Carl Eugen Hoyos <[email protected]> added the comment:
I can reproduce the crash with current svn (r20872), but backtrace and valgrind's output look different:

(gdb) bt
#0  0x00000000004e4c9a in spectral_to_sample (ac=0x1469e70) at libavcodec/aac.c:1652
#1  0x00000000004e1525 in aac_decode_frame (avccontext=0x1469e70, data=0x0, data_size=0xfffffffb, avpkt=0x14648f0) at libavcodec/aac.c:1795
#2  0x00000000004dde15 in avcodec_decode_audio3 (avctx=0x1469e70, samples=0x0, frame_size_ptr=0xfffffffb, avpkt=0x14648f0) at libavcodec/utils.c:629
#3  0x000000000040d7d7 in output_packet (ist=0x1469e70, ist_index=0, ost_table=0xfffffffb, nb_ostreams=21383408, pkt=0x80) at ffmpeg.c:1324
#4  0x000000000040cc41 in av_encode (output_files=0x1469e70, nb_output_files=0, input_files=0xfffffffb, nb_input_files=21383408, stream_maps=0x80, nb_stream_maps=0) at ffmpeg.c:2306
#5  0x000000000040a2f4 in main (argc=21405296, argv=0x0) at ffmpeg.c:4006

(Note: the argument values printed for frames #1-#5 should not be trusted. Every frame shows the same handful of values -- 0x1469e70, 0xfffffffb, 21383408, 0x80, 0x0 -- which are simply the current contents of %rdi, %rdx, %rcx, %r8 and %rsi from the register dump below; `argc=21405296, argv=0x0` in main is obviously bogus. This is the usual symptom of an optimized build without precise location info. Only the function/line chain is reliable, and it matches valgrind's stack below.)

(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x4e4c7a to 0x4e4cba:
0x00000000004e4c7a <spectral_to_sample+26>:    (bad)
0x00000000004e4c7b <spectral_to_sample+27>:    mov    %edx,%ebp
0x00000000004e4c7d <spectral_to_sample+29>:    mov    %rdi,%r15
0x00000000004e4c80 <spectral_to_sample+32>:    jmp    0x4e4c89 <spectral_to_sample+41>
0x00000000004e4c82 <spectral_to_sample+34>:    mov    (%rsp),%edx
0x00000000004e4c85 <spectral_to_sample+37>:    lea    0x3(%rdx),%r13d
0x00000000004e4c89 <spectral_to_sample+41>:    dec    %edx
0x00000000004e4c8b <spectral_to_sample+43>:    mov    %ebp,%ebx
0x00000000004e4c8d <spectral_to_sample+45>:    mov    %r13d,%r14d
0x00000000004e4c90 <spectral_to_sample+48>:    shl    $0x7,%r14
0x00000000004e4c94 <spectral_to_sample+52>:    add    %r15,%r14
0x00000000004e4c97 <spectral_to_sample+55>:    mov    %edx,(%rsp)
0x00000000004e4c9a <spectral_to_sample+58>:    mov    0x310(%r14),%r12
0x00000000004e4ca1 <spectral_to_sample+65>:    test   %r12,%r12
0x00000000004e4ca4 <spectral_to_sample+68>:    je     0x4e5a07 <spectral_to_sample+3495>
0x00000000004e4caa <spectral_to_sample+74>:    cmp    $0x1,%r13d
0x00000000004e4cae <spectral_to_sample+78>:    ja     0x4e509c 
<spectral_to_sample+1084>
0x00000000004e4cb4 <spectral_to_sample+84>:    xor    %eax,%eax
0x00000000004e4cb6 <spectral_to_sample+86>:    lea    0x98b0(%r12),%rsi
End of assembler dump.

(The `(bad)` at +26 is most likely an artifact of starting the dump at $pc-32, which need not fall on an instruction boundary, rather than a real malformed instruction.)

(gdb) info registers
rax            0x0                 0
rbx            0x0                 0
rcx            0x14648f0           21383408
rdx            0xfffffffb          4294967291
rsi            0x0                 0
rdi            0x1469e70           21405296
rbp            0x0                 0x0
rsp            0x7fff30c3bdc0      0x7fff30c3bdc0
r8             0x80                128
r9             0x8000000000000000  -9223372036854775808
r10            0x8000000000000000  -9223372036854775808
r11            0xb550e0            11882720
r12            0x0                 0
r13            0xffffffff          4294967295
r14            0x8001463950        549777193296
r15            0x14639d0           21379536
rip            0x4e4c9a            0x4e4c9a <spectral_to_sample+58>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fctrl          0x37f               895
fstat          0x0                 0
ftag           0xffff              65535
fiseg          0x0                 0
fioff          0x0                 0
foseg          0x0                 0
fooff          0x0                 0
fop            0x0                 0
mxcsr          0x9fe4              [ ZE PE DAZ IM DM ZM OM UM PM FZ ]

Reading the faulting instruction `mov 0x310(%r14),%r12` against the registers: %r14 = %r15 + (%r13d << 7) = 0x14639d0 + (0xffffffff << 7) = 0x8001463950, which is exactly the value shown. So the index in %r13d is 0xffffffff (-1 if the C code treats it as a signed int); `mov %r13d,%r14d` zero-extends it to 64 bits and `shl $0x7` scales it by 128, putting the read roughly 512 GiB past the base in %r15. This is an out-of-bounds read through a bad index, not a NULL dereference. Two things follow from the instruction order: the `test %r12,%r12 / je` at +65/+68 only checks the value that was loaded, so it guards against an empty slot but not against the slot index itself being out of range, and the `cmp $0x1,%r13d / ja` at +74/+78 comes after the load, so whatever bound it enforces does not protect this access. The loop counter in %edx (0xfffffffb, also stored at (%rsp)) is negative as well, which is consistent with %r13d being derived from it via `lea 0x3(%rdx),%r13d`; this looks like a count or index going negative, but please confirm against the C at aac.c:1652. If that index comes from the input bitstream, this is an attacker-reachable out-of-bounds read and should be treated as a security issue rather than just a crash.

==28962== Invalid read of size 8
==28962==    at 0x4E4C9A: spectral_to_sample (aac.c:1652)
==28962==    by 0x4E1524: aac_decode_frame (aac.c:1795)
==28962==    by 0x4DDE14: avcodec_decode_audio3 (utils.c:629)
==28962==    by 0x40D7D6: output_packet (ffmpeg.c:1324)
==28962==    by 0x40CC40: av_encode (ffmpeg.c:2306)
==28962==    by 0x40A2F3: main (ffmpeg.c:4006)
==28962==  Address 0x800a9c8b50 is not stack'd, malloc'd or (recently) free'd

(Valgrind's address 0x800a9c8b50 has the same 0x80xxxxxxxx shape as %r14 in gdb, presumably with a different heap base between the two runs, so both reports appear to be the same bad-index read.)

----------
status: new -> open
substatus: new -> reproduced

FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/roundup/ffmpeg/issue1295>
