Opened 2 years ago

Closed 2 years ago

#5371 closed defect (fixed)

h264_cabac: crash during fuzzed file decode

Reported by: qiubit Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: h264 SIGSEGV crash regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
Segfault when processing fuzzed file.

How to reproduce:

ffmpeg -i fuzzIn -vcodec copy -acodec copy fuzzOut

Backtrace:

gdb

pgolinski@Ubuntu-y580:~/Dokumenty/Programowanie/git/ffmpeg/build$ gdb ./ffmpeg_g
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg_g...done.
(gdb) r -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
Starting program: /home/pgolinski/Dokumenty/Programowanie/git/ffmpeg/build/ffmpeg_g -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-79116-gb098e1a Copyright (c) 2000-2016 the FFmpeg developers
  built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based on LLVM 3.6.2)
  configuration: --cc=clang --cxx=clang++ --disable-stripping --disable-optimizations --enable-debug
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 30.100 / 57. 30.100
  libavformat    57. 29.100 / 57. 29.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzzIn'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec ('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec ('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzzIn.
Successfully parsed a group of options.
Opening an input file: fuzzIn.
[file @ 0x241bb80] Setting default whitelist 'file,crypto'
Probing h264 score:51 size:1089
Probing mp3 score:1 size:1089
[h264 @ 0x241b3c0] Format h264 probed with size=2048 and score=51
[h264 @ 0x241b3c0] Before avformat_find_stream_info() pos: 0 bytes read:1089 seeks:0
[h264 @ 0x241c4a0] luma_log2_weight_denom 3071 is out of range
[h264 @ 0x241c4a0] chroma_log2_weight_denom 17 is out of range
[h264 @ 0x241c4a0] luma_log2_weight_denom 1029 is out of range
[h264 @ 0x241c4a0] illegal memory management control operation 32
[h264 @ 0x241c4a0] Frame num gap 15 13
[h264 @ 0x241c4a0] luma_log2_weight_denom 3071 is out of range
[h264 @ 0x241c4a0] chroma_log2_weight_denom 17 is out of range
[h264 @ 0x241c4a0] cabac_init_idc 22 overflow
[h264 @ 0x241c4a0] decode_slice_header error
[h264 @ 0x241c4a0] Unknown NAL code: 0 (111 bits)
[h264 @ 0x241c4a0] luma_log2_weight_denom 1029 is out of range
[h264 @ 0x241c4a0] bytestream overread -15
[h264 @ 0x241c4a0] error while decoding MB 0 0, bytestream -15
[h264 @ 0x241c4a0] slice type 32 too large at 1
[h264 @ 0x241c4a0] decode_slice_header error
[h264 @ 0x241c4a0] mmco: unref short failure
[h264 @ 0x241c4a0] number of reference frames (0+2) exceeds max (1; probably corrupt input), discarding one
[h264 @ 0x241c4a0] Frame num change from 12 to 15
[h264 @ 0x241c4a0] decode_slice_header error
[h264 @ 0x241c4a0] illegal short term reference assignment for second field in complementary field pair (first field is long term)

Program received signal SIGSEGV, Segmentation fault.
0x0000000001324827 in decode_cabac_residual_internal (h=0x7ffff7ee1040, sl=0x2438b40, block=0x2444190, cat=5, n=0, 
    scantable=0x7ffff7f143d0 "", qmul=0x1a00, max_coeff=64, is_dc=0, chroma422=0) at src/libavcodec/h264_cabac.c:1761
1761	        STORE_BLOCK(int16_t)
(gdb) bt
#0  0x0000000001324827 in decode_cabac_residual_internal (h=0x7ffff7ee1040, sl=0x2438b40, block=0x2444190, cat=5, n=0, 
    scantable=0x7ffff7f143d0 "", qmul=0x1a00, max_coeff=64, is_dc=0, chroma422=0) at src/libavcodec/h264_cabac.c:1761
#1  decode_cabac_residual_nondc_internal (h=0x7ffff7ee1040, sl=0x2438b40, block=0x2444190, cat=5, n=0, scantable=0x7ffff7f143d0 "", 
    qmul=0x1a00, max_coeff=64) at src/libavcodec/h264_cabac.c:1799
#2  0x0000000001310e1b in decode_cabac_residual_nondc (h=0x7ffff7ee1040, sl=0x2438b40, block=0x2444190, cat=5, n=0, 
    scantable=0x7ffff7f143d0 "", qmul=0x1a00, max_coeff=64) at src/libavcodec/h264_cabac.c:1860
#3  decode_cabac_luma_residual (h=0x7ffff7ee1040, sl=0x2438b40, scan=0x7ffff7f143c0 "", scan8x8=0x7ffff7f143d0 "", pixel_shift=0, 
    mb_type=16789664, cbp=29, p=0) at src/libavcodec/h264_cabac.c:1893
#4  ff_h264_decode_mb_cabac (h=0x7ffff7ee1040, sl=0x2438b40) at src/libavcodec/h264_cabac.c:2407
#5  0x00000000009fb0ee in decode_slice (avctx=0x241c4a0, arg=0x2438b40) at src/libavcodec/h264_slice.c:2378
#6  0x00000000009fa9cc in ff_h264_execute_decode_slices (h=0x7ffff7ee1040, context_count=1) at src/libavcodec/h264_slice.c:2551
#7  0x0000000000967aff in decode_nal_units (h=0x7ffff7ee1040, buf=0x2446e20 "", buf_size=145, parse_extradata=0) at src/libavcodec/h264.c:1648
#8  0x0000000000969ee5 in h264_decode_frame (avctx=0x241c4a0, data=0x247e7a0, got_frame=0x7fffffffd1dc, avpkt=0x7fffffffd048)
    at src/libavcodec/h264.c:1874
#9  0x0000000000ded3b9 in avcodec_decode_video2 (avctx=0x241c4a0, picture=0x247e7a0, got_picture_ptr=0x7fffffffd1dc, avpkt=0x7fffffffd158)
    at src/libavcodec/utils.c:2172
#10 0x00000000007e7a15 in try_decode_frame (s=0x241b3c0, st=0x241c0c0, avpkt=0x7fffffffd628, options=0x241bca0)
    at src/libavformat/utils.c:2819
#11 0x00000000007e6476 in avformat_find_stream_info (ic=0x241b3c0, options=0x241bca0) at src/libavformat/utils.c:3480
#12 0x0000000000410258 in open_input_file (o=0x7fffffffd900, filename=0x7fffffffe31f "fuzzIn") at src/ffmpeg_opt.c:969
#13 0x000000000040f7cb in open_files (l=0x241b058, inout=0x1732b72 "input", open_file=0x40f860 <open_input_file>) at src/ffmpeg_opt.c:3003
#14 0x000000000040f572 in ffmpeg_parse_options (argc=12, argv=0x7fffffffdf18) at src/ffmpeg_opt.c:3040
#15 0x000000000042189a in main (argc=12, argv=0x7fffffffdf18) at src/ffmpeg.c:4312
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x1324807 to 0x1324847:
   0x0000000001324807 <decode_cabac_residual_nondc_internal+4375>:	add    %al,(%rax)
   0x0000000001324809 <decode_cabac_residual_nondc_internal+4377>:	xor    %eax,%eax
   0x000000000132480b <decode_cabac_residual_nondc_internal+4379>:	mov    -0x178(%rbp),%rcx
   0x0000000001324812 <decode_cabac_residual_nondc_internal+4386>:	add    $0xc720,%rcx
   0x0000000001324819 <decode_cabac_residual_nondc_internal+4393>:	movslq -0x314(%rbp),%rdx
   0x0000000001324820 <decode_cabac_residual_nondc_internal+4400>:	mov    -0x198(%rbp),%rsi
=> 0x0000000001324827 <decode_cabac_residual_nondc_internal+4407>:	sub    (%rsi,%rdx,4),%eax
   0x000000000132482a <decode_cabac_residual_nondc_internal+4410>:	mov    %rcx,-0x58(%rbp)
   0x000000000132482e <decode_cabac_residual_nondc_internal+4414>:	mov    %eax,-0x5c(%rbp)
   0x0000000001324831 <decode_cabac_residual_nondc_internal+4417>:	mov    -0x5c(%rbp),%eax
   0x0000000001324834 <decode_cabac_residual_nondc_internal+4420>:	mov    -0x58(%rbp),%rcx
   0x0000000001324838 <decode_cabac_residual_nondc_internal+4424>:	mov    %rcx,-0x3d0(%rbp)
   0x000000000132483f <decode_cabac_residual_nondc_internal+4431>:	mov    %eax,%ecx
   0x0000000001324841 <decode_cabac_residual_nondc_internal+4433>:	mov    -0x3d0(%rbp),%rdi
End of assembler dump.
(gdb) info all-registers
rax            0x0	0
rbx            0x196a9a8	26651048
rcx            0x2445260	38031968
rdx            0x14	20
rsi            0x1a00	6656
rdi            0x2445260	38031968
rbp            0x7fffffffab80	0x7fffffffab80
rsp            0x7fffffffa770	0x7fffffffa770
r8             0x0	0
r9             0x100	256
r10            0x4c	76
r11            0x4e	78
r12            0x407170	4223344
r13            0x7fffffffdf10	140737488346896
r14            0x2444070	38027376
r15            0x0	0
rip            0x1324827	0x1324827 <decode_cabac_residual_nondc_internal+4407>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            -nan(0x8080808080808080)	(raw 0xffff8080808080808080)
st1            -nan(0x8080808080808080)	(raw 0xffff8080808080808080)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0x555a	21850
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
---Type <return> to continue, or q <return> to quit---
fooff          0x0	0
fop            0x0	0
mxcsr          0x1fa0	[ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x100000001, 0x0, 0x0}, v2_int128 = {
    0x00000001000000010000000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x80, 0x80, 
    0x80, 0x80, 0x79, 0x79, 0x79, 0x79, 0x0 <repeats 24 times>}, v16_int16 = {0x8080, 0x8080, 0x7979, 0x7979, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x80808080, 0x79797979, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x7979797980808080, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000007979797980808080, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x80, 0x80, 
    0x80, 0x80, 0x77, 0x77, 0x77, 0x77, 0x0 <repeats 24 times>}, v16_int16 = {0x8080, 0x8080, 0x7777, 0x7777, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x80808080, 0x77777777, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x7777777780808080, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000007777777780808080, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 21 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff0000, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xff0000, 0x0, 0x0}, v2_int128 = {
    0x0000000000ff00000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 
---Type <return> to continue, or q <return> to quit---
    0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0xff00, 0x0, 0x0, 
    0x0, 0x0, 0xff, 0xff00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff000000, 0x0, 0x0, 0xff0000ff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xff000000, 0xff0000ff00000000, 0x0, 0x0}, v2_int128 = {0xff0000ff0000000000000000ff000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xff000000ff, 0x0, 0x0}, v2_int128 = {
    0x000000ff000000ff0000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {
    0xff00, 0x0, 0x0, 0xffff, 0x0, 0x0, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff00, 0xffff0000, 0x0, 
    0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xffff00000000ff00, 0xffffffff00000000, 0x0, 0x0}, v2_int128 = {
    0xffffffff00000000ffff00000000ff00, 0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}

valgrind

pgolinski@Ubuntu-y580:~/Dokumenty/Programowanie/git/ffmpeg/build$ valgrind ./ffmpeg_g -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
==31079== Memcheck, a memory error detector
==31079== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31079== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31079== Command: ./ffmpeg_g -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
==31079== 
ffmpeg version N-79116-gb098e1a Copyright (c) 2000-2016 the FFmpeg developers
  built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based on LLVM 3.6.2)
  configuration: --cc=clang --cxx=clang++ --disable-stripping --disable-optimizations --enable-debug
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 30.100 / 57. 30.100
  libavformat    57. 29.100 / 57. 29.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzzIn'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec ('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec ('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzzIn.
Successfully parsed a group of options.
Opening an input file: fuzzIn.
[file @ 0xa9796a0] Setting default whitelist 'file,crypto'
Probing h264 score:51 size:1089
Probing mp3 score:1 size:1089
[h264 @ 0xa9788c0] Format h264 probed with size=2048 and score=51
[h264 @ 0xa9788c0] Before avformat_find_stream_info() pos: 0 bytes read:1089 seeks:0
[h264 @ 0xa98b560] luma_log2_weight_denom 3071 is out of range
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079==    by 0x9E9709: scan_mmco_reset (h264_parser.c:176)
==31079==    by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079==    by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079==    by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079==    by 0x7EDF28: parse_packet (utils.c:1300)
==31079==    by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079==    by 0x7E596F: avformat_find_stream_info (utils.c:3360)
[h264 @ 0xa98b560] chroma_log2_weight_denom 17 is out of range
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9688E4: ff_pred_weight_table (h264.c:1018)
==31079==    by 0x9E9709: scan_mmco_reset (h264_parser.c:176)
==31079==    by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079==    by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079==    by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079==    by 0x7EDF28: parse_packet (utils.c:1300)
==31079==    by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079==    by 0x7E596F: avformat_find_stream_info (utils.c:3360)
[h264 @ 0xa98b560] luma_log2_weight_denom 1029 is out of range
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079==    by 0x9E9709: scan_mmco_reset (h264_parser.c:176)
==31079==    by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079==    by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079==    by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079==    by 0x7EDF28: parse_packet (utils.c:1300)
==31079==    by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079==    by 0x7E596F: avformat_find_stream_info (utils.c:3360)
[h264 @ 0xa98b560] illegal memory management control operation 32
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9E9783: scan_mmco_reset (h264_parser.c:183)
==31079==    by 0x9E8A7F: parse_nal_units (h264_parser.c:404)
==31079==    by 0x9E77BA: h264_parse (h264_parser.c:535)
==31079==    by 0xCCCAEA: av_parser_parse2 (parser.c:180)
==31079==    by 0x7EDF28: parse_packet (utils.c:1300)
==31079==    by 0x7E0C5C: read_frame_internal (utils.c:1465)
==31079==    by 0x7E596F: avformat_find_stream_info (utils.c:3360)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] Frame num gap 15 13
[h264 @ 0xa98b560] luma_log2_weight_denom 3071 is out of range
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079==    by 0x9F7A1C: ff_h264_decode_slice_header (h264_slice.c:1743)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] chroma_log2_weight_denom 17 is out of range
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9688E4: ff_pred_weight_table (h264.c:1018)
==31079==    by 0x9F7A1C: ff_h264_decode_slice_header (h264_slice.c:1743)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] cabac_init_idc 22 overflow
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9F7CB8: ff_h264_decode_slice_header (h264_slice.c:1784)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
[h264 @ 0xa98b560] decode_slice_header error
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x967B82: decode_nal_units (h264.c:1656)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079==    by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
[h264 @ 0xa98b560] Unknown NAL code: 0 (111 bits)
[h264 @ 0xa98b560] luma_log2_weight_denom 1029 is out of range
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x968897: ff_pred_weight_table (h264.c:1014)
==31079==    by 0x9F7A1C: ff_h264_decode_slice_header (h264_slice.c:1743)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] bytestream overread -15
[h264 @ 0xa98b560] error while decoding MB 0 0, bytestream -15
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9FB343: decode_slice (h264_slice.c:2407)
==31079==    by 0x9FA9CB: ff_h264_execute_decode_slices (h264_slice.c:2551)
==31079==    by 0x967AFE: decode_nal_units (h264.c:1648)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
[h264 @ 0xa98b560] slice type 32 too large at 1
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9F5881: ff_h264_decode_slice_header (h264_slice.c:1220)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
[h264 @ 0xa98b560] decode_slice_header error
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x967B82: decode_nal_units (h264.c:1656)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079==    by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
[h264 @ 0xa98b560] mmco: unref short failure
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9EFD78: ff_h264_execute_ref_pic_marking (h264_refs.c:646)
==31079==    by 0x9EA17A: ff_h264_field_end (h264_picture.c:168)
==31079==    by 0x9F55F6: ff_h264_decode_slice_header (h264_slice.c:1189)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
[h264 @ 0xa98b560] number of reference frames (0+2) exceeds max (1; probably corrupt input), discarding one
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9F05C8: ff_h264_execute_ref_pic_marking (h264_refs.c:778)
==31079==    by 0x9EA17A: ff_h264_field_end (h264_picture.c:168)
==31079==    by 0x9F55F6: ff_h264_decode_slice_header (h264_slice.c:1189)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
[h264 @ 0xa98b560] Frame num change from 12 to 15
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9F6665: ff_h264_decode_slice_header (h264_slice.c:1433)
==31079==    by 0x96745A: decode_nal_units (h264.c:1527)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
[h264 @ 0xa98b560] decode_slice_header error
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x967B82: decode_nal_units (h264.c:1656)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079==    by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
[h264 @ 0xa98b560] illegal short term reference assignment for second field in complementary field pair (first field is long term)
==31079==    at 0x165B901: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6816)
==31079==    by 0x165B4F3: av_log_default_callback (log.c:346)
==31079==    by 0x165BB55: av_vlog (log.c:374)
==31079==    by 0x165BB06: av_log (log.c:366)
==31079==    by 0x9F041E: ff_h264_execute_ref_pic_marking (h264_refs.c:750)
==31079==    by 0x9EA17A: ff_h264_field_end (h264_picture.c:168)
==31079==    by 0x96A0A5: h264_decode_frame (h264.c:1896)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079== Invalid read of size 4
==31079==    at 0x1324827: decode_cabac_residual_internal (h264_cabac.c:1761)
==31079==    by 0x1324827: decode_cabac_residual_nondc_internal (h264_cabac.c:1799)
==31079==    by 0x1310E1A: decode_cabac_residual_nondc (h264_cabac.c:1860)
==31079==    by 0x1310E1A: decode_cabac_luma_residual (h264_cabac.c:1893)
==31079==    by 0x1310E1A: ff_h264_decode_mb_cabac (h264_cabac.c:2407)
==31079==    by 0x9FB0ED: decode_slice (h264_slice.c:2378)
==31079==    by 0x9FA9CB: ff_h264_execute_decode_slices (h264_slice.c:2551)
==31079==    by 0x967AFE: decode_nal_units (h264.c:1648)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079==    by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==31079==  Address 0x1a50 is not stack'd, malloc'd or (recently) free'd
==31079== 
==31079== 
==31079== Process terminating with default action of signal 11 (SIGSEGV)
==31079==  Access not within mapped region at address 0x1A50
==31079==    at 0x1324827: decode_cabac_residual_internal (h264_cabac.c:1761)
==31079==    by 0x1324827: decode_cabac_residual_nondc_internal (h264_cabac.c:1799)
==31079==    by 0x1310E1A: decode_cabac_residual_nondc (h264_cabac.c:1860)
==31079==    by 0x1310E1A: decode_cabac_luma_residual (h264_cabac.c:1893)
==31079==    by 0x1310E1A: ff_h264_decode_mb_cabac (h264_cabac.c:2407)
==31079==    by 0x9FB0ED: decode_slice (h264_slice.c:2378)
==31079==    by 0x9FA9CB: ff_h264_execute_decode_slices (h264_slice.c:2551)
==31079==    by 0x967AFE: decode_nal_units (h264.c:1648)
==31079==    by 0x969EE4: h264_decode_frame (h264.c:1874)
==31079==    by 0xDED3B8: avcodec_decode_video2 (utils.c:2172)
==31079==    by 0x7E7A14: try_decode_frame (utils.c:2819)
==31079==    by 0x7E6475: avformat_find_stream_info (utils.c:3480)
==31079==    by 0x410257: open_input_file (ffmpeg_opt.c:969)
==31079==    by 0x40F7CA: open_files (ffmpeg_opt.c:3003)
==31079==    by 0x40F571: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==31079==  If you believe this happened as a result of a stack
==31079==  overflow in your program's main thread (unlikely but
==31079==  possible), you can try to increase the size of the
==31079==  main thread stack using the --main-stacksize= flag.
==31079==  The main thread stack size used in this run was 8388608.
==31079== 
==31079== HEAP SUMMARY:
==31079==     in use at exit: 1,405,838 bytes in 209 blocks
==31079==   total heap usage: 345 allocs, 136 frees, 1,472,242 bytes allocated
==31079== 
==31079== LEAK SUMMARY:
==31079==    definitely lost: 0 bytes in 0 blocks
==31079==    indirectly lost: 0 bytes in 0 blocks
==31079==      possibly lost: 0 bytes in 0 blocks
==31079==    still reachable: 1,405,838 bytes in 209 blocks
==31079==         suppressed: 0 bytes in 0 blocks
==31079== Rerun with --leak-check=full to see details of leaked memory
==31079== 
==31079== For counts of detected and suppressed errors, rerun with: -v
==31079== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

Attachments (1)

fuzzIn (1.1 KB) - added by qiubit 2 years ago.

Download all attachments as: .zip

Change History (3)

Changed 2 years ago by qiubit

comment:1 Changed 2 years ago by cehoyos

  • Keywords regression added; cabac removed
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

Regression since 69738466189a0f68b0a635b4804ef9cf7bee3672 related to ticket #4389

comment:2 Changed 2 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed
Note: See TracTickets for help on using tickets.