Opened 13 years ago

Closed 13 years ago

Last modified 11 years ago

#71 closed defect (fixed)

Segmentation fault with interlaced MPEG2 sample

Reported by: Carl Eugen Hoyos
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: mpeg2 interlaced crash SIGSEGV roundup
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

(issue 2367)
Attached interlaced MPEG2 sample from Optelecom Siqura C-60 E-MC crashes FFmpeg

(gdb) r -i exploit.bin

FFmpeg version git-N-29196-ge61b83d, Copyright (c) 2000-2011 the FFmpeg developers
  built on Apr 19 2011 19:44:16 with gcc 4.4.5
  configuration: --cc='/usr/local/gcc-4.4.5/bin/gcc -m32' --disable-asm
  libavutil    50. 40. 1 / 50. 40. 1
  libavcodec   52.120. 0 / 52.120. 0
  libavformat  52.108. 0 / 52.108. 0
  libavdevice  52.  4. 0 / 52.  4. 0
  libavfilter   1. 79. 1 /  1. 79. 1
  libswscale    0. 13. 0 /  0. 13. 0

Program received signal SIGSEGV, Segmentation fault.
0x081781e0 in put_pixels8_8_c (h=<value optimized out>, line_size=<value optimized out>,
    pixels=<value optimized out>, block=<value optimized out>) at libavcodec/dsputil_internal.h:756
756     PIXOP2(put, op_put)
(gdb) bt
#0  0x081781e0 in put_pixels8_8_c (h=<value optimized out>, line_size=<value optimized out>,
    pixels=<value optimized out>, block=<value optimized out>) at libavcodec/dsputil_internal.h:756
#1  put_pixels16_8_c (h=<value optimized out>, line_size=<value optimized out>,
    pixels=<value optimized out>, block=<value optimized out>) at libavcodec/dsputil_internal.h:756
#2  0x083a6ace in mpeg_motion_internal (mb_y=<value optimized out>, is_mpeg12=<value optimized out>,
    h=<value optimized out>, motion_y=<value optimized out>, motion_x=<value optimized out>,
    pix_op=<value optimized out>, ref_picture=<value optimized out>, field_select=<value optimized out>,
    bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
    dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
    at libavcodec/mpegvideo_common.h:352
#3  mpeg_motion (mb_y=<value optimized out>, is_mpeg12=<value optimized out>, h=<value optimized out>,
    motion_y=<value optimized out>, motion_x=<value optimized out>, pix_op=<value optimized out>,
    ref_picture=<value optimized out>, field_select=<value optimized out>,
    bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
    dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
    at libavcodec/mpegvideo_common.h:375
#4  MPV_motion_internal (mb_y=<value optimized out>, is_mpeg12=<value optimized out>,
    h=<value optimized out>, motion_y=<value optimized out>, motion_x=<value optimized out>,
    pix_op=<value optimized out>, ref_picture=<value optimized out>, field_select=<value optimized out>,
    bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
    dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
    at libavcodec/mpegvideo_common.h:823
#5  MPV_motion (mb_y=<value optimized out>, is_mpeg12=<value optimized out>, h=<value optimized out>,
    motion_y=<value optimized out>, motion_x=<value optimized out>, pix_op=<value optimized out>,
    ref_picture=<value optimized out>, field_select=<value optimized out>,
    bottom_field=<value optimized out>, field_based=<value optimized out>, dest_cr=<value optimized out>,
    dest_cb=<value optimized out>, dest_y=<value optimized out>, s=<value optimized out>)
    at libavcodec/mpegvideo_common.h:892
#6  0x083afec1 in MPV_decode_mb_internal (is_mpeg12=<value optimized out>,
    lowres_flag=<value optimized out>, block=<value optimized out>, s=<value optimized out>)
    at libavcodec/mpegvideo.c:2117
#7  MPV_decode_mb (is_mpeg12=<value optimized out>, lowres_flag=<value optimized out>,
    block=<value optimized out>, s=<value optimized out>) at libavcodec/mpegvideo.c:2253
#8  0x0836070b in mpeg_decode_slice (s1=0x8c69c50, mb_y=<value optimized out>, buf=<value optimized out>,
    buf_size=501) at libavcodec/mpeg12.c:1843
#9  0x08366d18 in decode_chunks (avctx=<value optimized out>, picture=<value optimized out>,
    data_size=<value optimized out>, buf=0x8c77e60 "", buf_size=11505) at libavcodec/mpeg12.c:2535
#10 0x08367240 in mpeg_decode_frame (avctx=0x8c69690, data=0xffffcbc4, data_size=0xffffcd8c,
    avpkt=0x8c6f880) at libavcodec/mpeg12.c:2323
#11 0x08479077 in avcodec_decode_video2 (avctx=0x8c69690, picture=0xffffcbc4, got_picture_ptr=0xffffcd8c,
    avpkt=0x8c6f880) at libavcodec/utils.c:719
#12 0x08119231 in try_decode_frame (avpkt=<value optimized out>, st=<value optimized out>)
    at libavformat/utils.c:2127
#13 av_find_stream_info (avpkt=<value optimized out>, st=<value optimized out>)
    at libavformat/utils.c:2417
#14 0x0804d7d6 in opt_input_file (filename=0xffffd28b "exploit.bin") at ffmpeg.c:3303
#15 0x08059e85 in parse_options (argc=3, argv=0xffffd024, options=0x85c7800,
    parse_arg_function=0x8056790 <opt_output_file>) at cmdutils.c:222
#16 0x08055c51 in main (argc=3, argv=0xffffd024) at ffmpeg.c:4443
(gdb) disass $pc-12 $pc+32
Dump of assembler code from 0x81781d4 to 0x8178200:
0x081781d4 <put_pixels8_8_c+0>: test   %esi,%esi
0x081781d6 <put_pixels8_8_c+2>: jle    0x8178219 <put_pixels16_8_c+89>
0x081781d8 <put_pixels8_8_c+4>: xor    %eax,%eax
0x081781da <put_pixels8_8_c+6>: xor    %ebx,%ebx
0x081781dc <put_pixels8_8_c+8>: lea    0x0(%esi,%eiz,1),%esi
0x081781e0 <put_pixels8_8_c+12>:        mov    (%ecx,%eax,1),%ebp
0x081781e3 <put_pixels8_8_c+15>:        add    $0x1,%ebx
0x081781e6 <put_pixels8_8_c+18>:        mov    %ebp,(%edx,%eax,1)
0x081781e9 <put_pixels8_8_c+21>:        mov    0x4(%ecx,%eax,1),%ebp
0x081781ed <put_pixels8_8_c+25>:        mov    %ebp,0x4(%edx,%eax,1)
0x081781f1 <put_pixels8_8_c+29>:        add    %edi,%eax
0x081781f3 <put_pixels8_8_c+31>:        cmp    %esi,%ebx
0x081781f5 <put_pixels8_8_c+33>:        jne    0x81781e0 <put_pixels8_8_c+12>
0x081781f7 <put_pixels8_8_c+35>:        xor    %eax,%eax
0x081781f9 <put_pixels8_8_c+37>:        xor    %ebx,%ebx
0x081781fb <put_pixels8_8_c+39>:        nop
0x081781fc <put_pixels8_8_c+40>:        lea    0x0(%esi,%eiz,1),%esi
End of assembler dump.
(gdb) info register
eax            0x0      0
ecx            0x2f0    752
edx            0xf7c9c220       -137772512
ebx            0x0      0
esp            0xffffc67c       0xffffc67c
ebp            0x10     0x10
esi            0x10     16
edi            0x5e0    1504
eip            0x81781e0        0x81781e0 <put_pixels8_8_c+12>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
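The register dump locates the fault precisely: `mov (%ecx,%eax,1),%ebp` with eax = 0 reads address 0x2f0, so the `pixels` pointer handed to put_pixels8_8_c is the small integer 752, which is what a NULL picture base plus a row or column offset looks like (line_size in edi is 1504, twice that). The C below is an added illustration, not FFmpeg code and not the patch that closed this ticket: it models the 8-byte-per-row copy the disassembly shows and the kind of check a field-prediction caller needs before invoking it. `RefPicture`, `predict_field_block` and the missing-reference explanation of the crash are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* put_pixels8_8_c as the disassembly shows it: h rows of 8 bytes, stride line_size. */
static void put_pixels8(uint8_t *block, const uint8_t *pixels,
                        ptrdiff_t line_size, int h)
{
    for (int i = 0; i < h; i++, block += line_size, pixels += line_size)
        memcpy(block, pixels, 8);
}

/* Hypothetical reference picture; data is NULL if it was never decoded. */
typedef struct { uint8_t *data; int linesize; int height; } RefPicture;

/* Field prediction of one 8x16 block (row stride doubled, bottom field one line
 * down). Returns -1 instead of dereferencing a missing/out-of-bounds reference. */
int predict_field_block(uint8_t *dst, const RefPicture *ref,
                        int bottom_field, int src_x, int src_y)
{
    if (!ref || !ref->data)
        return -1;              /* NULL base + offset: a read near 0x2f0 */
    long last_row = 2L * (src_y + 15) + (bottom_field ? 1 : 0);
    if (src_x < 0 || src_y < 0 || src_x + 8 > ref->linesize ||
        last_row >= ref->height)
        return -1;              /* block would run past the plane */
    ptrdiff_t stride = 2 * (ptrdiff_t)ref->linesize;
    const uint8_t *src = ref->data + (bottom_field ? ref->linesize : 0)
                         + (ptrdiff_t)src_y * stride + src_x;
    put_pixels8(dst, src, stride, 16);
    return 0;
}

/* Constructed sample: 752-byte-wide plane (field stride 1504, matching edi in
 * the register dump), 32 rows, pixel value = row * 7 + column. */
enum { W = 752, H = 32 };
static uint8_t plane[H * W], out[16 * 2 * W];

/* 1 if the bottom-field copy yields source rows 1, 3, ..., 31; else 0. */
int check_valid_reference(void)
{
    for (int r = 0; r < H; r++)
        for (int c = 0; c < W; c++) plane[r * W + c] = (uint8_t)(r * 7 + c);
    if (predict_field_block(out, &(RefPicture){ plane, W, H }, 1, 0, 0) != 0)
        return 0;
    for (int i = 0; i < 16; i++)
        for (int c = 0; c < 8; c++)
            if (out[i * 2 * W + c] != (uint8_t)((2 * i + 1) * 7 + c)) return 0;
    return 1;
}
```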

Attachments (1)

exploit.bin (11.3 KB ) - added by Carl Eugen Hoyos 13 years ago.


Change History (3)

by Carl Eugen Hoyos, 13 years ago

Attachment: exploit.bin added

comment:1 by Michael Niedermayer, 13 years ago

Keywords: mpeg2 interlaced crash added
Resolution: fixed
Status: new → closed
Version: git → git-master

Applied an (old and missed) patch by anatoly that fixes this

comment:2 by Carl Eugen Hoyos, 11 years ago

Keywords: SIGSEGV roundup added