[FFmpeg-trac] #4162(avformat:new): matroska: deadlock with fuzzed file
FFmpeg
trac at avcodec.org
Fri Dec 5 23:30:13 CET 2014
#4162: matroska: deadlock with fuzzed file
----------------------------------+--------------------------------------
Reporter: tholin | Type: defect
Status: new | Priority: important
Component: avformat | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
----------------------------------+--------------------------------------
I found a deadlock with a fuzzed file.
{{{
$ gdb -args /home/cocobo/repository/mpv-build_fuzz/ffmpeg_build/ffmpeg -loglevel 99 -i hang.mkv
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_fuzz/ffmpeg_build/ffmpeg...done.
(gdb)
Starting program: /home/cocobo/repository/mpv-build_fuzz/ffmpeg_build/ffmpeg -loglevel 99 -i hang.mkv
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-68186-g8524558 Copyright (c) 2000-2014 the FFmpeg developers
built on Dec 5 2014 17:33:44 with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
configuration: --prefix=/home/cocobo/repository/mpv-build_fuzz/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
libavutil 54. 15.100 / 54. 15.100
libavcodec 56. 13.100 / 56. 13.100
libavformat 56. 15.102 / 56. 15.102
libavdevice 56. 3.100 / 56. 3.100
libavfilter 5. 2.103 / 5. 2.103
libavresample 2. 1. 0 / 2. 1. 0
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
Splitting the commandline.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'hang.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option loglevel (set logging level) with argument 99.
Successfully parsed a group of options.
Parsing a group of options: input file hang.mkv.
Successfully parsed a group of options.
Opening an input file: hang.mkv.
[matroska,webm @ 0x260eb60] Format matroska,webm probed with size=2048 and score=100
[matroska,webm @ 0x260eb60] Unknown entry 0x4D9B
Truncating packet of size 13500 to 1634
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x82
Truncating packet of size 216507 to 1617
[matroska,webm @ 0x260eb60] Unknown entry 0x82
Truncating packet of size 10309051 to 1602
[matroska,webm @ 0x260eb60] Unknown entry 0x86
Truncating packet of size 105507919 to 1572
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
[matroska,webm @ 0x260eb60] Unknown entry 0x6FAC
[matroska,webm @ 0x260eb60] Unknown entry 0x80
<repeats>
Program received signal SIGINT, Interrupt.
0x00007ffff56df550 in __write_nocancel () from /lib64/libc.so.6
(gdb) bt full
#0 0x00007ffff56df550 in __write_nocancel () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007ffff567a563 in _IO_file_write () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007ffff5679c23 in new_do_write () from /lib64/libc.so.6
No symbol table info available.
#3 0x00007ffff567ab76 in _IO_file_xsputn () from /lib64/libc.so.6
No symbol table info available.
#4 0x00007ffff566fc84 in fputs () from /lib64/libc.so.6
No symbol table info available.
#5 0x00000000011ddc47 in colored_fputs (level=4, tint=0,
str=0x7fffffffc544 "Unknown entry 0x6FAC\n")
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:179
local_use_color = 0
#6 0x00000000011de494 in av_log_default_callback (ptr=0x1e4db60,
level=32, fmt=0x1272cf3 "Unknown entry 0x%X\n",
vl=0x7fffffffcdb8) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavutil/log.c:333
print_prefix = 1
count = 0
prev = "[matroska,webm @ 0x1e4db60] Unknown entry
0x6FAC\n\000robed with size=2048 and score=100\n\000tatic --disable-shared
--enable-gpl --enable-avresample --enable-debug=gdb --disable-doc
--disable-optimizations --"...
part = {{str = 0x7fffffffb944 "", len = 0, size = 1004, size_max =
1004, reserved_internal_buffer = "",
reserved_padding =
"\000\000\000`\306\377\377\377\177\000\000\000\000\000\000\000\000\000\000t\272\377\377\377\177\000\000t\276\377\377\377\177\000\000t\302\377\377\377\177\000\000\300\317\377\377\377\177\000\000\000\317\377\377\377\177\000\000\360\271\377\377\377\177\000\000\217\337\035\001\000\000\000\000xC}\001\000\000\000\000`\272\377\377\377\177\000\000\350\316\377\377\377\177\000\000\340\251)\001\000\000\000\000\200\272\377\377\020",
'\000' <repeats 19 times>, "\223\333\035\001", '\000' <repeats 12 times>,
"`\306\377\377\377\177\000\000\000\000\000\000-\000\000\000\240\306\377\377\001\000\000\000p\316\377\377\377\177\000\000\270\344\035\001\000\000\000\000t\306\377\377\377\177\000\000#\234g\365\377"...},
{str = 0x7fffffffbd44 "[matroska,webm @ 0x1e4db60] ", len = 28, size =
1004,
size_max = 1004, reserved_internal_buffer = "[",
reserved_padding = "matroska,webm @ 0x1e4db60] ", '\000'
<repeats 16 times>,
"\200\276\377\377\377\177\000\000oYe\365\377\177\000\000\000\000\000\000\000\000\000\000(\000\000\000\060\000\000\000`\276\377\377\377\177\000\000\240\275\377\377\377\177\000\000\000\000\000\000\000\000\000\000\272Ze\365\377\177\000\000\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000\004\313\377\377\377\177\000\000\\M\336\367\377\177\000\000\367\273
\001\000\000\000\000\021\000\000\000\000\000\000\000Џ`\365\377\177\000\000\027\000\000\000\000\000\000\000\004\276\377\377\377\177\000\000\034\000\000\000\354\003\000\000\354\003\000\000[matroska,"...},
{str = 0x7fffffffc144 "", len = 0,
size = 1004, size_max = 1004, reserved_internal_buffer = "",
reserved_padding = "\177\000\000\200\206
\001\000\000\000\000\000\000\000\000\060", '\000' <repeats 11 times>,
"\340\325\377\377\377\177\000\000\223\333\035\001", '\000' <repeats 13
times>,
"\316\377\377\377\177\000\000\000\000\000\000)\000\000\000<\316\377\377\001\000\000\000\020\326\377\377\377\177\000\000\270\344\035\001\000\000\000\000\024\316\377\377\377\177\000\000\006\000\000\000\000\000\000\000\210\326\377\377\377\177\000\000\200\206
\001\000\000\000\000\020\000\000\000\060", '\000' <repeats 11 times>,
"\344\301\377\377\000\000\000\000\006\000\000\000\000\000\000\000\006\000\000\000\006\000\000\000\000\000\000\000\006\000\000\000\004\302\377\377\377\177\000\000\000\000\000\000\354\003\000\000\354\003\000\000\000\177\000\000\000\000\000\000\354"...},
{
str = 0x7fffffffc544 "Unknown entry 0x6FAC\n", len = 21, size
= 1004, size_max = 65536,
reserved_internal_buffer = "U",
reserved_padding = "nknown entry 0x6FAC\n", '\000' <repeats
119 times>,
"\344\305\377\377\377\177\000\000\000\000\000\000\354\003\000\000\354\003",
'\000' <repeats 14 times>,
"\004\306\377\377\377\177\000\000\023\000\000\000\024\000\000\000\000\000\001\000Unknown
e"...}}
line = "[matroska,webm @ 0x1e4db60] Unknown entry 0x6FAC\n",
'\000' <repeats 39 times>,
"\030<\377\364\377\177\000\000P\311\377\377\377\177\000\000\030<\377\364\377\177\000\000X\020\373\367\377\177\000\000\060\217\230\366\377\177\000\000
\341\377\367\377\177\000\000\000\000\003\000\003\000\000\000\030|
\000\000\000\000\000\214\062\377\364\377\177\000\000\344\311\377\377\377\177\000\000\000\000\000\000\354\003\000\000\354\003\000\000\000\000\000\000N\337^\000\000\000\000\000[matrosk"...
is_atty = 1
type = {16, 20}
tint = 0
#7 0x00000000011de629 in av_vlog (avcl=0x1e4db60, level=32, fmt=0x1272cf3
"Unknown entry 0x%X\n", vl=0x7fffffffcdb8)
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:360
log_callback = 0x11de130 <av_log_default_callback>
#8 0x00000000011de5e9 in av_log (avcl=0x1e4db60, level=32, fmt=0x1272cf3
"Unknown entry 0x%X\n")
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/libavutil/log.c:352
avc = 0x1285280 <av_format_context_class>
vl = {{gp_offset = 24, fp_offset = 48, overflow_arg_area =
0x7fffffffce90, reg_save_area = 0x7fffffffcdd0}}
#9 0x00000000005e4a1a in ebml_parse_id (matroska=0x1e4e1a0,
syntax=0x1272580 <matroska_seekhead_entry>, id=28588,
data=0x7ffff215a410) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:930
i = 2
#10 0x00000000005e4b00 in ebml_parse (matroska=0x1e4e1a0, syntax=0x1272580
<matroska_seekhead_entry>,
data=0x7ffff215a410) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:947
No locals.
#11 0x00000000005e4cf2 in ebml_parse_nest (matroska=0x1e4e1a0,
syntax=0x1272580 <matroska_seekhead_entry>,
data=0x7ffff215a410) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:976
i = 2
res = 0
#12 0x00000000005e4fff in ebml_parse_elem (matroska=0x1e4e1a0,
syntax=0x12725e0 <matroska_seekhead>,
data=0x7ffff215a410) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:1046
max_lengths = {0, 8, 8, 16777216, 16777216, 268435456, 0, 0, 0, 0}
pb = 0x1e4d360
id = 19899
length = 12
res = 0
newelem = 0x7fffee1ad010
#13 0x00000000005e4a66 in ebml_parse_id (matroska=0x1e4e1a0,
syntax=0x12725e0 <matroska_seekhead>, id=19899,
data=0x1e4e1a0) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:934
i = 0
#14 0x00000000005e4b00 in ebml_parse (matroska=0x1e4e1a0, syntax=0x12725e0
<matroska_seekhead>, data=0x1e4e1a0)
at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:947
No locals.
#15 0x00000000005e4cf2 in ebml_parse_nest (matroska=0x1e4e1a0,
syntax=0x12725e0 <matroska_seekhead>, data=0x1e4e1a0)
at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:976
i = 1
res = 0
#16 0x00000000005e4fff in ebml_parse_elem (matroska=0x1e4e1a0,
syntax=0x12726b0 <matroska_segment+144>,
data=0x1e4e1a0) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:1046
max_lengths = {0, 8, 8, 16777216, 16777216, 268435456, 0, 0, 0, 0}
pb = 0x1e4d360
id = 290298740
length = 60
res = 0
newelem = 0x1e4d360
#17 0x00000000005e4a66 in ebml_parse_id (matroska=0x1e4e1a0,
syntax=0x1272620 <matroska_segment>, id=290298740,
data=0x1e4e1a0) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:934
i = 6
#18 0x00000000005e4b00 in ebml_parse (matroska=0x1e4e1a0, syntax=0x1272620
<matroska_segment>, data=0x1e4e1a0)
at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:947
No locals.
#19 0x00000000005e6470 in matroska_parse_seekhead_entry
(matroska=0x1e4e1a0, idx=4173117)
at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:1394
seekhead_list = 0x1e4e340
level_up = 0
saved_id = 524531317
seekhead = 0x7fffee1ad010
before_pos = 1449
level = {start = 0, length = 18446744073709551615}
offset = 51
ret = 0
#20 0x00000000005e65e6 in matroska_execute_seekhead (matroska=0x1e4e1a0)
at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:1434
seekhead = 0x7fffee1ad010
seekhead_list = 0x1e4e340
before_pos = 1449
i = 4173117
#21 0x00000000005e8d3c in matroska_read_header (s=0x1e4db60)
at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/matroskadec.c:2055
matroska = 0x1e4e1a0
attachments_list = 0x1e4e300
chapters_list = 0x1e4e310
attachments = 0x0
chapters = 0x1e4d360
max_start = 0
pos = 1449
ebml = {version = 1, max_size = 8, id_length = 4, doctype = 0x0,
doctype_version = 2}
i = 0
j = -11496
res = 1
#22 0x00000000006c473e in avformat_open_input (ps=0x7fffffffd3a0,
filename=0x7fffffffde76 "hang.mkv", fmt=0x0,
options=0x1e45498) at /home/cocobo/repository/mpv-
build_fuzz/ffmpeg/libavformat/utils.c:463
s = 0x1e4db60
ret = 100
tmp = 0x1e4cd40
id3v2_extra_meta = 0x0
#23 0x0000000000410fab in open_input_file (o=0x7fffffffd480,
filename=0x7fffffffde76 "hang.mkv")
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg_opt.c:873
f = 0x0
ic = 0x1e4db60
file_iformat = 0x0
err = 0
i = 48
ret = 0
timestamp = 17179869184
opts = 0x120bc97
unused_opts = 0x0
e = 0x0
orig_nb_streams = 0
video_codec_name = 0x0
audio_codec_name = 0x0
subtitle_codec_name = 0x0
scan_all_pmts_set = 1
#24 0x00000000004190fb in open_files (l=0x1e3d0d8, inout=0x120bc97
"input", open_file=0x4108b3 <open_input_file>)
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg_opt.c:2699
g = 0x1e45470
o = {g = 0x1e45470, start_time = -9223372036854775808, format =
0x0, codec_names = 0x0, nb_codec_names = 0,
audio_channels = 0x0, nb_audio_channels = 0, audio_sample_rate =
0x0, nb_audio_sample_rate = 0,
frame_rates = 0x0, nb_frame_rates = 0, frame_sizes = 0x0,
nb_frame_sizes = 0, frame_pix_fmts = 0x0,
nb_frame_pix_fmts = 0, input_ts_offset = 0, rate_emu = 0,
accurate_seek = 1, ts_scale = 0x0,
nb_ts_scale = 0, dump_attachment = 0x0, nb_dump_attachment = 0,
hwaccels = 0x0, nb_hwaccels = 0,
hwaccel_devices = 0x0, nb_hwaccel_devices = 0, stream_maps =
0x0, nb_stream_maps = 0,
audio_channel_maps = 0x0, nb_audio_channel_maps = 0,
metadata_global_manual = 0,
metadata_streams_manual = 0, metadata_chapters_manual = 0,
attachments = 0x0, nb_attachments = 0,
chapters_input_file = 2147483647, recording_time =
9223372036854775807, stop_time = 9223372036854775807,
limit_filesize = 18446744073709551615, mux_preload = 0,
mux_max_delay = 0.699999988, shortest = 0,
video_disable = 0, audio_disable = 0, subtitle_disable = 0,
data_disable = 0, streamid_map = 0x0,
nb_streamid_map = 0, metadata = 0x0, nb_metadata = 0, max_frames
= 0x0, nb_max_frames = 0,
bitstream_filters = 0x0, nb_bitstream_filters = 0, codec_tags =
0x0, nb_codec_tags = 0, sample_fmts = 0x0,
nb_sample_fmts = 0, qscale = 0x0, nb_qscale = 0,
forced_key_frames = 0x0, nb_forced_key_frames = 0,
force_fps = 0x0, nb_force_fps = 0, frame_aspect_ratios = 0x0,
nb_frame_aspect_ratios = 0,
rc_overrides = 0x0, nb_rc_overrides = 0, intra_matrices = 0x0,
nb_intra_matrices = 0,
inter_matrices = 0x0, nb_inter_matrices = 0,
chroma_intra_matrices = 0x0, nb_chroma_intra_matrices = 0,
top_field_first = 0x0, nb_top_field_first = 0, metadata_map =
0x0, nb_metadata_map = 0, presets = 0x0,
nb_presets = 0, copy_initial_nonkeyframes = 0x0,
nb_copy_initial_nonkeyframes = 0, copy_prior_start = 0x0,
nb_copy_prior_start = 0, filters = 0x0, nb_filters = 0,
filter_scripts = 0x0, nb_filter_scripts = 0,
reinit_filters = 0x0, nb_reinit_filters = 0, fix_sub_duration =
0x0, nb_fix_sub_duration = 0,
canvas_sizes = 0x0, nb_canvas_sizes = 0, pass = 0x0, nb_pass =
0, passlogfiles = 0x0, nb_passlogfiles = 0,
guess_layout_max = 0x0, nb_guess_layout_max = 0, apad = 0x0,
nb_apad = 0, discard = 0x0, nb_discard = 0}
i = 0
ret = 0
#25 0x0000000000419288 in ffmpeg_parse_options (argc=5,
argv=0x7fffffffda18)
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg_opt.c:2736
octx = {global_opts = {group_def = 0x1209e10 <global_group>, arg =
0x12084fb "", opts = 0x1e3d090,
nb_opts = 1, codec_opts = 0x0, format_opts = 0x0,
resample_opts = 0x0, sws_opts = 0x0, swr_opts = 0x0},
groups = 0x1e3d0c0, nb_groups = 2, cur_group = {group_def = 0x0,
arg = 0x0, opts = 0x0, nb_opts = 0,
codec_opts = 0x0, format_opts = 0x0, resample_opts = 0x0,
sws_opts = 0x0, swr_opts = 0x0}}
error = "\000\000\000\000\000\000\000\000\002\213 \001", '\000'
<repeats 28 times>,
"\"\020m\000\000\000\000\000\000\331\377\377\377\177\000\000c\330A\000\000\000\000\000\002\213
\001\000\000\000\000\320\063L\001\001\000\000\000\000P\000\000\005\000\000\000\277\000\000\000\061\n\000\000\000\003\034\177\025\004\000\001\000\021\023\032\000\022\017\027\026",
'\000' <repeats 14 times>
ret = 0
#26 0x000000000042c797 in main (argc=5, argv=0x7fffffffda18)
at /home/cocobo/repository/mpv-build_fuzz/ffmpeg/ffmpeg.c:3919
ret = 32767
ti = 0
}}}
The endless loop is the loop in matroska_execute_seekhead, and it's endless because the seekhead_list->nb_elem value keeps increasing at the same rate as the loop variable.

I gave up trying to figure out why because the matroska format is a bit too complex for me...
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4162>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
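The loop the reporter points at (matroska_execute_seekhead walking seekhead_list while matroska_parse_seekhead_entry seeks to each entry and parses what it finds there) is a general parser hazard: a list that is iterated by index while the body, driven by file-controlled offsets, appends to the same list. Note that the backtrace shows the process busy in fputs/__write_nocancel emitting "Unknown entry" log lines, i.e. a runaway loop rather than a blocked lock. The following is an added, self-contained model of that loop and of one way to bound it; it is not FFmpeg's code. Everything in it is constructed: the in-memory "file" layout (a SeekHead at offset 1500 whose entry points to another SeekHead at 1600, which points back to 1500; an Info element at 1700 for the benign case), the element ids (which are the real EBML ids, used only as labels), the cap MAX_SEEKHEAD_ENTRIES, and the assumption that the walker already skips entries at or before the offset where the walk started (the before_pos value seen in the trace), which on its own cannot stop a forward-pointing cycle.

```c
/* Added model of the SeekHead walk from ticket #4162; not FFmpeg code.
 * The "file", ids, cap and helper names below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ID_SEEKHEAD 0x114D9B74u   /* EBML ids used only as labels here */
#define ID_INFO     0x1549A966u
#define MAX_SEEKHEAD_ENTRIES 100  /* assumed cap, not an FFmpeg constant */

/* One top-level element of the constructed file: where it is, what it is,
 * and (for a SeekHead) the single offset its entry points at. */
typedef struct { int64_t pos; uint32_t id; int64_t target; } Elem;

/* Constructed layout: 1500 -> 1600 -> 1500 is a forward-pointing cycle. */
static const Elem file[] = {
    { 1500, ID_SEEKHEAD, 1600 },
    { 1600, ID_SEEKHEAD, 1500 },
    { 1700, ID_INFO,     0    },
};

/* The list being walked; a real entry also carries the element id. */
typedef struct { int64_t pos; } SeekEntry;
typedef struct { SeekEntry *elem; int nb_elem; } SeekList;

static int seeklist_push(SeekList *l, int64_t pos)
{
    SeekEntry *e = realloc(l->elem, (size_t)(l->nb_elem + 1) * sizeof *e);
    if (!e) return -1;
    l->elem = e;
    l->elem[l->nb_elem++].pos = pos;
    return 0;
}

/* Model of "seek to pos and parse the element there": a SeekHead found at
 * pos appends its entry to the very list the caller is iterating. */
static int parse_seekhead_entry(SeekList *l, int64_t pos)
{
    for (size_t i = 0; i < sizeof file / sizeof file[0]; i++) {
        if (file[i].pos != pos) continue;
        if (file[i].id == ID_SEEKHEAD)
            return seeklist_push(l, file[i].target);
        return 0;                    /* Info etc.: parsed, adds nothing */
    }
    return -1;                       /* nothing at that offset */
}

/* Walk as the ticket describes: the bound nb_elem is re-read every pass and
 * the body may grow it. max_iter is an emergency brake so the demo returns;
 * -1 means "would never terminate". */
static int naive_execute_seekhead(SeekList *l, int64_t before_pos, int max_iter)
{
    int processed = 0;
    for (int i = 0; i < l->nb_elem; i++) {
        if (processed >= max_iter) return -1;
        if (l->elem[i].pos <= before_pos) continue;  /* assumed backwards guard */
        if (parse_seekhead_entry(l, l->elem[i].pos) < 0) break;
        processed++;
    }
    return processed;
}

/* Hardened walk: never parse the same offset twice (breaks cycles) and refuse
 * files that would make the list grow past a fixed cap (bounds total work).
 * Returns entries processed, or -1 to let the caller mark the index broken. */
static int safe_execute_seekhead(SeekList *l, int64_t before_pos)
{
    int64_t visited[MAX_SEEKHEAD_ENTRIES];
    int nvisited = 0, processed = 0;
    for (int i = 0; i < l->nb_elem; i++) {
        int64_t pos = l->elem[i].pos;
        if (pos <= before_pos) continue;
        int seen = 0;
        for (int j = 0; j < nvisited && !seen; j++) seen = (visited[j] == pos);
        if (seen) continue;
        if (nvisited >= MAX_SEEKHEAD_ENTRIES) return -1;
        visited[nvisited++] = pos;
        if (parse_seekhead_entry(l, pos) < 0) break;
        processed++;
    }
    return processed;
}

/* Build a list holding one entry (the segment-level SeekHead's entry), run a
 * walker from before_pos = 1449 as in the trace, free it, return the result. */
static int demo_naive(int64_t first_pos)
{
    SeekList l = { NULL, 0 };
    seeklist_push(&l, first_pos);
    int r = naive_execute_seekhead(&l, 1449, 1000);
    free(l.elem);
    return r;
}

static int demo_safe(int64_t first_pos)
{
    SeekList l = { NULL, 0 };
    seeklist_push(&l, first_pos);
    int r = safe_execute_seekhead(&l, 1449);
    free(l.elem);
    return r;
}

int main(void)
{
    printf("cyclic file: naive=%d safe=%d\n", demo_naive(1500), demo_safe(1500));
    printf("benign file: naive=%d safe=%d\n", demo_naive(1700), demo_safe(1700));
    return 0;
}
```

On the cyclic layout the naive walker never reaches nb_elem (the brake reports -1), while the hardened one parses offsets 1500 and 1600 once each and stops; on the benign layout both process the single entry. A visited set alone is enough for pure cycles; the cap is what protects against a file that supplies an ever-growing chain of distinct forward offsets.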