Opened 8 years ago
Closed 8 years ago
#5383 closed defect (fixed)
cfhd: crash with fuzzed file (threads 1)
Reported by: | ami_stuff | Owned by: |
---|---|---|---
Priority: | important | Component: | avcodec
Version: | git-master | Keywords: | cfhd regression
Cc: | | Blocked By: |
Blocking: | | Reproduced by developer: | no
Analyzed by developer: | no | |
Description
http://www.datafilehost.com/d/877580e1
```
==2690== Invalid write of size 2
==2690==    at 0x83A0030: av_bswap16 (bswap.h:60)
==2690==    by 0x83A0030: bytestream_get_be16 (bytestream.h:94)
==2690==    by 0x83A0030: bytestream2_get_be16u (bytestream.h:94)
==2690==    by 0x83A0030: cfhd_decode (cfhd.c:465)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==  Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==
==2690== Invalid write of size 2
==2690==    at 0x83A0390: cfhd_decode (cfhd.c:522)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==  Address 0x74b69c0 is 0 bytes inside a block of size 153,600 free'd
==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==
==2690== Invalid write of size 2
==2690==    at 0x83A0399: cfhd_decode (cfhd.c:521)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
==2690==  Address 0x74b69fe is 62 bytes inside a block of size 153,600 free'd
==2690==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2690==    by 0x83A0659: free_buffers (cfhd.c:145)
==2690==    by 0x83A0659: cfhd_decode (cfhd.c:431)
==2690==    by 0x874E125: avcodec_decode_video2 (utils.c:2172)
==2690==    by 0x80DE19E: decode_video (ffmpeg.c:2078)
==2690==    by 0x80E6A35: process_input_packet (ffmpeg.c:2331)
==2690==    by 0x80E6A35: process_input (ffmpeg.c:4001)
==2690==    by 0x80E95CF: transcode_step (ffmpeg.c:4089)
==2690==    by 0x80E95CF: transcode (ffmpeg.c:4143)
==2690==    by 0x80C6B84: main (ffmpeg.c:4334)
```
```
aaa@aaa-VirtualBox /media/sdb1 $ ffmpeg/ffmpeg_g
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
  configuration: --disable-ffplay --disable-ffprobe --disable-ffserver --enable-gpl
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 28.103 / 57. 28.103
  libavformat    57. 28.102 / 57. 28.102
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...
```
```
(gdb) r -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -threads 1 -loglevel -1 -i f/cfhd_q_low_444_alpha_fuzz2.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb7d94b40 (LWP 9717)]
[New Thread 0xb7593b40 (LWP 9718)]
[New Thread 0xb6d92b40 (LWP 9719)]
[New Thread 0xb6591b40 (LWP 9720)]
[New Thread 0xb5d90b40 (LWP 9721)]

Program received signal SIGSEGV, Segmentation fault.
0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
60          x= (x>>8) | (x<<8);
(gdb) bt
#0  0x083a0030 in av_bswap16 (x=11716) at ./libavutil/bswap.h:60
#1  bytestream_get_be16 (b=<synthetic pointer>) at libavcodec/bytestream.h:94
#2  bytestream2_get_be16u (g=<synthetic pointer>) at libavcodec/bytestream.h:94
#3  cfhd_decode (avctx=0x9717a60, data=0x972c860, got_frame=0xbfffe310, avpkt=0xbfffe0cc) at libavcodec/cfhd.c:465
#4  0x0874e126 in avcodec_decode_video2 (avctx=0x9717a60, picture=picture@entry=0x972c860, got_picture_ptr=got_picture_ptr@entry=0xbfffe310, avpkt=avpkt@entry=0xbfffe358) at libavcodec/utils.c:2172
#5  0x080de19f in decode_video (ist=ist@entry=0x9711b60, pkt=pkt@entry=0xbfffe358, got_output=got_output@entry=0xbfffe310) at ffmpeg.c:2078
#6  0x080e6a36 in process_input_packet (no_eof=0, pkt=0xbfffe314, ist=0x9711b60) at ffmpeg.c:2331
#7  process_input (file_index=<optimized out>) at ffmpeg.c:4001
#8  0x080e95d0 in transcode_step () at ffmpeg.c:4089
#9  transcode () at ffmpeg.c:4143
#10 0x080c6b85 in main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4334
(gdb)
```
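The three valgrind reports in the description share one shape: the 153,600-byte block was released by free_buffers() called from cfhd_decode() (cfhd.c:431), and later in the same decode call cfhd_decode() still writes into it (cfhd.c:465, 521 and 522). That is consistent with a write pointer captured before the buffers were replaced and reused afterwards. The C program below is an added illustration of that bug class and of one defensive check against it; it is not FFmpeg's cfhd code and not the fix that closed this ticket, and everything in it (DecCtx, Cursor, the tag ids, the two packets) is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decoder state, not FFmpeg's CFHDContext: one coefficient
 * plane that is freed and reallocated whenever a header tag changes its size. */
typedef struct {
    int16_t *plane;
    size_t   plane_len;   /* samples the plane holds */
    unsigned generation;  /* incremented on every (re)allocation */
} DecCtx;

/* Write cursor into the plane; remembers which allocation it came from. */
typedef struct {
    int16_t *ptr;
    size_t   remaining;
    unsigned generation;
} Cursor;

enum { TAG_SIZE = 1, TAG_SELECT = 2, TAG_DATA = 3 };  /* constructed tag ids */

static void free_buffers(DecCtx *s)
{
    free(s->plane);
    s->plane     = NULL;
    s->plane_len = 0;
}

static int alloc_buffers(DecCtx *s, size_t len)
{
    free_buffers(s);
    s->plane = calloc(len, sizeof(*s->plane));
    if (!s->plane)
        return -1;
    s->plane_len = len;
    s->generation++;
    return 0;
}

static Cursor take_cursor(const DecCtx *s)
{
    Cursor c = { s->plane, s->plane_len, s->generation };
    return c;
}

/* strict=0 has the shape of the bug: the cursor cached at TAG_SELECT is used
 * after a later TAG_SIZE freed and reallocated the plane, i.e. a write into
 * freed memory of the kind the valgrind trace reports. strict=1 re-validates
 * the cursor on every write and rejects the packet instead. The program only
 * ever calls it with strict=1. */
int decode(DecCtx *s, const int16_t *tags, size_t n, int strict)
{
    Cursor c = { NULL, 0, 0 };
    int written = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        if (tags[i] == TAG_SIZE) {
            if (alloc_buffers(s, (size_t)tags[i + 1]) < 0)
                return -1;
        } else if (tags[i] == TAG_SELECT) {
            c = take_cursor(s);
        } else if (tags[i] == TAG_DATA) {
            if (strict && (!c.ptr || c.generation != s->generation || c.remaining == 0))
                return -1;            /* stale or exhausted cursor: invalid data */
            if (!c.remaining)
                continue;             /* the unsafe decoder trusts only the cached length */
            *c.ptr++ = tags[i + 1];   /* with strict=0 this is the use-after-free */
            c.remaining--;
            written++;
        }
    }
    return written;
}

/* Constructed packets: a well-formed one, and one that resizes the plane
 * after the cursor was taken. */
static const int16_t GOOD_PKT[]  = { TAG_SIZE, 4, TAG_SELECT, 0, TAG_DATA, 10, TAG_DATA, 20 };
static const int16_t STALE_PKT[] = { TAG_SIZE, 4, TAG_SELECT, 0, TAG_DATA, 10,
                                     TAG_SIZE, 8, TAG_DATA, 20 };

int run_good(void)   /* returns 2: both samples landed in the plane */
{
    DecCtx s = { NULL, 0, 0 };
    int r  = decode(&s, GOOD_PKT, sizeof(GOOD_PKT) / sizeof(GOOD_PKT[0]), 1);
    int ok = r == 2 && s.plane && s.plane[0] == 10 && s.plane[1] == 20;
    free_buffers(&s);
    return ok ? 2 : -2;
}

int run_stale(void)  /* returns -1: the write after the reallocation was refused */
{
    DecCtx s = { NULL, 0, 0 };
    int r = decode(&s, STALE_PKT, sizeof(STALE_PKT) / sizeof(STALE_PKT[0]), 1);
    free_buffers(&s);
    return r;
}

int main(void)
{
    printf("well-formed packet: %d\n", run_good());
    printf("stale-cursor packet: %d\n", run_stale());
    return 0;
}
```

The generation counter makes a cached pointer self-checking, which is useful when the cursor must survive across several header tags. The simpler fix in most decoders is to not cache at all: re-derive the write pointer from the context after any tag that can reallocate, so there is nothing stale left to check. Either way, a fuzzed file that reorders the size tag should produce an error return, not a write into a freed block.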
Change History (4)
comment:1 by , 8 years ago
Component: | undetermined → avcodec |
---|---|
Keywords: | cfhd regression added |
Priority: | normal → important |
Status: | new → open |
Version: | unspecified → git-master |
Regression since 8adbe26b909aec76a4d3a80837d4453f1cfbddc1
comment:2 by , 8 years ago
It's not a regression because that was the commit which added alpha support.
comment:3 by , 8 years ago
It's not a regression because that was the commit which added alpha support.
comment:4 by , 8 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |