[FFmpeg-trac] #4299(avcodec:new): mpeg2: crash with fuzzed file
FFmpeg
trac at avcodec.org
Tue Feb 10 21:19:27 CET 2015
#4299: mpeg2: crash with fuzzed file
------------------------------------+-----------------------------------
Reporter: tholin | Owner:
Type: defect | Status: new
Priority: normal | Component: avcodec
Version: git-master | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by tholin):
I can trigger the crash on several of my systems but if I build with ASan
or without pthreads it won't crash. The crashes seem to be random and I
guess it's dependent on the precise layout of the address space. I did
some more fuzzing with the previous file as input and got some files with
valgrind warnings. I add them too.
{{{
$ valgrind ./ffmpeg -v 9 -loglevel 99 -i ~/fuzz/ffmpeg_mpeg2_crash2.mpg -f null -
==27304== Memcheck, a memory error detector
==27304== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==27304== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==27304== Command: ./ffmpeg -v 9 -loglevel 99 -i /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg -f null -
==27304==
ffmpeg version N-69683-g8b77c4d Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
  configuration: --enable-debug=gdb --disable-optimizations --disable-stripping
  libavutil      54. 18.100 / 54. 18.100
  libavcodec     56. 21.102 / 56. 21.102
  libavformat    56. 19.100 / 56. 19.100
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5.  9.104 /  5.  9.104
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument '/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg'.
Reading option '-f' ... matched as option 'f' (force format) with argument 'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg.
Successfully parsed a group of options.
Opening an input file: /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg.
[mpegvideo @ 0x7e48da0] Format mpegvideo probed with size=2048 and score=51
[mpegvideo @ 0x7e48da0] Before avformat_find_stream_info() pos: 0 bytes read:122 seeks:0
[mpeg1video @ 0x7e5af40] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpegvideo @ 0x7e48da0] Estimating duration from bitrate, this may be inaccurate
[mpegvideo @ 0x7e48da0] After avformat_find_stream_info() pos: 122 bytes read:122 seeks:0 frames:2
Input #0, mpegvideo, from '/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg':
  Duration: 00:00:00.00, bitrate: 19918 kb/s
    Stream #0:0, 2, 1/1200000: Video: mpeg2video (Main), yuv420p(tv, center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/24000, 19737 kb/s, 11.99 tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
detected 8 logical cores
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'video_size' to value '4099x12'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'pixel_aspect' to value '64/12297'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'frame_rate' to value '24000/2002'
[graph 0 input from stream 0:0 @ 0x7e76ec0] w:4099 h:12 pixfmt:yuv420p tb:1/1200000 fr:24000/2002 sar:64/12297 sws_param:flags=2
[AVFilterGraph @ 0x7e75000] query_formats: 3 queried, 2 merged, 0 already done, 0 delayed
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.19.100
    Stream #0:0, 0, 1001/12000: Video: rawvideo (I420 / 0x30323449), yuv420p(center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/12000, q=2-31, 200 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
    Metadata:
      encoder         : Lavc56.21.102 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[mpeg2video @ 0x7e6ffe0] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg2video @ 0x7e6ffe0] Missing picture start code, guessing missing values
[mpeg2video @ 0x7e6ffe0] Missing picture start code
[mpeg2video @ 0x7e6ffe0] warning: first frame is no keyframe
==27304== Invalid read of size 16
==27304==    at 0x1036F9C: ??? (hpeldsp.asm:480)
==27304==    by 0xACDBA4: mpv_motion_internal (mpegvideo_motion.c:951)
==27304==    by 0xACDBA4: ff_mpv_motion (mpegvideo_motion.c:981)
==27304==    by 0xAA5536: mpv_decode_mb_internal (mpegvideo.c:3153)
==27304==    by 0xAA5536: ff_mpv_decode_mb (mpegvideo.c:3287)
==27304==    by 0xA57B76: mpeg_decode_slice (mpeg12dec.c:1879)
==27304==    by 0xA5A8CC: decode_chunks (mpeg12dec.c:2710)
==27304==    by 0xA5AC6F: mpeg_decode_frame (mpeg12dec.c:2787)
==27304==    by 0xBFF2F9: avcodec_decode_video2 (utils.c:2372)
==27304==    by 0x4248A3: decode_video (ffmpeg.c:1958)
==27304==    by 0x425A09: process_input_packet (ffmpeg.c:2206)
==27304==    by 0x42C2B6: process_input (ffmpeg.c:3696)
==27304==    by 0x42C63F: transcode_step (ffmpeg.c:3790)
==27304==    by 0x42C74F: transcode (ffmpeg.c:3842)
==27304==  Address 0x80ae6d0 is 1 bytes after a block of size 133,167 alloc'd
==27304==    at 0x4C2B560: memalign (vg_replace_malloc.c:760)
==27304==    by 0x4C2B677: posix_memalign (vg_replace_malloc.c:913)
==27304==    by 0x11BBAFB: av_malloc (mem.c:95)
==27304==    by 0x11AC9FC: av_buffer_alloc (buffer.c:71)
==27304==    by 0x11ACA61: av_buffer_allocz (buffer.c:84)
==27304==    by 0x11AD099: pool_alloc_buffer (buffer.c:330)
==27304==    by 0x11AD1C7: av_buffer_pool_get (buffer.c:394)
==27304==    by 0xBFA098: video_get_buffer (utils.c:670)
==27304==    by 0xBFA3F2: avcodec_default_get_buffer2 (utils.c:730)
==27304==    by 0x42648F: get_buffer (ffmpeg.c:2380)
==27304==    by 0xBFB012: get_buffer_internal (utils.c:1019)
==27304==    by 0xBFB07E: ff_get_buffer (utils.c:1032)
==27304==
[mpeg2video @ 0x7e6ffe0] invalid cbp -1 at 58 1
[output stream 0:0 @ 0x7e78d40] EOF on sink link output stream 0:0:default.
No more output streams to write to, finishing.
frame=    1 fps=0.0 q=0.0 Lsize=N/A time=00:00:00.16 bitrate=N/A
video:0kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
Input file #0 (/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg):
  Input stream #0:0 (video): 2 packets read (122 bytes); 1 frames decoded;
  Total: 2 packets (122 bytes) demuxed
Output file #0 (pipe:):
  Output stream #0:0 (video): 0 frames encoded; 1 packets muxed (96 bytes);
  Total: 1 packets (96 bytes) muxed
3 frames successfully decoded, 0 decoding errors
[AVIOContext @ 0x7e51ae0] Statistics: 122 bytes read, 0 seeks
==27304==
==27304== HEAP SUMMARY:
==27304==     in use at exit: 80 bytes in 2 blocks
==27304==   total heap usage: 1,171 allocs, 1,169 frees, 2,624,803 bytes allocated
==27304==
==27304== LEAK SUMMARY:
==27304==    definitely lost: 0 bytes in 0 blocks
==27304==    indirectly lost: 0 bytes in 0 blocks
==27304==      possibly lost: 0 bytes in 0 blocks
==27304==    still reachable: 80 bytes in 2 blocks
==27304==         suppressed: 0 bytes in 0 blocks
==27304== Rerun with --leak-check=full to see details of leaked memory
==27304==
==27304== For counts of detected and suppressed errors, rerun with: -v
==27304== ERROR SUMMARY: 15 errors from 1 contexts (suppressed: 0 from 0)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4299#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list
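The valgrind report above is a 16-byte read from a half-pel motion-compensation routine (hpeldsp) landing one byte past a 133,167-byte frame-pool buffer for a 4099x12 stream. The following is an added illustration, not FFmpeg code and not a diagnosis of this ticket's root cause: it models the access pattern of a 16x16 half-pel block fetch against a padded luma plane, once with no bounds handling and once with edge emulation (copying the source window through clamped coordinates before filtering, the usual way decoders handle vectors that point outside the picture). The plane geometry is an assumption chosen so the buffer size matches the report: a 4099-pixel width padded to a 4160-byte stride, 12 rows padded to 32, plus 47 bytes of alignment slack. The function names, the constructed pixel pattern and the out-of-bounds counter (which stands in for valgrind) are all mine.

```c
/*
 * Added example, not FFmpeg code: a toy 16x16 half-pel motion-compensated
 * fetch from a padded luma plane, unchecked vs. edge-emulated.
 * Plane geometry is an assumption chosen to reproduce the 133,167-byte block
 * in the valgrind report: stride 4160, 32 padded rows, 47 bytes of slack.
 */
#include <stdint.h>
#include <stdio.h>

#define PIC_W    4099   /* coded width from the report */
#define PIC_H    12     /* coded height from the report */
#define BLOCK    16     /* luma macroblock size */
#define STRIDE   4160   /* assumed padded linesize (4099 rounded up for 32-byte alignment) */
#define PLANE_H  32     /* assumed padded plane height */
#define SLACK    47     /* assumed alignment slack (16 + 32 - 1) */
#define PLANE_BYTES ((long)STRIDE * PLANE_H + SLACK)   /* 133,167 as in the report */

static uint8_t plane[PLANE_BYTES];   /* constructed reference plane */
static int oob_reads;                /* counter standing in for valgrind */

long plane_bytes(void) { return PLANE_BYTES; }

/* Every reference read goes through here so out-of-bounds accesses are counted
 * instead of dereferenced; a real DSP routine would simply load the bytes. */
static uint8_t rd(long off)
{
    if (off < 0 || off >= PLANE_BYTES) { oob_reads++; return 0; }
    return plane[off];
}

static void fill_plane(void)
{
    for (long i = 0; i < PLANE_BYTES; i++)
        plane[i] = (uint8_t)(i * 31 + 7);      /* constructed pixel pattern */
}

/* Unchecked fetch: the half-pel filter averages (x,y), (x+1,y), (x,y+1), (x+1,y+1),
 * so the block touches column x+16 and row y+16. A block whose vector points at
 * the bottom of the padded plane therefore reads past the allocation.
 * Returns the number of reads that fell outside the plane. */
int unchecked_oob_reads(int x, int y)
{
    uint8_t dst[BLOCK * BLOCK];
    fill_plane();
    oob_reads = 0;
    for (int j = 0; j < BLOCK; j++)
        for (int i = 0; i < BLOCK; i++) {
            long o = (long)(y + j) * STRIDE + x + i;
            dst[j * BLOCK + i] = (uint8_t)((rd(o) + rd(o + 1) +
                                            rd(o + STRIDE) + rd(o + STRIDE + 1) + 2) >> 2);
        }
    (void)dst;
    return oob_reads;
}

static int clampi(int v, int lo, int hi) { return v < lo ? lo : (v > hi ? hi : v); }

/* Edge-emulated fetch: copy the 17x17 source window into a temporary buffer,
 * clamping every coordinate to the coded picture, then filter from the copy.
 * Returns the number of reads that fell outside the plane (expected 0). */
int emulated_oob_reads(int x, int y)
{
    uint8_t tmp[(BLOCK + 1) * (BLOCK + 1)], dst[BLOCK * BLOCK];
    fill_plane();
    oob_reads = 0;
    for (int j = 0; j <= BLOCK; j++)
        for (int i = 0; i <= BLOCK; i++)
            tmp[j * (BLOCK + 1) + i] = rd((long)clampi(y + j, 0, PIC_H - 1) * STRIDE
                                          + clampi(x + i, 0, PIC_W - 1));
    for (int j = 0; j < BLOCK; j++)
        for (int i = 0; i < BLOCK; i++) {
            const uint8_t *p = tmp + j * (BLOCK + 1) + i;
            dst[j * BLOCK + i] = (uint8_t)((p[0] + p[1] + p[BLOCK + 1] + p[BLOCK + 2] + 2) >> 2);
        }
    (void)dst;
    return oob_reads;
}

int main(void)
{
    printf("plane bytes: %ld\n", plane_bytes());
    printf("block at (4096,16) unchecked: %d reads outside the plane\n",
           unchecked_oob_reads(4096, 16));
    printf("block at (4096,16) emulated:  %d reads outside the plane\n",
           emulated_oob_reads(4096, 16));
    return 0;
}
```

With these assumed sizes the block at (4096,16) is the last macroblock column in the second macroblock row: its 16 rows fit inside the 32 padded rows, but the extra row the half-pel filter needs is row 32, so every read of that row lands beyond the allocation; the emulated variant never reads outside the coded 4099x12 picture. The point for triage is that a 12-row picture is shorter than a single macroblock, so any vertical vector at all forces the decoder onto its padding or edge-emulation path, which is where an unchecked read shows up as exactly this kind of valgrind error.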