[FFmpeg-trac] #4299(avcodec:new): mpeg2: crash with fuzzed file
FFmpeg
trac at avcodec.org
Thu Feb 5 22:04:58 CET 2015
#4299: mpeg2: crash with fuzzed file
------------------------------------+-----------------------------------
Reporter: tholin | Owner:
Type: defect | Status: new
Priority: normal | Component: avcodec
Version: git-master | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by tholin):
More info as requested.
{{{
$ gdb --args ~/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i ffmpeg_mpeg2_crash.mpg -f null -
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i ffmpeg_mpeg2_crash.mpg -f null -
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-69570-g7801a54 Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
configuration: --prefix=/home/cocobo/repository/mpv-build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
libavutil 54. 18.100 / 54. 18.100
libavcodec 56. 21.102 / 56. 21.102
libavformat 56. 19.100 / 56. 19.100
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 9.103 / 5. 9.103
libavresample 2. 1. 0 / 2. 1. 0
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
[mpeg1video @ 0x1e90be0] frame_rate_index 0 is invalid
Last message repeated 1 times
[mpegvideo @ 0x1e901c0] Estimating duration from bitrate, this may be inaccurate
Input #0, mpegvideo, from 'ffmpeg_mpeg2_crash.mpg':
Duration: 00:00:00.00, bitrate: 19692 kb/s
Stream #0:0: Video: mpeg2video (Main), yuv420p(tv), 4099x12 [SAR 64:12297 DAR 16:9], 19737 kb/s, 11.99 tbr, 1200k tbn, 23.98 tbc
[New Thread 0x7ffff4de9700 (LWP 17633)]
[New Thread 0x7ffff45e8700 (LWP 17634)]
[New Thread 0x7ffff3de7700 (LWP 17635)]
[New Thread 0x7ffff35e6700 (LWP 17636)]
[New Thread 0x7ffff2de5700 (LWP 17637)]
[New Thread 0x7ffff25e4700 (LWP 17638)]
[New Thread 0x7ffff1de3700 (LWP 17639)]
[New Thread 0x7ffff15e2700 (LWP 17640)]
[New Thread 0x7ffff0de1700 (LWP 17641)]
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf56.19.100
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 4099x12 [SAR 64:12297 DAR 16:9], q=2-31, 200 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
Metadata:
encoder : Lavc56.21.102 rawvideo
Stream mapping:
Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[mpeg2video @ 0x1e913c0] frame_rate_index 0 is invalid
Last message repeated 1 times
[mpeg2video @ 0x1e913c0] Missing picture start code, guessing missing values
[mpeg2video @ 0x1e913c0] Missing picture start code
[mpeg2video @ 0x1e913c0] warning: first frame is no keyframe
Program received signal SIGSEGV, Segmentation fault.
0x0000000001054171 in ff_put_pixels16_y2_sse2.loop () at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
263 PUT_PIXELS8_Y2
(gdb) info register
rax 0x1054140 17121600
rbx 0x0 0
rcx 0x4 4
rdx 0x2080 8320
rsi 0x7ffff05dd780 140737226069888
rdi 0x7ffff7fed600 140737354061312
rbp 0x7fffffffc990 0x7fffffffc990
rsp 0x7fffffffc7d8 0x7fffffffc7d8
r8 0x4100 16640
r9 0x1e7c660 31966816
r10 0x1 1
r11 0x0 0
r12 0x407320 4223776
r13 0x7fffffffd9e0 140737488345568
r14 0x0 0
r15 0x0 0
rip 0x1054171 0x1054171 <ff_put_pixels16_y2_sse2.loop+38>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) up
#1 0x0000000000af2657 in mpeg_motion_internal (mb_y=0, is_mpeg12=1, h=16, motion_y=1, motion_x=0, pix_op=0x1e923a0, ref_picture=0x1e7c660, field_select=1, bottom_field=0, field_based=0, dest_cr=0x1e728e0 "", dest_cb=0x1e86a20 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e91880)
    at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:357
357         pix_op[0][dxy](dest_y, ptr_y, linesize, h);
(gdb) print dest_y
$1 = (uint8_t *) 0x7ffff7fd7080 '\200' <repeats 16 times>
(gdb) print ptr_y
$2 = (uint8_t *) 0x7ffff05c1080 '\200' <repeats 200 times>...
(gdb) print linesize
$3 = 8320
(gdb) info args
mb_y = 0
is_mpeg12 = 1
h = 16
motion_y = 1
motion_x = 0
pix_op = 0x1e923a0
ref_picture = 0x1e7c660
field_select = 1
bottom_field = 0
field_based = 0
dest_cr = 0x1e728e0 ""
dest_cb = 0x1e86a20 ""
dest_y = 0x7ffff7fd7080 '\200' <repeats 16 times>
s = 0x1e91880
(gdb) info locals
ptr_y = 0x7ffff05c1080 '\200' <repeats 200 times>...
ptr_cr = 0x1eb19c0 '\200' <repeats 200 times>...
dxy = 2
src_y = 0
mx = 0
uvsrc_x = 0
uvlinesize = 4160
linesize = 8320
ptr_cb = 0x1ea9780 '\200' <repeats 200 times>...
uvdxy = 0
my = 0
src_x = 0
uvsrc_y = 0
v_edge_pos = 16
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4299#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
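The backtrace above stops in the vertical half-pel copy kernel (ff_put_pixels16_y2_sse2) with h=16, motion_y=1, src_y=0, dxy=2, linesize=8320 and v_edge_pos=16. The following C program is an added example, not part of the ticket and not FFmpeg's own code: it models the source-read footprint of such a kernel and the usual "does this block need an edge-emulated copy" test, then feeds it the ticket's values. The dxy convention (bit 0 = horizontal half-pel, bit 1 = vertical half-pel), the footprint model and the bounds test are assumptions written for this example; h_edge_pos is not shown in the ticket, so the value 4112 (the 4099-pixel width rounded up to a macroblock) is assumed as well.

```c
#include <stdio.h>

/* Added example: models the read footprint of an FFmpeg-style half-pel
 * (hpel) block copy such as ff_put_pixels16_y2_sse2 and the edge test that
 * should precede it.  Conventions below are assumptions for this example,
 * not FFmpeg's code. */

/* dxy derived from the MPEG motion vector (assumed: bit 1 from motion_y,
 * bit 0 from motion_x).  motion_x=0, motion_y=1 gives 2, which matches the
 * dxy shown by "info locals" in the ticket. */
int mpeg_hpel_dxy(int motion_x, int motion_y)
{
    return ((motion_y & 1) << 1) | (motion_x & 1);
}

/* Last source column read: a horizontal half-pel kernel averages column x
 * and x+1, so it touches w+1 columns. */
int hpel_last_col(int src_x, int w, int dxy)
{
    return src_x + w + (dxy & 1) - 1;
}

/* Last source row read: a vertical half-pel kernel (_y2) averages row y and
 * y+1, so it touches h+1 rows, not h. */
int hpel_last_row(int src_y, int h, int dxy)
{
    return src_y + h + ((dxy >> 1) & 1) - 1;
}

/* Offset of the last byte read, relative to the block's source pointer. */
long hpel_last_byte_offset(int w, int h, int dxy, int linesize)
{
    return (long)hpel_last_row(0, h, dxy) * linesize + hpel_last_col(0, w, dxy);
}

/* 1 if any part of the footprint lies outside [0,h_edge_pos) x [0,v_edge_pos),
 * i.e. the block must be served from an edge-emulated copy instead of being
 * read straight from the reference plane. */
int hpel_needs_emulated_edge(int src_x, int src_y, int w, int h, int dxy,
                             int h_edge_pos, int v_edge_pos)
{
    return src_x < 0 || src_y < 0 ||
           hpel_last_col(src_x, w, dxy) >= h_edge_pos ||
           hpel_last_row(src_y, h, dxy) >= v_edge_pos;
}

int main(void)
{
    /* Values from the backtrace: h=16, motion_x=0, motion_y=1, src_x=0,
     * src_y=0, linesize=8320, v_edge_pos=16.  h_edge_pos=4112 is assumed. */
    int h = 16, w = 16, src_x = 0, src_y = 0, linesize = 8320;
    int v_edge_pos = 16, h_edge_pos = 4112;
    int dxy = mpeg_hpel_dxy(0, 1);

    printf("dxy=%d last_row=%d last_col=%d last_byte_offset=%ld\n",
           dxy, hpel_last_row(src_y, h, dxy), hpel_last_col(src_x, w, dxy),
           hpel_last_byte_offset(w, h, dxy, linesize));
    printf("needs emulated edge: %d\n",
           hpel_needs_emulated_edge(src_x, src_y, w, h, dxy,
                                    h_edge_pos, v_edge_pos));
    return 0;
}
```

With the ticket's numbers the model reads rows 0..16, i.e. one row past v_edge_pos=16, and the last byte touched sits 16*8320+15 bytes past ptr_y, so the block falls on the edge-emulation side of the test. The ticket does not show why the kernel was still handed the raw reference pointer, so that is the first thing to check when triaging the crash.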