#5957 closed defect (fixed)

ffprobe: crash with null "-of" option

Reported by: likebreath Owned by: beastd
Priority: normal Component: ffprobe
Version: git-master Keywords: regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: yes

Description

Summary of the bug:

A segmentation fault will occur when launch ffprobe with the following pattern:

$ ffprobe -of x (where "x" is "\x00")

How to reproduce:

As "\x00" is normally parsed as string terminator, we can't input it through command-line. I use function "execv()" to launch ffprobe to reproduce the defect. Compile and run the following stub program will reproduce the segmentation fault being reported here.

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

main()
{
  char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};

  char crash_input[8] = {0};
  parmList[2] =  crash_input;

  execv("./ffprobe_g", parmList);
  printf("Return not expected. Must be an execv error.\n");
}

GDB Output:

chenbo@svl13:~/tools/FFmpeg/crash$ gdb a.out
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/chenbo/tools/FFmpeg/crash/a.out...done.
(gdb) list
1	#include <sys/types.h>
2	#include <unistd.h>
3	#include <stdio.h>
4	
5	main()
6	{
7	  char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};
8	
9	  char crash_input[1] = {0};
10	  parmList[2] =  crash_input;
11	
12	  execv("../ffprobe_g", parmList);
13	  printf("Return not expected. Must be an execv error.\n");
14	}
(gdb) r
Starting program: /home/chenbo/tools/FFmpeg/crash/a.out 
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaacd000
process 12800 is executing new program: /home/chenbo/tools/FFmpeg/ffprobe_g
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffprobe version N-82487-g1546d48 Copyright (c) 2007-2016 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.1-2ubuntu1~12.04)
  configuration: 
  libavutil      55. 40.100 / 55. 40.100
  libavcodec     57. 66.103 / 57. 66.103
  libavformat    57. 57.100 / 57. 57.100
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 67.100 /  6. 67.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100

Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
164	../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
(gdb) bt
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#1  0x000000000047c72d in main () at ffprobe.c:805
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x2aaaac98f1aa to 0x2aaaac98f1ea:
   0x00002aaaac98f1aa:	add    %al,(%rax)
   0x00002aaaac98f1ac:	add    %al,(%rax)
   0x00002aaaac98f1ae:	add    %al,(%rax)
   0x00002aaaac98f1b0 <__strcmp_sse42+0>:	mov    %esi,%ecx
   0x00002aaaac98f1b2 <__strcmp_sse42+2>:	mov    %edi,%eax
   0x00002aaaac98f1b4 <__strcmp_sse42+4>:	and    $0x3f,%rcx
   0x00002aaaac98f1b8 <__strcmp_sse42+8>:	and    $0x3f,%rax
   0x00002aaaac98f1bc <__strcmp_sse42+12>:	cmp    $0x30,%ecx
   0x00002aaaac98f1bf <__strcmp_sse42+15>:	ja     0x2aaaac98f200 <__strcmp_sse42+80>
   0x00002aaaac98f1c1 <__strcmp_sse42+17>:	cmp    $0x30,%eax
   0x00002aaaac98f1c4 <__strcmp_sse42+20>:	ja     0x2aaaac98f200 <__strcmp_sse42+80>
   0x00002aaaac98f1c6 <__strcmp_sse42+22>:	movdqu (%rdi),%xmm1
=> 0x00002aaaac98f1ca <__strcmp_sse42+26>:	movdqu (%rsi),%xmm2
   0x00002aaaac98f1ce <__strcmp_sse42+30>:	pxor   %xmm0,%xmm0
   0x00002aaaac98f1d2 <__strcmp_sse42+34>:	pcmpeqb %xmm1,%xmm0
   0x00002aaaac98f1d6 <__strcmp_sse42+38>:	pcmpeqb %xmm2,%xmm1
   0x00002aaaac98f1da <__strcmp_sse42+42>:	psubb  %xmm0,%xmm1
   0x00002aaaac98f1de <__strcmp_sse42+46>:	pmovmskb %xmm1,%edx
   0x00002aaaac98f1e2 <__strcmp_sse42+50>:	sub    $0xffff,%edx
   0x00002aaaac98f1e8 <__strcmp_sse42+56>:	jne    0x2aaaac98ff30 <__strcmp_sse42+3456>
End of assembler dump.
(gdb) info all-registers

rax            0x2f	47
rbx            0xf57fc0	16089024
rcx            0x0	0
rdx            0x0	0
rsi            0x0	0
rdi            0xf52f2f	16068399
rbp            0x15cf448	0x15cf448
rsp            0x7fffffffe268	0x7fffffffe268
r8             0x10087b0	16811952
r9             0x0	0
r10            0x7fffffffdfd0	140737488347088
r11            0x2aaaac997910	46912528546064
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0x2aaaac98f1ca	0x2aaaac98f1ca <__strcmp_sse42+26>
eflags         0x10287	[ CF PF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
---Type <return> to continue, or q <return> to quit---mxcsr          0x1f80	[ IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x8, 0x9, 
    0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x908, 0xb0a, 0xd0c, 
    0xf0e, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xb0a0908, 0xf0e0d0c, 0xffffffff, 0xffffffff, 
    0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xf0e0d0c0b0a0908, 0xffffffffffffffff, 0x0, 0x0}, v2_int128 = {0xffffffffffffffff0f0e0d0c0b0a0908, 
    0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x64, 0x65, 
    0x66, 0x61, 0x75, 0x6c, 0x74, 0x0, 0x55, 0x6e, 0x72, 0x65, 0x63, 0x6f, 0x67, 0x6e, 0x0 <repeats 16 times>}, v16_int16 = {0x6564, 0x6166, 
    0x6c75, 0x74, 0x6e55, 0x6572, 0x6f63, 0x6e67, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x61666564, 0x746c75, 0x65726e55, 
    0x6e676f63, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x746c7561666564, 0x6e676f6365726e55, 0x0, 0x0}, v2_int128 = {
    0x6e676f6365726e5500746c7561666564, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x32, 0x35, 
    0x36, 0x63, 0x6f, 0x6c, 0x6f, 0x72, 0x0, 0x1b, 0x5b, 0x25, 0x64, 0x3b, 0x33, 0x25, 0x0 <repeats 16 times>}, v16_int16 = {0x3532, 0x6336, 
    0x6c6f, 0x726f, 0x1b00, 0x255b, 0x3b64, 0x2533, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x63363532, 0x726f6c6f, 0x255b1b00, 
    0x25333b64, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x726f6c6f63363532, 0x25333b64255b1b00, 0x0, 0x0}, v2_int128 = {
    0x25333b64255b1b00726f6c6f63363532, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
(gdb) 

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

Change History (3)

comment:1 Changed 20 months ago by beastd

  • Owner set to beastd
  • Reproduced by developer set
  • Status changed from new to open

You should be able to reproduce this by simply passing -of with an empty argument.

E.g. on the a shell with:

./ffprobe -of ''

I believe I have identified the culprit in ffprobe.c source file. Will try to come up with a patch tomorrow.

comment:2 Changed 20 months ago by cehoyos

  • Keywords regression added

Regression since b874e2d0

comment:3 Changed 20 months ago by saste

  • Analyzed by developer set
  • Resolution set to fixed
  • Status changed from open to closed

Fixed in commit:

commit 427a47abcddab15e10ce26d971f712d90c53884b
Author: Stefano Sabatini <stefasab@gmail.com>
Date:   Thu Nov 17 12:11:13 2016 +0100

    ffprobe: fix crash in case -of is specified with an empty string
    
    Fix trac issue #5957.
Note: See TracTickets for help on using tickets.