Opened 6 years ago

Closed 6 years ago

#6829 closed defect (fixed)

tivo: crash with fuzzed file

Reported by: ami_stuff
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: tivo crash SIGSEGV
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

https://files.fm/u/wzee5nkr

(gdb) r -i f/ty/live_fuzz.ty+ -f null -
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i f/ty/live_fuzz.ty+ -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.4.git Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
  configuration: --enable-gpl --disable-ffprobe --disable-ffplay --disable-ffserver
  libavutil      56.  0.100 / 56.  0.100
  libavcodec     58.  2.100 / 58.  2.100
  libavformat    58.  2.100 / 58.  2.100
  libavdevice    58.  0.100 / 58.  0.100
  libavfilter     7.  0.101 /  7.  0.101
  libswscale      5.  0.101 /  5.  0.101
  libswresample   3.  0.101 /  3.  0.101
  libpostproc    55.  0.100 / 55.  0.100
[ty @ 0x9aa9200] DTS discontinuity in stream 1: packet 14 with DTS 26958472, packet 15 with DTS 1100702456
Input #0, ty, from 'f/ty/live_fuzz.ty+':
  Duration: N/A, start: 299.154578, bitrate: N/A
    Stream #0:0: Video: mpeg2video (Main), yuv420p(tv, top first), 480x480 [SAR 4:3 DAR 4:3], 27.75 fps, 59.94 tbr, 90k tbn, 59.94 tbc
    Stream #0:1: Audio: mp2, 48000 Hz, stereo, s16p, 160 kb/s
[New Thread 0xb7575b40 (LWP 2450)]
[New Thread 0xb6d74b40 (LWP 2451)]
[New Thread 0xb6573b40 (LWP 2452)]
[New Thread 0xb5d72b40 (LWP 2453)]
[New Thread 0xb5571b40 (LWP 2454)]
[New Thread 0xb4d70b40 (LWP 2455)]
[New Thread 0xb456fb40 (LWP 2456)]
[New Thread 0xb3d6eb40 (LWP 2457)]
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video (native) -> wrapped_avframe (native))
  Stream #0:1 -> #0:1 (mp2 (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
[New Thread 0xb356db40 (LWP 2458)]
[New Thread 0xb2d6cb40 (LWP 2459)]
[New Thread 0xb256bb40 (LWP 2460)]
[New Thread 0xb1d6ab40 (LWP 2461)]
[New Thread 0xb1569b40 (LWP 2462)]
[New Thread 0xb0d68b40 (LWP 2463)]
[New Thread 0xb0567b40 (LWP 2464)]
[New Thread 0xafd66b40 (LWP 2465)]
[mp2 @ 0x9ac4dc0] Header missing
Error while decoding stream #0:1: Invalid data found when processing input
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 4 0
[mpeg2video @ 0x9aae8a0] Invalid mb type in I-frame at 4 3
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 4 10
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 13 13
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 9 4
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 2 5
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 0 6
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 13 17
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 0 11
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 13 18
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 3 19
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 19 12
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 19 14
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 5 15
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 5 16
[mpeg2video @ 0x9aae8a0] skipped MB in I-frame at 27 1
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 17 2
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 5 20
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 5 21
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 12 22
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 0 7
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 4 27
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 7 28
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 4 8
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 3 9
[mpeg2video @ 0x9aae8a0] skipped MB in I-frame at 20 29
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 2 23
[mpeg2video @ 0x9aae8a0] skipped MB in I-frame at 1 24
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 4 26
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 900 DC, 900 AC, 900 MV errors in I frame
[mpeg2video @ 0x9aae8a0] ignoring extra picture following a frame-picture
[mpeg2video @ 0x9aae8a0] Missing picture start code
    Last message repeated 19 times
[mpeg2video @ 0x9aae8a0] mb incr damaged
    Last message repeated 1 times
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 0 9
[mpeg2video @ 0x9aae8a0] Invalid mb type in P-frame at 4 10
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 17 7
[mpeg2video @ 0x9aae8a0] mb incr damaged
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 17 15
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 8 19
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 0 23
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 23 24
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 571 DC, 571 AC, 571 MV errors in P frame
[...]
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 541 DC, 541 AC, 541 MV errors in B frame
[mpeg2video @ 0x9aae8a0] ignoring pic cod ext after 0
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 27 0
[mpeg2video @ 0x9aae8a0] invalid cbp -1 at 13 7
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 6 11
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 28 9
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 14 3
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 9 14
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 18 14
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 13 4
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 6 18
[mpeg2video @ 0x9aae8a0] invalid cbp 0 at 18 21
[mpeg2video @ 0x9aae8a0] mb incr damaged
    Last message repeated 1 times
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 480 DC, 480 AC, 480 MV errors in B frame
[mpeg2video @ 0x9aae8a0] slice below image (129 >= 30)
Error while decoding stream #0:0: Invalid data found when processing input
[mpeg2video @ 0x9aae8a0] slice below image (35 >= 30)
Error while decoding stream #0:0: Invalid data found when processing input
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 26 0
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 7 5
[mpeg2video @ 0x9aae8a0] invalid cbp -1 at 23 12
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 8 13
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 11 21
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 16 8
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 16 15
[mpeg2video @ 0x9aae8a0] mb incr damaged
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 10 6
[mpeg2video @ 0x9aae8a0] mb incr damaged
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 0 25
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 14 26
[mpeg2video @ 0x9aae8a0] end mismatch left=391 600000 at 0 30
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 570 DC, 570 AC, 570 MV errors in B frame
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 6 1
[mpeg2video @ 0x9aae8a0] invalid cbp 0 at 20 10
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 28 9
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 8 11
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 9 3
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 15 22
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 12 25
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 27 13
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 16 15
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 21 16
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 412 DC, 412 AC, 412 MV errors in B frame
[mpeg2video @ 0x9aae8a0] Invalid mb type in P-frame at 17 1
[mpeg2video @ 0x9aae8a0] Invalid mb type in P-frame at 22 3
[mpeg2video @ 0x9aae8a0] Invalid mb type in P-frame at 2 10
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 12 12
[mpeg2video @ 0x9aae8a0] mb incr damaged
[mpeg2video @ 0x9aae8a0] invalid cbp -1 at 3 17
[mpeg2video @ 0x9aae8a0] slice mismatch
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 9 16
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 14 28
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 15 23
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 26 26
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 571 DC, 571 AC, 571 MV errors in P frame
[mpeg2video @ 0x9aae8a0] slice below image (156 >= 30)
Error while decoding stream #0:0: Invalid data found when processing input
[mpeg2video @ 0x9aae8a0] mb incr damaged
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 24 8
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 4 11
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 15 13
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 22 17
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 5 18
[mpeg2video @ 0x9aae8a0] skip with previntra
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 10 14
[mpeg2video @ 0x9aae8a0] mb incr damaged
[mpeg2video @ 0x9aae8a0] slice mismatch
[mpeg2video @ 0x9aae8a0] invalid cbp 0 at 24 1
[mpeg2video @ 0x9aae8a0] invalid cbp -1 at 20 12
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 8 22
[mpeg2video @ 0x9aae8a0] Invalid mb type in B-frame at 7 19
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 510 DC, 510 AC, 510 MV errors in B frame
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 3 1
[mpeg2video @ 0x9aae8a0] slice mismatch
    Last message repeated 2 times
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 6 7
[mpeg2video @ 0x9aae8a0] ac-tex damaged at 9 8
[mpeg2video @ 0x9aae8a0] Warning MVs not available
[mpeg2video @ 0x9aae8a0] concealing 814 DC, 814 AC, 814 MV errors in P frame

Program received signal SIGSEGV, Segmentation fault.
ty_read_packet (s=0x9aa9200, pkt=0xbfffe668) at libavformat/ty.c:732
732	        rec_size = rec->rec_size;
(gdb) bt
#0  ty_read_packet (s=0x9aa9200, pkt=0xbfffe668) at libavformat/ty.c:732
#1  0x0838f482 in ff_read_packet (s=0x9aa9200, pkt=0xbfffe668)
    at libavformat/utils.c:823
#2  0x0839301c in read_frame_internal (s=s@entry=0x9aa9200, 
    pkt=pkt@entry=0xbfffe928) at libavformat/utils.c:1526
#3  0x08394420 in av_read_frame (s=0x9aa9200, pkt=0xbfffe928)
    at libavformat/utils.c:1723
#4  0x080dbacf in get_input_packet (f=f@entry=0x9aab2e0, 
    pkt=pkt@entry=0xbfffe928) at fftools/ffmpeg.c:4072
#5  0x080eb02f in process_input (file_index=0) at fftools/ffmpeg.c:4195
#6  transcode_step () at fftools/ffmpeg.c:4542
#7  transcode () at fftools/ffmpeg.c:4596
#8  0x080c6af9 in main (argc=<optimized out>, argv=<optimized out>)
    at fftools/ffmpeg.c:4802

Attachments (1)

live_fuzz_cut.ty (2.4 MB) - added by Carl Eugen Hoyos 6 years ago.

Change History (3)

comment:1 by Carl Eugen Hoyos, 6 years ago

Component: undetermined → avformat
Keywords: tivo crash SIGSEGV added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

by Carl Eugen Hoyos, 6 years ago

Attachment: live_fuzz_cut.ty added

comment:2 by Carl Eugen Hoyos, 6 years ago

Resolution: fixed
Status: open → closed