Opened 7 years ago
Closed 7 years ago
#5957 closed defect (fixed)
ffprobe: crash with null "-of" option
| Reported by: | Bo Chen | Owned by: | Alexander Strasser |
|---|---|---|---|
| Priority: | normal | Component: | ffprobe |
| Version: | git-master | Keywords: | regression |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | yes |
Description
Summary of the bug:
A segmentation fault will occur when launch ffprobe with the following pattern:
$ ffprobe -of x (where "x" is "\x00")
How to reproduce:
As "\x00" is normally parsed as string terminator, we can't input it through command-line. I use function "execv()" to launch ffprobe to reproduce the defect. Compile and run the following stub program will reproduce the segmentation fault being reported here.
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
main()
{
char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};
char crash_input[8] = {0};
parmList[2] = crash_input;
execv("./ffprobe_g", parmList);
printf("Return not expected. Must be an execv error.\n");
}
GDB Output:
chenbo@svl13:~/tools/FFmpeg/crash$ gdb a.out
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/chenbo/tools/FFmpeg/crash/a.out...done.
(gdb) list
1 #include <sys/types.h>
2 #include <unistd.h>
3 #include <stdio.h>
4
5 main()
6 {
7 char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};
8
9 char crash_input[1] = {0};
10 parmList[2] = crash_input;
11
12 execv("../ffprobe_g", parmList);
13 printf("Return not expected. Must be an execv error.\n");
14 }
(gdb) r
Starting program: /home/chenbo/tools/FFmpeg/crash/a.out
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaacd000
process 12800 is executing new program: /home/chenbo/tools/FFmpeg/ffprobe_g
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffprobe version N-82487-g1546d48 Copyright (c) 2007-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.1-2ubuntu1~12.04)
configuration:
libavutil 55. 40.100 / 55. 40.100
libavcodec 57. 66.103 / 57. 66.103
libavformat 57. 57.100 / 57. 57.100
libavdevice 57. 2.100 / 57. 2.100
libavfilter 6. 67.100 / 6. 67.100
libswscale 4. 3.101 / 4. 3.101
libswresample 2. 4.100 / 2. 4.100
Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
164 ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
(gdb) bt
#0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#1 0x000000000047c72d in main () at ffprobe.c:805
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x2aaaac98f1aa to 0x2aaaac98f1ea:
0x00002aaaac98f1aa: add %al,(%rax)
0x00002aaaac98f1ac: add %al,(%rax)
0x00002aaaac98f1ae: add %al,(%rax)
0x00002aaaac98f1b0 <__strcmp_sse42+0>: mov %esi,%ecx
0x00002aaaac98f1b2 <__strcmp_sse42+2>: mov %edi,%eax
0x00002aaaac98f1b4 <__strcmp_sse42+4>: and $0x3f,%rcx
0x00002aaaac98f1b8 <__strcmp_sse42+8>: and $0x3f,%rax
0x00002aaaac98f1bc <__strcmp_sse42+12>: cmp $0x30,%ecx
0x00002aaaac98f1bf <__strcmp_sse42+15>: ja 0x2aaaac98f200 <__strcmp_sse42+80>
0x00002aaaac98f1c1 <__strcmp_sse42+17>: cmp $0x30,%eax
0x00002aaaac98f1c4 <__strcmp_sse42+20>: ja 0x2aaaac98f200 <__strcmp_sse42+80>
0x00002aaaac98f1c6 <__strcmp_sse42+22>: movdqu (%rdi),%xmm1
=> 0x00002aaaac98f1ca <__strcmp_sse42+26>: movdqu (%rsi),%xmm2
0x00002aaaac98f1ce <__strcmp_sse42+30>: pxor %xmm0,%xmm0
0x00002aaaac98f1d2 <__strcmp_sse42+34>: pcmpeqb %xmm1,%xmm0
0x00002aaaac98f1d6 <__strcmp_sse42+38>: pcmpeqb %xmm2,%xmm1
0x00002aaaac98f1da <__strcmp_sse42+42>: psubb %xmm0,%xmm1
0x00002aaaac98f1de <__strcmp_sse42+46>: pmovmskb %xmm1,%edx
0x00002aaaac98f1e2 <__strcmp_sse42+50>: sub $0xffff,%edx
0x00002aaaac98f1e8 <__strcmp_sse42+56>: jne 0x2aaaac98ff30 <__strcmp_sse42+3456>
End of assembler dump.
(gdb) info all-registers
rax 0x2f 47
rbx 0xf57fc0 16089024
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0xf52f2f 16068399
rbp 0x15cf448 0x15cf448
rsp 0x7fffffffe268 0x7fffffffe268
r8 0x10087b0 16811952
r9 0x0 0
r10 0x7fffffffdfd0 140737488347088
r11 0x2aaaac997910 46912528546064
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0x2aaaac98f1ca 0x2aaaac98f1ca <__strcmp_sse42+26>
eflags 0x10287 [ CF PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
---Type <return> to continue, or q <return> to quit---mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
ymm0 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x8, 0x9,
0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x908, 0xb0a, 0xd0c,
0xf0e, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xb0a0908, 0xf0e0d0c, 0xffffffff, 0xffffffff,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xf0e0d0c0b0a0908, 0xffffffffffffffff, 0x0, 0x0}, v2_int128 = {0xffffffffffffffff0f0e0d0c0b0a0908,
0x00000000000000000000000000000000}}
ymm1 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x64, 0x65,
0x66, 0x61, 0x75, 0x6c, 0x74, 0x0, 0x55, 0x6e, 0x72, 0x65, 0x63, 0x6f, 0x67, 0x6e, 0x0 <repeats 16 times>}, v16_int16 = {0x6564, 0x6166,
0x6c75, 0x74, 0x6e55, 0x6572, 0x6f63, 0x6e67, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x61666564, 0x746c75, 0x65726e55,
0x6e676f63, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x746c7561666564, 0x6e676f6365726e55, 0x0, 0x0}, v2_int128 = {
0x6e676f6365726e5500746c7561666564, 0x00000000000000000000000000000000}}
ymm2 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm3 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x32, 0x35,
0x36, 0x63, 0x6f, 0x6c, 0x6f, 0x72, 0x0, 0x1b, 0x5b, 0x25, 0x64, 0x3b, 0x33, 0x25, 0x0 <repeats 16 times>}, v16_int16 = {0x3532, 0x6336,
0x6c6f, 0x726f, 0x1b00, 0x255b, 0x3b64, 0x2533, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x63363532, 0x726f6c6f, 0x255b1b00,
0x25333b64, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x726f6c6f63363532, 0x25333b64255b1b00, 0x0, 0x0}, v2_int128 = {
0x25333b64255b1b00726f6c6f63363532, 0x00000000000000000000000000000000}}
ymm5 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm6 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm7 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm8 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm10 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm11 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm12 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm13 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm14 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm15 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
(gdb)
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
Change History (3)
comment:1 by , 7 years ago
| Owner: | set to |
|---|---|
| Reproduced by developer: | set |
| Status: | new → open |
comment:3 by , 7 years ago
| Analyzed by developer: | set |
|---|---|
| Resolution: | → fixed |
| Status: | open → closed |
Fixed in commit:
commit 427a47abcddab15e10ce26d971f712d90c53884b
Author: Stefano Sabatini <stefasab@gmail.com>
Date: Thu Nov 17 12:11:13 2016 +0100
ffprobe: fix crash in case -of is specified with an empty string
Fix trac issue #5957.
Note:
See TracTickets
for help on using tickets.
You should be able to reproduce this by simply passing -of with an empty argument.
E.g. on the a shell with:
I believe I have identified the culprit in ffprobe.c source file. Will try to come up with a patch tomorrow.