[FFmpeg-trac] #2903(avcodec:open): png: invalid write

FFmpeg trac at avcodec.org
Fri Aug 30 02:56:34 CEST 2013


#2903: png: invalid write
-------------------------------------+-------------------------------------
             Reporter:  ami_stuff    |                    Owner:
                 Type:  defect       |                   Status:  open
             Priority:  important    |                Component:  avcodec
              Version:  git-master   |               Resolution:
             Keywords:  png          |               Blocked By:
  regression                         |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by cehoyos):

 * status:  new => open
 * reproduced:  0 => 1
 * component:  undetermined => avcodec
 * priority:  normal => important
 * version:  unspecified => git-master
 * keywords:   => png regression


Comment:

 Regression since dd1d29b
 {{{
 $ valgrind ffmpeg_g -threads 4 -i png_fuzz.mov -f null -
 ==26607== Memcheck, a memory error detector
 ==26607== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==26607== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==26607== Command: ffmpeg_g -threads 4 -i png_fuzz.mov -f null -
 ==26607==
 ffmpeg version N-55890-g259292f Copyright (c) 2000-2013 the FFmpeg developers
   built on Aug 30 2013 02:55:25 with gcc 4.7 (SUSE Linux)
   configuration: --disable-indev=jack --disable-asm --disable-optimizations
   libavutil      52. 42.100 / 52. 42.100
   libavcodec     55. 29.100 / 55. 29.100
   libavformat    55. 15.100 / 55. 15.100
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 82.102 /  3. 82.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
 Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'png_fuzz.mov':
   Metadata:
     major_brand     : qt
     minor_version   : 537199360
     compatible_brands: qt
     creation_time   : 2012-03-24 20:33:27
   Duration: 00:00:05.96, start: 0.000000, bitrate: 7021 kb/s
     Stream #0:0(eng): Video: png (png  / 0x20676E70), rgba, 189x127 [SAR 2834:2834 DAR 189:127], 7019 kb/s, 24 fps, 24 tbr, 1000k tbn, 1000k tbc (default)
     Metadata:
       creation_time   : 2012-03-24 20:33:27
       handler_name    : Procedura obsługi skrótów danych Apple
 Output #0, null, to 'pipe:':
   Metadata:
     major_brand     : qt
     minor_version   : 537199360
     compatible_brands: qt
     encoder         : Lavf55.15.100
     Stream #0:0(eng): Video: rawvideo (RGBA / 0x41424752), rgba, 189x127 [SAR 1:1 DAR 189:127], q=2-31, 200 kb/s, 90k tbn, 24 tbc (default)
     Metadata:
       creation_time   : 2012-03-24 20:33:27
       handler_name    : Procedura obsługi skrótów danych Apple
 Stream mapping:
   Stream #0:0 -> #0:0 (png -> rawvideo)
 Press [q] to stop, [?] for help
 [png @ 0x735aa50] inflate returned error -3
 [png @ 0x735bdf0] chunk too big
 [null @ 0x7282200] Encoder did not produce proper pts, making some up.
 Error while decoding stream #0:0: Invalid data found when processing input
 Error while decoding stream #0:0: Invalid data found when processing input
 [png @ 0x735bdf0] chunk too big
 [png @ 0x735d190] inflate returned error -3
 Error while decoding stream #0:0: Invalid data found when processing input
 [png @ 0x735aa50] inflate returned error -3
 [png @ 0x7359f30] inflate returned error -3
 [png @ 0x735d190] Missing png signature
 Error while decoding stream #0:0: Invalid data found when processing input
     Last message repeated 1 times
 Error while decoding stream #0:0: Invalid data found when processing input
 [png @ 0x735aa50] chunk too big
 [png @ 0x7359f30] inflate returned error -3
 [png @ 0x735bdf0] chunk too big
 Error while decoding stream #0:0: Invalid data found when processing input
 Error while decoding stream #0:0: Invalid data found when processing input
 [png @ 0x735d190] chunk too big
 Error while decoding stream #0:0: Invalid data found when processing input
     Last message repeated 1 times
 ==26607== Thread 12:
 ==26607== Invalid write of size 4
 ==26607==    at 0x4C2D4FF: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0xA58420: av_fast_padded_mallocz (utils.c:125)
 ==26607==    by 0x98BC4A: decode_frame (pngdec.c:672)
 ==26607==    by 0x99CDB0: frame_worker_thread (pthread.c:339)
 ==26607==    by 0x5D1AE0D: start_thread (in /lib64/libpthread-2.15.so)
 ==26607==  Address 0x74478d4 is 564 bytes inside a block of size 567 alloc'd
 ==26607==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0xD1FBFD: av_malloc (mem.c:93)
 ==26607==    by 0x98BC89: decode_frame (pngdec.c:677)
 ==26607==    by 0x99CDB0: frame_worker_thread (pthread.c:339)
 ==26607==    by 0x5D1AE0D: start_thread (in /lib64/libpthread-2.15.so)
 ==26607==
 ==26607== Invalid read of size 1
 ==26607==    at 0x9890C8: ff_add_png_paeth_prediction (pngdec.c:170)
 ==26607==    by 0x989B93: png_filter_row (pngdec.c:260)
 ==26607==    by 0x989DF0: png_handle_row (pngdec.c:297)
 ==26607==    by 0x98A35A: png_decode_idat (pngdec.c:381)
 ==26607==    by 0x98BD5C: decode_frame (pngdec.c:692)
 ==26607==    by 0x99CDB0: frame_worker_thread (pthread.c:339)
 ==26607==    by 0x5D1AE0D: start_thread (in /lib64/libpthread-2.15.so)
 ==26607==  Address 0x74478d7 is 0 bytes after a block of size 567 alloc'd
 ==26607==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0xD1FBFD: av_malloc (mem.c:93)
 ==26607==    by 0x98BC89: decode_frame (pngdec.c:677)
 ==26607==    by 0x99CDB0: frame_worker_thread (pthread.c:339)
 ==26607==    by 0x5D1AE0D: start_thread (in /lib64/libpthread-2.15.so)
 ==26607==
 ==26607== Invalid read of size 1
 ==26607==    at 0x9890E7: ff_add_png_paeth_prediction (pngdec.c:171)
 ==26607==    by 0x989B93: png_filter_row (pngdec.c:260)
 ==26607==    by 0x989DF0: png_handle_row (pngdec.c:297)
 ==26607==    by 0x98A35A: png_decode_idat (pngdec.c:381)
 ==26607==    by 0x98BD5C: decode_frame (pngdec.c:692)
 ==26607==    by 0x99CDB0: frame_worker_thread (pthread.c:339)
 ==26607==    by 0x5D1AE0D: start_thread (in /lib64/libpthread-2.15.so)
 ==26607==  Address 0x74478d7 is 0 bytes after a block of size 567 alloc'd
 ==26607==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==26607==    by 0xD1FBFD: av_malloc (mem.c:93)
 ==26607==    by 0x98BC89: decode_frame (pngdec.c:677)
 ==26607==    by 0x99CDB0: frame_worker_thread (pthread.c:339)
 ==26607==    by 0x5D1AE0D: start_thread (in /lib64/libpthread-2.15.so)
 ==26607==
     Last message repeated 2 times
 frame=  143 fps= 31 q=0.0 Lsize=N/A time=00:00:05.95 bitrate=N/A dup=11 drop=0
 video:13kB audio:0kB subtitle:0 global headers:0kB muxing overhead -100.160256%
 ==26607==
 ==26607== HEAP SUMMARY:
 ==26607==     in use at exit: 0 bytes in 0 blocks
 ==26607==   total heap usage: 6,033 allocs, 6,033 frees, 13,476,472 bytes allocated
 ==26607==
 ==26607== All heap blocks were freed -- no leaks are possible
 ==26607==
 ==26607== For counts of detected and suppressed errors, rerun with: -v
 ==26607== ERROR SUMMARY: 14058 errors from 3 contexts (suppressed: 2 from 2)
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2903#comment:5>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
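Editor's added example, not code from the ticket or from FFmpeg: a C model of the size-bookkeeping desync that produces a trace like the one above. Valgrind reports av_fast_padded_mallocz (pngdec.c:672) zeroing past the end of a 567-byte block that av_malloc allocated at pngdec.c:677, and the Paeth filter then reading one byte past that same block. A helper that decides whether to reuse a buffer from a size the caller tracks will do exactly that when the pointer has been swapped for a smaller allocation without the tracked size being updated. The padding constant, the 567-byte buffer size, the claimed size and the helper's internals are assumptions made for this model; the block is backed by a canary-filled region so the overrun is measured instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PADDING 16      /* assumed stand-in for FFmpeg's input padding constant */
#define GUARD   64      /* canary bytes placed after the "real" block */
#define CANARY  0xA5

struct padded_buf {
    uint8_t *data;
    unsigned size;      /* capacity the helper *believes* data has */
};

/* Zero min_size + PADDING bytes, reallocating only when the tracked size is
 * too small.  The reuse path trusts b->size; that trust is what an
 * "Invalid write ... inside a block of size 567" trace exercises.
 * Modelled on the helper named in the trace, written for this note. */
static int fast_padded_mallocz(struct padded_buf *b, unsigned min_size)
{
    unsigned want = min_size + PADDING;
    if (b->data && want <= b->size) {
        memset(b->data, 0, want);       /* overruns if b->size is stale */
        return 0;
    }
    free(b->data);
    b->data = calloc(1, want);
    b->size = b->data ? want : 0;
    return b->data ? 0 : -1;
}

/* Hardened attach: a foreign pointer always arrives with its real size, so
 * the helper never reuses a block on the strength of an old size. */
static void padded_buf_attach(struct padded_buf *b, uint8_t *ptr, unsigned real_size)
{
    free(b->data);
    b->data = ptr;
    b->size = real_size;
}

/* Count guard bytes behind a `real`-byte block that the helper zeroed. */
static unsigned count_clobbered(const uint8_t *backing, unsigned real)
{
    unsigned n = 0;
    for (unsigned i = real; i < real + GUARD; i++)
        n += backing[i] != CANARY;
    return n;
}

/* Run the helper on a block of `real` bytes whose tracked size says `claimed`
 * (claimed > real models a pointer swapped in without updating the size).
 * Returns the number of guard bytes clobbered; 0 means no overrun. */
static unsigned overrun_bytes(unsigned claimed, unsigned real, unsigned min_size)
{
    uint8_t *backing = malloc(real + GUARD);
    if (!backing) return 0;
    memset(backing, CANARY, real + GUARD);
    struct padded_buf b = { backing, claimed };
    if (fast_padded_mallocz(&b, min_size) < 0 || b.data != backing) {
        free(b.data);               /* helper reallocated: backing is already gone */
        return 0;
    }
    unsigned n = count_clobbered(backing, real);
    free(backing);
    return n;
}

/* Same experiment through padded_buf_attach(), so the size cannot go stale. */
static unsigned attached_overrun_bytes(unsigned real, unsigned min_size)
{
    uint8_t *backing = malloc(real + GUARD);
    if (!backing) return 0;
    memset(backing, CANARY, real + GUARD);
    struct padded_buf b = { NULL, 0 };
    padded_buf_attach(&b, backing, real);
    if (fast_padded_mallocz(&b, min_size) < 0 || b.data != backing) {
        free(b.data);
        return 0;
    }
    unsigned n = count_clobbered(backing, real);
    free(backing);
    return n;
}

/* Offset of the first 4-byte store that straddles the end of a `real`-byte
 * block.  Valgrind flags memset's word-sized stores, so a 567-byte block is
 * first reported at offset 564, the figure in the trace above. */
static unsigned first_bad_word_offset(unsigned real)
{
    return real & ~3u;
}
```

With the assumed numbers, a tracked size of 583 over a real 567-byte block lets the helper zero 16 bytes past the allocation, while the same request through padded_buf_attach() forces a reallocation and touches nothing outside the block. The practical check on a real trace is the one the Valgrind output already gives: when the write site and the allocation site are different calls in the same decoder, look for the place that stored the pointer without storing its size.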


More information about the FFmpeg-trac mailing list