#9123 closed defect (fixed)

dss seek crash

Reported by: bird Owned by:
Priority: important Component: avformat
Version: git-master Keywords: dss crash
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
There is a segmentation fault when extracting frames from the video.
How to reproduce:

$ ./ffmpeg_g -ss 0 -i ./4 -s 320x240 -y -f image2 output.jpeg
ffmpeg version N-101261-g78d5e1c653 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --prefix=/home/bird/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/bird/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/bird/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/bird/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
  libavutil      56. 66.100 / 56. 66.100
  libavcodec     58.125.100 / 58.125.100
  libavformat    58. 68.100 / 58. 68.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.107.100 /  7.107.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
[dss @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate
AddressSanitizer:DEADLYSIGNAL
=================================================================
==16161==ERROR: AddressSanitizer: SEGV on unknown address 0x606f8e8e8f50 (pc 0x7f0a6ac75476 bp 0x7ffde5743fc0 sp 0x7ffde5743748 T0)
==16161==The signal is caused by a WRITE memory access.
    #0 0x7f0a6ac75475  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:410
    #1 0x4e1f2d in __asan_memcpy (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e1f2d)
    #2 0xdebec6 in avio_read /disk1/fuzzing/ffmpeg_latest/libavformat/aviobuf.c:673:13
    #3 0xe2e91a in dss_723_1_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:308:11
    #4 0xe2e91a in dss_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:323
    #5 0x1136aa1 in ff_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:823:15
    #6 0x113be26 in read_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1526:15
    #7 0x113b14c in av_read_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1730:17
    #8 0x1142e4a in seek_frame_generic /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2388:31
    #9 0x1142e4a in seek_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2461
    #10 0x1142e4a in av_seek_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2481
    #11 0x11439ff in avformat_seek_file /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2533:19
    #12 0x51dd2d in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1252:15
    #13 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
    #14 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
    #15 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
    #16 0x7f0a6abdbbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x423609 in _start (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x423609)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:410

Attachments (1)

4 (2.0 KB ) - added by bird 16 months ago.

Download all attachments as: .zip

Change History (4)

by bird, 16 months ago

Attachment: 4 added

comment:1 by Carl Eugen Hoyos, 16 months ago

Component: ffmpegavformat
Keywords: dss crash added
Priority: normalimportant
Reproduced by developer: set
Status: newopen
$ valgrind ffmpeg_g -ss 0 -i ./4 
==24733== Memcheck, a memory error detector
==24733== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==24733== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==24733== Command: ffmpeg_g -ss 0 -i ./4
==24733== 
ffmpeg version N-101291-gd3d99a0a06 Copyright (c) 2000-2021 the FFmpeg developers
  built with gcc 10 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      56. 66.100 / 56. 66.100
  libavcodec     58.125.100 / 58.125.100
  libavformat    58. 68.100 / 58. 68.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.107.100 /  7.107.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
[dss @ 0x5082540] Estimating duration from bitrate, this may be inaccurate
==24733== Invalid write of size 1
==24733==    at 0x483DEF3: memcpy@GLIBC_2.2.5 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24733==    by 0x720723: avio_read (aviobuf.c:673)
==24733==    by 0x7367EB: dss_723_1_read_packet (dss.c:308)
==24733==    by 0x7367EB: dss_read_packet (dss.c:323)
==24733==    by 0x833BE9: ff_read_packet (utils.c:823)
==24733==    by 0x834D7A: read_frame_internal (utils.c:1526)
==24733==    by 0x835C27: av_read_frame (utils.c:1730)
==24733==    by 0x83780C: seek_frame_generic (utils.c:2388)
==24733==    by 0x83780C: seek_frame_internal (utils.c:2461)
==24733==    by 0x83780C: av_seek_frame (utils.c:2481)
==24733==    by 0x8373F9: avformat_seek_file (utils.c:2533)
==24733==    by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==24733==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==24733==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==24733==    by 0x494C97: main (ffmpeg.c:4964)
==24733==  Address 0xffffffff9398d422 is not stack'd, malloc'd or (recently) free'd
==24733== 
==24733== 
==24733== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==24733==  Access not within mapped region at address 0xFFFFFFFF9398D422
==24733==    at 0x483DEF3: memcpy@GLIBC_2.2.5 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24733==    by 0x720723: avio_read (aviobuf.c:673)
==24733==    by 0x7367EB: dss_723_1_read_packet (dss.c:308)
==24733==    by 0x7367EB: dss_read_packet (dss.c:323)
==24733==    by 0x833BE9: ff_read_packet (utils.c:823)
==24733==    by 0x834D7A: read_frame_internal (utils.c:1526)
==24733==    by 0x835C27: av_read_frame (utils.c:1730)
==24733==    by 0x83780C: seek_frame_generic (utils.c:2388)
==24733==    by 0x83780C: seek_frame_internal (utils.c:2461)
==24733==    by 0x83780C: av_seek_frame (utils.c:2481)
==24733==    by 0x8373F9: avformat_seek_file (utils.c:2533)
==24733==    by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==24733==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==24733==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==24733==    by 0x494C97: main (ffmpeg.c:4964)
==24733==  If you believe this happened as a result of a stack
==24733==  overflow in your program's main thread (unlikely but
==24733==  possible), you can try to increase the size of the
==24733==  main thread stack using the --main-stacksize= flag.
==24733==  The main thread stack size used in this run was 8388608.
==24733== 
==24733== HEAP SUMMARY:
==24733==     in use at exit: 38,836 bytes in 40 blocks
==24733==   total heap usage: 257 allocs, 217 frees, 103,484 bytes allocated
==24733== 
==24733== LEAK SUMMARY:
==24733==    definitely lost: 0 bytes in 0 blocks
==24733==    indirectly lost: 0 bytes in 0 blocks
==24733==      possibly lost: 0 bytes in 0 blocks
==24733==    still reachable: 38,836 bytes in 40 blocks
==24733==         suppressed: 0 bytes in 0 blocks
==24733== Rerun with --leak-check=full to see details of leaked memory
==24733== 
==24733== For lists of detected and suppressed errors, rerun with: -s
==24733== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

comment:2 by Carl Eugen Hoyos, 16 months ago

Summary: segmentation fault when extracting frames from the videodss seek crash

Possible duplicate of ticket #9120

comment:3 by mkver, 15 months ago

Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.