Opened 4 years ago
Closed 4 years ago
#8860 closed defect (duplicate)
A stack-buffer-overflow in aacdec_template.c:539:24
Reported by: | Zhou Anshunkang | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | avcodec |
Version: | git-master | Keywords: | aac |
Cc: | Blocked By: | ||
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
System info
Ubuntu x86_64, clang 6.0, ffmpeg (git-master https://github.com/FFmpeg/FFmpeg/commit/01a580f141627cfc8eae5de2300d2d93911887e3)
Configure
./configure --toolchain=clang-asan && make ffmpeg_g
Command line
./ffmpeg_g -y -f mov /dev/null -i @@
AddressSanitizer
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --disable-shared --enable-debug=3 --disable-ffplay --disable-ffprobe --disable-doc --disable-asm --cc=clang --cxx=clang++ --ld=clang --toolchain=clang-asan libavutil 56. 58.100 / 56. 58.100 libavcodec 58.101.100 / 58.101.100 libavformat 58. 51.100 / 58. 51.100 libavdevice 58. 11.101 / 58. 11.101 libavfilter 7. 87.100 / 7. 87.100 libswscale 5. 8.100 / 5. 8.100 libswresample 3. 8.100 / 3. 8.100 [aac @ 0x61b000000080] Format aac detected only with low score of 1, misdetection possible! [aac @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS). [aac @ 0x619000000580] Error decoding AAC frame header. [aac @ 0x619000000580] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented. [aac @ 0x619000000580] Multiple frames in a packet. [aac @ 0x619000000580] channel element 3.6 is not allocated [aac @ 0x61b000000080] decoding for stream 0 failed [aac @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate [aac @ 0x61b000000080] Could not find codec parameters for stream 0 (Audio: aac (Main), 4.0, fltp, 198 kb/s): unspecified sample rate Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options Input #0, aac, from '/home/seviezhou/stack-overflow-output_configure-aacdec_template-539': Duration: 00:00:00.02, bitrate: 198 kb/s Stream #0:0: Audio: aac (Main), 4.0, fltp, 198 kb/s Stream mapping: Stream #0:0 -> #0:0 (aac (native) -> aac (native)) Press [q] to stop, [?] for help [aac @ 0x619000001e80] Error decoding AAC frame header. Error while decoding stream #0:0: Error number -50531338 occurred [aac @ 0x619000001e80] Gain control is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented. [aac @ 0x619000001e80] Sample rate index in program config element does not match the sample rate index configured by the container. ================================================================= ==66288==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeac79c4b4 at pc 0x0000027df271 bp 0x7ffeac79b770 sp 0x7ffeac79b768 READ of size 1 at 0x7ffeac79c4b4 thread T0 #0 0x27df270 in output_configure /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:539:24 #1 0x27ef51c in aac_decode_frame_int /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3312:23 #2 0x27d7843 in aac_decode_frame /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3457:15 #3 0x12659b8 in decode_simple_internal /home/seviezhou/ffmpeg/libavcodec/decode.c:342:15 #4 0x12659b8 in decode_simple_receive_frame /home/seviezhou/ffmpeg/libavcodec/decode.c:538 #5 0x12659b8 in decode_receive_frame_internal /home/seviezhou/ffmpeg/libavcodec/decode.c:556 #6 0x12652cd in avcodec_send_packet /home/seviezhou/ffmpeg/libavcodec/decode.c:614:15 #7 0x567e4e in decode /home/seviezhou/ffmpeg/fftools/ffmpeg.c:2217:15 #8 0x567e4e in decode_audio /home/seviezhou/ffmpeg/fftools/ffmpeg.c:2274 #9 0x567e4e in process_input_packet /home/seviezhou/ffmpeg/fftools/ffmpeg.c:2596 #10 0x560528 in process_input /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4493:5 #11 0x560528 in transcode_step /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4613 #12 0x560528 in transcode /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4667 #13 0x555f45 in main /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4872:9 #14 0x7fb163d6db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #15 0x41df49 in _start (/home/seviezhou/ffmpeg/ffmpeg_g+0x41df49) Address 0x7ffeac79c4b4 is located in stack of thread T0 at offset 1012 in frame #0 0x27ea7ef in aac_decode_frame_int /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3198 This frame has 7 object(s): [32, 288) 'buf.i.i' (line 2467) [352, 356) 'major.i.i' (line 2468) [368, 372) 'minor.i.i' (line 2468) [384, 404) 'hdr_info.i' (line 3065) [448, 640) 'layout_map.i' (line 3066) [704, 768) 'che_presence' (line 3206) [800, 992) 'layout_map' (line 3292) <== Memory access at offset 1012 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:539:24 in output_configure Shadow bytes around the buggy address: 0x1000558eb840: f2 f2 f2 f2 f8 f2 f8 f2 f8 f8 f8 f2 f2 f2 f2 f2 0x1000558eb850: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 0x1000558eb860: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 0x1000558eb870: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 0x1000558eb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1000558eb890: 00 00 00 00 f3 f3[f3]f3 f3 f3 f3 f3 00 00 00 00 0x1000558eb8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000558eb8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000558eb8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000558eb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000558eb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==66288==ABORTING
Attachments (1)
Change History (4)
by , 4 years ago
Attachment: | stack-overflow-output_configure-aacdec_template-539 added |
---|
comment:1 by , 4 years ago
Replying to seviezhou:
configuration: --disable-shared --enable-debug=3 --disable-ffplay --disable-ffprobe --disable-doc --disable-asm --cc=clang --cxx=clang++ --ld=clang --toolchain=clang-asan
As said: Please use ./configure --toolchain=clang-asan && make ffmpeg_g
instead to make your reports more readable. And maybe wait with opening more aac related reports until the ones you opened are fixed.
comment:2 by , 4 years ago
Use ./configure --toolchain=clang-asan && make ffmpeg_g
:
ffmpeg version N-98802-g01a580f141 Copyright (c) 2000-2020 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --toolchain=clang-asan libavutil 56. 58.100 / 56. 58.100 libavcodec 58.101.100 / 58.101.100 libavformat 58. 51.100 / 58. 51.100 libavdevice 58. 11.101 / 58. 11.101 libavfilter 7. 87.100 / 7. 87.100 libswscale 5. 8.100 / 5. 8.100 libswresample 3. 8.100 / 3. 8.100 [aac @ 0x61b000000080] Format aac detected only with low score of 1, misdetection possible! [aac @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS). [aac @ 0x619000000580] Error decoding AAC frame header. [aac @ 0x619000000580] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented. [aac @ 0x619000000580] Multiple frames in a packet. [aac @ 0x619000000580] channel element 3.6 is not allocated [aac @ 0x61b000000080] decoding for stream 0 failed [aac @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate [aac @ 0x61b000000080] Could not find codec parameters for stream 0 (Audio: aac (Main), 4.0, fltp, 198 kb/s): unspecified sample rate Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options Input #0, aac, from 'stack-overflow-output_configure-aacdec_template-539': Duration: 00:00:00.02, bitrate: 198 kb/s Stream #0:0: Audio: aac (Main), 4.0, fltp, 198 kb/s Stream mapping: Stream #0:0 -> #0:0 (aac (native) -> aac (native)) Press [q] to stop, [?] for help [aac @ 0x619000001e80] Error decoding AAC frame header. Error while decoding stream #0:0: Error number -50531338 occurred [aac @ 0x619000001e80] Gain control is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented. [aac @ 0x619000001e80] Sample rate index in program config element does not match the sample rate index configured by the container. ================================================================= ==30448==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffe9040e65 at pc 0x00000294ef91 bp 0x7fffe903fe10 sp 0x7fffe903fe08 READ of size 1 at 0x7fffe9040e65 thread T0 #0 0x294ef90 in output_configure /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:539:24 #1 0x295ee10 in aac_decode_frame_int /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3312:23 #2 0x2947523 in aac_decode_frame /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3457:15 #3 0x126db5c in decode_simple_internal /home/seviezhou/ffmpeg/libavcodec/decode.c:342:15 #4 0x126db5c in decode_simple_receive_frame /home/seviezhou/ffmpeg/libavcodec/decode.c:538 #5 0x126db5c in decode_receive_frame_internal /home/seviezhou/ffmpeg/libavcodec/decode.c:556 #6 0x126d46d in avcodec_send_packet /home/seviezhou/ffmpeg/libavcodec/decode.c:614:15 #7 0x567e4e in decode /home/seviezhou/ffmpeg/fftools/ffmpeg.c:2217:15 #8 0x567e4e in decode_audio /home/seviezhou/ffmpeg/fftools/ffmpeg.c:2274 #9 0x567e4e in process_input_packet /home/seviezhou/ffmpeg/fftools/ffmpeg.c:2596 #10 0x560528 in process_input /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4493:5 #11 0x560528 in transcode_step /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4613 #12 0x560528 in transcode /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4667 #13 0x555f45 in main /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4872:9 #14 0x7ffa992fbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #15 0x41df89 in _start (/home/seviezhou/ffmpeg/ffmpeg_g+0x41df89) Address 0x7fffe9040e65 is located in stack of thread T0 at offset 165 in frame #0 0x2946f3f in aac_decode_frame /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3409 This frame has 4 object(s): [32, 64) 'gb.i' (line 1113) [96, 128) 'gb' (line 3413) [160, 164) 'new_extradata_size' (line 3417) <== Memory access at offset 165 overflows this variable [176, 180) 'jp_dualmono_size' (line 3421) HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:539:24 in output_configure Shadow bytes around the buggy address: 0x10007d200170: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 0x10007d200180: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 0x10007d200190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007d2001a0: 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 0x10007d2001b0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 =>0x10007d2001c0: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2[04]f2 04 f3 0x10007d2001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007d2001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007d2001f0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x10007d200200: 04 f2 f8 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10007d200210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==30448==ABORTING
comment:3 by , 4 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Fixed by Jan Ekström in d6f293353c94c7ce200f6e0975ae3de49787f91f
Note:
See TracTickets
for help on using tickets.
stack-overflow-output_configure-aacdec_template-539