[FFmpeg-trac] #5441(undetermined:new): rm: crash with fuzzed file
FFmpeg
trac at avcodec.org
Thu Apr 14 17:03:38 CEST 2016
#5441: rm: crash with fuzzed file
-------------------------------------+-------------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: new
Priority: normal | Component: undetermined
Version: unspecified | Keywords:
Blocked By: | Blocking:
Reproduced by developer: 0 | Analyzed by developer: 0
-------------------------------------+-------------------------------------
{{{
aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
==3232== Memcheck, a memory error detector
==3232== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3232== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==3232== Command: ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
==3232==
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
configuration: --disable-ffprobe --disable-ffserver --disable-ffplay
--enable-gpl
libavutil 55. 20.100 / 55. 20.100
libavcodec 57. 34.100 / 57. 34.100
libavformat 57. 34.100 / 57. 34.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 41.101 / 6. 41.101
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
==3232== Invalid read of size 4
==3232== at 0x8BAA83A: av_log (log.c:363)
==3232== by 0x83417FF: ff_get_extradata (utils.c:3129)
==3232== by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
==3232== by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
==3232== by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
==3232== by 0x82EC177: rm_read_header (rmdec.c:630)
==3232== by 0x8346DDC: avformat_open_input (utils.c:552)
==3232== by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
==3232== by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
==3232== by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==3232== by 0x80C87B9: main (ffmpeg.c:4321)
==3232== Address 0xe is not stack'd, malloc'd or (recently) free'd
==3232==
==3232==
==3232== Process terminating with default action of signal 11 (SIGSEGV)
==3232== Access not within mapped region at address 0xE
==3232== at 0x8BAA83A: av_log (log.c:363)
==3232== by 0x83417FF: ff_get_extradata (utils.c:3129)
==3232== by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
==3232== by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
==3232== by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
==3232== by 0x82EC177: rm_read_header (rmdec.c:630)
==3232== by 0x8346DDC: avformat_open_input (utils.c:552)
==3232== by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
==3232== by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
==3232== by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
==3232== by 0x80C87B9: main (ffmpeg.c:4321)
==3232== If you believe this happened as a result of a stack
==3232== overflow in your program's main thread (unlikely but
==3232== possible), you can try to increase the size of the
==3232== main thread stack using the --main-stacksize= flag.
==3232== The main thread stack size used in this run was 8388608.
==3232==
==3232== HEAP SUMMARY:
==3232== in use at exit: 37,902 bytes in 54 blocks
==3232== total heap usage: 83 allocs, 29 frees, 4,267,608 bytes allocated
==3232==
==3232== LEAK SUMMARY:
==3232== definitely lost: 0 bytes in 0 blocks
==3232== indirectly lost: 0 bytes in 0 blocks
==3232== possibly lost: 0 bytes in 0 blocks
==3232== still reachable: 37,902 bytes in 54 blocks
==3232== suppressed: 0 bytes in 0 blocks
==3232== Reachable blocks (those to which a pointer was found) are not shown.
==3232== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==3232==
==3232== For counts of detected and suppressed errors, rerun with: -v
==3232== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
}}}
{{{
(gdb) r -i lossless_32khz_stereo_fuzz.ra -f null -
Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
configuration: --disable-ffprobe --disable-ffserver --disable-ffplay
--enable-gpl
libavutil 55. 20.100 / 55. 20.100
libavcodec 57. 34.100 / 57. 34.100
libavformat 57. 34.100 / 57. 34.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 41.101 / 6. 41.101
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 0.101 / 2. 0.101
libpostproc 54. 0.100 / 54. 0.100
Program received signal SIGSEGV, Segmentation fault.
0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16,
fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n")
at libavutil/log.c:363
363 if (avc && avc->version >= (50 << 16 | 15 << 8 | 2) &&
(gdb) bt
#0 0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16,
fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n")
at libavutil/log.c:363
#1 0x08341800 in ff_get_extradata (par=0x9729200, pb=pb@entry=0x9730ae0,
size=size@entry=4194328) at libavformat/utils.c:3129
#2 0x082eba1e in rm_read_extradata (size=4194328, par=<optimized out>,
pb=0x9730ae0, s=0x9728200) at libavformat/rmdec.c:96
#3 ff_rm_read_mdpr_codecdata (s=s@entry=0x9728200, pb=0x9730ae0,
st=st@entry=0x9728aa0, rst=0x97296a0,
codec_data_size=codec_data_size@entry=4194328,
mime=mime@entry=0xbfffe73c "audio/x-ralf-mpeg4-generic")
at libavformat/rmdec.c:337
#4 0x082ec178 in ff_rm_read_mdpr_codecdata (
mime=0xbfffe73c "audio/x-ralf-mpeg4-generic", codec_data_size=4194328,
rst=<optimized out>, st=0x9728aa0, pb=<optimized out>, s=0x9728200)
at libavformat/rmdec.c:324
#5 rm_read_header (s=0x9728200) at libavformat/rmdec.c:630
#6 0x08346ddd in avformat_open_input (ps=ps@entry=0xbfffecac,
filename=filename@entry=0xbffff32b "lossless_32khz_stereo_fuzz.ra",
fmt=fmt@entry=0x0, options=0x97280ec) at libavformat/utils.c:552
#7 0x080d5f05 in open_input_file (o=o@entry=0xbfffed5c,
filename=<optimized out>) at ffmpeg_opt.c:949
#8 0x080da1cb in open_files (inout=0x8c60022 "input",
open_file=0x80d45e0 <open_input_file>, l=<optimized out>,
l=<optimized out>) at ffmpeg_opt.c:3003
#9 ffmpeg_parse_options (argc=argc@entry=6, argv=argv@entry=0xbffff124)
at ffmpeg_opt.c:3040
#10 0x080c87ba in main (argc=6, argv=0xbffff124) at ffmpeg.c:4321
(gdb)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5441>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker