[FFmpeg-trac] #5778(undetermined:new): mov: crash with fuzzed file

FFmpeg trac at avcodec.org
Sun Aug 14 15:05:05 EEST 2016


#5778: mov: crash with fuzzed file
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 (gdb) r -max_alloc 100000000 -i f/h264_fuzz.m4v
 Starting program: /media/sdb1/ffmpeg/ffmpeg_g -max_alloc 100000000 -i f/h264_fuzz.m4v
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 28.100 / 55. 28.100
   libavcodec     57. 51.102 / 57. 51.102
   libavformat    57. 46.101 / 57. 46.101
   libavdevice    57.  0.102 / 57.  0.102
   libavfilter     6. 51.100 /  6. 51.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  1.100 /  2.  1.100
   libpostproc    54.  0.100 / 54.  0.100
 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x9883160] error reading header

 Program received signal SIGSEGV, Segmentation fault.
 0x08277269 in mov_read_close (s=0x9883160) at libavformat/mov.c:4834
 4834                av_free(sc->extradata[j]);
 (gdb) bt
 #0  0x08277269 in mov_read_close (s=0x9883160) at libavformat/mov.c:4834
 #1  0x0827a5a2 in mov_read_header (s=0x9883160) at libavformat/mov.c:5038
 #2  0x08331634 in avformat_open_input (ps=0xbfffe88c,
     filename=0xbffff343 "f/h264_fuzz.m4v", fmt=0x0, options=0x98830fc)
     at libavformat/utils.c:555
 #3  0x080cbc54 in open_input_file (o=o at entry=0xbfffe994,
     filename=<optimized out>) at ffmpeg_opt.c:982
 #4  0x080cd807 in open_files (l=0x988302c, l=0x988302c,
     open_file=0x80ca380 <open_input_file>, inout=0x8c8f8a2 "input")
     at ffmpeg_opt.c:3069
 #5  ffmpeg_parse_options (argc=5, argv=0xbffff124) at ffmpeg_opt.c:3106
 #6  0x080bd36d in main (argc=5, argv=0xbffff124) at ffmpeg.c:4325
 (gdb)
 }}}

 {{{
 aaa at aaa-VirtualBox /media/sdb1 $ valgrind --leak-check=full ffmpeg/ffmpeg_g -max_alloc 100000000 -i f/h264_fuzz.m4v
 ==10645== Memcheck, a memory error detector
 ==10645== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==10645== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
 ==10645== Command: ffmpeg/ffmpeg_g -max_alloc 100000000 -i f/h264_fuzz.m4v
 ==10645==
 ffmpeg version 3.0.git Copyright (c) 2000-2016 the FFmpeg developers
   built with gcc 5.3.0 (Ubuntu 5.3.0-3ubuntu1~14.04) 20151204
   configuration: --disable-ffprobe --disable-ffserver --enable-gpl
   libavutil      55. 28.100 / 55. 28.100
   libavcodec     57. 51.102 / 57. 51.102
   libavformat    57. 46.101 / 57. 46.101
   libavdevice    57.  0.102 / 57.  0.102
   libavfilter     6. 51.100 /  6. 51.100
   libswscale      4.  1.100 /  4.  1.100
   libswresample   2.  1.100 /  2.  1.100
   libpostproc    54.  0.100 / 54.  0.100
 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x42bd340] error reading header
 ==10645== Invalid read of size 4
 ==10645==    at 0x8277269: mov_read_close (mov.c:4834)
 ==10645==    by 0x827A5A1: mov_read_header (mov.c:5038)
 ==10645==    by 0x8331633: avformat_open_input (utils.c:555)
 ==10645==    by 0x80CBC53: open_input_file (ffmpeg_opt.c:982)
 ==10645==    by 0x80CD806: open_files (ffmpeg_opt.c:3069)
 ==10645==    by 0x80CD806: ffmpeg_parse_options (ffmpeg_opt.c:3106)
 ==10645==    by 0x80BD36C: main (ffmpeg.c:4325)
 ==10645==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 ==10645==
 ==10645==
 ==10645== Process terminating with default action of signal 11 (SIGSEGV)
 ==10645==  Access not within mapped region at address 0x0
 ==10645==    at 0x8277269: mov_read_close (mov.c:4834)
 ==10645==    by 0x827A5A1: mov_read_header (mov.c:5038)
 ==10645==    by 0x8331633: avformat_open_input (utils.c:555)
 ==10645==    by 0x80CBC53: open_input_file (ffmpeg_opt.c:982)
 ==10645==    by 0x80CD806: open_files (ffmpeg_opt.c:3069)
 ==10645==    by 0x80CD806: ffmpeg_parse_options (ffmpeg_opt.c:3106)
 ==10645==    by 0x80BD36C: main (ffmpeg.c:4325)
 ==10645==  If you believe this happened as a result of a stack
 ==10645==  overflow in your program's main thread (unlikely but
 ==10645==  possible), you can try to increase the size of the
 ==10645==  main thread stack using the --main-stacksize= flag.
 ==10645==  The main thread stack size used in this run was 8388608.
 ==10645==
 ==10645== HEAP SUMMARY:
 ==10645==     in use at exit: 56,850 bytes in 77 blocks
 ==10645==   total heap usage: 145 allocs, 68 frees, 99,821 bytes allocated
 ==10645==
 ==10645== LEAK SUMMARY:
 ==10645==    definitely lost: 0 bytes in 0 blocks
 ==10645==    indirectly lost: 0 bytes in 0 blocks
 ==10645==      possibly lost: 0 bytes in 0 blocks
 ==10645==    still reachable: 56,850 bytes in 77 blocks
 ==10645==         suppressed: 0 bytes in 0 blocks
 ==10645== Reachable blocks (those to which a pointer was found) are not shown.
 ==10645== To see them, rerun with: --leak-check=full --show-leak-kinds=all
 ==10645==
 ==10645== For counts of detected and suppressed errors, rerun with: -v
 ==10645== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
 Segmentation fault
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5778>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
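The two traces above agree on the shape of the fault: mov_read_header fails with "error reading header", the cleanup path mov_read_close then runs, and at mov.c:4834 the expression sc->extradata[j] performs a 4-byte read at address 0x0. That is what a cleanup loop looks like when its bound (the number of sample-description entries) was already set but the array it indexes was never allocated because the header reader bailed out early. The page does not show which mov.c path left the context in that state, so the program below is an added example, not FFmpeg's code: it reproduces the pattern on a constructed toy header format and shows the check the close routine needs. stream_ctx, demux_ctx, parse_header, read_close_naive, read_close_hardened, open_and_close, last_parse_rc and the SAMPLE_* buffers are all hypothetical names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-stream context, modelled only on the field name visible in
 * the backtrace (sc->extradata[j]); it is not FFmpeg's MOVStreamContext. */
typedef struct {
    uint8_t **extradata;  /* stsd_count buffers, or NULL if never allocated */
    int       stsd_count; /* loop bound the cleanup code trusts */
} stream_ctx;

typedef struct {
    stream_ctx *streams;
    int         nb_streams;
} demux_ctx;

/* Constructed toy header (not MP4/MOV): [nb_streams][stsd_count per stream]
 * then, per stream and per entry, [size][size bytes of extradata].
 * Returns -1 on truncation the way a demuxer bails out on a fuzzed file:
 * whatever was set up before the error stays set up, the rest is zero. */
static int parse_header(demux_ctx *s, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    if (len < 1) return -1;
    s->nb_streams = buf[pos++];
    s->streams = calloc((size_t)s->nb_streams, sizeof(*s->streams));
    if (!s->streams && s->nb_streams) return -1;
    /* Counts come first, so a stream can have stsd_count > 0 ... */
    for (int i = 0; i < s->nb_streams; i++) {
        if (pos >= len) return -1;
        s->streams[i].stsd_count = buf[pos++];
    }
    /* ... while its extradata array, allocated only here, is still NULL. */
    for (int i = 0; i < s->nb_streams; i++) {
        stream_ctx *sc = &s->streams[i];
        sc->extradata = calloc((size_t)sc->stsd_count, sizeof(*sc->extradata));
        if (!sc->extradata && sc->stsd_count) return -1;
        for (int j = 0; j < sc->stsd_count; j++) {
            if (pos >= len) return -1;
            size_t sz = buf[pos++];
            if (pos + sz > len) return -1;
            sc->extradata[j] = malloc(sz ? sz : 1);
            if (!sc->extradata[j]) return -1;
            memcpy(sc->extradata[j], buf + pos, sz);
            pos += sz;
        }
    }
    return 0;
}

/* Cleanup with the shape of the crashing frame: it indexes sc->extradata for
 * stsd_count entries without checking that the array exists. On a context left
 * by a failed parse_header() that is a read through a NULL pointer, the
 * "Address 0x0" Valgrind reports. Only called after a successful parse here. */
static void read_close_naive(demux_ctx *s)
{
    for (int i = 0; i < s->nb_streams; i++) {
        stream_ctx *sc = &s->streams[i];
        for (int j = 0; j < sc->stsd_count; j++)
            free(sc->extradata[j]);   /* sc->extradata itself may be NULL */
        free(sc->extradata);
    }
    free(s->streams);
}

/* Hardened cleanup: every state a failed parse can leave behind is valid
 * input, and freed fields are reset so a second close is a no-op.
 * Returns the number of extradata buffers actually released. */
static int read_close_hardened(demux_ctx *s)
{
    int freed = 0;
    for (int i = 0; s->streams && i < s->nb_streams; i++) {
        stream_ctx *sc = &s->streams[i];
        if (sc->extradata) {              /* the check the naive loop lacks */
            for (int j = 0; j < sc->stsd_count; j++) {
                if (sc->extradata[j]) freed++;
                free(sc->extradata[j]);   /* free(NULL) is defined */
            }
            free(sc->extradata);
            sc->extradata = NULL;
        }
        sc->stsd_count = 0;
    }
    free(s->streams);
    s->streams = NULL;
    s->nb_streams = 0;
    return freed;
}

/* Constructed sample inputs: one complete header and two truncated ones. */
static const uint8_t SAMPLE_COMPLETE[]   = {2, 1, 2, 3, 'a', 'b', 'c', 0, 1, 'x'};
static const uint8_t SAMPLE_NULL_ARRAY[] = {2, 1, 2, 3, 'a'}; /* stream 1: count 2, array NULL */
static const uint8_t SAMPLE_NO_COUNTS[]  = {2, 1};            /* stream 0: count 1, array NULL */

static int last_parse_rc; /* result of the most recent parse_header() call */

/* Parse, then close twice with the hardened routine; returns buffers freed. */
static int open_and_close(const uint8_t *buf, size_t len)
{
    demux_ctx s = {0};
    last_parse_rc = parse_header(&s, buf, len);
    int freed = read_close_hardened(&s);
    return freed + read_close_hardened(&s); /* second close must add nothing */
}

int main(void)
{
    demux_ctx s = {0};
    if (parse_header(&s, SAMPLE_COMPLETE, sizeof SAMPLE_COMPLETE) == 0)
        read_close_naive(&s);             /* safe only on a fully set-up context */
    int n = open_and_close(SAMPLE_NULL_ARRAY, sizeof SAMPLE_NULL_ARRAY);
    printf("truncated header: parse rc %d, %d buffers freed, no crash\n", last_parse_rc, n);
    return 0;
}
```

The two truncated samples leave a stream whose stsd_count is nonzero while its extradata pointer is still NULL; read_close_naive would dereference that pointer at j == 0, which is the same read-at-0x0 the ticket's Valgrind log shows, while read_close_hardened releases only what was allocated and leaves the context safe to close again. The same rule applies to any demuxer teardown reached from an error path: the close routine must not assume that anything the header reader would have allocated on success actually exists.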