[FFmpeg-trac] #5441(undetermined:new): rm: crash with fuzzed file

FFmpeg trac at avcodec.org
Thu Apr 14 17:03:38 CEST 2016


#5441: rm: crash with fuzzed file
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 aaa@aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
 ==3232== Memcheck, a memory error detector
 ==3232== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==3232== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
 ==3232== Command: ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
 ==3232==
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
   configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
   libavutil      55. 20.100 / 55. 20.100
   libavcodec     57. 34.100 / 57. 34.100
   libavformat    57. 34.100 / 57. 34.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 41.101 /  6. 41.101
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100
 ==3232== Invalid read of size 4
 ==3232==    at 0x8BAA83A: av_log (log.c:363)
 ==3232==    by 0x83417FF: ff_get_extradata (utils.c:3129)
 ==3232==    by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
 ==3232==    by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
 ==3232==    by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
 ==3232==    by 0x82EC177: rm_read_header (rmdec.c:630)
 ==3232==    by 0x8346DDC: avformat_open_input (utils.c:552)
 ==3232==    by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
 ==3232==    by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
 ==3232==    by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
 ==3232==    by 0x80C87B9: main (ffmpeg.c:4321)
 ==3232==  Address 0xe is not stack'd, malloc'd or (recently) free'd
 ==3232==
 ==3232==
 ==3232== Process terminating with default action of signal 11 (SIGSEGV)
 ==3232==  Access not within mapped region at address 0xE
 ==3232==    at 0x8BAA83A: av_log (log.c:363)
 ==3232==    by 0x83417FF: ff_get_extradata (utils.c:3129)
 ==3232==    by 0x82EBA1D: rm_read_extradata (rmdec.c:96)
 ==3232==    by 0x82EBA1D: ff_rm_read_mdpr_codecdata.part.4 (rmdec.c:337)
 ==3232==    by 0x82EC177: ff_rm_read_mdpr_codecdata (rmdec.c:324)
 ==3232==    by 0x82EC177: rm_read_header (rmdec.c:630)
 ==3232==    by 0x8346DDC: avformat_open_input (utils.c:552)
 ==3232==    by 0x80D5F04: open_input_file (ffmpeg_opt.c:949)
 ==3232==    by 0x80DA1CA: open_files (ffmpeg_opt.c:3003)
 ==3232==    by 0x80DA1CA: ffmpeg_parse_options (ffmpeg_opt.c:3040)
 ==3232==    by 0x80C87B9: main (ffmpeg.c:4321)
 ==3232==  If you believe this happened as a result of a stack
 ==3232==  overflow in your program's main thread (unlikely but
 ==3232==  possible), you can try to increase the size of the
 ==3232==  main thread stack using the --main-stacksize= flag.
 ==3232==  The main thread stack size used in this run was 8388608.
 ==3232==
 ==3232== HEAP SUMMARY:
 ==3232==     in use at exit: 37,902 bytes in 54 blocks
 ==3232==   total heap usage: 83 allocs, 29 frees, 4,267,608 bytes allocated
 ==3232==
 ==3232== LEAK SUMMARY:
 ==3232==    definitely lost: 0 bytes in 0 blocks
 ==3232==    indirectly lost: 0 bytes in 0 blocks
 ==3232==      possibly lost: 0 bytes in 0 blocks
 ==3232==    still reachable: 37,902 bytes in 54 blocks
 ==3232==         suppressed: 0 bytes in 0 blocks
 ==3232== Reachable blocks (those to which a pointer was found) are not shown.
 ==3232== To see them, rerun with: --leak-check=full --show-leak-kinds=all
 ==3232==
 ==3232== For counts of detected and suppressed errors, rerun with: -v
 ==3232== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
 Segmentation fault
 }}}

 {{{
 (gdb) r -i lossless_32khz_stereo_fuzz.ra -f null -
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -i lossless_32khz_stereo_fuzz.ra -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
   configuration: --disable-ffprobe --disable-ffserver --disable-ffplay --enable-gpl
   libavutil      55. 20.100 / 55. 20.100
   libavcodec     57. 34.100 / 57. 34.100
   libavformat    57. 34.100 / 57. 34.100
   libavdevice    57.  0.101 / 57.  0.101
   libavfilter     6. 41.101 /  6. 41.101
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  0.101 /  2.  0.101
   libpostproc    54.  0.100 / 54.  0.100

 Program received signal SIGSEGV, Segmentation fault.
 0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16,
     fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n")
     at libavutil/log.c:363
 363         if (avc && avc->version >= (50 << 16 | 15 << 8 | 2) &&
 (gdb) bt
 #0  0x08baa83a in av_log (avcl=avcl@entry=0x9729200, level=level@entry=16,
     fmt=fmt@entry=0x8c662b4 "Failed to read extradata of size %d\n")
     at libavutil/log.c:363
 #1  0x08341800 in ff_get_extradata (par=0x9729200, pb=pb@entry=0x9730ae0,
     size=size@entry=4194328) at libavformat/utils.c:3129
 #2  0x082eba1e in rm_read_extradata (size=4194328, par=<optimized out>,
     pb=0x9730ae0, s=0x9728200) at libavformat/rmdec.c:96
 #3  ff_rm_read_mdpr_codecdata (s=s@entry=0x9728200, pb=0x9730ae0,
     st=st@entry=0x9728aa0, rst=0x97296a0,
     codec_data_size=codec_data_size@entry=4194328,
     mime=mime@entry=0xbfffe73c "audio/x-ralf-mpeg4-generic")
     at libavformat/rmdec.c:337
 #4  0x082ec178 in ff_rm_read_mdpr_codecdata (
     mime=0xbfffe73c "audio/x-ralf-mpeg4-generic", codec_data_size=4194328,
     rst=<optimized out>, st=0x9728aa0, pb=<optimized out>, s=0x9728200)
     at libavformat/rmdec.c:324
 #5  rm_read_header (s=0x9728200) at libavformat/rmdec.c:630
 #6  0x08346ddd in avformat_open_input (ps=ps@entry=0xbfffecac,
     filename=filename@entry=0xbffff32b "lossless_32khz_stereo_fuzz.ra",
     fmt=fmt@entry=0x0, options=0x97280ec) at libavformat/utils.c:552
 #7  0x080d5f05 in open_input_file (o=o@entry=0xbfffed5c,
     filename=<optimized out>) at ffmpeg_opt.c:949
 #8  0x080da1cb in open_files (inout=0x8c60022 "input",
     open_file=0x80d45e0 <open_input_file>, l=<optimized out>,
     l=<optimized out>) at ffmpeg_opt.c:3003
 #9  ffmpeg_parse_options (argc=argc@entry=6, argv=argv@entry=0xbffff124)
     at ffmpeg_opt.c:3040
 #10 0x080c87ba in main (argc=6, argv=0xbffff124) at ffmpeg.c:4321
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5441>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker