[issue655] FFMPEG crash in indeo3 decoding
Benoit Fouet benoit.fo...@free.fr added the comment:

On 01/23/2009 03:20 PM, Michael Niedermayer wrote:
> Michael Niedermayer michae...@gmx.at added the comment:
>
> On Fri, Oct 03, 2008 at 12:37:58AM +0000, Michael Niedermayer wrote:
>> On Tue, Sep 30, 2008 at 08:10:08AM +0000, Benoit Fouet wrote:
>> [...]
>>>> also, i would suggest error message return instead of silently
>>>> continuing. Besides these, the patch should be applied as it fixes
>>>> something possibly exploitable.
>>>
>>> new patch below (more correct IMHO); will be applied in two parts if ok
>>
>> ok
>
> Has this patch been applied?

no

> If not, why not?
> [...]

at that time, I wanted to have a deeper look at indeo3.c to see why it
was not working properly, but I failed to do it.
So I just applied this patch (in two parts, as I said I would)

Ben

FFmpeg issue tracker ffmpeg_iss...@live.polito.it
https://roundup.ffmpeg.org/roundup/ffmpeg/issue655
[issue655] FFMPEG crash in indeo3 decoding
Benoit Fouet benoit.fo...@free.fr added the comment:

fixed in r16802

----------
status: open -> closed
substatus: reproduced -> fixed
[issue655] FFMPEG crash in indeo3 decoding
NikolaySemenkov nikolaysemen...@gmail.com added the comment:

thanks, works fine now.
[issue655] FFMPEG crash in indeo3 decoding
Michael Niedermayer michae...@gmx.at added the comment:

On Fri, Oct 03, 2008 at 12:37:58AM +0000, Michael Niedermayer wrote:
> On Tue, Sep 30, 2008 at 08:10:08AM +0000, Benoit Fouet wrote:
> [...]
>>> also, i would suggest error message return instead of silently
>>> continuing. Besides these, the patch should be applied as it fixes
>>> something possibly exploitable.
>>
>> new patch below (more correct IMHO); will be applied in two parts if ok
>
> ok

Has this patch been applied?
If not, why not?

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

While the State exists there can be no freedom; when there is freedom
there will be no State. -- Vladimir Lenin
[issue655] FFMPEG crash in indeo3 decoding
NikolaySemenkov nikolaysemen...@gmail.com added the comment:

I just have not found any of these 3 patches for indeo3.c in the svn trunk repo.
[issue655] FFMPEG crash in indeo3 decoding
Benoit Fouet [EMAIL PROTECTED] added the comment:

Michael Niedermayer wrote:
> Michael Niedermayer [EMAIL PROTECTED] added the comment:
>
> On Mon, Sep 29, 2008 at 01:07:41PM +0000, Benoit Fouet wrote:
> [...]
>> recompiled with -O0, I had another backtrace...
>> anyway, it seems we are writing where we should not :)
>> Here is a patch to fix the segfault, I'll have to look closer into the
>> file to try to understand how it works.
>
> please do
>
> [...]
>> @@ -1025,7 +1025,7 @@ } } -if(strip strip_tbl) +if(strip strip_tbl || strip = strip_tbl + FFARRAY_SIZE(strip_tbl)) return;
>
> I believe the strip < strip_tbl cannot be true here

indeed, I'll remove it in a second step, though

> also, i would suggest error message return instead of silently
> continuing. Besides these, the patch should be applied as it fixes
> something possibly exploitable.

new patch below (more correct IMHO); will be applied in two parts if ok

Index: libavcodec/indeo3.c === --- libavcodec/indeo3.c (revision 15469) +++ libavcodec/indeo3.c (working copy) @@ -348,6 +348,10 @@ if(cmd == 0) { strip++; + if(strip = strip_tbl + 20) { + av_log(s-avctx, AV_LOG_WARNING, out of range strip\n); + break; + } memcpy(strip, strip-1, sizeof(ustr_t)); strip-split_flag = 1; strip-split_direction = 0; @@ -355,6 +359,10 @@ continue; } else if(cmd == 1) { strip++; + if(strip = strip_tbl + 20) { + av_log(s-avctx, AV_LOG_WARNING, out of range strip\n); + break; + } memcpy(strip, strip-1, sizeof(ustr_t)); strip-split_flag = 1; strip-split_direction = 1; @@ -1025,9 +1033,6 @@ } } -if(strip strip_tbl) - return; - for( ; strip = strip_tbl; strip--) { if(strip-split_flag != 0) { strip-split_flag = 0;

FFmpeg issue tracker [EMAIL PROTECTED]
https://roundup.mplayerhq.hu/roundup/ffmpeg/issue655
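Review bot: in the cmd == 0 hunk (@@ -348,6 +348,10 @@) the bound is written as strip_tbl + 20, a magic number, while the earlier patch in this thread used FFARRAY_SIZE(strip_tbl); use FFARRAY_SIZE(strip_tbl) here too so the check cannot drift from the array declaration. The placement itself is right, after strip++ and before the memcpy(strip, strip-1, sizeof(ustr_t)), so no out-of-bounds ustr_t is written any more, but AV_LOG_WARNING understates an input that was about to overrun a stack table; AV_LOG_ERROR matches the "error message return" asked for above.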
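Review bot: the cmd == 1 hunk (@@ -355,6 +359,10 @@) repeats the cmd == 0 check verbatim (same strip++, same av_log, same break). The two branches differ only in split_direction, so fold the push into one path or a small static helper; with the bound living in exactly one place a later correction cannot land in one branch and miss the other.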
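Review bot: dropping the if(strip < strip_tbl) return; guard in the last hunk (@@ -1025,9 +1033,6 @@) is sound only because of the reasoning given in the discussion and not in the code: the for( ; strip >= strip_tbl; strip--) loop directly below is what walks strip downwards, its own condition stops it at strip_tbl - 1, and the enclosing while then terminates. Put that in a one-line comment at the for loop. Note also that strip_tbl - 1 is a pointer before the start of the array, which the loop exit relies on; pre-existing, but worth stating next to the loop.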
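The point argued over in this exchange, as an added example that is not FFmpeg's code: a fixed-size strip table walked by a pointer cursor, driven by a command stream, where the bound is checked either only in the loop condition (the shape of the first patch) or immediately after the increment and before the copy (the shape of the second patch). The ustr_t layout, the table length of 20, the 2-bit command encoding and the two input streams are assumptions constructed for the demo, not the codec's real format. The demo reserves one spare slot so that its own overflow lands in memory it owns and can be counted rather than crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STRIP_TBL_SIZE 20      /* assumed table length, mirrors the "+ 20" in the patch */

enum { DECODE_OK = 0, DECODE_ERR_STRIP_OVERFLOW = -1 };

typedef struct {               /* stand-in for the codec's ustr_t; layout is assumed */
    int split_flag;
    int split_direction;
    int height;
} ustr_t;

/*
 * Walks a command stream the way the decoder loop does: 2-bit commands,
 * four per byte, MSB first. cmd 0/1 push a new strip (a copy of the
 * previous one), cmd 2 pops one, cmd 3 ends the chunk.
 *
 * early_check == 0: bound tested only in the while condition (first patch).
 * early_check != 0: bound tested right after strip++, before memcpy (second patch).
 *
 * *oob counts copies that landed at or beyond strip_tbl[STRIP_TBL_SIZE];
 * *max_depth records the highest index the cursor reached.
 */
static int walk_strips(const uint8_t *buf, size_t len, int early_check,
                       int *oob, int *max_depth)
{
    ustr_t strip_tbl[STRIP_TBL_SIZE + 1];   /* +1 spare slot: the demo's overflow stays in owned memory */
    ustr_t *strip = strip_tbl;
    size_t pos = 0;
    int bit_pos = 0;
    uint8_t bit_buf = 0;

    memset(strip_tbl, 0, sizeof(strip_tbl));
    *oob = 0;
    *max_depth = 0;

    while (strip >= strip_tbl &&
           (early_check || strip < strip_tbl + STRIP_TBL_SIZE)) {
        int cmd;

        if (bit_pos <= 0) {
            if (pos >= len)
                break;                          /* stream exhausted */
            bit_pos = 8;
            bit_buf = buf[pos++];
        }
        bit_pos -= 2;
        cmd = (bit_buf >> bit_pos) & 3;

        if (cmd == 0 || cmd == 1) {
            strip++;
            if (early_check && strip >= strip_tbl + STRIP_TBL_SIZE)
                return DECODE_ERR_STRIP_OVERFLOW;   /* rejected before any write */
            if (strip >= strip_tbl + STRIP_TBL_SIZE)
                (*oob)++;                           /* late check: the copy below is out of bounds */
            memcpy(strip, strip - 1, sizeof(ustr_t));
            strip->split_flag = 1;
            strip->split_direction = cmd;
            if ((int)(strip - strip_tbl) > *max_depth)
                *max_depth = (int)(strip - strip_tbl);
            continue;
        }
        if (cmd == 2) {
            if (strip == strip_tbl)
                break;                          /* nothing left to pop */
            strip--;
            continue;
        }
        break;                                  /* cmd == 3: end of chunk */
    }
    return DECODE_OK;
}

/* Constructed inputs for the demo, not taken from the crashing sample. */
static const uint8_t k_overflow_stream[] = { 0x00, 0x00, 0x00, 0x00, 0x00 }; /* 20 x cmd 0 */
static const uint8_t k_benign_stream[]   = { 0x00, 0x00, 0xAA, 0xC0 };       /* 8 pushes, 4 pops, end */

/* 1 if the loop-condition check let one out-of-bounds copy through. */
int late_check_writes_out_of_bounds(void)
{
    int oob, depth;
    int rc = walk_strips(k_overflow_stream, sizeof k_overflow_stream, 0, &oob, &depth);
    return rc == DECODE_OK && oob == 1 && depth == STRIP_TBL_SIZE;
}

/* 1 if the post-increment check rejected the stream with nothing written past the end. */
int early_check_rejects(void)
{
    int oob, depth;
    int rc = walk_strips(k_overflow_stream, sizeof k_overflow_stream, 1, &oob, &depth);
    return rc == DECODE_ERR_STRIP_OVERFLOW && oob == 0 && depth == STRIP_TBL_SIZE - 1;
}

/* 1 if a well-formed stream decodes identically under both checks. */
int benign_stream_decodes(void)
{
    int oob, depth, rc;
    rc = walk_strips(k_benign_stream, sizeof k_benign_stream, 0, &oob, &depth);
    if (rc != DECODE_OK || oob != 0 || depth != 8)
        return 0;
    rc = walk_strips(k_benign_stream, sizeof k_benign_stream, 1, &oob, &depth);
    return rc == DECODE_OK && oob == 0 && depth == 8;
}

int main(void)
{
    printf("loop-condition check lets an out-of-bounds write through: %s\n",
           late_check_writes_out_of_bounds() ? "yes" : "no");
    printf("post-increment check rejects the stream before writing: %s\n",
           early_check_rejects() ? "yes" : "no");
    printf("benign stream decodes under both checks: %s\n",
           benign_stream_decodes() ? "yes" : "no");
    return 0;
}
```

The difference is entirely in where the comparison sits relative to the memcpy: with the test in the loop head, the twentieth push increments the cursor, copies a full ustr_t past the end, and only then fails the condition; with the test directly after strip++, the same stream is refused before the copy and the caller gets an error code instead of a corrupted stack.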
[issue655] FFMPEG crash in indeo3 decoding
Benoit Fouet [EMAIL PROTECTED] added the comment:

Diego Biurrun wrote:
> Diego Biurrun [EMAIL PROTECTED] added the comment:
>
> On Fri, Sep 26, 2008 at 09:18:54PM +0000, Vitor wrote:
>> Vitor [EMAIL PROTECTED] added the comment:
>>
>> Michael Niedermayer wrote:
>>> Michael Niedermayer [EMAIL PROTECTED] added the comment:
>>>
>>> On Fri, Sep 26, 2008 at 04:59:12PM +0000, Vitor wrote:
>>> [...]
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>
>>> am i missing the backtrace in there?
>>
>> It was not that useful:
>>
>> (gdb) bt
>> #0  0x082d398c in iv_Decode_Chunk (s=0x88378a0, cur=0x883af00 pppphh``hhpppp\214T``hh````fjbFHhppxxppdphhpdhh``XXTTL,\220��\220`FFR`x|\200z\212\216\236, '�' repeats 40 times, ƾ, '�' repeats 28 times, ��, '�' repeats 20 times, ƾ..., ref=0x88458b0 pppphh``hhpppp\214T``hh````dp\\HLlppxxppdphhpdhh``DD0\224��\220`DDH\\`x|\200\200\210\210�, '�' repeats 40 times, ��, '�' repeats 50 times, ��..., width=8, height=4, buf1=0x1 <Address 0x1 out of bounds>, fflags2=0, hdr=0x1 <Address 0x1 out of bounds>, buf2=0xc8 <Address 0xc8 out of bounds>, min_width_160=16) at libavcodec/indeo3.c:343
>> #1  0x000c in ?? ()
>
> FWIW, I get the same bt with my K6-III.

recompiled with -O0, I had another backtrace...
anyway, it seems we are writing where we should not :)
Here is a patch to fix the segfault, I'll have to look closer into the
file to try to understand how it works.

> Also, the sample shows some artifacts at the beginning that go away
> with the binary decoder.

the artifacts are still there, though

Index: libavcodec/indeo3.c === --- libavcodec/indeo3.c (revision 15461) +++ libavcodec/indeo3.c (working copy) @@ -337,7 +337,7 @@ rle_v1 = rle_v2 = rle_v3 = 0; - while(strip = strip_tbl) { + while(strip = strip_tbl strip strip_tbl + FFARRAY_SIZE(strip_tbl)) { if(bit_pos = 0) { bit_pos = 8; bit_buf = *buf1++;
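Review bot: the bound added to the while condition in this hunk (@@ -337,7 +337,7 @@) is evaluated too late to stop the write. In the cmd == 0 and cmd == 1 branches the sequence is strip++, then memcpy(strip, strip-1, sizeof(ustr_t)), then continue (visible as context in the follow-up patch in this thread), so when strip already points at the last entry of strip_tbl the increment and the copy land one ustr_t past the end before the loop condition is re-tested; the new condition only ends the loop after that out-of-bounds write has happened. Move the check to directly after each strip++ and bail out before the memcpy. Also, a silent loop exit loses the fact that the bitstream is malformed; emit an av_log error at that point.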
@@ -1025,7 +1025,7 @@ } } -if(strip strip_tbl) +if(strip strip_tbl || strip = strip_tbl + FFARRAY_SIZE(strip_tbl)) return; for( ; strip = strip_tbl; strip--) {
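Review bot: the strip < strip_tbl half of this condition (@@ -1025,7 +1025,7 @@) is dead: the enclosing loop runs only while strip >= strip_tbl and nothing between the loop head and this point moves strip downwards, which is the same observation Michael makes in his reply, so only the upper-bound test does any work. More importantly the bare return discards the frame silently; reaching it means a corrupt or hostile bitstream, so log at error level before returning, and reconsider whether this late check is reachable at all once the bound is enforced at the strip++ that actually advances the pointer.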
[issue655] FFMPEG crash in indeo3 decoding
Vitor [EMAIL PROTECTED] added the comment:

Core dump:

Starting program: ffmpeg_g -i decoding_crashed.avi -acodec pcm_s16le out.avi
FFmpeg version SVN-r15401, Copyright (c) 2000-2008 Fabrice Bellard, et al.
  configuration: --cc=ccache gcc
  libavutil     49.10. 0 / 49.10. 0
  libavcodec    52. 0. 0 / 52. 0. 0
  libavformat   52.22. 1 / 52.22. 1
  libavdevice   52. 1. 0 / 52. 1. 0
  built on Sep 24 2008 22:07:19, gcc: 4.2.3 (Ubuntu 4.2.3-2ubuntu7)
Input #0, avi, from 'decoding_crashed.avi':
  Duration: 00:00:19.00, start: 0.00, bitrate: 674 kb/s
    Stream #0.0: Video: indeo3, yuv410p, 240x180, 12.00 tb(r)
    Stream #0.1: Audio: adpcm_ms, 11025 Hz, mono, s16, 45 kb/s
File 'out.avi' already exists. Overwrite ? [y/N] y
Output #0, avi, to 'out.avi':
    Stream #0.0: Video: mpeg4, yuv420p, 240x180, q=2-31, 200 kb/s, 12.00 tb(c)
    Stream #0.1: Audio: pcm_s16le, 11025 Hz, mono, s16, 176 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding

Program received signal SIGSEGV, Segmentation fault.
0x082d2e4c in iv_Decode_Chunk (s=0x88368a0, cur=0x8839f00 pppphh``hhpppp\214T``hh````fjbFHhppxxppdphhpdhh``XXTTL,\220��\220`FFR`x|\200z\212\216\236, '�' repeats 40 times, ƾ, '�' repeats 28 times, ��, '�' repeats 20 times, ƾ..., ref=0x88448b0 pppphh``hhpppp\214T``hh````dp\\HLlppxxppdphhpdhh``DD0\224��\220`DDH\\`x|\200\200\210\210�, '�' repeats 40 times, ��, '�' repeats 50 times, ��..., width=8, height=4, buf1=0x1 <Address 0x1 out of bounds>, fflags2=0, hdr=0x1 <Address 0x1 out of bounds>, buf2=0xc8 <Address 0xc8 out of bounds>, min_width_160=16) at libavcodec/indeo3.c:343
343         bit_buf = *buf1++;

----------
substatus: needs_more_info -> reproduced
title: FFMPEG crashed while decoding particular file -> FFMPEG crash in indeo3 decoding
[issue655] FFMPEG crash in indeo3 decoding
Michael Niedermayer [EMAIL PROTECTED] added the comment:

On Fri, Sep 26, 2008 at 04:59:12PM +0000, Vitor wrote:
[...]
> Program received signal SIGSEGV, Segmentation fault.

am i missing the backtrace in there?

btw, indeo3.c is in need of cleanup :)

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle

----------
title: FFMPEG crashed while decoding particular file -> FFMPEG crash in indeo3 decoding
[issue655] FFMPEG crash in indeo3 decoding
Vitor [EMAIL PROTECTED] added the comment:

Michael Niedermayer wrote:
> Michael Niedermayer [EMAIL PROTECTED] added the comment:
>
> On Fri, Sep 26, 2008 at 04:59:12PM +0000, Vitor wrote:
> [...]
>> Program received signal SIGSEGV, Segmentation fault.
>
> am i missing the backtrace in there?

It was not that useful:

(gdb) bt
#0  0x082d398c in iv_Decode_Chunk (s=0x88378a0, cur=0x883af00 pppphh``hhpppp\214T``hh````fjbFHhppxxppdphhpdhh``XXTTL,\220��\220`FFR`x|\200z\212\216\236, '�' repeats 40 times, ƾ, '�' repeats 28 times, ��, '�' repeats 20 times, ƾ..., ref=0x88458b0 pppphh``hhpppp\214T``hh````dp\\HLlppxxppdphhpdhh``DD0\224��\220`DDH\\`x|\200\200\210\210�, '�' repeats 40 times, ��, '�' repeats 50 times, ��..., width=8, height=4, buf1=0x1 <Address 0x1 out of bounds>, fflags2=0, hdr=0x1 <Address 0x1 out of bounds>, buf2=0xc8 <Address 0xc8 out of bounds>, min_width_160=16) at libavcodec/indeo3.c:343
#1  0x000c in ?? ()

> btw, indeo3.c is in need of cleanup :)

Who knows, maybe one day it'll get some :)

-Vitor
[issue655] FFMPEG crash in indeo3 decoding
Diego Biurrun [EMAIL PROTECTED] added the comment:

On Fri, Sep 26, 2008 at 09:18:54PM +0000, Vitor wrote:
> Vitor [EMAIL PROTECTED] added the comment:
>
> Michael Niedermayer wrote:
>> Michael Niedermayer [EMAIL PROTECTED] added the comment:
>>
>> On Fri, Sep 26, 2008 at 04:59:12PM +0000, Vitor wrote:
>> [...]
>>> Program received signal SIGSEGV, Segmentation fault.
>>
>> am i missing the backtrace in there?
>
> It was not that useful:
>
> (gdb) bt
> #0  0x082d398c in iv_Decode_Chunk (s=0x88378a0, cur=0x883af00 pppphh``hhpppp\214T``hh````fjbFHhppxxppdphhpdhh``XXTTL,\220��\220`FFR`x|\200z\212\216\236, '�' repeats 40 times, ƾ, '�' repeats 28 times, ��, '�' repeats 20 times, ƾ..., ref=0x88458b0 pppphh``hhpppp\214T``hh````dp\\HLlppxxppdphhpdhh``DD0\224��\220`DDH\\`x|\200\200\210\210�, '�' repeats 40 times, ��, '�' repeats 50 times, ��..., width=8, height=4, buf1=0x1 <Address 0x1 out of bounds>, fflags2=0, hdr=0x1 <Address 0x1 out of bounds>, buf2=0xc8 <Address 0xc8 out of bounds>, min_width_160=16) at libavcodec/indeo3.c:343
> #1  0x000c in ?? ()

FWIW, I get the same bt with my K6-III.

Also, the sample shows some artifacts at the beginning that go away with
the binary decoder.

Diego