Opened 3 years ago

Closed 3 years ago

#5052 closed defect (fixed)

ffv1 fuzzing crash with API

Reported by: kierank Owned by:
Priority: important Component: avcodec
Version: 2.4.11 Keywords: ffv1 crash regression
Cc: michael Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

FFmpeg compiled with:

--disable-everything --enable-demuxer=matroska --enable-decoder=ffv1 --enable-muxer=rawvideo --enable-encoder=rawvideo --enable-protocol=file

Test application:
http://paste.ubuntu.com/13600344/

./fffuzz fuzz.mkv /dev/null

Sample:
http://obe.tv/Downloads/fuzz/fuzz.mkv

Crash:
http://paste.ubuntu.com/13600369/

Change History (18)

comment:1 Changed 3 years ago by michael

Which ffmpeg revision is that? The line numbers from the stack trace seem not to match ffmpeg master.

comment:2 Changed 3 years ago by michael

Cannot reproduce this (tried the attached app with the provided configure, with and without valgrind).

comment:3 Changed 3 years ago by michael

  • Cc michael added

comment:4 Changed 3 years ago by kierank

The fuzzer is using 93f3752b970cc7c9e1a360037fff1ddb9dcbb86e (FFmpeg 2.7.3)

comment:5 Changed 3 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords ffv1 crash regression added
  • Priority changed from normal to important
  • Version changed from unspecified to 2.8.3

Regression since a0c0900e, still reproducible with 2.0.7, 2.1.8, 2.2.16, 2.3.6 and 2.4.11.

Last edited 3 years ago by cehoyos

comment:6 Changed 3 years ago by kierank

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in release branches

comment:7 Changed 3 years ago by cehoyos

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:8 Changed 3 years ago by kierank

This is fixed, no?

comment:9 Changed 3 years ago by cehoyos

No.

comment:10 Changed 3 years ago by kierank

Michael's backports fixed it for me, which revision fails?

comment:11 Changed 3 years ago by cehoyos

What is unclear about comment:5?

comment:12 Changed 3 years ago by cehoyos

(Whose backports?)

comment:14 Changed 3 years ago by cehoyos

Ah, my backports from today.

comment:15 Changed 3 years ago by kierank

Ah sorry, your backports.

comment:16 Changed 3 years ago by michael

  • Version changed from 2.8.3 to 2.4.11

IIUC the newest release branch this is still unfixed on is 2.4, thus updating version

comment:17 Changed 3 years ago by michael

backported the commits that fixed it in previous releases to 2.4

comment:18 in reply to: comment:17 Changed 3 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to michael:

backported the commits that fixed it in previous releases to 2.4

Thank you!
