[issue2513] ffmpeg crashes on cmv files with invalid decode flags

2011-01-09 Thread Peter Ross

Peter Ross pr...@xvid.org added the comment:

Fixed in r26279.

--
status: open -> closed
substatus: open -> fixed


FFmpeg issue tracker iss...@roundup.ffmpeg.org
https://roundup.ffmpeg.org/issue2513



[issue2513] ffmpeg crashes on cmv files with invalid decode flags

2011-01-09 Thread Carl Eugen Hoyos

Carl Eugen Hoyos ceho...@rainbow.studorg.tuwien.ac.at added the comment:

Sample moved to /samples/ffmpeg-bugs/roundup/issue2513





[issue2513] ffmpeg crashes on cmv files with invalid decode flags

2011-01-08 Thread Daniel Kang

New submission from Daniel Kang daniel.d.k...@gmail.com:

When cmv_decode_inter uses the second-last frame as reference when it should
not, ffmpeg crashes. The patch attached adds a sanity check on that.

gdb run:
(gdb) r -i ../fuzzed.cmv del.mkv
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.cmv del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-fb6f2b4, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  8 2011 18:38:24 with gcc 4.4.5
  configuration: --enable-gpl --disable-pthreads
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.107. 0 / 52.107. 0
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 3 / 52. 2. 3
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
[ea @ 0x1200510] Estimating duration from bitrate, this may be inaccurate
Input #0, ea, from '../fuzzed.cmv':
  Duration: N/A, bitrate: N/A
    Stream #0.0: Video: eacmv, pal8, 200x200, 10 fps, 10 tbr, 90k tbn, 10 tbc
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x123d870] w:200 h:200 pixfmt:pal8
[ffsink @ 0x123ab00] auto-inserting filter 'auto-inserted scaler 0' between the filter 'src' and the filter 'out'
[scale @ 0x123add0] w:200 h:200 fmt:pal8 -> w:200 h:200 fmt:yuv420p flags:0xa004
Output #0, matroska, to 'del.mkv':
  Metadata:
    encoder         : Lavf52.92.0
    Stream #0.0: Video: mpeg4, yuv420p, 200x200, q=2-31, 200 kb/s, 1k tbn, 10 tbc
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding

Program received signal SIGSEGV, Segmentation fault.
0x005a2385 in cmv_motcomp (avctx=0x12e5330, data=<value optimized out>, data_size=<value optimized out>, avpkt=<value optimized out>) at libavcodec/eacmv.c:74
74          dst[j*dst_stride + i] = src[(j+yoffset)*src_stride + i+xoffset];
(gdb) bt
#0  0x005a2385 in cmv_motcomp (avctx=0x12e5330, data=<value optimized out>, data_size=<value optimized out>, avpkt=<value optimized out>) at libavcodec/eacmv.c:74
#1  cmv_decode_inter (avctx=0x12e5330, data=<value optimized out>, data_size=<value optimized out>, avpkt=<value optimized out>) at libavcodec/eacmv.c:100
#2  cmv_decode_frame (avctx=0x12e5330, data=<value optimized out>, data_size=<value optimized out>, avpkt=<value optimized out>) at libavcodec/eacmv.c:180
#3  0x00756a98 in avcodec_decode_video2 (avctx=0x1202ed0, picture=0x7fffc4c0, got_picture_ptr=0x7fffc70c, avpkt=0x7fffc650) at libavcodec/utils.c:637
#4  0x00434789 in output_packet (ist=0x12035d0, ist_index=0, ost_table=<value optimized out>, nb_ostreams=<value optimized out>, pkt=0x7fffd4b0) at ffmpeg.c:1550
#5  0x00436587 in transcode (nb_output_files=<value optimized out>, nb_input_files=<value optimized out>, stream_maps=<value optimized out>, nb_stream_maps=<value optimized out>, input_files=<value optimized out>, output_files=<value optimized out>) at ffmpeg.c:2643
#6  0x004374f3 in main (argc=4, argv=<value optimized out>) at ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x5a2365 to 0x5a23a5:
0x005a2365 <cmv_decode_frame+3493>:    rex.WR and $0x5c,%al
0x005a2368 <cmv_decode_frame+3496>:    jle    0x5a28d2 <cmv_decode_frame+4882>
0x005a236e <cmv_decode_frame+3502>:    imul   0x74(%rsp),%ecx
0x005a2373 <cmv_decode_frame+3507>:    mov    0x40(%rsp),%r13
0x005a2378 <cmv_decode_frame+3512>:    lea    (%r11,%r15,1),%r12d
0x005a237c <cmv_decode_frame+3516>:    movslq %r12d,%r12
0x005a237f <cmv_decode_frame+3519>:    add    %r8d,%ecx
0x005a2382 <cmv_decode_frame+3522>:    movslq %ecx,%rcx
0x005a2385 <cmv_decode_frame+3525>:    movzbl 0x0(%r13,%rcx,1),%ecx
0x005a238b <cmv_decode_frame+3531>:    mov    %cl,(%rdx,%r12,1)
0x005a238f <cmv_decode_frame+3535>:    mov    0x68(%rsp),%r12d
0x005a2394 <cmv_decode_frame+3540>:    lea    0x1(%r12),%ecx
0x005a2399 <cmv_decode_frame+3545>:    mov    %ecx,%r14d
0x005a239c <cmv_decode_frame+3548>:    mov    %ecx,0x50(%rsp)
0x005a23a0 <cmv_decode_frame+3552>:    add    %ebx,%r14d
0x005a23a3 <cmv_decode_frame+3555>:    js     0x5a2a1d <cmv_decode_frame+5213>
End of assembler dump.
(gdb) info all-registers
rax            0xc8        200
rbx            0x0         0
rcx            0x58        88
rdx            0x12fc950   19908944
rsi            0xe8        232
rdi            0x1f        31
rbp            0x0         0x0
rsp            0x7fffc040  0x7fffc040
r8             0x58        88
r9             0x1e        30
r10            0x1d        29
r11            0x1960      6496
r12            0x19b8      6584
r13            0x0         0
r14            0x12e5330   19813168
r15            0x58        88
rip            0x5a2385    0x5a2385 <cmv_decode_frame+3525>
eflags         0x10202     [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0         0
es             0x0         0
fs             0x0         0
gs             0x0         0
st0
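
The report above describes an inter frame whose decode flags select the second-last frame as reference before such a frame exists; the faulting instruction in the disassembly is a byte load with r13 (the source base) equal to 0, i.e. a copy from a NULL reference buffer. The model below is an added illustration of that failure mode and of the sanity check that prevents it. It is not code from the report, from the attached patch, from r26279 or from FFmpeg's libavcodec/eacmv.c: the frame size, block size, block header layout and every function name (motcomp, push_frame, pick_ref, decode_inter_unchecked, decode_inter_checked, the two scenario functions) are hypothetical, and the input streams are constructed inline. The checked version also rejects a block displacement that would read outside the reference frame, which goes beyond what the report itself covers.

```c
/* Added, hypothetical model of an inter-frame decoder with a two-frame reference
 * history; not FFmpeg's libavcodec/eacmv.c. It reproduces only the shape of the
 * fault: a block selects the second-last frame before two frames exist, so the
 * reference pointer handed to the block copy is NULL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { W = 8, H = 8, BLOCK = 4, BPR = W / BLOCK, NBLOCKS = BPR * (H / BLOCK) };
enum { REF_LAST = 0, REF_LAST2 = 1 };   /* stands in for the per-block decode flags */
typedef struct { uint8_t ref; int8_t xoff, yoff; } block_hdr;
typedef struct {
    uint8_t  cur[W * H], hist[2][W * H]; /* frame in progress, two reference slots */
    uint8_t *last, *last2;               /* previous frame, the one before; NULL until decoded */
    int      nframes;
} decoder;

/* Copy one BLOCK x BLOCK block from src at displacement (xoff, yoff); trusts its caller. */
void motcomp(uint8_t *dst, const uint8_t *src, int x, int y, int xoff, int yoff)
{
    for (int j = 0; j < BLOCK; j++)
        for (int i = 0; i < BLOCK; i++)
            dst[(y + j) * W + x + i] = src[(y + j + yoff) * W + x + i + xoff];
}

/* Finish a frame: rotate it into the two-slot history. */
void push_frame(decoder *d)
{
    uint8_t *slot = d->hist[d->nframes & 1];   /* the slot nothing points at any more */
    memcpy(slot, d->cur, sizeof d->cur);
    d->last2 = d->last;
    d->last  = slot;
    d->nframes++;
}
static const uint8_t *pick_ref(const decoder *d, uint8_t ref)
{
    return ref == REF_LAST2 ? d->last2 : d->last;
}

/* Before: the flag is honoured without asking whether that frame exists. With
 * last2 == NULL the copy reads NULL plus a small offset, matching the register dump
 * (r13, the base of the faulting load, is 0). Never call it with fewer than two frames. */
int decode_inter_unchecked(decoder *d, const block_hdr *h)
{
    for (int b = 0; b < NBLOCKS; b++)
        motcomp(d->cur, pick_ref(d, h[b].ref), (b % BPR) * BLOCK, (b / BPR) * BLOCK,
                h[b].xoff, h[b].yoff);
    return 0;
}

/* After: reject a block whose reference frame is not decoded yet and, going beyond
 * the report, a displacement that reads outside the frame. 0 on success, -1 otherwise. */
int decode_inter_checked(decoder *d, const block_hdr *h)
{
    for (int b = 0; b < NBLOCKS; b++) {
        const uint8_t *src = pick_ref(d, h[b].ref);
        int x = (b % BPR) * BLOCK, y = (b / BPR) * BLOCK;
        int sx = x + h[b].xoff, sy = y + h[b].yoff;
        if (!src)
            return -1;                   /* reference frame missing */
        if (sx < 0 || sy < 0 || sx + BLOCK > W || sy + BLOCK > H)
            return -1;                   /* displacement leaves the frame */
        motcomp(d->cur, src, x, y, h[b].xoff, h[b].yoff);
    }
    return 0;
}

/* Constructed stream 1: one flat intra frame, then an inter frame whose blocks all
 * reference the second-last frame. Returns the checked decoder's verdict. */
int scenario_missing_ref(void)
{
    decoder d = {0}; block_hdr h[NBLOCKS];
    memset(d.cur, 0x11, sizeof d.cur); push_frame(&d);
    for (int b = 0; b < NBLOCKS; b++) h[b] = (block_hdr){ REF_LAST2, 0, 0 };
    return decode_inter_checked(&d, h);
}

/* Constructed stream 2: intra frames 0x11 then 0x22, then an inter frame alternating
 * between them with horizontal displacement xoff. Copies the result to out[]. */
int scenario_two_refs(uint8_t out[W * H], int8_t xoff)
{
    decoder d = {0}; block_hdr h[NBLOCKS];
    memset(d.cur, 0x11, sizeof d.cur); push_frame(&d);
    memset(d.cur, 0x22, sizeof d.cur); push_frame(&d);
    for (int b = 0; b < NBLOCKS; b++) h[b] = (block_hdr){ (uint8_t)(b & 1), xoff, 0 };
    int rc = decode_inter_checked(&d, h);
    memcpy(out, d.cur, W * H);
    return rc;
}

int main(void)
{
    uint8_t f[W * H];
    int rc = scenario_two_refs(f, 0);
    printf("missing reference frame: %d\n", scenario_missing_ref());
    printf("two reference frames:    %d (f[0]=%#x, f[4]=%#x)\n", rc, f[0], f[4]);
    return 0;
}
```

The check belongs in the caller of the block copy, not inside it: the copy loop in the backtrace is the innermost routine and has no way to report an error, so the decoder has to refuse the frame before it hands over a reference pointer it has not yet filled.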

[issue2513] ffmpeg crashes on cmv files with invalid decode flags

2011-01-08 Thread Daniel Kang

Daniel Kang daniel.d.k...@gmail.com added the comment:

I have uploaded a sample to /MPlayer/incoming/eacmv_invalid_decode_issue2513

