Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#4294 closed defect (fixed)

tta: crash with fuzzed file

Reported by: tholin
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

The attached file segfaults.
I had to manually edit the file to make the seek table crc match. It would be nice if the tta code could honor the avctx->err_recognition & AV_EF_CRCCHECK flag. It's easier to fuzz that way.

$ gdb --args ./ffmpeg -i ~/fuzz/ffmpeg_tta_crash.tta 
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i /home/cocobo/fuzz/ffmpeg_tta_crash.tta
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-69499-gfc35df8 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
  configuration: --prefix=/home/cocobo/repository/mpv-build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
  libavutil      54. 18.100 / 54. 18.100
  libavcodec     56. 21.102 / 56. 21.102
  libavformat    56. 19.100 / 56. 19.100
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5.  9.103 /  5.  9.103
  libavresample   2.  1.  0 /  2.  1.  0
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  3.100 / 53.  3.100

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c17d8 in tta_read_packet (s=0x1e83360, pkt=0x7fffffffce80)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/tta.c:156
156         size = st->index_entries[c->currentframe].size;
(gdb) bt
#0  0x00000000006c17d8 in tta_read_packet (s=0x1e83360, pkt=0x7fffffffce80)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/tta.c:156
#1  0x00000000006c76d1 in ff_read_packet (s=0x1e83360, pkt=0x7fffffffce80)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:665
#2  0x00000000006ca0b3 in read_frame_internal (s=0x1e83360, pkt=0x7fffffffd120)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:1317
#3  0x00000000006d0573 in avformat_find_stream_info (ic=0x1e83360, options=0x1e829e0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavformat/utils.c:3171
#4  0x0000000000411202 in open_input_file (o=0x7fffffffd440, 
    filename=0x7fffffffde2b "/home/cocobo/fuzz/ffmpeg_tta_crash.tta")
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:908
#5  0x000000000041931a in open_files (l=0x1e6f0d8, inout=0x1238af7 "input", 
    open_file=0x410953 <open_input_file>)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:2718
#6  0x00000000004194a7 in ffmpeg_parse_options (argc=3, argv=0x7fffffffd9e8)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg_opt.c:2755
#7  0x000000000042ce83 in main (argc=3, argv=0x7fffffffd9e8)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3996
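The faulting line in the trace indexes the demuxer's seek table with `c->currentframe` without checking it against the number of entries actually built, so a fuzzed header that declares more frames than the table holds (or a table that was never filled) drives the read out of bounds. The program below is an added example written for this ticket; it is not FFmpeg's tta demuxer code and not the fix that was committed. It models a simplified seek table (little-endian 32-bit frame sizes followed by a 32-bit CRC over them, a layout assumed for the example), validates the header's frame count against the bytes available and the table capacity, verifies the CRC only when an `err_recognition`-style flag asks for it (the behaviour the report requests, so fuzzed files pass without hand-patching the CRC), and performs the bounds-checked lookup that the crashing line lacks. All identifiers (`ex_*`, `EX_EF_CRCCHECK`, `demux_state`) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example-local error codes and flag, loosely modelled on FFmpeg's
 * AVERROR_INVALIDDATA / AVERROR_EOF and AV_EF_CRCCHECK. The names are this
 * example's own, not libavformat's. */
#define EX_OK             0
#define EX_EINVALIDDATA (-1)
#define EX_EEOF         (-2)
#define EX_EF_CRCCHECK  (1u << 0)

typedef struct { uint32_t size; } seek_entry;   /* frame size in bytes */

typedef struct {
    seek_entry entries[8];   /* fixed capacity here; a real demuxer allocates */
    size_t nb_entries;       /* entries actually populated from the file */
    size_t currentframe;
    unsigned err_recognition;
} demux_state;

/* Plain bitwise CRC-32 (IEEE, reflected polynomial 0xEDB88320). */
uint32_t ex_crc32(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t rl32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse nb_frames sizes plus a trailing CRC out of buf. nb_frames comes from
 * the file header and is checked against both the buffer length and the table
 * capacity before anything is indexed. The CRC is enforced only when the
 * caller set EX_EF_CRCCHECK. */
int ex_parse_seek_table(demux_state *c, const uint8_t *buf, size_t len, uint32_t nb_frames) {
    if (nb_frames > sizeof c->entries / sizeof c->entries[0])
        return EX_EINVALIDDATA;              /* header claims more frames than we hold */
    size_t table_len = (size_t)nb_frames * 4;
    if (len < table_len + 4)
        return EX_EINVALIDDATA;              /* truncated: would read past the buffer */
    uint32_t stored = rl32(buf + table_len);
    if ((c->err_recognition & EX_EF_CRCCHECK) && ex_crc32(buf, table_len) != stored)
        return EX_EINVALIDDATA;              /* CRC mismatch, and the caller cares */
    for (uint32_t i = 0; i < nb_frames; i++)
        c->entries[i].size = rl32(buf + 4 * i);
    c->nb_entries  = nb_frames;
    c->currentframe = 0;
    return EX_OK;
}

/* Bounds-checked counterpart of the crashing line in the ticket:
 *   size = st->index_entries[c->currentframe].size;
 * A frame index at or past nb_entries reports EOF instead of reading memory
 * the table does not own. */
int ex_read_packet(demux_state *c, uint32_t *out_size) {
    if (c->currentframe >= c->nb_entries)
        return EX_EEOF;
    *out_size = c->entries[c->currentframe].size;
    c->currentframe++;
    return EX_OK;
}

/* Constructed sample: 3 frames (100, 200, 300 bytes) plus CRC, 16 bytes total.
 * corrupt_crc flips the stored CRC to model a fuzzed table. */
static size_t ex_build_table(uint8_t buf[16], int corrupt_crc) {
    const uint32_t sizes[3] = { 100, 200, 300 };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            buf[4 * i + b] = (uint8_t)(sizes[i] >> (8 * b));
    uint32_t crc = ex_crc32(buf, 12) ^ (corrupt_crc ? 0xA5A5A5A5u : 0u);
    for (int b = 0; b < 4; b++)
        buf[12 + b] = (uint8_t)(crc >> (8 * b));
    return 16;
}

/* Parse the sample with the given flags; len (<= 16) truncates the buffer and
 * nb_frames is the header-declared count. Returns the parser's result code. */
int ex_parse_scenario(unsigned flags, int corrupt_crc, size_t len, uint32_t nb_frames) {
    uint8_t buf[16];
    ex_build_table(buf, corrupt_crc);
    if (len > 16) len = 16;
    demux_state c = {0};
    c.err_recognition = flags;
    return ex_parse_seek_table(&c, buf, len, nb_frames);
}

/* Parse the good sample, jump to start_frame (models a seek, possibly past the
 * end) and read until EOF. Returns reads * 1000 + sum of frame sizes, or -1. */
int ex_read_scenario(size_t start_frame) {
    uint8_t buf[16];
    size_t len = ex_build_table(buf, 0);
    demux_state c = {0};
    c.err_recognition = EX_EF_CRCCHECK;
    if (ex_parse_seek_table(&c, buf, len, 3) != EX_OK) return -1;
    c.currentframe = start_frame;
    int reads = 0, sum = 0;
    uint32_t size;
    while (ex_read_packet(&c, &size) == EX_OK) { reads++; sum += (int)size; }
    return reads * 1000 + sum;
}

int main(void) {
    printf("crc gated: corrupt table, no flag -> %d\n", ex_parse_scenario(0, 1, 16, 3));
    printf("crc enforced: corrupt table, flag  -> %d\n", ex_parse_scenario(EX_EF_CRCCHECK, 1, 16, 3));
    printf("seek past end -> %d (0 reads, no crash)\n", ex_read_scenario(7));
    return 0;
}
```

With the flag clear, a fuzzed table with a wrong CRC is accepted and the bounds checks alone keep the packet reader in range; with the flag set, the same table is rejected as invalid data before any entry is used.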

Attachments (1)

ffmpeg_tta_crash.tta (26.6 KB) - added by tholin 3 years ago.


Change History (4)

Changed 3 years ago by tholin

comment:1 Changed 3 years ago by gjdfgh

Patch sent.

comment:2 Changed 3 years ago by richardpl

  • Resolution set to fixed
  • Status changed from new to closed

comment:3 in reply to: description Changed 3 years ago by jamrial

Replying to tholin:

It would be nice if the tta code could honor the avctx->err_recognition & AV_EF_CRCCHECK flag. It's easier to fuzz that way.

Commit 15a88468aecd84ac233e0b21266a22d28307147f addresses this.
