[FFmpeg-trac] #6255(ffprobe:new): Corrupt .flv file segfaults ffprobe (-print_format json) -show_streams $filename
FFmpeg
trac at avcodec.org
Thu Mar 23 12:20:38 EET 2017
#6255: Corrupt .flv file segfaults ffprobe (-print_format json) -show_streams $filename
---------------------------------+--------------------------------------
Reporter: Fusl | Type: defect
Status: new | Priority: normal
Component: ffprobe | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+--------------------------------------
> corrupt.flv (File attached)
{{{
00000000 46 4c 56 01 30 00 00 00 09 30 30 30 30 09 00 00 |FLV.0....0000...|
00000010 30 30 30 30 30 30 30 30 17 00 30 30 30 01 30 30 |00000000..000.00|
00000020 30 ff e1 00 0a 30 30 30 30 30 30 30 30 09 00 00 |0....00000000...|
00000030 13 30 30 30 30 30 30 30 27 30 30 30 30 30 30 30 |.0000000'0000000|
00000040 30 30 30 30 30 30 30 30 30 30 30 00 00 00 1e 09 |00000000000.....|
00000050 00 00 11 30 30 30 30 30 30 30 30 30 30 30 30 00 |...000000000000.|
00000060 00 00 08 e7 30 30 30 42 df e8 81 00 00 00 1c    |....000B.......|
0000006f
}}}
[[Image(https://scr.meo.ws/snapshot/1490263786338886565.png)]]
> ffprobe -print_format '''default''' -show_streams $filename
GDB:
{{{
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007ffff660e99c in _IO_puts (str=0x0) at ioputs.c:36
#2 0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#3 0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb59e0, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#4 0x000000000057dcd0 in show_streams (ifile=0x7fffffffe940, w=0x3bb30b0) at ffprobe.c:2436
#5 probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#6 main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) up 2
#2 0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
673 wctx->writer->print_string(wctx, key, val);
(gdb) l
668 key, val, section->unique_name);
669 }
670 av_free(key1);
671 av_free(val1);
672 } else {
*673 wctx->writer->print_string(wctx, key, val);
674 }
675
676 wctx->nb_item[wctx->level]++;
677 }
}}}
Valgrind:
{{{
==940423== Invalid read of size 1
==940423== at 0x4C2C1A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==940423== by 0x632E99B: puts (ioputs.c:36)
==940423== by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==940423== by 0x5BDBE4: show_stream (ffprobe.c:2289)
==940423== by 0x57DCCF: show_streams (ffprobe.c:2436)
==940423== by 0x57DCCF: probe_file (ffprobe.c:2750)
==940423== by 0x57DCCF: main (ffprobe.c:3397)
==940423== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==940423==
==940423==
==940423== Process terminating with default action of signal 11 (SIGSEGV)
==940423== Access not within mapped region at address 0x0
==940423== at 0x4C2C1A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==940423== by 0x632E99B: puts (ioputs.c:36)
==940423== by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==940423== by 0x5BDBE4: show_stream (ffprobe.c:2289)
==940423== by 0x57DCCF: show_streams (ffprobe.c:2436)
==940423== by 0x57DCCF: probe_file (ffprobe.c:2750)
==940423== by 0x57DCCF: main (ffprobe.c:3397)
==940423== If you believe this happened as a result of a stack
==940423== overflow in your program's main thread (unlikely but
==940423== possible), you can try to increase the size of the
==940423== main thread stack using the --main-stacksize= flag.
==940423== The main thread stack size used in this run was 8388608.
==940423==
==940423== HEAP SUMMARY:
==940423== in use at exit: 2,257,232 bytes in 89 blocks
==940423== total heap usage: 225 allocs, 136 frees, 2,709,948 bytes allocated
==940423==
==940423== LEAK SUMMARY:
==940423== definitely lost: 0 bytes in 0 blocks
==940423== indirectly lost: 0 bytes in 0 blocks
==940423== possibly lost: 0 bytes in 0 blocks
==940423== still reachable: 2,257,232 bytes in 89 blocks
==940423== suppressed: 0 bytes in 0 blocks
==940423== Rerun with --leak-check=full to see details of leaked memory
==940423==
==940423== For counts of detected and suppressed errors, rerun with: -v
==940423== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
}}}
> ffprobe -print_format '''compact''' -show_streams $filename
GDB:
{{{
Program received signal SIGSEGV, Segmentation fault.
c_escape_str (dst=0x7fffffffd700, src=0x0, sep=124 '|', log_ctx=0x3bb30b0) at ffprobe.c:934
934 for (p = src; *p; p++) {
(gdb) bt
#0 c_escape_str (dst=0x7fffffffd700, src=0x0, sep=124 '|', log_ctx=0x3bb30b0) at ffprobe.c:934
#1 0x000000000059c1d2 in compact_print_str (wctx=0x3bb30b0, key=0x2cb31b3 "chroma_location", value=0x0) at ffprobe.c:1077
#2 0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#3 0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb5a90, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#4 0x000000000057dcd0 in show_streams (ifile=0x7fffffffe900, w=0x3bb30b0) at ffprobe.c:2436
#5 probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#6 main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) l
929 */
930 static const char *c_escape_str(AVBPrint *dst, const char *src, const char sep, void *log_ctx)
931 {
932 const char *p;
933
*934 for (p = src; *p; p++) {
935 switch (*p) {
936 case '\b': av_bprintf(dst, "%s", "\\b"); break;
937 case '\f': av_bprintf(dst, "%s", "\\f"); break;
938 case '\n': av_bprintf(dst, "%s", "\\n"); break;
}}}
Valgrind:
{{{
==214239== Invalid read of size 1
==214239== at 0x59E48F: c_escape_str (ffprobe.c:934)
==214239== by 0x59C1D1: compact_print_str (ffprobe.c:1077)
==214239== by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==214239== by 0x5BDBE4: show_stream (ffprobe.c:2289)
==214239== by 0x57DCCF: show_streams (ffprobe.c:2436)
==214239== by 0x57DCCF: probe_file (ffprobe.c:2750)
==214239== by 0x57DCCF: main (ffprobe.c:3397)
==214239== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==214239==
==214239==
==214239== Process terminating with default action of signal 11 (SIGSEGV)
==214239== Access not within mapped region at address 0x0
==214239== at 0x59E48F: c_escape_str (ffprobe.c:934)
==214239== by 0x59C1D1: compact_print_str (ffprobe.c:1077)
==214239== by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==214239== by 0x5BDBE4: show_stream (ffprobe.c:2289)
==214239== by 0x57DCCF: show_streams (ffprobe.c:2436)
==214239== by 0x57DCCF: probe_file (ffprobe.c:2750)
==214239== by 0x57DCCF: main (ffprobe.c:3397)
==214239== If you believe this happened as a result of a stack
==214239== overflow in your program's main thread (unlikely but
==214239== possible), you can try to increase the size of the
==214239== main thread stack using the --main-stacksize= flag.
==214239== The main thread stack size used in this run was 8388608.
==214239==
==214239== HEAP SUMMARY:
==214239== in use at exit: 2,257,348 bytes in 91 blocks
==214239== total heap usage: 229 allocs, 138 frees, 2,710,068 bytes allocated
==214239==
==214239== LEAK SUMMARY:
==214239== definitely lost: 0 bytes in 0 blocks
==214239== indirectly lost: 0 bytes in 0 blocks
==214239== possibly lost: 0 bytes in 0 blocks
==214239== still reachable: 2,257,348 bytes in 91 blocks
==214239== suppressed: 0 bytes in 0 blocks
==214239== Rerun with --leak-check=full to see details of leaked memory
==214239==
==214239== For counts of detected and suppressed errors, rerun with: -v
==214239== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
}}}
> ffprobe -print_format '''json''' -show_streams $filename
GDB:
{{{
Program received signal SIGSEGV, Segmentation fault.
json_print_item_str (key=<optimized out>, value=0x0, wctx=<optimized out>) at ffprobe.c:1482
1482 printf(" \"%s\"", json_escape_str(&buf, value, wctx));
(gdb) bt
#0 json_print_item_str (key=<optimized out>, value=0x0, wctx=<optimized out>) at ffprobe.c:1482
#1 0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#2 0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb59d0, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#3 0x000000000057dcd0 in show_streams (ifile=0x7fffffffe920, w=0x3bb30b0) at ffprobe.c:2436
#4 probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#5 main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) l
1477 AVBPrint buf;
1478
1479 av_bprint_init(&buf, 1, AV_BPRINT_SIZE_UNLIMITED);
1480 printf("\"%s\":", json_escape_str(&buf, key, wctx));
1481 av_bprint_clear(&buf);
*1482 printf(" \"%s\"", json_escape_str(&buf, value, wctx));
1483 av_bprint_finalize(&buf, NULL);
1484 }
1485
1486 static void json_print_str(WriterContext *wctx, const char *key, const char *value)
}}}
Valgrind:
{{{
==1007190== Invalid read of size 1
==1007190== at 0x5A9F60: json_escape_str (ffprobe.c:1398)
==1007190== by 0x5A9F60: json_print_item_str.isra.9 (ffprobe.c:1482)
==1007190== by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==1007190== by 0x5BDBE4: show_stream (ffprobe.c:2289)
==1007190== by 0x57DCCF: show_streams (ffprobe.c:2436)
==1007190== by 0x57DCCF: probe_file (ffprobe.c:2750)
==1007190== by 0x57DCCF: main (ffprobe.c:3397)
==1007190== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1007190==
==1007190==
==1007190== Process terminating with default action of signal 11 (SIGSEGV)
==1007190== Access not within mapped region at address 0x0
==1007190== at 0x5A9F60: json_escape_str (ffprobe.c:1398)
==1007190== by 0x5A9F60: json_print_item_str.isra.9 (ffprobe.c:1482)
==1007190== by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==1007190== by 0x5BDBE4: show_stream (ffprobe.c:2289)
==1007190== by 0x57DCCF: show_streams (ffprobe.c:2436)
==1007190== by 0x57DCCF: probe_file (ffprobe.c:2750)
==1007190== by 0x57DCCF: main (ffprobe.c:3397)
==1007190== If you believe this happened as a result of a stack
==1007190== overflow in your program's main thread (unlikely but
==1007190== possible), you can try to increase the size of the
==1007190== main thread stack using the --main-stacksize= flag.
==1007190== The main thread stack size used in this run was 8388608.
==1007190==
==1007190== HEAP SUMMARY:
==1007190== in use at exit: 2,257,205 bytes in 89 blocks
==1007190== total heap usage: 225 allocs, 136 frees, 2,709,921 bytes allocated
==1007190==
==1007190== LEAK SUMMARY:
==1007190== definitely lost: 0 bytes in 0 blocks
==1007190== indirectly lost: 0 bytes in 0 blocks
==1007190== possibly lost: 0 bytes in 0 blocks
==1007190== still reachable: 2,257,205 bytes in 89 blocks
==1007190== suppressed: 0 bytes in 0 blocks
==1007190== Rerun with --leak-check=full to see details of leaked memory
==1007190==
==1007190== For counts of detected and suppressed errors, rerun with: -v
==1007190== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
}}}
Not attaching more examples, but it seems all [https://ffmpeg.org/ffprobe.html#toc-Writers writers] are affected by this.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/6255>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
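The crash pattern in the backtraces above, as an added example that is neither ffprobe's nor libavutil's code: a hypothetical name lookup returns NULL for an out-of-range value (the same contract that left val=0x0 in every frame), and a compact-style writer that maps a NULL value to a placeholder and bounds-checks its escaping before anything calls strlen or puts on it. The name table, the "unknown" placeholder and the value 42 are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical name table (not libavutil's): an out-of-range index yields
 * NULL, the contract that left val=0x0 in the backtraces above. */
static const char *const chroma_names[] = { "unspecified", "left", "center", "topleft" };

static const char *chroma_name(int loc)
{
    if (loc < 0 || loc >= (int)(sizeof chroma_names / sizeof chroma_names[0])) return NULL;
    return chroma_names[loc];
}

/* Escape src into dst like a compact-style writer (\b \f \n, separator and
 * backslash). NULL src returns -1 instead of being walked from address 0;
 * output is bounds-checked against cap. Returns the escaped length. */
static int escape_str(char *dst, size_t cap, const char *src, char sep)
{
    size_t n = 0;
    if (!src || cap == 0) return -1;
    for (const char *p = src; *p; p++) {
        char tmp[3] = { '\\', 0, 0 };
        const char *rep = NULL;
        switch (*p) {
        case '\b': rep = "\\b"; break;
        case '\f': rep = "\\f"; break;
        case '\n': rep = "\\n"; break;
        default:   if (*p == sep || *p == '\\') { tmp[1] = *p; rep = tmp; }
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap) return -1;         /* would overflow dst */
        if (rep) memcpy(dst + n, rep, len); else dst[n] = *p;
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Write key=value<sep>. A NULL value becomes the placeholder "unknown"
 * before any strlen/puts/escape sees it. Returns characters written or -1. */
static int print_item(char *out, size_t cap, const char *key, const char *val, char sep)
{
    char esc[256];
    if (escape_str(esc, sizeof esc, val ? val : "unknown", sep) < 0) return -1;
    return snprintf(out, cap, "%s=%s%c", key, esc, sep);
}
int main(void)
{
    char line[512];                /* 42 is a constructed out-of-range value */
    if (print_item(line, sizeof line, "chroma_location", chroma_name(42), '|') > 0)
        puts(line);                /* prints chroma_location=unknown| */
    return 0;
}
```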