[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Michael Niedermayer michael at niedermayer.cc
Fri Apr 2 01:25:53 EEST 2021


On Thu, Apr 01, 2021 at 09:22:23PM +0200, Paul B Mahol wrote:
> Try this attached patch. I have not looked at all samples, as some allocate
> too much memory for my system.

> But this patch points where real bugs are, unlike your patch which hides
> real bugs even more.

I would appreciate it if cfhd wouldn't have so many real bugs.
Your approach seems to be to fix what the fuzzer finds. What my patch was
moving toward is to make the code more secure and robust, not to fix individual
bugs. My patch was never intended to be the end of such improvement, but with
the first stage being rejected I am of course not putting time in the next ...

but that's not so important now, what's important is the bugs here
and your patch eliminates all of the current group but one. That's good!
Here's what remains:
ffmpeg -threads 1 -i dec_fuzzer-30739.nut -f null -

[cfhd @ 0x16b0c6c0] Sample format of 1039 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
==17282==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==17282==    by 0x1233DEB: av_log_default_callback (log.c:397)
==17282==    by 0x1234092: av_vlog (log.c:432)
==17282==    by 0x1233EF1: av_log (log.c:411)
==17282==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
==17282== Conditional jump or move depends on uninitialised value(s)
==17282==    at 0x82BBF4: av_clip_uintp2_c (common.h:304)
==17282==    by 0x82C915: interlaced_vertical_filter (cfhd.c:205)
==17282==    by 0x83424E: cfhd_decode (cfhd.c:1278)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
==17282==  Uninitialised value was created by a heap allocation
==17282==    at 0x4C33E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17282==    by 0x4C33F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17282==    by 0x1236BA6: av_malloc (mem.c:86)
==17282==    by 0x1236DB8: av_malloc_array (mem.c:187)
==17282==    by 0x82D072: alloc_buffers (cfhd.c:296)
==17282==    by 0x82F8DD: cfhd_decode (cfhd.c:664)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
==17282== 
==17282== Conditional jump or move depends on uninitialised value(s)
==17282==    at 0x82BBF4: av_clip_uintp2_c (common.h:304)
==17282==    by 0x82C93C: interlaced_vertical_filter (cfhd.c:206)
==17282==    by 0x83424E: cfhd_decode (cfhd.c:1278)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
==17282==  Uninitialised value was created by a heap allocation
==17282==    at 0x4C33E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17282==    by 0x4C33F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17282==    by 0x1236BA6: av_malloc (mem.c:86)
==17282==    by 0x1236DB8: av_malloc_array (mem.c:187)
==17282==    by 0x82D072: alloc_buffers (cfhd.c:296)
==17282==    by 0x82F8DD: cfhd_decode (cfhd.c:664)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
==17282== 
==17282== Invalid write of size 2
==17282==    at 0x82C956: interlaced_vertical_filter (cfhd.c:206)
==17282==    by 0x83424E: cfhd_decode (cfhd.c:1278)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
==17282==  Address 0x2a0cd24e is 2,621,518 bytes inside a block of size 2,621,519 alloc'd
==17282==    at 0x4C33E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17282==    by 0x4C33F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17282==    by 0x1236BA6: av_malloc (mem.c:86)
==17282==    by 0x121C724: av_buffer_alloc (buffer.c:72)
==17282==    by 0x121C79F: av_buffer_allocz (buffer.c:85)
==17282==    by 0x121D15C: pool_alloc_buffer (buffer.c:351)
==17282==    by 0x121D2A3: av_buffer_pool_get (buffer.c:388)
==17282==    by 0x863DAC: video_get_buffer (decode.c:1663)
==17282==    by 0x863F9B: avcodec_default_get_buffer2 (decode.c:1702)
==17282==    by 0x254E5A: get_buffer (ffmpeg.c:2943)
==17282==    by 0x864A5A: ff_get_buffer (decode.c:1937)
==17282==    by 0xB219CE: thread_get_buffer_internal (pthread_frame.c:1006)
==17282==    by 0xB21E2B: ff_thread_get_buffer (pthread_frame.c:1098)
==17282==    by 0x82F9FA: cfhd_decode (cfhd.c:682)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282== 
[cfhd @ 0x16b0c6c0] Invalid plane dimensions
==17282==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==17282==    by 0x1233DEB: av_log_default_callback (log.c:397)
==17282==    by 0x1234092: av_vlog (log.c:432)
==17282==    by 0x1233EF1: av_log (log.c:411)
==17282==    by 0x832813: cfhd_decode (cfhd.c:1096)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
Error while decoding stream #0:0: Invalid argument
==17282==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==17282==    by 0x1233DEB: av_log_default_callback (log.c:397)
==17282==    by 0x1234092: av_vlog (log.c:432)
==17282==    by 0x1233EF1: av_log (log.c:411)
==17282==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
[cfhd @ 0x16b0c6c0] Invalid dimensions
==17282==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==17282==    by 0x1233DEB: av_log_default_callback (log.c:397)
==17282==    by 0x1234092: av_vlog (log.c:432)
==17282==    by 0x1233EF1: av_log (log.c:411)
==17282==    by 0x830E9D: cfhd_decode (cfhd.c:897)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)
==17282==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==17282==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
Error while decoding stream #0:0: Invalid argument
==17282==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==17282==    by 0x1233DEB: av_log_default_callback (log.c:397)
==17282==    by 0x1234092: av_vlog (log.c:432)
==17282==    by 0x1233EF1: av_log (log.c:411)
==17282==    by 0x254285: process_input_packet (ffmpeg.c:2718)
==17282==    by 0x25BB79: process_input (ffmpeg.c:4606)
==17282==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==17282==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==17282==    by 0x25CB3F: main (ffmpeg.c:5005)
[cfhd @ 0x16b0c6c0] Invalid dimensionsme=00:00:00.00 bitrate=N/A speed=5.23e-06x    
==17282==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
==17282==    by 0x1233DEB: av_log_default_callback (log.c:397)
==17282==    by 0x1234092: av_vlog (log.c:432)
==17282==    by 0x1233EF1: av_log (log.c:411)
==17282==    by 0x830E9D: cfhd_decode (cfhd.c:897)
==17282==    by 0x860064: decode_simple_internal (decode.c:327)
==17282==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==17282==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==17282==    by 0x861019: avcodec_send_packet (decode.c:608)
==17282==    by 0x2525A7: decode (ffmpeg.c:2285)

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates
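The valgrind report above shows two defect classes: a 2-byte store at offset 2,621,518 of a 2,621,519-byte block, and conditional jumps on samples that were never written after a non-zeroed av_malloc_array allocation. The C below is an added illustration, not code from cfhd.c or from this thread: it models a vertical synthesis step with a hypothetical Plane type, a plane_fits size check run before any store, and an assumed 12-bit sample depth.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not cfhd.c: one low-band and one high-band row become two
 * interlaced output rows of 16-bit samples. The size check refuses the class of
 * store seen in the valgrind report (a 2-byte write ending 1 byte past the
 * allocation) before any memory is touched. */
typedef struct {
    uint16_t *data;    /* allocate zero-filled (calloc/av_mallocz) so a sample read
                          before it is written is defined, not valgrind's
                          "uninitialised value" */
    size_t    bytes;   /* allocation size in bytes, the figure valgrind reports */
    int       width, height, stride;  /* stride in samples */
} Plane;

/* 0 if the last sample of row rows-1 ends inside the allocation, else -1. With
 * bytes = 2,621,519, a 2-byte sample at offset 2,621,518 ends at 2,621,520: rejected. */
static int plane_fits(const Plane *p, int rows)
{
    if (!p->data || rows <= 0 || p->width <= 0 || p->stride < p->width)
        return -1;
    size_t end = ((size_t)(rows - 1) * p->stride + p->width) * sizeof(uint16_t);
    return end <= p->bytes ? 0 : -1;
}

static uint16_t clip_uintp2(int v, int bits)  /* same contract as av_clip_uintp2 */
{
    int max = (1 << bits) - 1;
    return (uint16_t)(v < 0 ? 0 : v > max ? max : v);
}

/* Writes rows 2y and 2y+1 of out for each band row y; returns -1 and touches
 * nothing if any planned store or load would land outside its plane. */
static int interlaced_vertical_filter_checked(const Plane *lo, const Plane *hi, Plane *out)
{
    int rows = lo->height;
    if (hi->height != rows || hi->width != lo->width || out->width != lo->width ||
        rows > INT32_MAX / 2 || plane_fits(lo, rows) || plane_fits(hi, rows) || plane_fits(out, 2 * rows))
        return -1;
    for (int y = 0; y < rows; y++) {
        const uint16_t *l = lo->data + (size_t)y * lo->stride;
        const uint16_t *h = hi->data + (size_t)y * hi->stride;
        uint16_t *even = out->data + (size_t)2 * y * out->stride;
        uint16_t *odd  = even + out->stride;
        for (int x = 0; x < lo->width; x++) {
            even[x] = clip_uintp2(l[x] + h[x], 12);   /* 12-bit sample depth assumed */
            odd[x]  = clip_uintp2(l[x] - h[x], 12);
        }
    }
    return 0;
}
```

A plane sized one byte short of what the final store needs is refused outright, which is the error path the "Invalid write of size 2" report shows was missing.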

