(gdb) r -max_alloc 100000000 -i f/h264_fuzz.m4v
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -max_alloc 100000000 -i f/h264_fuzz.m4v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 28.100 / 55. 28.100
libavcodec 57. 51.102 / 57. 51.102
libavformat 57. 46.101 / 57. 46.101
libavdevice 57. 0.102 / 57. 0.102
libavfilter 6. 51.100 / 6. 51.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 1.100 / 2. 1.100
libpostproc 54. 0.100 / 54. 0.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x9883160] error reading header
Program received signal SIGSEGV, Segmentation fault.
0x08277269 in mov_read_close (s=0x9883160) at libavformat/mov.c:4834
4834 av_free(sc->extradata[j]);
(gdb) bt
#0 0x08277269 in mov_read_close (s=0x9883160) at libavformat/mov.c:4834
#1 0x0827a5a2 in mov_read_header (s=0x9883160) at libavformat/mov.c:5038
#2 0x08331634 in avformat_open_input (ps=0xbfffe88c,
filename=0xbffff343 "f/h264_fuzz.m4v", fmt=0x0, options=0x98830fc)
at libavformat/utils.c:555
#3 0x080cbc54 in open_input_file (o=o@entry=0xbfffe994,
filename=<optimized out>) at ffmpeg_opt.c:982
#4 0x080cd807 in open_files (l=0x988302c, l=0x988302c,
open_file=0x80ca380 <open_input_file>, inout=0x8c8f8a2 "input")
at ffmpeg_opt.c:3069
#5 ffmpeg_parse_options (argc=5, argv=0xbffff124) at ffmpeg_opt.c:3106
#6 0x080bd36d in main (argc=5, argv=0xbffff124) at ffmpeg.c:4325
(gdb)
aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -max_alloc 100000000 -i f/h264_fuzz.m4v
==10645== Memcheck, a memory error detector
==10645== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==10645== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==10645== Command: ffmpeg/ffmpeg_g -max_alloc 100000000 -i f/h264_fuzz.m4v
==10645==
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
configuration: --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 55. 28.100 / 55. 28.100
libavcodec 57. 51.102 / 57. 51.102
libavformat 57. 46.101 / 57. 46.101
libavdevice 57. 0.102 / 57. 0.102
libavfilter 6. 51.100 / 6. 51.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 1.100 / 2. 1.100
libpostproc 54. 0.100 / 54. 0.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x42bd340] error reading header
==10645== Invalid read of size 4
==10645== at 0x8277269: mov_read_close (mov.c:4834)
==10645== by 0x827A5A1: mov_read_header (mov.c:5038)
==10645== by 0x8331633: avformat_open_input (utils.c:555)
==10645== by 0x80CBC53: open_input_file (ffmpeg_opt.c:982)
==10645== by 0x80CD806: open_files (ffmpeg_opt.c:3069)
==10645== by 0x80CD806: ffmpeg_parse_options (ffmpeg_opt.c:3106)
==10645== by 0x80BD36C: main (ffmpeg.c:4325)
==10645== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==10645==
==10645==
==10645== Process terminating with default action of signal 11 (SIGSEGV)
==10645== Access not within mapped region at address 0x0
==10645== at 0x8277269: mov_read_close (mov.c:4834)
==10645== by 0x827A5A1: mov_read_header (mov.c:5038)
==10645== by 0x8331633: avformat_open_input (utils.c:555)
==10645== by 0x80CBC53: open_input_file (ffmpeg_opt.c:982)
==10645== by 0x80CD806: open_files (ffmpeg_opt.c:3069)
==10645== by 0x80CD806: ffmpeg_parse_options (ffmpeg_opt.c:3106)
==10645== by 0x80BD36C: main (ffmpeg.c:4325)
==10645== If you believe this happened as a result of a stack
==10645== overflow in your program's main thread (unlikely but
==10645== possible), you can try to increase the size of the
==10645== main thread stack using the --main-stacksize= flag.
==10645== The main thread stack size used in this run was 8388608.
==10645==
==10645== HEAP SUMMARY:
==10645== in use at exit: 56,850 bytes in 77 blocks
==10645== total heap usage: 145 allocs, 68 frees, 99,821 bytes allocated
==10645==
==10645== LEAK SUMMARY:
==10645== definitely lost: 0 bytes in 0 blocks
==10645== indirectly lost: 0 bytes in 0 blocks
==10645== possibly lost: 0 bytes in 0 blocks
==10645== still reachable: 56,850 bytes in 77 blocks
==10645== suppressed: 0 bytes in 0 blocks
==10645== Reachable blocks (those to which a pointer was found) are not shown.
==10645== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10645==
==10645== For counts of detected and suppressed errors, rerun with: -v
==10645== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
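Regression since commits 3c058f57 / 76729970. Both runs fault at the same place: libavformat/mov.c:4834 (`av_free(sc->extradata[j])`) in mov_read_close, called from mov_read_header (mov.c:5038) right after the "error reading header" message. Valgrind reports it as an invalid 4-byte read at address 0x0, i.e. a NULL pointer dereference on the header-failure cleanup path. This is consistent with `sc->extradata` being NULL when the close routine runs, though the traces alone do not confirm which pointer is NULL.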