Opened 7 years ago

Closed 3 years ago

#6255 closed defect (fixed)

Corrupt .flv file segfaults ffprobe (-print_format json) -show_streams $filename

Reported by: Katie Holly
Owned by:
Priority: important
Component: ffprobe
Version: git-master
Keywords: crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

corrupt.flv (File attached)

00000000  46 4c 56 01 30 00 00 00  09 30 30 30 30 09 00 00  |FLV.0....0000...|
00000010  30 30 30 30 30 30 30 30  17 00 30 30 30 01 30 30  |00000000..000.00|
00000020  30 ff e1 00 0a 30 30 30  30 30 30 30 30 09 00 00  |0....00000000...|
00000030  13 30 30 30 30 30 30 30  27 30 30 30 30 30 30 30  |.0000000'0000000|
00000040  30 30 30 30 30 30 30 30  30 30 30 00 00 00 1e 09  |00000000000.....|
00000050  00 00 11 30 30 30 30 30  30 30 30 30 30 30 30 00  |...000000000000.|
00000060  00 00 08 e7 30 30 30 42  df e8 81 00 00 00 1c     |....000B.......|
0000006f

https://scr.meo.ws/snapshot/1490263786338886565.png

ffprobe -print_format default -show_streams $filename

GDB:

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff660e99c in _IO_puts (str=0x0) at ioputs.c:36
#2  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#3  0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb59e0, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#4  0x000000000057dcd0 in show_streams (ifile=0x7fffffffe940, w=0x3bb30b0) at ffprobe.c:2436
#5  probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#6  main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) up 2
#2  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
673                 wctx->writer->print_string(wctx, key, val);
(gdb) l
 668                            key, val, section->unique_name);
 669                 }
 670                 av_free(key1);
 671                 av_free(val1);
 672             } else {
*673                 wctx->writer->print_string(wctx, key, val);
 674             }
 675
 676             wctx->nb_item[wctx->level]++;
 677         }

Valgrind:

==940423== Invalid read of size 1
==940423==    at 0x4C2C1A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==940423==    by 0x632E99B: puts (ioputs.c:36)
==940423==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==940423==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==940423==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==940423==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==940423==    by 0x57DCCF: main (ffprobe.c:3397)
==940423==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==940423==
==940423==
==940423== Process terminating with default action of signal 11 (SIGSEGV)
==940423==  Access not within mapped region at address 0x0
==940423==    at 0x4C2C1A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==940423==    by 0x632E99B: puts (ioputs.c:36)
==940423==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==940423==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==940423==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==940423==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==940423==    by 0x57DCCF: main (ffprobe.c:3397)
==940423==  If you believe this happened as a result of a stack
==940423==  overflow in your program's main thread (unlikely but
==940423==  possible), you can try to increase the size of the
==940423==  main thread stack using the --main-stacksize= flag.
==940423==  The main thread stack size used in this run was 8388608.
==940423==
==940423== HEAP SUMMARY:
==940423==     in use at exit: 2,257,232 bytes in 89 blocks
==940423==   total heap usage: 225 allocs, 136 frees, 2,709,948 bytes allocated
==940423==
==940423== LEAK SUMMARY:
==940423==    definitely lost: 0 bytes in 0 blocks
==940423==    indirectly lost: 0 bytes in 0 blocks
==940423==      possibly lost: 0 bytes in 0 blocks
==940423==    still reachable: 2,257,232 bytes in 89 blocks
==940423==         suppressed: 0 bytes in 0 blocks
==940423== Rerun with --leak-check=full to see details of leaked memory
==940423==
==940423== For counts of detected and suppressed errors, rerun with: -v
==940423== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

ffprobe -print_format compact -show_streams $filename

GDB:

Program received signal SIGSEGV, Segmentation fault.
c_escape_str (dst=0x7fffffffd700, src=0x0, sep=124 '|', log_ctx=0x3bb30b0) at ffprobe.c:934
934         for (p = src; *p; p++) {
(gdb) bt
#0  c_escape_str (dst=0x7fffffffd700, src=0x0, sep=124 '|', log_ctx=0x3bb30b0) at ffprobe.c:934
#1  0x000000000059c1d2 in compact_print_str (wctx=0x3bb30b0, key=0x2cb31b3 "chroma_location", value=0x0) at ffprobe.c:1077
#2  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#3  0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb5a90, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#4  0x000000000057dcd0 in show_streams (ifile=0x7fffffffe900, w=0x3bb30b0) at ffprobe.c:2436
#5  probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#6  main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) l
 929      */
 930     static const char *c_escape_str(AVBPrint *dst, const char *src, const char sep, void *log_ctx)
 931     {
 932         const char *p;
 933
*934         for (p = src; *p; p++) {
 935             switch (*p) {
 936             case '\b': av_bprintf(dst, "%s", "\\b");  break;
 937             case '\f': av_bprintf(dst, "%s", "\\f");  break;
 938             case '\n': av_bprintf(dst, "%s", "\\n");  break;

Valgrind:

==214239== Invalid read of size 1
==214239==    at 0x59E48F: c_escape_str (ffprobe.c:934)
==214239==    by 0x59C1D1: compact_print_str (ffprobe.c:1077)
==214239==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==214239==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==214239==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==214239==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==214239==    by 0x57DCCF: main (ffprobe.c:3397)
==214239==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==214239==
==214239==
==214239== Process terminating with default action of signal 11 (SIGSEGV)
==214239==  Access not within mapped region at address 0x0
==214239==    at 0x59E48F: c_escape_str (ffprobe.c:934)
==214239==    by 0x59C1D1: compact_print_str (ffprobe.c:1077)
==214239==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==214239==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==214239==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==214239==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==214239==    by 0x57DCCF: main (ffprobe.c:3397)
==214239==  If you believe this happened as a result of a stack
==214239==  overflow in your program's main thread (unlikely but
==214239==  possible), you can try to increase the size of the
==214239==  main thread stack using the --main-stacksize= flag.
==214239==  The main thread stack size used in this run was 8388608.
==214239==
==214239== HEAP SUMMARY:
==214239==     in use at exit: 2,257,348 bytes in 91 blocks
==214239==   total heap usage: 229 allocs, 138 frees, 2,710,068 bytes allocated
==214239==
==214239== LEAK SUMMARY:
==214239==    definitely lost: 0 bytes in 0 blocks
==214239==    indirectly lost: 0 bytes in 0 blocks
==214239==      possibly lost: 0 bytes in 0 blocks
==214239==    still reachable: 2,257,348 bytes in 91 blocks
==214239==         suppressed: 0 bytes in 0 blocks
==214239== Rerun with --leak-check=full to see details of leaked memory
==214239==
==214239== For counts of detected and suppressed errors, rerun with: -v
==214239== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

ffprobe -print_format json -show_streams $filename

GDB:

Program received signal SIGSEGV, Segmentation fault.
json_print_item_str (key=<optimized out>, value=0x0, wctx=<optimized out>) at ffprobe.c:1482
1482        printf(" \"%s\"", json_escape_str(&buf, value, wctx));
(gdb) bt
#0  json_print_item_str (key=<optimized out>, value=0x0, wctx=<optimized out>) at ffprobe.c:1482
#1  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#2  0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb59d0, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#3  0x000000000057dcd0 in show_streams (ifile=0x7fffffffe920, w=0x3bb30b0) at ffprobe.c:2436
#4  probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#5  main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) l
 1477        AVBPrint buf;
 1478
 1479        av_bprint_init(&buf, 1, AV_BPRINT_SIZE_UNLIMITED);
 1480        printf("\"%s\":", json_escape_str(&buf, key,   wctx));
 1481        av_bprint_clear(&buf);
*1482        printf(" \"%s\"", json_escape_str(&buf, value, wctx));
 1483        av_bprint_finalize(&buf, NULL);
 1484    }
 1485
 1486    static void json_print_str(WriterContext *wctx, const char *key, const char *value)

Valgrind:

==1007190== Invalid read of size 1
==1007190==    at 0x5A9F60: json_escape_str (ffprobe.c:1398)
==1007190==    by 0x5A9F60: json_print_item_str.isra.9 (ffprobe.c:1482)
==1007190==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==1007190==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==1007190==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==1007190==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==1007190==    by 0x57DCCF: main (ffprobe.c:3397)
==1007190==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1007190==
==1007190==
==1007190== Process terminating with default action of signal 11 (SIGSEGV)
==1007190==  Access not within mapped region at address 0x0
==1007190==    at 0x5A9F60: json_escape_str (ffprobe.c:1398)
==1007190==    by 0x5A9F60: json_print_item_str.isra.9 (ffprobe.c:1482)
==1007190==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==1007190==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==1007190==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==1007190==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==1007190==    by 0x57DCCF: main (ffprobe.c:3397)
==1007190==  If you believe this happened as a result of a stack
==1007190==  overflow in your program's main thread (unlikely but
==1007190==  possible), you can try to increase the size of the
==1007190==  main thread stack using the --main-stacksize= flag.
==1007190==  The main thread stack size used in this run was 8388608.
==1007190==
==1007190== HEAP SUMMARY:
==1007190==     in use at exit: 2,257,205 bytes in 89 blocks
==1007190==   total heap usage: 225 allocs, 136 frees, 2,709,921 bytes allocated
==1007190==
==1007190== LEAK SUMMARY:
==1007190==    definitely lost: 0 bytes in 0 blocks
==1007190==    indirectly lost: 0 bytes in 0 blocks
==1007190==      possibly lost: 0 bytes in 0 blocks
==1007190==    still reachable: 2,257,205 bytes in 89 blocks
==1007190==         suppressed: 0 bytes in 0 blocks
==1007190== Rerun with --leak-check=full to see details of leaked memory
==1007190==
==1007190== For counts of detected and suppressed errors, rerun with: -v
==1007190== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Not attaching more examples, but it seems all writers are affected by this.
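All three traces above end the same way: show_stream hands a NULL `chroma_location` string to writer_print_string, and each writer's print/escape routine walks it as if it were a C string. The snippet below is an added example (not FFmpeg's code and not the patch from this ticket) of the two places such a value can be stopped: the writer dispatcher skips a NULL item, and the compact-style escaper treats NULL as an empty string instead of dereferencing it. `escape_str` and `print_string` are hypothetical names modelled on c_escape_str and writer_print_string.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Escapes newlines, backslashes and the field separator into dst, in the
 * spirit of the compact writer's c_escape_str. A NULL src is treated as ""
 * rather than dereferenced (the crash at ffprobe.c:934 in the report). */
static const char *escape_str(char *dst, size_t cap, const char *src, char sep)
{
    size_t n = 0;
    if (!src)                         /* hypothetical hardening: NULL -> "" */
        src = "";
    for (const char *p = src; *p && n + 2 < cap; p++) {
        switch (*p) {
        case '\n': dst[n++] = '\\'; dst[n++] = 'n';  break;
        case '\\': dst[n++] = '\\'; dst[n++] = '\\'; break;
        default:
            if (*p == sep)
                dst[n++] = '\\';
            dst[n++] = *p;
        }
    }
    dst[n] = '\0';
    return dst;
}

/* Plays the role of writer_print_string: every writer is reached through this
 * one dispatcher, so rejecting a NULL value here protects the default, compact
 * and json paths at once. Returns 1 if the item was written, 0 if skipped. */
static int print_string(const char *key, const char *val, char sep,
                        char *out, size_t cap)
{
    char esc[64];
    if (!val)          /* e.g. av_*_name() returned NULL for a corrupt value */
        return 0;
    snprintf(out, cap, "%s=%s%c", key, escape_str(esc, sizeof esc, val, sep), sep);
    return 1;
}

int main(void)
{
    char out[128];
    /* Constructed inputs: a valid field and the NULL field from the report. */
    if (print_string("codec_name", "h264", '|', out, sizeof out))
        fputs(out, stdout);
    if (!print_string("chroma_location", NULL, '|', out, sizeof out))
        puts("\nchroma_location skipped (NULL value)");
    return 0;
}
```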

Attachments (1)

corrupt.flv (111 bytes ) - added by Katie Holly 7 years ago.


Change History (4)

by Katie Holly, 7 years ago

Attachment: corrupt.flv added

comment:1 by Carl Eugen Hoyos, 7 years ago

Keywords: crash SIGSEGV regression added
Priority: normal → important
Reproduced by developer: set
Status: new → open

Regression since e0faad837cd5047a1310cefa0cf163d8caa865e7, (possibly) related to ticket #5648.

comment:2 by Carl Eugen Hoyos, 7 years ago

Patch sent:
http://ffmpeg.org/pipermail/ffmpeg-devel/2017-March/209049.html

Afaict, other developers prefer that this crash will not be fixed ;-(

comment:3 by mkver, 3 years ago

Resolution: fixed
Status: open → closed