[issue2524] ffmpeg crashes on nuv files
Daniel Kang
2011-01-10 02:55:53 UTC
New submission from Daniel Kang <***@gmail.com>:

When ffmpeg decodes nuv files, decode_init sets c->decomp_buf to NULL.
This is fine in most cases, but if the buffer is never allocated afterwards (e.g. for a
video with a corrupted header), ffmpeg dereferences the NULL pointer when it later
tries to access the buffer and crashes. The attached patch adds a check for this.

gdb run:
(gdb) r -i ../fuzzed.nuv del.mkv
Starting program: /afs/csl.tjhsst.edu/students/2011/2011dkang/ffmpeg/ffmpeg_g -i
../fuzzed.nuv del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-a4f63cd, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 9 2011 20:25:23 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.108. 0 / 52.108. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[NULL @ 0x1204eb0] [IMGUTILS @ 0x7fffffffd0c0] Picture size 1073742464x480 is
invalid
[NULL @ 0x1204eb0] ignoring invalid width/height values

Program received signal SIGSEGV, Segmentation fault.
copy (out=0x0, outlen=0x7fffffffd09c, in=<value optimized out>, inlen=<value
optimized out>) at /usr/include/bits/string3.h:52
52 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0 copy (out=0x0, outlen=0x7fffffffd09c, in=<value optimized out>, inlen=<value
optimized out>) at /usr/include/bits/string3.h:52
#1 av_lzo1x_decode (out=0x0, outlen=0x7fffffffd09c, in=<value optimized out>,
inlen=<value optimized out>) at libavutil/lzo.c:214
#2 0x00000000006bde5d in decode_frame (avctx=0x1204eb0, data=<value optimized
out>, data_size=<value optimized out>, avpkt=<value optimized out>)
at libavcodec/nuv.c:181
#3 0x0000000000758848 in avcodec_decode_video2 (avctx=0x1204eb0,
picture=0x7fffffffd150, got_picture_ptr=0x7fffffffd43c, avpkt=0x120af20) at
libavcodec/utils.c:637
#4 0x00000000004d7a50 in try_decode_frame (ic=0x1202510) at
libavformat/utils.c:2080
#5 av_find_stream_info (ic=0x1202510) at libavformat/utils.c:2361
#6 0x000000000043175b in opt_input_file (filename=0x7fffffffdafe
"../fuzzed.nuv") at ffmpeg.c:3214
#7 0x000000000043b91c in parse_options (argc=4, argv=0x7fffffffd758,
options=<value optimized out>, parse_arg_function=0x438330 <opt_output_file>) at
cmdutils.c:208
#8 0x0000000000437922 in main (argc=4, argv=0x7fffffffd758) at ffmpeg.c:4345
(gdb) disass $pc-32 $pc+32
A syntax error in expression, near `$pc+32'.
(gdb) info all-registers
rax 0xfffffffc 4294967292
rbx 0x12196d1 18978513
rcx 0x0 0
rdx 0x120010 1179664
rsi 0x7fffffffd09c 140737488343196
rdi 0x0 0
rbp 0x0 0x0
rsp 0x7fffffffcfa0 0x7fffffffcfa0
r8 0xcb4e40 13323840
r9 0x101010101010101 72340172838076673
r10 0x0 0
r11 0x0 0
r12 0x0 0
r13 0xfffffffffffffffc -4
r14 0x2 2
r15 0x8f74 36724
rip 0x92181b 0x92181b <av_lzo1x_decode+395>
eflags 0x10216 [ PF AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x84eec800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x4e, 0xc4, 0x5e, 0xd0, 0x8f, 0x78, 0x60, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xc44e, 0xd05e, 0x788f, 0x3f60, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xd05ec44e, 0x3f60788f, 0x0, 0x0}, v2_int64 = {0x3f60788fd05ec44e,
0x0}, uint128 = 0x00000000000000003f60788fd05ec44e}
---Type <return> to continue, or q <return> to quit---
xmm1 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xa4, 0xba, 0x93, 0x62, 0x5a, 0xae, 0x91, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xbaa4, 0x6293, 0xae5a, 0x3f91, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6293baa4, 0x3f91ae5a, 0x0, 0x0}, v2_int64 = {0x3f91ae5a6293baa4, 0x0},
uint128 = 0x00000000000000003f91ae5a6293baa4}
xmm2 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x1b, 0x2f, 0xdd, 0x24, 0x6, 0x81, 0xb5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x2f1b, 0x24dd, 0x8106, 0x3fb5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x24dd2f1b, 0x3fb58106, 0x0, 0x0}, v2_int64 = {0x3fb5810624dd2f1b, 0x0},
uint128 = 0x00000000000000003fb5810624dd2f1b}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff,
0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0xff, 0x0, 0xff00, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xff0000, 0xff000000, 0x0, 0x0}, v2_int64 = {0xff00000000ff0000, 0x0},
uint128 = 0x0000000000000000ff00000000ff0000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54,
0x72, 0x69, 0x65,
0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569,
0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 = {0x73,
0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 0x0},
uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = {0xbd8feaf25065a26a,
0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 0x0},
uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 0x0},
uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
---Type <return> to continue, or q <return> to quit---
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]

----------
files: nuv_null_pointer_check.diff
messages: 13333
priority: normal
status: open
substatus: open
title: ffmpeg crashes on nuv files
type: bug

________________________________________________
FFmpeg issue tracker <***@roundup.ffmpeg.org>
<https://roundup.ffmpeg.org/issue2524>
________________________________________________
Daniel Kang
2011-01-10 03:04:35 UTC
Daniel Kang <***@gmail.com> added the comment:

I have uploaded a sample to /MPlayer/incoming/nuv_null_pointer_2524.

________________________________________________
FFmpeg issue tracker <***@roundup.ffmpeg.org>
<https://roundup.ffmpeg.org/issue2524>
________________________________________________
Carl Eugen Hoyos
2011-01-14 10:49:31 UTC
Carl Eugen Hoyos <***@rainbow.studorg.tuwien.ac.at> added the comment:

First 50k moved to /samples/ffmpeg-bugs/roundup/issue2524

----------
priority: normal -> important
substatus: open -> reproduced
topic: +avcodec

________________________________________________
FFmpeg issue tracker <***@roundup.ffmpeg.org>
<https://roundup.ffmpeg.org/issue2524>
________________________________________________
Anton Khirnov
2011-04-01 08:13:18 UTC
Anton Khirnov <***@khirnov.net> added the comment:

fixed in 4be170c9371dfd3ae07a348b449002fc1d2b70e4

----------
status: open -> closed
substatus: reproduced -> fixed
topic: -avcodec

______________________________________________
Libav issue tracker <***@roundup.libav.org>
<https://roundup.libav.org/issue2524>
______________________________________________
