[FFmpeg-trac] #4299(avcodec:new): mpeg2: crash with fuzzed file
FFmpeg
trac at avcodec.org
Thu Feb 5 12:39:01 CET 2015
#4299: mpeg2: crash with fuzzed file
---------------------------------+--------------------------------------
Reporter: tholin | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+--------------------------------------
The attached file segfaults.
It will not segfault in valgrind or any program that links against ffmpeg.
It only segfaults with ffmpeg when -f null is used.
{{{
$ gdb --args ./ffmpeg -v 9 -loglevel 99 -i ~/fuzz/ffmpeg_mpeg2_crash.mpg -f null -
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -v 9 -loglevel 99 -i /home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg -f null -
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-69570-g7801a54 Copyright (c) 2000-2015 the FFmpeg
developers
built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
configuration: --prefix=/home/cocobo/repository/mpv-
build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-
gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-
optimizations --disable-stripping
libavutil 54. 18.100 / 54. 18.100
libavcodec 56. 21.102 / 56. 21.102
libavformat 56. 19.100 / 56. 19.100
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 9.103 / 5. 9.103
libavresample 2. 1. 0 / 2. 1. 0
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'/home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file
/home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg.
Successfully parsed a group of options.
Opening an input file: /home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg.
[mpegvideo @ 0x1e90140] Format mpegvideo probed with size=2048 and
score=51
[mpegvideo @ 0x1e90140] Before avformat_find_stream_info() pos: 0 bytes
read:64 seeks:0
[mpeg1video @ 0x1e90b60] frame_rate_index 0 is invalid
Last message repeated 1 times
[mpegvideo @ 0x1e90140] Estimating duration from bitrate, this may be
inaccurate
[mpegvideo @ 0x1e90140] After avformat_find_stream_info() pos: 64 bytes
read:64 seeks:0 frames:2
Input #0, mpegvideo, from '/home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg':
Duration: 00:00:00.00, bitrate: 19692 kb/s
Stream #0:0, 2, 1/1200000: Video: mpeg2video (Main), yuv420p(tv,
center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/24000, 19737 kb/s, 11.99
tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
detected 8 logical cores
[New Thread 0x7ffff4de9700 (LWP 24824)]
[New Thread 0x7ffff45e8700 (LWP 24825)]
[New Thread 0x7ffff3de7700 (LWP 24826)]
[New Thread 0x7ffff35e6700 (LWP 24827)]
[New Thread 0x7ffff2de5700 (LWP 24828)]
[New Thread 0x7ffff25e4700 (LWP 24829)]
[New Thread 0x7ffff1de3700 (LWP 24830)]
[New Thread 0x7ffff15e2700 (LWP 24831)]
[New Thread 0x7ffff0de1700 (LWP 24832)]
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'video_size' to value
'4099x12'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'time_base' to value
'1/1200000'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'pixel_aspect' to
value '64/12297'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'sws_param' to value
'flags=2'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'frame_rate' to value
'24000/2002'
[graph 0 input from stream 0:0 @ 0x1e85440] w:4099 h:12 pixfmt:yuv420p
tb:1/1200000 fr:24000/2002 sar:64/12297 sws_param:flags=2
[AVFilterGraph @ 0x1e85b60] query_formats: 3 queried, 2 merged, 0 already
done, 0 delayed
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf56.19.100
Stream #0:0, 0, 1001/12000: Video: rawvideo (I420 / 0x30323449),
yuv420p(center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/12000, q=2-31, 200
kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
Metadata:
encoder : Lavc56.21.102 rawvideo
Stream mapping:
Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[mpeg2video @ 0x1e912a0] frame_rate_index 0 is invalid
Last message repeated 1 times
[mpeg2video @ 0x1e912a0] Missing picture start code, guessing missing
values
[mpeg2video @ 0x1e912a0] Missing picture start code
[mpeg2video @ 0x1e912a0] warning: first frame is no keyframe
Program received signal SIGSEGV, Segmentation fault.
0x0000000001054171 in ff_put_pixels16_y2_sse2.loop ()
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
263         PUT_PIXELS8_Y2
(gdb) bt
#0  0x0000000001054171 in ff_put_pixels16_y2_sse2.loop ()
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
#1  0x0000000000af2657 in mpeg_motion_internal (mb_y=0, is_mpeg12=1, h=16, motion_y=1, motion_x=0,
    pix_op=0x1e94ae0, ref_picture=0x1e7c940, field_select=1, bottom_field=0, field_based=0,
    dest_cr=0x1e728e0 "", dest_cb=0x1e86980 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e93fc0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:357
#2  mpeg_motion (s=0x1e93fc0, dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, dest_cb=0x1e86980 "",
    dest_cr=0x1e728e0 "", field_select=1, ref_picture=0x1e7c940, pix_op=0x1e94ae0, motion_x=0, motion_y=1, h=16,
    mb_y=0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:379
#3  0x0000000000af8221 in mpv_motion_internal (is_mpeg12=1, qpix_op=0x0, pix_op=0x1e94ae0, ref_picture=0x1e7c940,
    dir=0, dest_cr=0x1e728e0 "", dest_cb=0x1e86980 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e93fc0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:951
#4  ff_mpv_motion (s=0x1e93fc0, dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, dest_cb=0x1e86980 "",
    dest_cr=0x1e728e0 "", dir=0, ref_picture=0x1e7c940, pix_op=0x1e94ae0, qpix_op=0x0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:981
#5  0x0000000000acfbb3 in mpv_decode_mb_internal (is_mpeg12=1, lowres_flag=0, block=0x1e7ffa0, s=0x1e93fc0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo.c:3153
#6  ff_mpv_decode_mb (s=0x1e93fc0, block=0x1e7ffa0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo.c:3287
#7  0x0000000000a821f3 in mpeg_decode_slice (s=0x1e93fc0, mb_y=1, buf=0x7fffffffcec8, buf_size=4)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpeg12dec.c:1879
#8  0x0000000000a84f49 in decode_chunks (avctx=0x1e912a0, picture=0x1e93460, got_output=0x7fffffffd208,
    buf=0x1ea8ef0 "", buf_size=37)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpeg12dec.c:2710
#9  0x0000000000a852ec in mpeg_decode_frame (avctx=0x1e912a0, data=0x1e93460, got_output=0x7fffffffd208,
    avpkt=0x7fffffffcfe0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpeg12dec.c:2787
#10 0x0000000000c29938 in avcodec_decode_video2 (avctx=0x1e912a0, picture=0x1e93460,
    got_picture_ptr=0x7fffffffd208, avpkt=0x7fffffffd2a0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/utils.c:2372
#11 0x0000000000424bc3 in decode_video (ist=0x1e910a0, pkt=0x7fffffffd2a0, got_output=0x7fffffffd208)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:1958
#12 0x0000000000425d29 in process_input_packet (ist=0x1e910a0, pkt=0x7fffffffd530)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:2206
#13 0x000000000042c5d6 in process_input (file_index=0)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3696
#14 0x000000000042c95f in transcode_step ()
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3790
#15 0x000000000042ca6f in transcode ()
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3842
#16 0x000000000042cf6b in main (argc=10, argv=0x7fffffffd998)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:4020
}}}
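The backtrace above ends in ff_put_pixels16_y2_sse2, reached from mpeg_motion_internal with h=16 and motion_y=1 on a stream whose declared size is 4099x12. The "_y2" kernels are half-pel vertical copies: each output row is the rounded average of two adjacent reference rows, so a 16-row block reads 17 reference rows, and the SIMD kernel itself performs no bounds check; the caller is responsible for keeping the read inside the (edge-padded) reference plane. The following is an added example, written for this page and not FFmpeg's code, that models that copy in plain C with the bounds check a caller would perform before dispatching to an unchecked kernel. The function names, the 16-pixel block width and the plane sizes are assumptions for illustration; the report does not establish whether this crash is an out-of-bounds read of the reference plane or an invalid reference pointer (the "first frame is no keyframe" and "Missing picture start code" warnings leave both open), so the example illustrates the check, not the diagnosis.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a half-pel vertical ("y2") block copy, not FFmpeg's kernel:
 * dst[y][x] = (ref[y][x] + ref[y+1][x] + 1) >> 1 for each of h rows.
 * Block width is fixed at 16 pixels, as in the 16-wide luma kernel. */
enum { BLOCK_W = 16 };

/* A y2 copy of h rows touches rows src_y .. src_y+h inclusive. */
int y2_rows_needed(int h) { return h + 1; }

/* Checked wrapper: returns 0 and fills dst on success, -1 if the read
 * would leave the reference plane. ref_h is the number of rows actually
 * backed by memory (the decoder's edge padding, if any, counts). */
int put_pixels16_y2_checked(uint8_t *dst, ptrdiff_t dst_stride,
                            const uint8_t *ref, ptrdiff_t ref_stride,
                            int ref_h, int src_y, int h)
{
    if (h <= 0 || src_y < 0 || src_y + y2_rows_needed(h) > ref_h)
        return -1;                      /* unchecked kernel must not run */
    for (int y = 0; y < h; y++) {
        const uint8_t *a = ref + (ptrdiff_t)(src_y + y) * ref_stride;
        const uint8_t *b = a + ref_stride;   /* row below, half-pel average */
        for (int x = 0; x < BLOCK_W; x++)
            dst[y * dst_stride + x] = (uint8_t)((a[x] + b[x] + 1) >> 1);
    }
    return 0;
}

/* Geometry from the ticket (assumption: an unpadded 12-row plane):
 * a 16-row block with a half-pel vertical vector needs 17 rows. */
int ticket_geometry_result(void)
{
    uint8_t ref[12 * BLOCK_W] = {0};
    uint8_t dst[16 * BLOCK_W];
    return put_pixels16_y2_checked(dst, BLOCK_W, ref, BLOCK_W, 12, 0, 16);
}

/* Same block against a plane padded to 32 rows (constructed input with
 * rows alternating 10 and 20): the copy is in bounds and dst[0] is the
 * rounded average (10 + 20 + 1) >> 1 = 15. Returns -1 if the check fails. */
int padded_geometry_pixel(void)
{
    uint8_t ref[32 * BLOCK_W];
    uint8_t dst[16 * BLOCK_W];
    for (int y = 0; y < 32; y++)
        memset(ref + y * BLOCK_W, (y & 1) ? 20 : 10, BLOCK_W);
    if (put_pixels16_y2_checked(dst, BLOCK_W, ref, BLOCK_W, 32, 0, 16))
        return -1;
    return dst[0];
}

int main(void)
{
    printf("rows read by a 16-row y2 copy: %d\n", y2_rows_needed(16));
    printf("12-row plane, 16-row block:    %s\n",
           ticket_geometry_result() ? "rejected" : "copied");
    printf("32-row plane, 16-row block:    dst[0] = %d\n",
           padded_geometry_pixel());
    return 0;
}
```

The check is deliberately placed in the caller rather than the kernel: SIMD copy routines of this kind are written without per-row checks for speed, so the invariant that the reference read stays inside the padded plane has to be established before the call, and a fuzzed header that produces an unusual picture geometry (here 4099x12, a height well below one 16-row macroblock) is exactly the input that exercises that invariant.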
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4299>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker