000\000`\306\377\377\377\177\000\000\000\000\000\000\000\000\000\000t\272\377\377\377\177\000\000t\276\377\377\377\177\000\000t\302\377\377\377\177\000\000\300\317\377\377\377\177\000\000\000\317\377\377\377\177\000\000\360\271\377\377\377\177\000\000\217\337\035\001\000\000\000\000xC}\001\000\000\000\000`\272\377\377\377\177\000\000\350\316\377\377\377\177\000\000\340\251)\001\000\000\000\000\200\272\377\377\020", '\000' <repeats 19 times>, "\223\333\035\001", '\000' <repeats 12 times>, "`\306\377\377\377\177\000\000\000\000\000\000-\000\000\000\240\306\377\377\001\000\000\000p\316\377\377\377\177\000\000\270\344\035\001\000\000\000\000t\306\377\377\377\177\000\000#\234g\365\377"...}, {str = 0x7fffffffbd44 "[matroska,webm @ 0x1e4db60] ", len = 28, size = 1004, 
            size_max = 1004, reserved_internal_buffer = "[", 
            reserved_padding = "matroska,webm @ 0x1e4db60] ", '\000' <repeats 16 times>, "\200\276\377\377\377\177\000\000oYe\365\377\177\000\000\000\000\000\000\000\000\000\000(\000\000\000\060\000\000\000`\276\377\377\377\177\000\000\240\275\377\377\377\177\000\000\000\000\000\000\000\000\000\000\272Ze\365\377\177\000\000\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000\004\313\377\377\377\177\000\000\\M\336\367\377\177\000\000\367\273 \001\000\000\000\000\021\000\000\000\000\000\000\000Џ`\365\377\177\000\000\027\000\000\000\000\000\000\000\004\276\377\377\377\177\000\000\034\000\000\000\354\003\000\000\354\003\000\000[matroska,"...}, {str = 0x7fffffffc144 "", len = 0, 
            size = 1004, size_max = 1004, reserved_internal_buffer = "", 
            reserved_padding = "\177\000\000\200\206 \001\000\000\000\000\000\000\000\000\060", '\000' <repeats 11 times>, "\340\325\377\377\377\177\000\000\223\333\035\001", '\000' <repeats 13 times>, "\316\377\377\377\177\000\000\000\000\000\000)\000\000\000<\316\377\377\001\000\000\000\020\326\377\377\377\177\000\000\270\344\035\001\000\000\000\000\024\316\377\377\377\177\000\000\006\000\000\000\000\000\000\000\210\326\377\377\377\177\000\000\200\206 \001\000\000\000\000\020\000\000\000\060", '\000' <repeats 11 times>, "\344\301\377\377\000\000\000\000\006\000\000\000\000\000\000\000\006\000\000\000\006\000\000\000\000\000\000\000\006\000\000\000\004\302\377\377\377\177\000\000\000\000\000\000\354\003\000\000\354\003\000\000\000\177\000\000\000\000\000\000\354"...}, {
            str = 0x7fffffffc544 "Unknown entry 0x6FAC\n", len = 21, size = 1004, size_max = 65536, 
            reserved_internal_buffer = "U", 
            reserved_padding = "nknown entry 0x6FAC\n", '\000' <repeats 119 times>, "\344\305\377\377\377\177\000\000\000\000\000\000\354\003\000\000\354\003", '\000' <repeats 14 times>, "\004\306\377\377\377\177\000\000\023\000\000\000\024\000\000\000\000\000\001\000Unknown e"...}}
        line = "[matroska,webm @ 0x1e4db60] Unknown entry 0x6FAC\n", '\000' <repeats 39 times>, "\030<\377\364\377\177\000\000P\311\377\377\377\177\000\000\030<\377\364\377\177\000\000X\020\373\367\377\177\000\000\060\217\230\366\377\177\000\000 \341\377\367\377\177\000\000\000\000\003\000\003\000\000\000\030| \000\000\000\000\000\214\062\377\364\377\177\000\000\344\311\377\377\377\177\000\000\000\000\000\000\354\003\000\000\354\003\000\000\000\000\000\000N\337^\000\000\000\000\000[matrosk"...
        is_atty = 1
        type = {16, 20}
        tint = 0
#7  0x00000000011de629 in av_vlog (avcl=0x1e4db60, level=32, fmt=0x1272cf3 "Unknown entry 0x%X\n", vl=0x7fffffffcdb8)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:360
        log_callback = 0x11de130 <av_log_default_callback>
#8  0x00000000011de5e9 in av_log (avcl=0x1e4db60, level=32, fmt=0x1272cf3 "Unknown entry 0x%X\n")
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:352
        avc = 0x1285280 <av_format_context_class>
        vl = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffffffce90, reg_save_area = 0x7fffffffcdd0}}
#9  0x00000000005e4a1a in ebml_parse_id (matroska=0x1e4e1a0, syntax=0x1272580 <matroska_seekhead_entry>, id=28588, 
    data=0x7ffff215a410) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:930
        i = 2
#10 0x00000000005e4b00 in ebml_parse (matroska=0x1e4e1a0, syntax=0x1272580 <matroska_seekhead_entry>, 
    data=0x7ffff215a410) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:947
No locals.
---Type <return> to continue, or q <return> to quit---
#11 0x00000000005e4cf2 in ebml_parse_nest (matroska=0x1e4e1a0, syntax=0x1272580 <matroska_seekhead_entry>, 
    data=0x7ffff215a410) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:976
        i = 2
        res = 0
#12 0x00000000005e4fff in ebml_parse_elem (matroska=0x1e4e1a0, syntax=0x12725e0 <matroska_seekhead>, 
    data=0x7ffff215a410) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:1046
        max_lengths = {0, 8, 8, 16777216, 16777216, 268435456, 0, 0, 0, 0}
        pb = 0x1e4d360
        id = 19899
        length = 12
        res = 0
        newelem = 0x7fffee1ad010
#13 0x00000000005e4a66 in ebml_parse_id (matroska=0x1e4e1a0, syntax=0x12725e0 <matroska_seekhead>, id=19899, 
    data=0x1e4e1a0) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:934
        i = 0
#14 0x00000000005e4b00 in ebml_parse (matroska=0x1e4e1a0, syntax=0x12725e0 <matroska_seekhead>, data=0x1e4e1a0)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:947
No locals.
#15 0x00000000005e4cf2 in ebml_parse_nest (matroska=0x1e4e1a0, syntax=0x12725e0 <matroska_seekhead>, data=0x1e4e1a0)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:976
        i = 1
        res = 0
#16 0x00000000005e4fff in ebml_parse_elem (matroska=0x1e4e1a0, syntax=0x12726b0 <matroska_segment+144>, 
    data=0x1e4e1a0) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:1046
        max_lengths = {0, 8, 8, 16777216, 16777216, 268435456, 0, 0, 0, 0}
        pb = 0x1e4d360
        id = 290298740
        length = 60
        res = 0
        newelem = 0x1e4d360
#17 0x00000000005e4a66 in ebml_parse_id (matroska=0x1e4e1a0, syntax=0x1272620 <matroska_segment>, id=290298740, 
    data=0x1e4e1a0) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:934
        i = 6
#18 0x00000000005e4b00 in ebml_parse (matroska=0x1e4e1a0, syntax=0x1272620 <matroska_segment>, data=0x1e4e1a0)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:947
No locals.
#19 0x00000000005e6470 in matroska_parse_seekhead_entry (matroska=0x1e4e1a0, idx=4173117)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:1394
        seekhead_list = 0x1e4e340
        level_up = 0
        saved_id = 524531317
        seekhead = 0x7fffee1ad010
        before_pos = 1449
        level = {start = 0, length = 18446744073709551615}
        offset = 51
        ret = 0
#20 0x00000000005e65e6 in matroska_execute_seekhead (matroska=0x1e4e1a0)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:1434
        seekhead = 0x7fffee1ad010
        seekhead_list = 0x1e4e340
        before_pos = 1449
        i = 4173117
#21 0x00000000005e8d3c in matroska_read_header (s=0x1e4db60)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/matroskadec.c:2055
        matroska = 0x1e4e1a0
        attachments_list = 0x1e4e300
        chapters_list = 0x1e4e310
        attachments = 0x0
        chapters = 0x1e4d360
        max_start = 0
        pos = 1449
        ebml = {version = 1, max_size = 8, id_length = 4, doctype = 0x0, doctype_version = 2}
        i = 0
        j = -11496
        res = 1
#22 0x00000000006c473e in avformat_open_input (ps=0x7fffffffd3a0, filename=0x7fffffffde76 "hang.mkv", fmt=0x0, 
    options=0x1e45498) at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavformat/utils.c:463
        s = 0x1e4db60
---Type <return> to continue, or q <return> to quit---
        ret = 100
        tmp = 0x1e4cd40
        id3v2_extra_meta = 0x0
#23 0x0000000000410fab in open_input_file (o=0x7fffffffd480, filename=0x7fffffffde76 "hang.mkv")
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg_opt.c:873
        f = 0x0
        ic = 0x1e4db60
        file_iformat = 0x0
        err = 0
        i = 48
        ret = 0
        timestamp = 17179869184
        opts = 0x120bc97
        unused_opts = 0x0
        e = 0x0
        orig_nb_streams = 0
        video_codec_name = 0x0
        audio_codec_name = 0x0
        subtitle_codec_name = 0x0
        scan_all_pmts_set = 1
#24 0x00000000004190fb in open_files (l=0x1e3d0d8, inout=0x120bc97 "input", open_file=0x4108b3 <open_input_file>)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg_opt.c:2699
        g = 0x1e45470
        o = {g = 0x1e45470, start_time = -9223372036854775808, format = 0x0, codec_names = 0x0, nb_codec_names = 0, 
          audio_channels = 0x0, nb_audio_channels = 0, audio_sample_rate = 0x0, nb_audio_sample_rate = 0, 
          frame_rates = 0x0, nb_frame_rates = 0, frame_sizes = 0x0, nb_frame_sizes = 0, frame_pix_fmts = 0x0, 
          nb_frame_pix_fmts = 0, input_ts_offset = 0, rate_emu = 0, accurate_seek = 1, ts_scale = 0x0, 
          nb_ts_scale = 0, dump_attachment = 0x0, nb_dump_attachment = 0, hwaccels = 0x0, nb_hwaccels = 0, 
          hwaccel_devices = 0x0, nb_hwaccel_devices = 0, stream_maps = 0x0, nb_stream_maps = 0, 
          audio_channel_maps = 0x0, nb_audio_channel_maps = 0, metadata_global_manual = 0, 
          metadata_streams_manual = 0, metadata_chapters_manual = 0, attachments = 0x0, nb_attachments = 0, 
          chapters_input_file = 2147483647, recording_time = 9223372036854775807, stop_time = 9223372036854775807, 
          limit_filesize = 18446744073709551615, mux_preload = 0, mux_max_delay = 0.699999988, shortest = 0, 
          video_disable = 0, audio_disable = 0, subtitle_disable = 0, data_disable = 0, streamid_map = 0x0, 
          nb_streamid_map = 0, metadata = 0x0, nb_metadata = 0, max_frames = 0x0, nb_max_frames = 0, 
          bitstream_filters = 0x0, nb_bitstream_filters = 0, codec_tags = 0x0, nb_codec_tags = 0, sample_fmts = 0x0, 
          nb_sample_fmts = 0, qscale = 0x0, nb_qscale = 0, forced_key_frames = 0x0, nb_forced_key_frames = 0, 
          force_fps = 0x0, nb_force_fps = 0, frame_aspect_ratios = 0x0, nb_frame_aspect_ratios = 0, 
          rc_overrides = 0x0, nb_rc_overrides = 0, intra_matrices = 0x0, nb_intra_matrices = 0, 
          inter_matrices = 0x0, nb_inter_matrices = 0, chroma_intra_matrices = 0x0, nb_chroma_intra_matrices = 0, 
          top_field_first = 0x0, nb_top_field_first = 0, metadata_map = 0x0, nb_metadata_map = 0, presets = 0x0, 
          nb_presets = 0, copy_initial_nonkeyframes = 0x0, nb_copy_initial_nonkeyframes = 0, copy_prior_start = 0x0, 
          nb_copy_prior_start = 0, filters = 0x0, nb_filters = 0, filter_scripts = 0x0, nb_filter_scripts = 0, 
          reinit_filters = 0x0, nb_reinit_filters = 0, fix_sub_duration = 0x0, nb_fix_sub_duration = 0, 
          canvas_sizes = 0x0, nb_canvas_sizes = 0, pass = 0x0, nb_pass = 0, passlogfiles = 0x0, nb_passlogfiles = 0, 
          guess_layout_max = 0x0, nb_guess_layout_max = 0, apad = 0x0, nb_apad = 0, discard = 0x0, nb_discard = 0}
        i = 0
        ret = 0
#25 0x0000000000419288 in ffmpeg_parse_options (argc=5, argv=0x7fffffffda18)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg_opt.c:2736
        octx = {global_opts = {group_def = 0x1209e10 <global_group>, arg = 0x12084fb "", opts = 0x1e3d090, 
            nb_opts = 1, codec_opts = 0x0, format_opts = 0x0, resample_opts = 0x0, sws_opts = 0x0, swr_opts = 0x0}, 
          groups = 0x1e3d0c0, nb_groups = 2, cur_group = {group_def = 0x0, arg = 0x0, opts = 0x0, nb_opts = 0, 
            codec_opts = 0x0, format_opts = 0x0, resample_opts = 0x0, sws_opts = 0x0, swr_opts = 0x0}}
        error = "\000\000\000\000\000\000\000\000\002\213 \001", '\000' <repeats 28 times>, "\"\020m\000\000\000\000\000\000\331\377\377\377\177\000\000c\330A\000\000\000\000\000\002\213 \001\000\000\000\000\320\063L\001\001\000\000\000\000P\000\000\005\000\000\000\277\000\000\000\061\n\000\000\000\003\034\177\025\004\000\001\000\021\023\032\000\022\017\027\026", '\000' <repeats 14 times>
        ret = 0
#26 0x000000000042c797 in main (argc=5, argv=0x7fffffffda18)
    at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg.c:3919
        ret = 32767
        ti = 0

The endless loop is the loop in matroska_execute_seekhead, and it's endless because the seekhead_list->nb_elem value keeps increasing at the same rate as the loop variable.
I gave up trying to figure out why because the matroska format is a bit too complex for me...
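To illustrate the mechanism tholin describes, here is an added C model (not FFmpeg code and not the fix committed in 6551acab): a shared seek list that grows while the executing loop walks it, beside a guarded walk that parses each position at most once. The element layout, the `visited` array and the iteration cap are assumptions of this model.

```c
#include <stdbool.h>

/* Constructed stand-in for a Matroska segment: element index = position.
 * A SeekHead lists other elements by position; anything else is a leaf. */
#define MAX_ELEMS 8
#define MAX_LIST  64
typedef struct {
    int is_seekhead;   /* 1 = SeekHead element, 0 = other element */
    int n_targets;     /* number of entries in this SeekHead */
    int targets[4];    /* positions the entries point at */
} Elem;
typedef struct {
    int pos[MAX_LIST]; /* positions collected from SeekHead entries */
    int nb_elem;       /* grows while a SeekHead is being parsed */
} SeekList;

/* Parsing a SeekHead appends its entries to the shared list: this is what
 * lets a SeekHead that refers to itself keep the list growing. */
static int parse_seekhead(const Elem *file, int pos, SeekList *list)
{
    const Elem *e = &file[pos];
    if (!e->is_seekhead) return 0;
    for (int k = 0; k < e->n_targets; k++) {
        if (list->nb_elem >= MAX_LIST)
            return -1; /* list exhausted: reject the file */
        list->pos[list->nb_elem++] = e->targets[k];
    }
    return 1;
}

/* Walks the list the way the ticket describes; with guard == true every
 * position is parsed at most once, so the loop is bounded by MAX_ELEMS.
 * Returns the number of SeekHeads parsed, or -1 if the walk was cut off. */
static int execute_seekhead(const Elem *file, int root, bool guard, int max_iter)
{
    SeekList list = { .nb_elem = 0 };
    bool visited[MAX_ELEMS] = { false }; /* assumed guard, not FFmpeg's */
    int parsed = 0, iterations = 0;
    parse_seekhead(file, root, &list);
    visited[root] = true;
    for (int i = 0; i < list.nb_elem; i++) {
        int p = list.pos[i];
        if (++iterations > max_iter)
            return -1; /* the hang: i never catches up with nb_elem */
        if (p < 0 || p >= MAX_ELEMS) continue;
        if (guard && visited[p])
            continue;  /* already parsed, do not re-enter it */
        visited[p] = true;
        if (parse_seekhead(file, p, &list) < 0)
            return -1;
        parsed += file[p].is_seekhead;
    }
    return parsed;
}

/* Constructed layouts: SeekHead 0 -> SeekHead 1 -> {0, 1} is recursive;
 * SeekHead 0 -> {1, 2} with SeekHead 1 -> {2} is a well-formed file. */
static const Elem recursive_file[MAX_ELEMS] = {
    [0] = { 1, 1, { 1 } }, [1] = { 1, 2, { 0, 1 } }, [2] = { 0, 0, { 0 } },
};
static const Elem benign_file[MAX_ELEMS] = {
    [0] = { 1, 2, { 1, 2 } }, [1] = { 1, 1, { 2 } }, [2] = { 0, 0, { 0 } },
};
```

The unguarded walk over `recursive_file` never terminates on its own; only the list bound or the iteration cap stops it, whereas the guarded walk returns after parsing SeekHead 1 once.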

Attachments (1)

hang.mkv (1.6 KB) - added by tholin 5 years ago.


Change History (4)

Changed 5 years ago by tholin

comment:1 Changed 5 years ago by cehoyos

  • Keywords mkv deadlock regression added
  • Reproduced by developer set
  • Status changed from new to open

Regression since d493170e

comment:2 Changed 5 years ago by gjdfgh

> Regression since d493170e

Not really. This just made parsing more robust. You could probably construct a file that would cause the same issue before this commit.

Anyway, patch on ML: [PATCH] avformat/matroskadec: fix handling of recursive SeekHead elements

comment:3 Changed 5 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from open to closed

Fixed by wm4 in 6551acab
