[Ffmpeg-devel] fuzzer bugs
Mike Melanson
Mon Jan 15 23:01:05 CET 2007
Diego Biurrun wrote:
> Hi,
>
> Samuel Hocevar wrote his own fuzzer and let it loose on some multimedia
> players:
>
> http://sam.zoy.org/zzuf/
>
> ffplay shows quite a few crashes, MPlayer as well, some of which are
> related to FFmpeg. No time for details right now, but it's easy enough
> to reproduce and the samples are tiny.
More data-- using current SVN, I tried the files with ffplay to
reproduce Zoy's results and then tried ffmpeg to check whether the
problem was in FFmpeg's core libs.
=====================
lol-ffplay.ac3: my ffmpeg is not set up to decode AC3
lol-ffplay.flac: ffplay fails as the fuzz page reports; not sure how to
convert 3+channel FLAC to another format
lol-ffplay.ogg: ffplay crashes but ffmpeg just reports unsupported codec
and bails; valgrind reports no invalid memory ops
=====================
lol-ffmpeg.avi, converting with ffmpeg:
Program received signal SIGSEGV, Segmentation fault.
avi_read_header (s=0x854cf90, ap=0xafe92fac) at avidec.c:471
471 st->codec->codec_type = CODEC_TYPE_DATA;
(gdb) bt
#0 avi_read_header (s=0x854cf90, ap=0xafe92fac) at avidec.c:471
#1 0x080632f2 in av_open_input_stream (ic_ptr=0xafe92fe4, pb=0xafe92ed4,
filename=0xafe9569e "lol-ffplay.avi", fmt=0x84dba80, ap=0xafe92fac)
at utils.c:400
#2 0x0806794d in av_open_input_file (ic_ptr=0xafe92fe4,
filename=0xafe9569e "lol-ffplay.avi", fmt=0x84dba80, buf_size=0,
ap=0xafe92fac)
at utils.c:513
#3 0x0805744d in opt_input_file (filename=0xafe9569e "lol-ffplay.avi")
at ffmpeg.c:2586
#4 0x0805fe6c in parse_options (argc=4, argv=0xafe937a4, options=0x8449040)
at cmdutils.c:105
#5 0x0805cf7a in main (argc=4, argv=0xafe937a4) at ffmpeg.c:3921
=====================
lol-ffplay.m2v, converting with ffmpeg:
Program received signal SIGSEGV, Segmentation fault.
0x081ce4c0 in mpeg_decode_mb (s=0x857e270, block=<value optimized out>)
at mpeg12.c:1478
1478 s->current_picture.mb_type[ s->mb_x + s->mb_y*s->mb_stride
]= mb_type;
(gdb) bt
#0 0x081ce4c0 in mpeg_decode_mb (s=0x857e270, block=<value optimized out>)
at mpeg12.c:1478
#1 0x081d0b2d in mpeg_decode_slice (s1=0x857e270, mb_y=1, buf=0xaf7edeb4,
buf_size=157530) at mpeg12.c:2603
#2 0x081d29e7 in mpeg_decode_frame (avctx=0x8556080, data=0xaf80a660,
data_size=0xaf80a8b8, buf=0xa7d4f020 "", buf_size=159930) at
mpeg12.c:3198
#3 0x080be590 in avcodec_decode_video (avctx=0x8556080, picture=0xaf80a660,
got_picture_ptr=0xaf80a8b8, buf=0xa7d4f020 "", buf_size=159930) at
utils.c:904
#4 0x0806751f in av_find_stream_info (ic=0x854cf90) at utils.c:1735
#5 0x08057470 in opt_input_file (filename=0xaf80b69e "lol-ffplay.m2v")
at ffmpeg.c:2596
#6 0x0805fe6c in parse_options (argc=4, argv=0xaf80b124, options=0x8449040)
at cmdutils.c:105
#7 0x0805cf7a in main (argc=4, argv=0xaf80b124) at ffmpeg.c:3921
=====================
lol-ffplay.mpg, converting with ffmpeg:
Program received signal SIGSEGV, Segmentation fault.
0x081ce4c0 in mpeg_decode_mb (s=0x855c600, block=<value optimized out>)
at mpeg12.c:1478
1478 s->current_picture.mb_type[ s->mb_x + s->mb_y*s->mb_stride
]= mb_type;
(gdb) bt
#0 0x081ce4c0 in mpeg_decode_mb (s=0x855c600, block=<value optimized out>)
at mpeg12.c:1478
#1 0x081d0b2d in mpeg_decode_slice (s1=0x855c600, mb_y=1,
buf=0xafee66e4, buf_size=10039)
at mpeg12.c:2603
#2 0x081d29e7 in mpeg_decode_frame (avctx=0x8556080, data=0xaff02e90,
data_size=0xaff030e8, buf=0x8559c30 "", buf_size=10690) at mpeg12.c:3198
#3 0x080be590 in avcodec_decode_video (avctx=0x8556080, picture=0xaff02e90,
got_picture_ptr=0xaff030e8, buf=0x8559c30 "", buf_size=10690) at
utils.c:904
#4 0x0806751f in av_find_stream_info (ic=0x854cf90) at utils.c:1735
#5 0x08057470 in opt_input_file (filename=0xaff0569e "lol-ffplay.mpg")
at ffmpeg.c:2596
#6 0x0805fe6c in parse_options (argc=4, argv=0xaff03954, options=0x8449040)
at cmdutils.c:105
#7 0x0805cf7a in main (argc=4, argv=0xaff03954) at ffmpeg.c:3921
=====================
lol-ffmpeg.ogm, converting with ffmpeg:
Program received signal SIGSEGV, Segmentation fault.
0x080a8b96 in ogg_read_header (s=0x854cf90, ap=0xafb756cc) at ogg2.c:452
452 if(os->codec->gptopts){
(gdb) bt
#0 0x080a8b96 in ogg_read_header (s=0x854cf90, ap=0xafb756cc) at ogg2.c:452
#1 0x080632f2 in av_open_input_stream (ic_ptr=0xafb75704, pb=0xafb755f4,
filename=0xafb7769e "lol-ffplay.ogm", fmt=0x84dcbe0, ap=0xafb756cc)
at utils.c:400
#2 0x0806794d in av_open_input_file (ic_ptr=0xafb75704,
filename=0xafb7769e "lol-ffplay.ogm", fmt=0x84dcbe0, buf_size=0,
ap=0xafb756cc)
at utils.c:513
#3 0x0805744d in opt_input_file (filename=0xafb7769e "lol-ffplay.ogm")
at ffmpeg.c:2586
#4 0x0805fe6c in parse_options (argc=4, argv=0xafb75ec4, options=0x8449040)
at cmdutils.c:105
#5 0x0805cf7a in main (argc=4, argv=0xafb75ec4) at ffmpeg.c:3921
=====================
lol-ffplay.wmv, converting with ffmpeg:
Program received signal SIGSEGV, Segmentation fault.
0xa7e95fca in memcpy () from /lib/libc.so.6
(gdb) bt
#0 0xa7e95fca in memcpy () from /lib/libc.so.6
#1 0x0806a12b in get_buffer (s=0x85554fb, buf=0x19a <Address 0x19a out
of bounds>,
size=0) at aviobuf.c:365
#2 0x0807ae9e in asf_read_packet (s=0x854cf90, pkt=0x854dea0) at asf.c:715
#3 0x08063eeb in av_read_frame_internal (s=0x854cf90, pkt=0xaffbc9c8)
at utils.c:540
#4 0x08065fe0 in av_find_stream_info (ic=0x854cf90) at utils.c:1841
#5 0x08057470 in opt_input_file (filename=0xaffbd69e "lol-ffplay.wmv")
at ffmpeg.c:2596
#6 0x0805fe6c in parse_options (argc=4, argv=0xaffbd2a4, options=0x8449040)
at cmdutils.c:105
#7 0x0805cf7a in main (argc=4, argv=0xaffbd2a4) at ffmpeg.c:3921
--
-Mike Melanson
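A small harness that mirrors the triage Mike describes above (zzuf-style bit flipping of a sample, running ffmpeg on each mutant, and separating a clean "unsupported codec" exit from a signal death), added here as an example rather than code from the thread or from zzuf/FFmpeg; the ffmpeg command line, the function names and the 30 s timeout are assumptions.

```python
"""zzuf-style fuzz triage (added example, not code from the thread): flip a
fraction of an input's bits as zzuf does, run a target on each mutant, and
bucket the outcome as ok / error / hang / crash:SIGNAME."""
import os
import random
import signal
import subprocess
import tempfile

# Assumed target: decode only, write nothing. "{}" becomes the mutant's path.
FFMPEG_CMD = ["ffmpeg", "-v", "error", "-i", "{}", "-f", "null", "-"]

def flip_bits(data: bytes, ratio: float, seed: int) -> bytes:
    """Flip int(ratio * nbits) distinct bits, deterministically per seed;
    re-applying the same seed restores the original (XOR is self-inverse)."""
    rng = random.Random(seed)
    buf = bytearray(data)
    nbits = len(buf) * 8
    for pos in rng.sample(range(nbits), int(nbits * ratio)):
        buf[pos >> 3] ^= 1 << (pos & 7)
    return bytes(buf)

def classify(returncode: int) -> str:
    """Bucket a return code; Python reports death-by-signal as -signum."""
    if returncode == 0:
        return "ok"
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    return "error"

def run_case(cmd_template: list, sample: bytes, timeout: float = 30.0) -> str:
    """Write sample to a temp file, run the target on it, return its bucket."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(sample)
    cmd = [f.name if arg == "{}" else arg for arg in cmd_template]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        return classify(proc.returncode)
    except subprocess.TimeoutExpired:
        return "hang"
    finally:
        os.unlink(f.name)

def fuzz(cmd_template: list, seed_sample: bytes, ratio: float, runs: int) -> dict:
    """Map bucket -> seeds; a crasher is regenerated by flip_bits(sample, ratio, seed)."""
    results = {}
    for seed in range(runs):
        bucket = run_case(cmd_template, flip_bits(seed_sample, ratio, seed))
        results.setdefault(bucket, []).append(seed)
    return results
```

Because mutation is deterministic per seed, a crashing input is reproduced from (sample, ratio, seed) alone and can be handed straight to gdb or valgrind as in the traces above.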