New submission from Daniel Kang <daniel.d.k...@gmail.com>: When ffmpeg encounters an interplay video with an invalid decode opcode, it attempts to decode it using that opcode. When the opcode is invalid, ffmpeg attempts to access a null pointer. The patch attached adds a check for this.
gdb run:

(gdb) r -i ../fuzzed.mve -f null /dev/null
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.mve -f null /dev/null
[Thread debugging using libthread_db enabled]
FFmpeg version git-294ac5d, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan 9 2011 16:01:12 with gcc 4.4.5
  configuration: --enable-gpl
  libavutil    50.36. 0 / 50.36. 0
  libavcore     0.16. 0 /  0.16. 0
  libavcodec   52.108. 0 / 52.108. 0
  libavformat  52.92. 0 / 52.92. 0
  libavdevice  52. 2. 3 / 52. 2. 3
  libavfilter   1.72. 0 /  1.72. 0
  libswscale    0.12. 0 /  0.12. 0
[ipmovie @ 0x1202510] Estimating duration from bitrate, this may be inaccurate
Input #0, ipmovie, from '../fuzzed.mve':
  Duration: 00:00:11.88, bitrate: 705 kb/s
    Stream #0.0: Video: interplayvideo, rgb555le, 640x320, 1000k tbr, 1000k tbn, 1000k tbc
    Stream #0.1: Audio: interplay_dpcm, 44100 Hz, 2 channels, s16, 705 kb/s
[buffer @ 0x1209a80] w:640 h:320 pixfmt:rgb555le
Output #0, null, to '/dev/null':
  Metadata:
    encoder         : Lavf52.92.0
    Stream #0.0: Video: rawvideo, rgb555le, 640x320, q=2-31, 200 kb/s, 90k tbn, 1000k tbc
    Stream #0.1: Audio: pcm_s16le, 44100 Hz, 2 channels, s16, 1411 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding

Program received signal SIGSEGV, Segmentation fault.
0x00000000007d0627 in put_pixels16_sse2 (block=0x7ffff7e15770 "\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200"..., pixels=0x5760 <Address 0x5760 out of bounds>, line_size=<value optimized out>, h=8) at libavcodec/x86/dsputil_mmx.c:453
453         __asm__ volatile(
(gdb) bt
#0  0x00000000007d0627 in put_pixels16_sse2 (block=0x7ffff7e15770 "\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200"..., pixels=0x5760 <Address 0x5760 out of bounds>, line_size=<value optimized out>, h=8) at libavcodec/x86/dsputil_mmx.c:453
#1  0x000000000062165f in copy_from (s=0xfc0) at libavcodec/interplayvideo.c:102
#2  ipvideo_decode_block_opcode_0x1 (s=0xfc0) at libavcodec/interplayvideo.c:114
#3  0x000000000061fac4 in ipvideo_decode_opcodes (avctx=0x1205330, data=<value optimized out>, data_size=0x7fffffffc6fc, avpkt=<value optimized out>) at libavcodec/interplayvideo.c:999
#4  ipvideo_decode_frame (avctx=0x1205330, data=<value optimized out>, data_size=0x7fffffffc6fc, avpkt=<value optimized out>) at libavcodec/interplayvideo.c:1062
#5  0x00000000007586f8 in avcodec_decode_video2 (avctx=0x1205330, picture=0x7fffffffc4b0, got_picture_ptr=0x7fffffffc6fc, avpkt=0x7fffffffc640) at libavcodec/utils.c:637
#6  0x0000000000434c09 in output_packet (ist=0x1209900, ist_index=0, ost_table=<value optimized out>, nb_ostreams=<value optimized out>, pkt=0x7fffffffd4a0) at ffmpeg.c:1550
#7  0x0000000000436a07 in transcode (nb_output_files=<value optimized out>, nb_input_files=<value optimized out>, stream_maps=<value optimized out>, nb_stream_maps=<value optimized out>, input_files=<value optimized out>, output_files=<value optimized out>) at ffmpeg.c:2643
#8  0x0000000000437973 in main (argc=6, argv=<value optimized out>) at ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
A syntax error in expression, near `$pc+32'.
(gdb) info all-registers
rax            0xfc0    4032
rbx            0x1213660        18953824
rcx            0x8      8
rdx            0x540    1344
rsi            0x5760   22368
rdi            0x7ffff7e15770   140737352128368
rbp            0x1205330        0x1205330
rsp            0x7fffffffc1f8   0x7fffffffc1f8
r8             0x0      0
r9             0x0      0
r10            0x538    1336
r11            0xffffffffffffd608       -10744
r12            0x1f50   8016
r13            0x7fffffffc6fc   140737488340732
r14            0x1b0    432
r15            0x358    856
rip            0x7d0627 0x7d0627 <put_pixels16_sse2+7>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            -nan(0x000000036)        (raw 0xffff0000000000000036)
st1            -nan(0x00000000a)        (raw 0xffff000000000000000a)
st2            -inf     (raw 0xffff0000000000000000)
st3            -nan(0xfa00000000000000) (raw 0xfffffa00000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            -nan(0xfa00000000000000) (raw 0xfffffa00000000000000)
st7            -inf     (raw 0xffff0000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x80 <repeats 16 times>}, v8_int16 = {0x8080, 0x8080, 0x8080, 0x8080, 0x8080, 0x8080, 0x8080, 0x8080}, v4_int32 = {0x80808080, 0x80808080, 0x80808080, 0x80808080}, v2_int64 = {0x8080808080808080, 0x8080808080808080}, uint128 = 0x80808080808080808080808080808080}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x28, 0x58, 0xa7, 0x7b, 0x3b, 0x4d, 0xe7, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x5828, 0x7ba7, 0x4d3b, 0x3ee7, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x7ba75828, 0x3ee74d3b, 0x0, 0x0}, v2_int64 = {0x3ee74d3b7ba75828, 0x0}, uint128 = 0x00000000000000003ee74d3b7ba75828}
xmm3           {v4_float = {0x0, 0x7, 0x0, 0x0}, v2_double = {0x15f90, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xf9, 0xf5, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0}, v8_int16 = {0x0, 0x0, 0xf900, 0x40f5, 0x0, 0x0, 0x0, 0xff}, v4_int32 = {0x0, 0x40f5f900, 0x0, 0xff0000}, v2_int64 = {0x40f5f90000000000, 0xff000000000000}, uint128 = 0x00ff00000000000040f5f90000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54, 0x72, 0x69, 0x65, 0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569, 0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 = {0x73, 0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073}
xmm5           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0}, uint128 = 0x00000000000000003fe79c95e0000000}
xmm6           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0}, v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 0x0}, uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0}, uint128 = 0x00000000000000003bbcc86800000000}
xmm8           {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double = {0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0}, uint128 = 0x00000000000000003ff0000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0}, uint128 = 0x00000000000000003ed6592484460000}
xmm11          {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = {0xbd8feaf25065a26a, 0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 0x0}, uint128 = 0x00000000000000003ede49a66c88f229}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 0x0}, uint128 = 0x00000000000000003be64664175812b3}
xmm14          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0}, v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 0x0}, uint128 = 0x00000000000000004046dfb516f209c0}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

----------
files: mve_invalid_decode_check.diff
messages: 13328
priority: normal
status: open
substatus: open
title: ffmpeg crashes on interplay videos with invalid decode opcodes
type: bug

________________________________________________
FFmpeg issue tracker <iss...@roundup.ffmpeg.org>
<https://roundup.ffmpeg.org/issue2522>
________________________________________________
mve_invalid_decode_check.diff
Description: Binary data
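Editor's added example (not the reporter's patch and not FFmpeg's interplayvideo.c): the backtrace shows the crash in copy_from, reached from an opcode handler, with pixels=0x5760, a small address that is what a NULL buffer pointer plus a block offset looks like. The toy block decoder below shows the two checks an opcode-dispatched decoder needs before it touches a reference buffer: reject any opcode outside the handler table, and refuse a "copy from previous frame" opcode when no previous frame exists, returning an error instead of dereferencing NULL. All names (toy_*, TOY_*), the 16x16 frame layout, and the byte-per-block stream format are assumptions made for this illustration; the input streams are constructed inline.

```c
/* Added illustration of validating opcodes and reference frames in a
 * block-based decoder. Toy format (assumption, not the Interplay MVE
 * bitstream): one opcode byte per 8x8 block, row-major over a 16x16 frame.
 * Opcode 0 copies the block from the previous frame, opcode 1 fills the
 * block with the literal byte that follows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8
#define W 16
#define H 16

enum { TOY_OK = 0, TOY_EINVAL = -1, TOY_EREF = -2 };

typedef struct {
    uint8_t *cur;   /* frame being decoded */
    uint8_t *prev;  /* last decoded frame, NULL until one exists */
    int stride;
} toy_ctx;

typedef int (*toy_op)(toy_ctx *, int, int, const uint8_t **, const uint8_t *);

/* Opcode 0: needs a reference frame. Without the NULL check this is the
 * crash pattern in the report: NULL + (y * stride + x) is a small bogus
 * address, and the copy faults reading from it. */
static int op_copy_prev(toy_ctx *s, int x, int y, const uint8_t **p, const uint8_t *end)
{
    (void)p; (void)end;
    if (!s->prev)
        return TOY_EREF;
    for (int r = 0; r < BLOCK; r++)
        memcpy(s->cur + (y + r) * s->stride + x,
               s->prev + (y + r) * s->stride + x, BLOCK);
    return TOY_OK;
}

/* Opcode 1: literal fill; also checks the stream has the byte it needs. */
static int op_fill(toy_ctx *s, int x, int y, const uint8_t **p, const uint8_t *end)
{
    if (*p >= end)
        return TOY_EINVAL;
    uint8_t v = *(*p)++;
    for (int r = 0; r < BLOCK; r++)
        memset(s->cur + (y + r) * s->stride + x, v, BLOCK);
    return TOY_OK;
}

static const toy_op ops[] = { op_copy_prev, op_fill };
#define NB_OPS (sizeof(ops) / sizeof(ops[0]))

/* Decode one frame; every opcode is bounds-checked before dispatch. */
int toy_decode_frame(toy_ctx *s, const uint8_t *data, size_t len)
{
    const uint8_t *p = data, *end = data + len;
    for (int y = 0; y < H; y += BLOCK)
        for (int x = 0; x < W; x += BLOCK) {
            if (p >= end)
                return TOY_EINVAL;
            uint8_t opcode = *p++;
            if (opcode >= NB_OPS)       /* opcode not in the handler table */
                return TOY_EINVAL;
            int ret = ops[opcode](s, x, y, &p, end);
            if (ret < 0)
                return ret;
        }
    return TOY_OK;
}

/* Constructed streams: 0 = copy before any reference frame exists,
 * 1 = opcode outside the table, 2 = fill frame then copy frame (returns
 * the copied pixel from the bottom-right block, 0x44). */
int toy_scenario(int which)
{
    static uint8_t f0[W * H], f1[W * H];
    toy_ctx s = { f0, NULL, W };
    const uint8_t copy_all[]   = { 0, 0, 0, 0 };
    const uint8_t fill_all[]   = { 1, 0x11, 1, 0x22, 1, 0x33, 1, 0x44 };
    const uint8_t bad_opcode[] = { 0x7f, 0, 0, 0 };
    int ret;

    switch (which) {
    case 0:
        return toy_decode_frame(&s, copy_all, sizeof copy_all);
    case 1:
        return toy_decode_frame(&s, bad_opcode, sizeof bad_opcode);
    default:
        ret = toy_decode_frame(&s, fill_all, sizeof fill_all);
        if (ret < 0)
            return ret;
        s.prev = f0;
        s.cur  = f1;
        ret = toy_decode_frame(&s, copy_all, sizeof copy_all);
        if (ret < 0)
            return ret;
        return f1[8 * W + 8];
    }
}

int main(void)
{
    printf("copy without reference: %d\n", toy_scenario(0));
    printf("unknown opcode:         %d\n", toy_scenario(1));
    printf("fill then copy pixel:   0x%02x\n", toy_scenario(2));
    return 0;
}
```

The first two scenarios are the ones a fuzzed file exercises: the decoder must fail closed on them rather than index a table or dereference a frame pointer it has not verified.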