#5441 closed defect (fixed)

rm: crash with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: real crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
==3232== Memcheck, a memory error detector
==3232== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3232== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==3232== Command: ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
==3232== 
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 20.100 / 55. 20.100
  libavcodec     57. 34.100 / 57. 34.100
  libavformat    57. 34.100 / 57. 34.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 41.101 /  6. 41.101
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100
==3232== Invalid read of size 4
==3232==    at 0x8BAA83A: av_log (log.c:363)
==3232==    by 0x83417FF: ff_get_extradata (utils.c:3129)
==3232==    by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
==3232==    by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
==3232==    by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
==3232==    by 0x82EC177: rm_read_header (rmdec.c:630)
==3232==    by 0x8346DDC: avformat_open_input (utils.c:552)
==3232==    by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
==3232==    by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
==3232==    by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==3232==    by 0x80C87B9: main (ffmpeg.c:4321)
==3232==  Address 0xe is not stack'd, malloc'd or (recently) free'd
==3232== 
==3232== 
==3232== Process terminating with default action of signal 11 (SIGSEGV)
==3232==  Access not within mapped region at address 0xE
==3232==    at 0x8BAA83A: av_log (log.c:363)
==3232==    by 0x83417FF: ff_get_extradata (utils.c:3129)
==3232==    by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
==3232==    by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
==3232==    by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
==3232==    by 0x82EC177: rm_read_header (rmdec.c:630)
==3232==    by 0x8346DDC: avformat_open_input (utils.c:552)
==3232==    by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
==3232==    by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
==3232==    by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==3232==    by 0x80C87B9: main (ffmpeg.c:4321)
==3232==  If you believe this happened as a result of a stack
==3232==  overflow in your program's main thread (unlikely but
==3232==  possible), you can try to increase the size of the
==3232==  main thread stack using the --main-stacksize= flag.
==3232==  The main thread stack size used in this run was 8388608.
==3232== 
==3232== HEAP SUMMARY:
==3232==     in use at exit: 37,902 bytes in 54 blocks
==3232==   total heap usage: 83 allocs, 29 frees, 4,267,608 bytes allocated
==3232== 
==3232== LEAK SUMMARY:
==3232==    definitely lost: 0 bytes in 0 blocks
==3232==    indirectly lost: 0 bytes in 0 blocks
==3232==      possibly lost: 0 bytes in 0 blocks
==3232==    still reachable: 37,902 bytes in 54 blocks
==3232==         suppressed: 0 bytes in 0 blocks
==3232== Reachable blocks (those to which a pointer was found) are not shown.
==3232== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==3232== 
==3232== For counts of detected and suppressed errors, rerun with: -v
==3232== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
(gdb) r -i lossless_32khz_stereo_fuzz.ra -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
  configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
  libavutil      55. 20.100 / 55. 20.100
  libavcodec     57. 34.100 / 57. 34.100
  libavformat    57. 34.100 / 57. 34.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 41.101 /  6. 41.101
  libswscale      4.  1.100 /  4.  1.100
  libswresample   2.  0.101 /  2.  0.101
  libpostproc    54.  0.100 / 54.  0.100

Program received signal SIGSEGV, Segmentation fault.
0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16, 
    fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n")
    at libavutil/log.c:363
363	    if (avc && avc->version >= (50 << 16 | 15 << 8 | 2) &&
(gdb) bt
#0  0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16, 
    fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n")
    at libavutil/log.c:363
#1  0x08341800 in ff_get_extradata (par=0x9729200, pb=pb@entry=0x9730ae0, 
    size=size@entry=4194328) at libavformat/utils.c:3129
#2  0x082eba1e in rm_read_extradata (size=4194328, par=<optimized out>, 
    pb=0x9730ae0, s=0x9728200) at libavformat/rmdec.c:96
#3  ff_rm_read_mdpr_codecdata (s=s@entry=0x9728200, pb=0x9730ae0, 
    st=st@entry=0x9728aa0, rst=0x97296a0, 
    codec_data_size=codec_data_size@entry=4194328, 
    mime=mime@entry=0xbfffe73c "audio/x-ralf-mpeg4-generic")
    at libavformat/rmdec.c:337
#4  0x082ec178 in ff_rm_read_mdpr_codecdata (
    mime=0xbfffe73c "audio/x-ralf-mpeg4-generic", codec_data_size=4194328, 
    rst=<optimized out>, st=0x9728aa0, pb=<optimized out>, s=0x9728200)
    at libavformat/rmdec.c:324
#5  rm_read_header (s=0x9728200) at libavformat/rmdec.c:630
#6  0x08346ddd in avformat_open_input (ps=ps@entry=0xbfffecac, 
    filename=filename@entry=0xbffff32b "lossless_32khz_stereo_fuzz.ra", 
    fmt=fmt@entry=0x0, options=0x97280ec) at libavformat/utils.c:552
#7  0x080d5f05 in open_input_file (o=o@entry=0xbfffed5c, 
    filename=<optimized out>) at ffmpeg_opt.c:949
#8  0x080da1cb in open_files (inout=0x8c60022 "input", 
---Type <return> to continue, or q <return> to quit---
    open_file=0x80d45e0 <open_input_file>, l=<optimized out>, 
    l=<optimized out>) at ffmpeg_opt.c:3003
#9  ffmpeg_parse_options (argc=argc@entry=6, argv=argv@entry=0xbffff124)
    at ffmpeg_opt.c:3040
#10 0x080c87ba in main (argc=6, argv=0xbffff124) at ffmpeg.c:4321
(gdb) 

Attachments (1)

lossless_32khz_stereo_fuzz.ra (1.7 MB) - added by ami_stuff 19 months ago.

Change History (3)

Changed 19 months ago by ami_stuff

comment:1 Changed 19 months ago by cehoyos

  • Component changed from undetermined to avformat
  • Keywords real crash SIGSEGV regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

comment:2 Changed 19 months ago by richardpl

  • Resolution set to fixed
  • Status changed from open to closed