[FFmpeg-devel] Buffer overflow in ALS decoder

Måns Rullgård mans
Tue Feb 16 17:59:45 CET 2010


Valgrind is reporting a buffer overflow in the ALS decoder:

==23779== Memcheck, a memory error detector
==23779== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==23779== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==23779== Command: ./ffmpeg_g -i /misc/samples/mphq/fate-suite/lossless-audio/als_04_2ch48k16b.mp4 -f crc -
==23779== 
FFmpeg version git-svn-r21849, Copyright (c) 2000-2010 Fabrice Bellard, et al.
  built on Feb 16 2010 16:19:18 with gcc 4.3.4
  configuration: --cpu=core2 --enable-gpl
  libavutil     50. 9. 0 / 50. 9. 0
  libavcodec    52.54. 0 / 52.54. 0
  libavformat   52.52. 0 / 52.52. 0
  libavdevice   52. 2. 0 / 52. 2. 0
  libswscale     0. 9. 0 /  0. 9. 0
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from '/misc/samples/mphq/fate-suite/lossless-audio/als_04_2ch48k16b.mp4':
  Metadata:
    major_brand     : mp42
    minor_version   : 0
    compatible_brands: mp42isom
  Duration: 00:00:14.81, start: 0.000000, bitrate: 442 kb/s
    Stream #0.0(und): Audio: als, 48000 Hz, 2 channels, s16, 441 kb/s
Output #0, crc, to 'pipe:':
  Metadata:
    encoder         : Lavf52.52.0
    Stream #0.0(und): Audio: pcm_s16le, 48000 Hz, 2 channels, s16, 1536 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding
Multiple frames in a packet from stream 0
==23779== Invalid write of size 4
==23779==    at 0x4DC80F: read_frame_data (alsdec.c:1126)
==23779==    by 0x4DCEE9: decode_frame (alsdec.c:1403)
==23779==    by 0x4BFB2C: avcodec_decode_audio3 (utils.c:631)
==23779==    by 0x42BB9A: output_packet (ffmpeg.c:1340)
==23779==    by 0x42E8FB: av_encode (ffmpeg.c:2324)
==23779==    by 0x42F12D: main (ffmpeg.c:4027)
==23779==  Address 0x62762c8 is 0 bytes after a block of size 88 alloc'd
==23779==    at 0x4C228A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x4C2295A: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x876231: av_malloc (mem.c:83)
==23779==    by 0x407D18: decode_init (alsdec.c:1565)
==23779==    by 0x4C1343: avcodec_open (utils.c:491)
==23779==    by 0x42E154: av_encode (ffmpeg.c:2092)
==23779==    by 0x42F12D: main (ffmpeg.c:4027)
==23779== 
==23779== Invalid read of size 4
==23779==    at 0x4D8C50: revert_channel_correlation (alsdec.c:1179)
==23779==    by 0x4DC8A1: read_frame_data (alsdec.c:1342)
==23779==    by 0x4DCEE9: decode_frame (alsdec.c:1403)
==23779==    by 0x4BFB2C: avcodec_decode_audio3 (utils.c:631)
==23779==    by 0x42BB9A: output_packet (ffmpeg.c:1340)
==23779==    by 0x42E8FB: av_encode (ffmpeg.c:2324)
==23779==    by 0x42F12D: main (ffmpeg.c:4027)
==23779==  Address 0x62762c8 is 0 bytes after a block of size 88 alloc'd
==23779==    at 0x4C228A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x4C2295A: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x876231: av_malloc (mem.c:83)
==23779==    by 0x407D18: decode_init (alsdec.c:1565)
==23779==    by 0x4C1343: avcodec_open (utils.c:491)
==23779==    by 0x42E154: av_encode (ffmpeg.c:2092)
==23779==    by 0x42F12D: main (ffmpeg.c:4027)
==23779== 
==23779== Invalid read of size 4
==23779==    at 0x4D8DAB: revert_channel_correlation (alsdec.c:1199)
==23779==    by 0x4DC8A1: read_frame_data (alsdec.c:1342)
==23779==    by 0x4DCEE9: decode_frame (alsdec.c:1403)
==23779==    by 0x4BFB2C: avcodec_decode_audio3 (utils.c:631)
==23779==    by 0x42BB9A: output_packet (ffmpeg.c:1340)
==23779==    by 0x42E8FB: av_encode (ffmpeg.c:2324)
==23779==    by 0x42F12D: main (ffmpeg.c:4027)
==23779==  Address 0x62762c8 is 0 bytes after a block of size 88 alloc'd
==23779==    at 0x4C228A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x4C2295A: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x876231: av_malloc (mem.c:83)
==23779==    by 0x407D18: decode_init (alsdec.c:1565)
==23779==    by 0x4C1343: avcodec_open (utils.c:491)
==23779==    by 0x42E154: av_encode (ffmpeg.c:2092)
==23779==    by 0x42F12D: main (ffmpeg.c:4027)
==23779== 
CRC=0x7e67db0b
size=       0kB time=14.81 bitrate=   0.0kbits/s    
video:0kB audio:2777kB global headers:0kB muxing overhead -99.999473%
==23779== 
==23779== HEAP SUMMARY:
==23779==     in use at exit: 0 bytes in 0 blocks
==23779==   total heap usage: 805 allocs, 805 frees, 6,002,034 bytes allocated
==23779== 
==23779== All heap blocks were freed -- no leaks are possible
==23779== 
==23779== For counts of detected and suppressed errors, rerun with: -v
==23779== ERROR SUMMARY: 531 errors from 3 contexts (suppressed: 6 from 6)

-- 
Måns Rullgård
mans at mansr.com
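A small triage helper for Memcheck output like the report above, added here as an example (not part of the original post or of FFmpeg). It assumes the Valgrind 3.5 line formats shown above, treats `av_malloc` as an allocator wrapper to skip when attributing the allocation, and converts the "N bytes after a block of size S" line into an element index, which for this report shows a 4-byte access at index 22 of a 22-element array.

```python
import re
ERR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes after "
                     r"a block of size (\d+) alloc'd$")

# Constructed sample: two of the three reports above, frames abridged.
SAMPLE = """\
==23779== Invalid write of size 4
==23779==    at 0x4DC80F: read_frame_data (alsdec.c:1126)
==23779==    by 0x4DCEE9: decode_frame (alsdec.c:1403)
==23779==  Address 0x62762c8 is 0 bytes after a block of size 88 alloc'd
==23779==    at 0x4C228A0: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23779==    by 0x876231: av_malloc (mem.c:83)
==23779==    by 0x407D18: decode_init (alsdec.c:1565)
==23779== 
==23779== Invalid read of size 4
==23779==    at 0x4D8C50: revert_channel_correlation (alsdec.c:1179)
==23779==  Address 0x62762c8 is 0 bytes after a block of size 88 alloc'd
==23779==    by 0x407D18: decode_init (alsdec.c:1565)
==23779== 
"""

def parse_memcheck(text):
    """Group 'Invalid read/write' reports: access stack, then allocation stack."""
    errors, cur, in_alloc = [], None, False
    for line in text.splitlines():
        line = line.rstrip()
        if m := ERR_RE.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "access": [], "alloc": [],
                   "distance": None, "block_size": None}
            errors.append(cur)
            in_alloc = False
        elif cur is None:
            continue
        elif m := ADDR_RE.match(line):
            cur["distance"], cur["block_size"] = int(m[1]), int(m[2])
            in_alloc = True  # frames that follow describe the allocation
        elif m := FRAME_RE.match(line):
            (cur["alloc"] if in_alloc else cur["access"]).append(m[1])
        else:
            cur = None  # a bare "==PID==" line closes the report

    return errors

def summarize(err, wrappers=("av_malloc",)):
    """Attribute the overflow to an array index and to the allocating function."""
    idx = (err["block_size"] + err["distance"]) // err["size"]
    owner = next(f for f in err["alloc"]
                 if "vgpreload" not in f and not f.startswith(wrappers))
    return {"kind": err["kind"], "site": err["access"][0], "alloc_site": owner,
            "index": idx, "capacity": err["block_size"] // err["size"]}
```

Running `summarize` over each parsed record gives the faulting function, the function that owns the undersized buffer, and the out-of-range index, which is usually enough to locate an off-by-one sizing bug without reading the full trace.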
