Opened 9 years ago
Closed 9 years ago
#4510 closed defect (duplicate)
hq_hqa: crash with fuzzed file 3
Reported by: | ami_stuff | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avcodec |
Version: | git-master | Keywords: | hqa crash SIGSEGV regression |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
http://www.datafilehost.com/d/af64df1c
```
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg/ffmpeg_g -i fuzz9.avi -f null -
==12470== Memcheck, a memory error detector
==12470== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==12470== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==12470== Command: ffmpeg/ffmpeg_g -i fuzz9.avi -f null -
==12470==
ffmpeg version 2.6.git Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (Debian 4.7.2-4)
  configuration: --disable-ffserver --disable-ffprobe --disable-ffplay --enable-gpl
  libavutil 54. 23.101 / 54. 23.101
  libavcodec 56. 35.101 / 56. 35.101
  libavformat 56. 31.100 / 56. 31.100
  libavdevice 56. 4.100 / 56. 4.100
  libavfilter 5. 14.100 / 5. 14.100
  libswscale 3. 1.101 / 3. 1.101
  libswresample 1. 1.100 / 1. 1.100
  libpostproc 53. 3.100 / 53. 3.100
[avi @ 0x4c2d0e0] Something went wrong during header parsing, I will ignore it and try to continue anyway.
[hq_hqa @ 0x4c3f040] Invalid slice size 25116.
Input #0, avi, from 'fuzz9.avi':
  Duration: 00:00:24.80, start: 0.000000, bitrate: 1146 kb/s
    Stream #0:0: Video: hq_hqa (CUVC / 0x43565543), yuv422p, 720x480 [SAR 9:10 DAR 27:20], 5 fps, 5 tbr, 5 tbn, 5 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.31.100
    Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 720x480 [SAR 9:10 DAR 27:20], q=2-31, 200 kb/s, 5 fps, 5 tbn, 5 tbc
    Metadata:
      encoder : Lavc56.35.101 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (hq_hqa (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[hq_hqa @ 0x4d01c20] Invalid slice size 25116.
[null @ 0x4d02940] Encoder did not produce proper pts, making some up.
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 24696.
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 28844.
[hq_hqa @ 0x4d01c20] HQ Profile 33 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[hq_hqa @ 0x4d01c20] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
[hq_hqa @ 0x4d01c20] Invalid slice size 29958.
Input stream #0:0 frame changed from size:720x480 fmt:yuv422p to size:160x120 fmt:yuv422p
[hq_hqa @ 0x4d01c20] Invalid INFO size (268435480).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 1077982.
Input stream #0:0 frame changed from size:160x120 fmt:yuv422p to size:720x480 fmt:yuv422p
[hq_hqa @ 0x4d01c20] Invalid INFO size (524304).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid INFO size (536870936).
bitrate=N/A Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid INFO size (671089688).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 28612.
[hq_hqa @ 0x4d01c20] Error decoding macroblock 0 at slice 5.
[hq_hqa @ 0x4d01c20] Error decoding frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 29198.
[hq_hqa @ 0x4d01c20] Invalid slice size 29732.
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 26448.
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 26390.
[hq_hqa @ 0x4d01c20] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x4d01c20] Invalid slice size 30368.
[hq_hqa @ 0x4d01c20] Invalid slice size 30150.
==12470== Invalid write of size 4
==12470==    at 0x85A3FD7: hq_hqa_decode_frame (hq_hqa.c:344)
==12470==    by 0xD0C9B6: ???
==12470==  Address 0x49c3f is not stack'd, malloc'd or (recently) free'd
==12470==
==12470==
==12470== Process terminating with default action of signal 11 (SIGSEGV)
==12470==  Access not within mapped region at address 0x49C3F
==12470==    at 0x85A3FD7: hq_hqa_decode_frame (hq_hqa.c:344)
==12470==    by 0xD0C9B6: ???
==12470==  If you believe this happened as a result of a stack
==12470==  overflow in your program's main thread (unlikely but
==12470==  possible), you can try to increase the size of the
==12470==  main thread stack using the --main-stacksize= flag.
==12470==  The main thread stack size used in this run was 8388608.
==12470==
==12470== HEAP SUMMARY:
==12470==     in use at exit: 1,571,873 bytes in 160 blocks
==12470==   total heap usage: 4,138 allocs, 3,978 frees, 8,001,376 bytes allocated
==12470==
==12470== LEAK SUMMARY:
==12470==    definitely lost: 0 bytes in 0 blocks
==12470==    indirectly lost: 0 bytes in 0 blocks
==12470==      possibly lost: 0 bytes in 0 blocks
==12470==    still reachable: 1,571,873 bytes in 160 blocks
==12470==         suppressed: 0 bytes in 0 blocks
==12470== Reachable blocks (those to which a pointer was found) are not shown.
==12470== To see them, rerun with: --leak-check=full --show-reachable=yes
==12470==
==12470== For counts of detected and suppressed errors, rerun with: -v
==12470== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 95 from 6)
Segmentation fault
```
```
(gdb) r -i fuzz9.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i fuzz9.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.6.git Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (Debian 4.7.2-4)
  configuration: --disable-ffserver --disable-ffprobe --disable-ffplay --enable-gpl
  libavutil 54. 23.101 / 54. 23.101
  libavcodec 56. 35.101 / 56. 35.101
  libavformat 56. 31.100 / 56. 31.100
  libavdevice 56. 4.100 / 56. 4.100
  libavfilter 5. 14.100 / 5. 14.100
  libswscale 3. 1.101 / 3. 1.101
  libswresample 1. 1.100 / 1. 1.100
  libpostproc 53. 3.100 / 53. 3.100
[avi @ 0x9557a40] Something went wrong during header parsing, I will ignore it and try to continue anyway.
[hq_hqa @ 0x9558260] Invalid slice size 25116.
Input #0, avi, from 'fuzz9.avi':
  Duration: 00:00:24.80, start: 0.000000, bitrate: 1146 kb/s
    Stream #0:0: Video: hq_hqa (CUVC / 0x43565543), yuv422p, 720x480 [SAR 9:10 DAR 27:20], 5 fps, 5 tbr, 5 tbn, 5 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.31.100
    Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 720x480 [SAR 9:10 DAR 27:20], q=2-31, 200 kb/s, 5 fps, 5 tbn, 5 tbc
    Metadata:
      encoder : Lavc56.35.101 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (hq_hqa (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[hq_hqa @ 0x9558c80] Invalid slice size 25116.
[null @ 0x9559bc0] Encoder did not produce proper pts, making some up.
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 24696.
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 28844.
[hq_hqa @ 0x9558c80] HQ Profile 33 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[hq_hqa @ 0x9558c80] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
[hq_hqa @ 0x9558c80] Invalid slice size 29958.
Input stream #0:0 frame changed from size:720x480 fmt:yuv422p to size:160x120 fmt:yuv422p
[hq_hqa @ 0x9558c80] Invalid INFO size (268435480).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 1077982.
Input stream #0:0 frame changed from size:160x120 fmt:yuv422p to size:720x480 fmt:yuv422p
[hq_hqa @ 0x9558c80] Invalid INFO size (524304).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid INFO size (536870936).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid INFO size (671089688).
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 28612.
[hq_hqa @ 0x9558c80] Error decoding macroblock 0 at slice 5.
[hq_hqa @ 0x9558c80] Error decoding frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 29198.
[hq_hqa @ 0x9558c80] Invalid slice size 29732.
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 26448.
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 26390.
[hq_hqa @ 0x9558c80] Not a HQ/HQA frame.
Error while decoding stream #0:0: Invalid data found when processing input
[hq_hqa @ 0x9558c80] Invalid slice size 30368.
[hq_hqa @ 0x9558c80] Invalid slice size 30150.

Program received signal SIGSEGV, Segmentation fault.
hq_hqa_decode_frame (avctx=0x610a8, data=0x49beb, got_frame=0xb7d267, avpkt=0x762875) at libavcodec/hq_hqa.c:344
warning: Source file is more recent than executable.
344         pic->key_frame = 1;
(gdb) bt
#0  hq_hqa_decode_frame (avctx=0x610a8, data=0x49beb, got_frame=0xb7d267, avpkt=0x762875) at libavcodec/hq_hqa.c:344
#1  0x00d0c9b7 in ?? ()
#2  0x000610a8 in ?? ()
#3  0x00049beb in ?? ()
#4  0x00b7d267 in ?? ()
#5  0x00762875 in ?? ()
#6  0x00a8dd46 in ?? ()
#7  0xbffff31c in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
```
Attachments (1)
Change History (3)
by , 9 years ago
Attachment: | fuzz9_cut.avi added |
---|---|
comment:1 by , 9 years ago
Component: | undetermined → avcodec |
---|---|
Keywords: | hqa crash SIGSEGV regression added |
Priority: | normal → important |
Reproduced by developer: | set |
Version: | unspecified → git-master |
comment:2 by , 9 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Duplicate of ticket #4509 - fixed in 653bf3c5a1505bbe2ae8c1c0899e79f4c84bc94a
Not reproducible on x86-64.