[FFmpeg-trac] #123(FFplay:open): Fuzzed sample crashes ffplay

FFmpeg trac at avcodec.org
Tue Jun 7 02:27:26 CEST 2011 

#123: Fuzzed sample crashes ffplay
--------------------+----------------------
Reporter:  cehoyos  |       Owner:  michael
    Type:  defect   |      Status:  open
Priority:  normal   |   Component:  FFplay
 Version:  git      |  Resolution:
Keywords:           |  Blocked By:
Blocking:           |  Reproduced:  0
Analyzed:  0        |
--------------------+----------------------

Comment (by cehoyos):

 mplayer -vo sdl does not crash for me, but I was able to produce a
 backtrace with ffplay:
 {{{
 (gdb) r crash_pirateszz_2_s25_r003.fuzz.sample
 ffplay version git-N-30584-gd58ed64, Copyright (c) 2003-2011 the FFmpeg
 developers
   built on Jun  7 2011 01:57:06 with gcc 4.5.3
   configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc --enable-gpl
   libavutil    51.  6. 1 / 51.  6. 1
   libavcodec   53.  6. 1 / 53.  6. 1
   libavformat  53.  2. 0 / 53.  2. 0
   libavdevice  53.  1. 1 / 53.  1. 1
   libavfilter   2. 14. 0 /  2. 14. 0
   libswscale    0. 14. 1 /  0. 14. 1
   libpostproc  51.  2. 0 / 51.  2. 0

 ...

 [mpeg2video @ 0x13286c0] slice below image (57 >= 30)
 [mpeg2video @ 0x13286c0] ignoring pic cod ext after 0
 [mpeg2video @ 0x13286c0] slice below image (67 >= 30)
 [mpeg2video @ 0x13286c0] warning: first frame is no keyframe
 [mpeg2video @ 0x13286c0] slice mismatch
 [mpeg2video @ 0x13286c0] invalid mb type in P Frame at 51 2
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 3
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 5
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 8
 [mpeg2video @ 0x13286c0] ac-tex damaged at 14 9
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 16
 [mpeg2video @ 0x13286c0] ac-tex damaged at 1 18
 [mpeg2video @ 0x13286c0] ac-tex damaged at 0 20
 [mpeg2video @ 0x13286c0] slice below image (53 >= 30)
 [mpeg2video @ 0x13286c0] slice mismatch
 [mpeg2video @ 0x13286c0] slice below image (70 >= 30)
 [mpeg2video @ 0x13286c0] matrix damaged
 [mpeg2video @ 0x13286c0] sequence header damaged
 [mpeg2video @ 0x13286c0] Warning MVs not available
 [mpeg2video @ 0x13286c0] concealing 9030 DC, 9030 AC, 9030 MV errors
    3.19 A-V:  0.000 s:0.2 aq=    0KB vq=   69KB sq=    0B f=0/8
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7ffff43f4910 (LWP 8473)]
 0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
 (gdb) bt
 #0  0x00007ffff6ae4722 in memcpy () from /lib64/libc.so.6
 #1  0x0000000000970e6f in av_image_copy_plane (height=151, bytewidth=720,
 src_linesize=4816,
     src=<value optimized out>, dst_linesize=720, dst=<value optimized
 out>) at libavutil/imgutils.c:238
 #2  av_image_copy (height=151, bytewidth=720, src_linesize=4816,
 src=<value optimized out>,
     dst_linesize=720, dst=<value optimized out>) at
 libavutil/imgutils.c:271
 #3  0x000000000066b931 in av_picture_copy (dst=<value optimized out>,
 src=<value optimized out>,
     pix_fmt=<value optimized out>, width=<value optimized out>,
 height=<value optimized out>)
     at libavcodec/imgconvert.c:669
 #4  0x000000000040961b in queue_picture (pos=-1, pts1=3.7198833333333332,
 src_frame=0x1327840,
     is=0x7ffff4bf6040) at ffplay.c:1403
 #5  video_thread (pos=-1, pts1=3.7198833333333332, src_frame=0x1327840,
 is=0x7ffff4bf6040)
     at ffplay.c:1790
 #6  0x00007ffff766a3b5 in ?? () from /usr/lib64/libSDL-1.2.so.0
 #7  0x00007ffff76ad539 in ?? () from /usr/lib64/libSDL-1.2.so.0
 #8  0x00007ffff744065d in start_thread () from /lib64/libpthread.so.0
 #9  0x00007ffff6b35ecd in clone () from /lib64/libc.so.6
 #10 0x0000000000000000 in ?? ()
 (gdb) disass $pc-32 $pc+32
 Dump of assembler code from 0x7ffff6ae4702 to 0x7ffff6ae4742:
 0x00007ffff6ae4702 <memcpy+178>:        nopw   %cs:0x0(%rax,%rax,1)
 0x00007ffff6ae4710 <memcpy+192>:        cmp    $0x400,%rdx
 0x00007ffff6ae4717 <memcpy+199>:        ja     0x7ffff6ae4790 <memcpy+320>
 0x00007ffff6ae4719 <memcpy+201>:        mov    %edx,%ecx
 0x00007ffff6ae471b <memcpy+203>:        shr    $0x5,%ecx
 0x00007ffff6ae471e <memcpy+206>:        je     0x7ffff6ae4780 <memcpy+304>
 0x00007ffff6ae4720 <memcpy+208>:        dec    %ecx
 0x00007ffff6ae4722 <memcpy+210>:        mov    (%rsi),%rax
 0x00007ffff6ae4725 <memcpy+213>:        mov    0x8(%rsi),%r8
 0x00007ffff6ae4729 <memcpy+217>:        mov    0x10(%rsi),%r9
 0x00007ffff6ae472d <memcpy+221>:        mov    0x18(%rsi),%r10
 0x00007ffff6ae4731 <memcpy+225>:        mov    %rax,(%rdi)
 0x00007ffff6ae4734 <memcpy+228>:        mov    %r8,0x8(%rdi)
 0x00007ffff6ae4738 <memcpy+232>:        mov    %r9,0x10(%rdi)
 0x00007ffff6ae473c <memcpy+236>:        mov    %r10,0x18(%rdi)
 0x00007ffff6ae4740 <memcpy+240>:        lea    0x20(%rsi),%rsi
 End of assembler dump.
 (gdb) info register
 rax            0x7ffff1c00d50   140737249283408
 rbx            0x2d0    720
 rcx            0x15     21
 rdx            0x2d0    720
 rsi            0x7fffec1f3d90   140737154858384
 rdi            0x7ffff1c00d50   140737249283408
 rbp            0x96     0x96
 rsp            0x7ffff43f3e88   0x7ffff43f3e88
 r8             0x0      0
 r9             0x0      0
 r10            0x0      0
 r11            0x2d0    720
 r12            0x7fffec1f5060   140737154863200
 r13            0x7ffff1c01020   140737249284128
 r14            0x12d0   4816
 r15            0x2d0    720
 rip            0x7ffff6ae4722   0x7ffff6ae4722 <memcpy+210>
 eflags         0x10203  [ CF IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 fctrl          0x37f    895
 fstat          0x0      0
 ftag           0xffff   65535
 fiseg          0x0      0
 fioff          0x0      0
 foseg          0x0      0
 fooff          0x0      0
 fop            0x0      0
 mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
 }}}

-- 
Ticket URL: <https://avcodec.org/trac/ffmpeg/ticket/123#comment:2>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list