[FFmpeg-trac] #5957(ffprobe:new): ffprobe: crash with null "-of" option
FFmpeg
trac at avcodec.org
Wed Nov 16 03:11:29 EET 2016
#5957: ffprobe: crash with null "-of" option
------------------------------------+--------------------------------------
Reporter: likebreath | Type: defect
Status: new | Priority: normal
Component: ffprobe | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+--------------------------------------
= Summary of the bug: =
A segmentation fault occurs when ffprobe is launched with the following
pattern. The backtrace below shows the fault inside strcmp() called from
ffprobe.c:805, with the second argument being a NULL pointer (rsi = 0 at the
faulting `movdqu (%rsi),%xmm2`), i.e. a NULL dereference / crash rather than a
memory-corruption bug:
{{{
$ ffprobe -of x (where "x" is "\x00")
}}}
= How to reproduce: =
Because "\x00" is the C string terminator, an argv element cannot actually
contain it: what ffprobe receives is a zero-length option value, the empty
string "". (A POSIX shell should be able to pass the same thing directly with
`ffprobe -of ""`, so execv() is not strictly required.) I use execv() in the
stub below to hand ffprobe that empty argument explicitly. Compiling and
running it reproduces the segmentation fault being reported here. Note that
the copy of the stub shown in the gdb session further down differs only in the
buffer size (1 vs 8 bytes) and the binary path; both pass an empty string.
{{{
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
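/*
 * Reproducer: launch ./ffprobe_g with an empty string as the value of "-of".
 *
 * crash_input is a zero-filled buffer, so argv[2] is "" (a NUL byte can never
 * be part of an argv element; ffprobe simply sees a zero-length option value).
 * execv() only returns on failure, so everything after it is the error path.
 *
 * Returns 1 if execv() fails; on success the process image is replaced by
 * ffprobe and this function never returns.
 */
int main(void)
{
    char crash_input[8] = {0};                       /* the empty string "" */
    char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};

    parmList[2] = crash_input;                       /* replace "compact" with "" */
    execv("./ffprobe_g", parmList);

    /* execv() returns only on error: report errno and exit non-zero so a
     * failed launch is not mistaken for "ffprobe ran and exited". */
    perror("execv");
    return 1;
}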
}}}
= GDB Output: =
{{{
chenbo at svl13:~/tools/FFmpeg/crash$ gdb a.out
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/chenbo/tools/FFmpeg/crash/a.out...done.
(gdb) list
1 #include <sys/types.h>
2 #include <unistd.h>
3 #include <stdio.h>
4
5 main()
6 {
7 char *parmList[] = {"./ffprobe_g", "-of", "compact", NULL};
8
9 char crash_input[1] = {0};
10 parmList[2] = crash_input;
11
12 execv("../ffprobe_g", parmList);
13 printf("Return not expected. Must be an execv error.\n");
14 }
(gdb) r
Starting program: /home/chenbo/tools/FFmpeg/crash/a.out
warning: no loadable sections found in added symbol-file system-supplied
DSO at 0x2aaaaaacd000
process 12800 is executing new program:
/home/chenbo/tools/FFmpeg/ffprobe_g
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffprobe version N-82487-g1546d48 Copyright (c) 2007-2016 the FFmpeg
developers
built with gcc 4.8 (Ubuntu 4.8.1-2ubuntu1~12.04)
configuration:
libavutil 55. 40.100 / 55. 40.100
libavcodec 57. 66.103 / 57. 66.103
libavformat 57. 57.100 / 57. 57.100
libavdevice 57. 2.100 / 57. 2.100
libavfilter 6. 67.100 / 6. 67.100
libswscale 4. 3.101 / 4. 3.101
libswresample 2. 4.100 / 2. 4.100
Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
164 ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or
directory.
(gdb) bt
#0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#1 0x000000000047c72d in main () at ffprobe.c:805
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x2aaaac98f1aa to 0x2aaaac98f1ea:
0x00002aaaac98f1aa: add %al,(%rax)
0x00002aaaac98f1ac: add %al,(%rax)
0x00002aaaac98f1ae: add %al,(%rax)
0x00002aaaac98f1b0 <__strcmp_sse42+0>: mov %esi,%ecx
0x00002aaaac98f1b2 <__strcmp_sse42+2>: mov %edi,%eax
0x00002aaaac98f1b4 <__strcmp_sse42+4>: and $0x3f,%rcx
0x00002aaaac98f1b8 <__strcmp_sse42+8>: and $0x3f,%rax
0x00002aaaac98f1bc <__strcmp_sse42+12>: cmp $0x30,%ecx
0x00002aaaac98f1bf <__strcmp_sse42+15>: ja 0x2aaaac98f200
<__strcmp_sse42+80>
0x00002aaaac98f1c1 <__strcmp_sse42+17>: cmp $0x30,%eax
0x00002aaaac98f1c4 <__strcmp_sse42+20>: ja 0x2aaaac98f200
<__strcmp_sse42+80>
0x00002aaaac98f1c6 <__strcmp_sse42+22>: movdqu (%rdi),%xmm1
=> 0x00002aaaac98f1ca <__strcmp_sse42+26>: movdqu (%rsi),%xmm2
0x00002aaaac98f1ce <__strcmp_sse42+30>: pxor %xmm0,%xmm0
0x00002aaaac98f1d2 <__strcmp_sse42+34>: pcmpeqb %xmm1,%xmm0
0x00002aaaac98f1d6 <__strcmp_sse42+38>: pcmpeqb %xmm2,%xmm1
0x00002aaaac98f1da <__strcmp_sse42+42>: psubb %xmm0,%xmm1
0x00002aaaac98f1de <__strcmp_sse42+46>: pmovmskb %xmm1,%edx
0x00002aaaac98f1e2 <__strcmp_sse42+50>: sub $0xffff,%edx
0x00002aaaac98f1e8 <__strcmp_sse42+56>: jne 0x2aaaac98ff30
<__strcmp_sse42+3456>
End of assembler dump.
(gdb) info all-registers
rax 0x2f 47
rbx 0xf57fc0 16089024
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0xf52f2f 16068399
rbp 0x15cf448 0x15cf448
rsp 0x7fffffffe268 0x7fffffffe268
r8 0x10087b0 16811952
r9 0x0 0
r10 0x7fffffffdfd0 140737488347088
r11 0x2aaaac997910 46912528546064
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0x2aaaac98f1ca 0x2aaaac98f1ca <__strcmp_sse42+26>
eflags 0x10287 [ CF PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
---Type <return> to continue, or q <return> to quit---mxcsr
0x1f80 [ IM DM ZM OM UM PM ]
ymm0 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x8, 0x9,
0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x908, 0xb0a, 0xd0c,
0xf0e, 0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v8_int32 = {0xb0a0908, 0xf0e0d0c, 0xffffffff, 0xffffffff,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xf0e0d0c0b0a0908,
0xffffffffffffffff, 0x0, 0x0}, v2_int128 =
{0xffffffffffffffff0f0e0d0c0b0a0908,
0x00000000000000000000000000000000}}
ymm1 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x64, 0x65,
0x66, 0x61, 0x75, 0x6c, 0x74, 0x0, 0x55, 0x6e, 0x72, 0x65, 0x63, 0x6f,
0x67, 0x6e, 0x0 <repeats 16 times>}, v16_int16 = {0x6564, 0x6166,
0x6c75, 0x74, 0x6e55, 0x6572, 0x6f63, 0x6e67, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int32 = {0x61666564, 0x746c75, 0x65726e55,
0x6e676f63, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x746c7561666564,
0x6e676f6365726e55, 0x0, 0x0}, v2_int128 = {
0x6e676f6365726e5500746c7561666564,
0x00000000000000000000000000000000}}
ymm2 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm3 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm4 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x32, 0x35,
0x36, 0x63, 0x6f, 0x6c, 0x6f, 0x72, 0x0, 0x1b, 0x5b, 0x25, 0x64, 0x3b,
0x33, 0x25, 0x0 <repeats 16 times>}, v16_int16 = {0x3532, 0x6336,
0x6c6f, 0x726f, 0x1b00, 0x255b, 0x3b64, 0x2533, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x63363532, 0x726f6c6f, 0x255b1b00,
0x25333b64, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x726f6c6f63363532,
0x25333b64255b1b00, 0x0, 0x0}, v2_int128 = {
0x25333b64255b1b00726f6c6f63363532,
0x00000000000000000000000000000000}}
ymm5 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm6 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm7 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm8 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm9 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm10 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm11 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm12 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm13 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm14 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
ymm15 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
0x00000000000000000000000000000000,
0x00000000000000000000000000000000}}
(gdb)
}}}
Patches should be submitted to the ffmpeg-devel mailing list and not this
bug tracker.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5957>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker