Context Navigation

#5383 closed defect (fixed)

cfhd: crash with fuzzed file (threads 1)

Reported by:	ami_stuff	Owned by:
Priority:	important	Component:	avcodec
Version:	git-master	Keywords:	cfhd regression
Cc:		Blocked By:
Blocking:		Reproduced by developer:	no
Analyzed by developer:	no

Description

http://www.datafilehost.com/d/877580e1

==2690== Invalid write of size 2
==2690==    at 0x83A0030: av_bswap16 (bswap.h:60)
==2690==    by 0x83A0030: bytestream_get_be16 (bytestream.h:94)
==2690==    by 0x83A0030: bytestream2_get_be16u (bytestream.h:94)
==2690==    by 0x83A0030: cfhd_decode (cfhd.c:465)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==  Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690== 
==2690== Invalid write of size 2
==2690==    at 0x83A0390: cfhd_decode (cfhd.c:522)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==  Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690== 
==2690== Invalid write of size 2
==2690==    at 0x83A0399: cfhd_decode (cfhd.c:521)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==  Address 0x74b69fe is 62 bytes inside a block of size 153,600 free'd
==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)

aaa@aaa-VirtualBox /media/sdb1 $ ffmpeg/ffmpeg_g
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
  configuration: --disable-ffplay --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 28.103 / 57. 28.103
  libavformat    57. 28.102 / 57. 28.102
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...

(gdb) r -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb7d94b40 (LWP 9717)]
[New Thread 0xb7593b40 (LWP 9718)]
[New Thread 0xb6d92b40 (LWP 9719)]
[New Thread 0xb6591b40 (LWP 9720)]
[New Thread 0xb5d90b40 (LWP 9721)]

Program received signal SIGSEGV, Segmentation fault.
0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
60	    x= (x>>8) | (x<<8);
(gdb) bt
#0  0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
#1  bytestream_get_be16 (b=<synthetic pointer>) at libavcodec/bytestream.h:94
#2  bytestream2_get_be16u (g=<synthetic pointer>) at libavcodec/bytestream.h:94
#3  cfhd_decode (avctx=0x9717a60, data=0x972c860, got_frame=0xbfffe310, 
    avpkt=0xbfffe0cc) at libavcodec/cfhd.c:465
#4  0x0874e126 in avcodec_decode_video2 (avctx=0x9717a60, 
    picture=picture@entry=0x972c860, 
    got_picture_ptr=got_picture_ptr@entry=0xbfffe310, 
    avpkt=avpkt@entry=0xbfffe358) at libavcodec/utils.c:2172
#5  0x080de19f in decode_video (ist=ist@entry=0x9711b60, 
    pkt=pkt@entry=0xbfffe358, got_output=got_output@entry=0xbfffe310)
    at ffmpeg.c:2078
#6  0x080e6a36 in process_input_packet (no_eof=0, pkt=0xbfffe314, 
    ist=0x9711b60) at ffmpeg.c:2331
#7  process_input (file_index=<optimized out>) at ffmpeg.c:4001
#8  0x080e95d0 in transcode_step () at ffmpeg.c:4089
#9  transcode () at ffmpeg.c:4143
#10 0x080c6b85 in main (argc=<optimized out>, argv=<optimized out>)
    at ffmpeg.c:4334
(gdb)

Change History (4)

comment:1 by Carl Eugen Hoyos, 8 years ago

Component:	undetermined → avcodec
Keywords:	cfhd regression added
Priority:	normal → important
Status:	new → open
Version:	unspecified → git-master

Regression since 8adbe26b909aec76a4d3a80837d4453f1cfbddc1

comment:2 by Kieran Kunhya, 8 years ago

It's not a regression because that was the commit which added alpha support.

comment:3 by Kieran Kunhya, 8 years ago

It's not a regression because that was the commit which added alpha support.

comment:4 by Carl Eugen Hoyos, 8 years ago

Resolution:	→ fixed
Status:	open → closed

Fixed in e9a9ca1936ea2853cdfb8913d44711d240eec60d

Note: See TracTickets for help on using tickets.

Download in other formats: