[issue2489] ffmpeg crashes on fuzzed 4xm file
Daniel Kang
2011-01-05 02:49:17 UTC
New submission from Daniel Kang <***@gmail.com>:

ffmpeg crashes on a fuzzed 4xm file. I believe the error is an invalid memory
read, but I cannot locate the bug. I have attached the file.

Here is the gdb run:
(gdb) r -i ../fuzzed.4xm -f null /dev/null
Starting program: /afs/csl.tjhsst.edu/students/2011/2011dkang/ffmpeg/ffmpeg_g -i
../fuzzed.4xm -f null /dev/null
[Thread debugging using libthread_db enabled]
FFmpeg version git-d9f239a, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 4 2011 21:45:12 with gcc 4.4.5
configuration: --enable-gpl --samples=../fate/fate-suite/
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.101. 0 / 52.101. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 2 / 52. 2. 2
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[4xm @ 0x11fa510] Estimating duration from bitrate, this may be inaccurate
Input #0, 4xm, from '../fuzzed.4xm':
Duration: 00:00:14.00, start: 0.000000, bitrate: 664 kb/s
Stream #0.0: Video: 4xm, rgb565le, 648x480, 1 tbr, 1 tbn, 1 tbc
Stream #0.1: Audio: adpcm_4xm, 22050 Hz, 2 channels, s16, 705 kb/s
[buffer @ 0x1203460] w:648 h:480 pixfmt:rgb565le
Output #0, null, to '/dev/null':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: rawvideo, rgb565le, 648x480, q=2-31, 200 kb/s, 90k tbn, 1 tbc
Stream #0.1: Audio: pcm_s16le, 22050 Hz, 2 channels, s16, 705 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Stream #0.1 -> #0.1
Press [q] to stop encoding

Program received signal SIGSEGV, Segmentation fault.
mcdc (f=<value optimized out>, dst=0x7ffff7f19010, src=0x287c, log2w=3,
log2h=<value optimized out>, stride=648) at libavcodec/4xm.c:309
309 LE_CENTRIC_MUL(dst, src, scale, dc);
(gdb) bt
#0 mcdc (f=<value optimized out>, dst=0x7ffff7f19010, src=0x287c, log2w=3,
log2h=<value optimized out>, stride=648) at libavcodec/4xm.c:309
#1 decode_p_block (f=<value optimized out>, dst=0x7ffff7f19010, src=0x287c,
log2w=3, log2h=<value optimized out>, stride=648) at libavcodec/4xm.c:336
#2 0x000000000084ab6f in decode_p_block (f=0x12132f0, dst=0x7ffff7f19010,
src=0x0, log2w=3, log2h=<value optimized out>, stride=<value optimized out>)
at libavcodec/4xm.c:339
#3 0x000000000084ab6f in decode_p_block (f=0x12132f0, dst=0x7ffff7f19010,
src=0x0, log2w=3, log2h=<value optimized out>, stride=<value optimized out>)
at libavcodec/4xm.c:339
#4 0x000000000084b419 in decode_p_frame (avctx=<value optimized out>,
data=<value optimized out>, data_size=<value optimized out>, avpkt=<value
optimized out>)
at libavcodec/4xm.c:411
#5 decode_frame (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/4xm.c:795
#6 0x0000000000754520 in avcodec_decode_video2 (avctx=0x11fd090,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc6fc, avpkt=0x7fffffffc640)
at libavcodec/utils.c:632
#7 0x00000000004336b9 in output_packet (ist=0x12032e0, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4a0)
at ffmpeg.c:1547
#8 0x00000000004354b7 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2640
#9 0x0000000000436423 in main (argc=6, argv=<value optimized out>) at ffmpeg.c:4360
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x84ad30 to 0x84ad70:
0x000000000084ad30 <decode_p_block+784>: shr $0xea,%eax
0x000000000084ad33 <decode_p_block+787>: idiv %edi
0x000000000084ad35 <decode_p_block+789>: ljmpq *<internal disassembler error>
0x000000000084ad37 <decode_p_block+791>: in $0xfe,%eax
0x000000000084ad39 <decode_p_block+793>: (bad)
0x000000000084ad3a <decode_p_block+794>: incl -0x2271f040(%rbp)
0x000000000084ad40 <decode_p_block+800>: (bad)
0x000000000084ad41 <decode_p_block+801>: (bad)
0x000000000084ad42 <decode_p_block+802>: decl 0x63(%rax)
0x000000000084ad45 <decode_p_block+805>: jl 0x84ad6b <decode_p_block+843>
0x000000000084ad47 <decode_p_block+807>: adc $0x31,%al
0x000000000084ad49 <decode_p_block+809>: (bad)
0x000000000084ad4a <decode_p_block+810>: xor %ebx,%ebx
0x000000000084ad4c <decode_p_block+812>: add %rdi,%rdi
0x000000000084ad4f <decode_p_block+815>: nop
0x000000000084ad50 <decode_p_block+816>: mov (%rcx,%rdx,1),%esi
0x000000000084ad53 <decode_p_block+819>: add $0x1,%ebx
0x000000000084ad56 <decode_p_block+822>: mov %esi,(%r12,%rdx,1)
0x000000000084ad5a <decode_p_block+826>: mov 0x4(%rcx,%rdx,1),%esi
0x000000000084ad5e <decode_p_block+830>: mov %esi,0x4(%r12,%rdx,1)
0x000000000084ad63 <decode_p_block+835>: mov 0x8(%rcx,%rdx,1),%esi
0x000000000084ad67 <decode_p_block+839>: mov %esi,0x8(%r12,%rdx,1)
0x000000000084ad6c <decode_p_block+844>: mov 0xc(%rcx,%rdx,1),%esi
End of assembler dump.
(gdb) info all-registers
rax 0x2 2
rbx 0x0 0
rcx 0x287c 10364
rdx 0x0 0
rsi 0x0 0
rdi 0x510 1296
rbp 0x3 0x3
rsp 0x7fffffffbf50 0x7fffffffbf50
r8 0x8 8
r9 0x288 648
r10 0x0 0
r11 0x7ffff7f19010 140737353191440
r12 0x7ffff7f19010 140737353191440
r13 0x0 0
r14 0x1 1
r15 0x3 3
rip 0x84ad50 0x84ad50 <decode_p_block+816>
eflags 0x10212 [ AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x000000034) (raw 0xffff0000000000000034)
st1 -nan(0x00000000c) (raw 0xffff000000000000000c)
st2 -inf (raw 0xffff0000000000000000)
st3 -nan(0x10000000000000) (raw 0xffff0010000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 -nan(0xa000000000000000) (raw 0xffffa000000000000000)
st7 -nan(0x000000001) (raw 0xffff0000000000000001)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x80 <repeats 16 times>}, v8_int16 = {0x8080, 0x8080, 0x8080, 0x8080, 0x8080, 0x8080, 0x8080, 0x8080}, v4_int32 = {0x80808080, 0x80808080, 0x80808080, 0x80808080}, v2_int64 = {0x8080808080808080, 0x8080808080808080}, uint128 = 0x80808080808080808080808080808080}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x28, 0x58, 0xa7, 0x7b, 0x3b, 0x4d, 0xe7, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x5828, 0x7ba7, 0x4d3b, 0x3ee7, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x7ba75828, 0x3ee74d3b, 0x0, 0x0}, v2_int64 = {0x3ee74d3b7ba75828, 0x0}, uint128 = 0x00000000000000003ee74d3b7ba75828}
xmm3 {v4_float = {0x0, 0x7, 0x0, 0x0}, v2_double = {0x15f90, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xf9, 0xf5, 0x40, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0xf900, 0x40f5, 0xff00, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x40f5f900, 0xff00, 0x0}, v2_int64 = {0x40f5f90000000000, 0xff00}, uint128 = 0x000000000000ff0040f5f90000000000}
xmm4 {v4_float = {0x0, 0x0, 0x3081e400, 0x0}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x65, 0x0, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x79, 0x20, 0x4c, 0x50, 0x43, 0x20, 0x61, 0x6c}, v8_int16 = {0x65, 0x7073, 0x6365, 0x6669, 0x2079, 0x504c, 0x2043, 0x6c61}, v4_int32 = {0x70730065, 0x66696365, 0x504c2079, 0x6c612043}, v2_int64 = {0x6669636570730065, 0x6c612043504c2079}, uint128 = 0x6c612043504c20796669636570730065}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0}, uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0}, v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 0x0}, uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0}, uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double = {0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0}, uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0}, uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = {0xbd8feaf25065a26a, 0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 0x0}, uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 0x0}, uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0}, v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 0x0}, uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
File '4xm_crash.4xm' not attached - you can download it from https://roundup.ffmpeg.org/file1261.

----------
files: 4xm_crash.4xm
messages: 13212
priority: normal
status: open
substatus: open
title: ffmpeg crashes on fuzzed 4xm file
type: bug

________________________________________________
FFmpeg issue tracker <***@roundup.ffmpeg.org>
<https://roundup.ffmpeg.org/issue2489>
________________________________________________
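The reporter's gdb output already pins the fault down, even though the disassembly is misleading: `disass $pc-32` starts decoding in the middle of an instruction, which is why gdb prints `(bad)` and `<internal disassembler error>` for the bytes before `$pc`. The instruction at `$pc` itself, `mov (%rcx,%rdx,1),%esi`, is a 4-byte load with `%rcx = 0x287c` and `%rdx = 0`, the same `src=0x287c` shown for `mcdc`, and Carl's valgrind run in the next message reports exactly that as an invalid read of size 4 at 0x287c. A value like 0x287c in a pointer register is an offset, not an address, and the enclosing `decode_p_block` frames show `src=0x0`, which is consistent with a block displacement taken from the fuzzed bitstream being added to a reference frame pointer that is NULL or otherwise not valid. The thread does not state the root cause, so the C below is an added example and not code from libavcodec/4xm.c: a simplified model of a motion-compensated P-block copy, with the unchecked pointer arithmetic beside a checked version that refuses to read unless a reference frame exists and both the destination block and the displaced source block lie inside the frame. Everything in it is assumed for illustration: 16-bit pixels as in rgb565le, stride equal to the 648x480 frame width from the report, 8x8 blocks matching `log2w=3`, a plain copy in place of the real decoder's `LE_CENTRIC_MUL`, and constructed function names, vector list and pixel pattern.

```c
/*
 * Added example (not code from FFmpeg's libavcodec/4xm.c): a minimal model of
 * the motion-compensated P-block copy that crashed in this report, with the
 * checks a hardened decoder makes before touching the reference frame.
 *
 * Assumptions, all constructed for this example:
 *  - 16-bit pixels (as in rgb565le) in a W x H frame with stride == W,
 *  - 8x8 blocks (log2w = 3 in the backtrace), plain copy instead of the
 *    real decoder's LE_CENTRIC_MUL scaling,
 *  - mx/my are pixel displacements that come straight from the bitstream.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define W 648
#define H 480
#define BLOCK 8

/* Before: the pointer arithmetic with no validation. Returns the element
 * offset that src would be moved by; added to a NULL reference frame this
 * yields exactly the kind of small non-address (cf. 0x287c) seen in the crash. */
static ptrdiff_t unchecked_src_offset(int x, int y, int mx, int my)
{
    return (ptrdiff_t)(y + my) * W + (x + mx);
}

/* After: refuse to touch memory unless (1) a reference frame exists and
 * (2) both the destination block and the displaced source block lie fully
 * inside the frame. Returns 1 after copying, 0 if the block was rejected. */
static int mc_block_checked(uint16_t *cur, const uint16_t *ref,
                            int x, int y, int mx, int my)
{
    int sx = x + mx, sy = y + my;

    if (!ref || !cur)
        return 0;                         /* P-block before any keyframe */
    if (x < 0 || y < 0 || x > W - BLOCK || y > H - BLOCK)
        return 0;                         /* destination block off the frame */
    if (sx < 0 || sy < 0 || sx > W - BLOCK || sy > H - BLOCK)
        return 0;                         /* source block off the frame */

    for (int r = 0; r < BLOCK; r++)
        memcpy(cur + (size_t)(y + r) * W + x,
               ref + (size_t)(sy + r) * W + sx,
               BLOCK * sizeof *cur);
    return 1;
}

/* Constructed vector list: two legal blocks, three fuzzed ones, plus one
 * call with no reference frame at all. Returns how many were accepted. */
static int demo_accepted_blocks(void)
{
    static uint16_t ref[W * H], cur[W * H];
    static const struct { int x, y, mx, my; } vec[] = {
        {   0,   0,     0,     0 },  /* legal */
        {   8,   8,    -8,    -8 },  /* legal: source block at (0,0) */
        {   0,   0, -1000,     0 },  /* source column negative */
        { 640, 472,     1,     0 },  /* source block runs past the right edge */
        {   0,   0,     0, 10000 },  /* source rows far below the frame */
    };
    int accepted = 0;

    for (size_t i = 0; i < sizeof vec / sizeof vec[0]; i++)
        accepted += mc_block_checked(cur, ref, vec[i].x, vec[i].y,
                                     vec[i].mx, vec[i].my);
    accepted += mc_block_checked(cur, NULL, 0, 0, 0, 0); /* no keyframe yet */
    return accepted;
}

/* Fills the reference frame with a recognisable pattern, copies one block
 * through the checked path and verifies the destination. Returns 1 if the
 * copy landed where it should, 0 otherwise. */
static int demo_copy_is_correct(void)
{
    static uint16_t ref[W * H], cur[W * H];

    for (size_t i = 0; i < (size_t)W * H; i++)
        ref[i] = (uint16_t)i;
    memset(cur, 0, sizeof cur);
    if (!mc_block_checked(cur, ref, 16, 16, -8, -8))
        return 0;
    for (int r = 0; r < BLOCK; r++)
        for (int c = 0; c < BLOCK; c++)
            if (cur[(16 + r) * W + 16 + c] != ref[(8 + r) * W + 8 + c])
                return 0;
    return 1;
}

int main(void)
{
    printf("unchecked offset for mx=-1000: %td\n",
           unchecked_src_offset(0, 0, -1000, 0));
    printf("unchecked offset for my=10000: %td (frame has %d elements)\n",
           unchecked_src_offset(0, 0, 0, 10000), W * H);
    printf("accepted blocks: %d of 6\n", demo_accepted_blocks());
    printf("checked copy correct: %d\n", demo_copy_is_correct());
    return 0;
}
```

The order of the checks matters: the NULL test has to come first, because a decoder that validates the displacement but still dereferences a missing reference frame fails in the same way as one that validates nothing. In a real decoder the bound is the allocated picture buffer (linesize times height), not the nominal width times height, and the whole block, not just its first pixel, has to be inside it, which is why the comparisons use `W - BLOCK` and `H - BLOCK` rather than `W` and `H`.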
Carl Eugen Hoyos
2011-01-05 13:29:51 UTC
Carl Eugen Hoyos <***@rainbow.studorg.tuwien.ac.at> added the comment:

FFmpeg version SVN-r26223, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 5 2011 14:28:21 with gcc 4.3.2 [gcc-4_3-branch revision 141291]
configuration:
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.102. 0 / 52.102. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 2 / 52. 2. 2
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
==12486== Warning: set address range perms: large range 536887784 (undefined)
[4xm @ 0x438a780] Estimating duration from bitrate, this may be inaccurate
Input #0, 4xm, from '4xm_crash.4xm':
Duration: 00:00:14.00, start: 0.000000, bitrate: 664 kb/s
Stream #0.0: Video: 4xm, rgb565le, 648x480, 1 tbr, 1 tbn, 1 tbc
Stream #0.1: Audio: adpcm_4xm, 22050 Hz, 2 channels, s16, 705 kb/s
[buffer @ 0x43aee30] w:648 h:480 pixfmt:rgb565le
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: rawvideo, rgb565le, 648x480, q=2-31, 200 kb/s, 90k tbn, 1 tbc
Stream #0.1: Audio: pcm_s16le, 22050 Hz, 2 channels, s16, 705 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Stream #0.1 -> #0.1
Press [q] to stop encoding
==12486== Invalid read of size 4
==12486== at 0x8471E00: decode_p_block (4xm.c:309)
==12486== Address 0x287c is not stack'd, malloc'd or (recently) free'd
==12486==
==12486== Process terminating with default action of signal 11 (SIGSEGV)
==12486== Access not within mapped region at address 0x287C
==12486== at 0x8471E00: decode_p_block (4xm.c:309)

----------
priority: normal -> important
substatus: open -> reproduced

Anton Khirnov
2011-04-01 08:22:04 UTC
Anton Khirnov <***@khirnov.net> added the comment:

fixed in 013291501fac5162e93bbcc9783e5e25d9cd2ab3

----------
status: open -> closed
substatus: reproduced -> fixed

______________________________________________
Libav issue tracker <***@roundup.libav.org>
<https://roundup.libav.org/issue2489>
______________________________________________
