New submission from David <[email protected]>:
Found a bug in FFmpeg using zzuf for a GCI task. It crashes on a fuzzed input
file of the Pirates of The Caribbean sample found in
http://x264dev.blogspot.com/2008/05/test-clips.html. The zzuf fuzz settings are
"zzuf -s11 -r 0.03 -b8b-". In the gdb session below, ic->bit_rate is negative
(-1875801792) when av_estimate_timings_from_bit_rate calls av_rescale, so the
divisor handed to av_rescale_rnd (c = bit_rate * time_base.num, with num = 1)
is negative and its "c > 0" assertion aborts the process.
Crash log and gdb session included.
----------
files: crash_log.txt
messages: 12958
priority: normal
status: new
substatus: new
title: av_rescale assertion error, crash on fuzzed input
topic: avformat, ffmpeg
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2426>
________________________________________________
da...@animal:~/Data/GCI/ffmpeg$ gdb ./ffmpeg_g
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/david/Data/GCI/ffmpeg/ffmpeg_g...done.
(gdb) break libavformat/utils.c:1890
Breakpoint 1 at 0x8117cdd: file libavformat/utils.c, line 1890.
(gdb) r -i ../../deps/zzuf/crash_ffmpeg_black_s11_r003.fuzz -f null -
Starting program: /home/david/Data/GCI/ffmpeg/ffmpeg_g -i
../../deps/zzuf/crash_ffmpeg_black_s11_r003.fuzz -f null -
[Thread debugging using libthread_db enabled]
FFmpeg version SVN-r26014, Copyright (c) 2000-2010 the FFmpeg developers
built on Dec 14 2010 15:55:28 with gcc 4.4.5
configuration: --disable-optimizations --disable-asm
libavutil 50.34. 0 / 50.34. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.99. 1 / 52.99. 1
libavformat 52.88. 0 / 52.88. 0
libavdevice 52. 2. 2 / 52. 2. 2
libavfilter 1.69. 0 / 1.69. 0
libswscale 0.12. 0 / 0.12. 0
[mpeg1video @ 0x8ad05b0] matrix damaged
[mpeg1video @ 0x8ad05b0] sequence header damaged
[mpeg1video @ 0x8ad05b0] matrix damaged
[mpeg1video @ 0x8ad05b0] sequence header damaged
[mpeg1video @ 0x8ad05b0] matrix damaged
[mpeg1video @ 0x8ad05b0] sequence header damaged
[mpeg1video @ 0x8ad05b0] ignoring pic cod ext after 0
[mpeg1video @ 0x8ad05b0] matrix damaged
[mpeg1video @ 0x8ad05b0] sequence header damaged
[mpeg1video @ 0x8ad05b0] ignoring pic cod ext after 0
[mpeg1video @ 0x8ad05b0] matrix damaged
[mpeg1video @ 0x8ad05b0] sequence header damaged
[mpeg1video @ 0x8ad05b0] ignoring pic cod ext after 0
[mpeg1video @ 0x8ad05b0] matrix damaged
[mpeg1video @ 0x8ad05b0] sequence header damaged
[mpeg1video @ 0x8ad05b0] Missing picture start code
Last message repeated 3 times
[mpeg1video @ 0x8ad05b0] slice below image (81 >= 30)
[mpegvideo @ 0x8acdcc0] max_analyze_duration reached
[mpegvideo @ 0x8acdcc0] Estimating duration from bitrate, this may be inaccurate
Breakpoint 1, av_estimate_timings_from_bit_rate (ic=0x8acdcc0) at
libavformat/utils.c:1890
1890 duration= av_rescale(8*filesize, st->time_base.den,
ic->bit_rate*(int64_t)st->time_base.num);
(gdb) print ic->bit_rate
$1 = -1875801792
(gdb) print st->time_base.num
$2 = 1
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x8117cbd to 0x8117cfd:
0x08117cbd <av_estimate_timings_from_bit_rate+213>: rolb $0x0,(%eax)
0x08117cc0 <av_estimate_timings_from_bit_rate+216>: add %al,%bh
0x08117cc2 <av_estimate_timings_from_bit_rate+218>: inc %ebp
0x08117cc3 <av_estimate_timings_from_bit_rate+219>: loopne 0x8117cc5
<av_estimate_timings_from_bit_rate+221>
0x08117cc5 <av_estimate_timings_from_bit_rate+221>: add %al,(%eax)
0x08117cc7 <av_estimate_timings_from_bit_rate+223>: add %ch,%cl
0x08117cc9 <av_estimate_timings_from_bit_rate+225>: mov %eax,0x8b000000
0x08117cce <av_estimate_timings_from_bit_rate+230>: push %ebp
0x08117ccf <av_estimate_timings_from_bit_rate+231>: loopne 0x8117c5c
<av_estimate_timings_from_bit_rate+116>
0x08117cd1 <av_estimate_timings_from_bit_rate+233>: inc %ebp
0x08117cd2 <av_estimate_timings_from_bit_rate+234>: or
%al,0x448b04c2(%ebx)
0x08117cd8 <av_estimate_timings_from_bit_rate+240>: nop
0x08117cd9 <av_estimate_timings_from_bit_rate+241>: or
%cl,0x458bdc45(%ecx)
0x08117cdf <av_estimate_timings_from_bit_rate+247>: or %cl,0xeb880(%ebx)
0x08117ce5 <av_estimate_timings_from_bit_rate+253>: add
%cl,-0x3e3c763f(%ecx)
0x08117ceb <av_estimate_timings_from_bit_rate+259>: sti
0x08117cec <av_estimate_timings_from_bit_rate+260>: pop %ds
0x08117ced <av_estimate_timings_from_bit_rate+261>: mov -0x24(%ebp),%eax
0x08117cf0 <av_estimate_timings_from_bit_rate+264>: mov 0x38(%eax),%eax
0x08117cf3 <av_estimate_timings_from_bit_rate+267>: mov %eax,%edx
0x08117cf5 <av_estimate_timings_from_bit_rate+269>: sar $0x1f,%edx
0x08117cf8 <av_estimate_timings_from_bit_rate+272>: mov %ebx,%esi
0x08117cfa <av_estimate_timings_from_bit_rate+274>: imul %eax,%esi
End of assembler dump.
(gdb) c
Continuing.
ffmpeg_g: libavutil/mathematics.c:79: av_rescale_rnd: Assertion `c > 0' failed.
Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) bt
#0 0x0012e416 in __kernel_vsyscall ()
#1 0x002a7941 in raise () from /lib/libc.so.6
#2 0x002aae42 in abort () from /lib/libc.so.6
#3 0x002a08e8 in __assert_fail () from /lib/libc.so.6
#4 0x08446e87 in av_rescale_rnd (a=549859968, b=1200000, c=-1875801792,
rnd=AV_ROUND_ZERO) at libavutil/mathematics.c:79
#5 0x084471ef in av_rescale (a=0, b=0, c=-4294967296) at
libavutil/mathematics.c:130
#6 0x08117d40 in av_estimate_timings_from_bit_rate (ic=0x8acdcc0) at
libavformat/utils.c:1890
#7 0x08118282 in av_estimate_timings (ic=0x8acdcc0, old_offset=0) at
libavformat/utils.c:2006
#8 0x08119cb9 in av_find_stream_info (ic=0x8acdcc0) at libavformat/utils.c:2425
#9 0x08055851 in opt_input_file (filename=0xbffff5fb
"../../deps/zzuf/crash_ffmpeg_black_s11_r003.fuzz") at ffmpeg.c:3219
#10 0x08058eda in parse_options (argc=6, argv=0xbffff454, options=0x8450ac0,
parse_arg_function=0x8057033 <opt_output_file>) at cmdutils.c:204
#11 0x08058602 in main (argc=6, argv=0xbffff454) at ffmpeg.c:4338
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x12e3f6 to 0x12e436:
0x0012e3f6: add %al,(%eax)
0x0012e3f8: add %al,(%eax)
0x0012e3fa: add %al,(%eax)
0x0012e3fc: add %al,(%eax)
0x0012e3fe: add %al,(%eax)
0x0012e400 <__kernel_sigreturn+0>: pop %eax
0x0012e401 <__kernel_sigreturn+1>: mov $0x77,%eax
0x0012e406 <__kernel_sigreturn+6>: int $0x80
0x0012e408 <__kernel_sigreturn+8>: nop
0x0012e409: lea 0x0(%esi),%esi
0x0012e40c <__kernel_rt_sigreturn+0>: mov $0xad,%eax
0x0012e411 <__kernel_rt_sigreturn+5>: int $0x80
0x0012e413 <__kernel_rt_sigreturn+7>: nop
0x0012e414 <__kernel_vsyscall+0>: int $0x80
=> 0x0012e416 <__kernel_vsyscall+2>: ret
0x0012e417: add %ch,(%esi)
0x0012e419: jae 0x12e483
0x0012e41b: jae 0x12e491
0x0012e41d: jb 0x12e493
0x0012e41f: popa
0x0012e420: bound %eax,(%eax)
0x0012e422: cs
0x0012e423: push $0x687361
0x0012e428: cs
0x0012e429: fs
0x0012e42a: jns 0x12e49a
0x0012e42c: jae 0x12e4a7
0x0012e42e: insl (%dx),%es:(%edi)
0x0012e42f: add %ch,(%esi)
0x0012e431: fs
0x0012e432: jns 0x12e4a2
0x0012e434: jae 0x12e4aa
End of assembler dump.
(gdb) info all-registers
eax 0x0 0
ecx 0x42c8 17096
edx 0x6 6
ebx 0x42c8 17096
esp 0xbfffecec 0xbfffecec
ebp 0xbfffecf8 0xbfffecf8
esi 0x3b2d5e 3878238
edi 0x3d6ff4 4026356
eip 0x12e416 0x12e416 <__kernel_vsyscall+2>
eflags 0x200202 [ IF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 1 (raw 0x3fff8000000000000000)
st5 9.9999999999999994515327145420957165e-21 (raw
0x3fbcbce5086492111800)
st6 0.0011133344444444390750158636969185943 (raw
0x3ff591ed4e0e8a56d914)
st7 0.040080040000000010159579089466519441 (raw
0x3ffaa42af7d05ba29ec9)
fctrl 0x37f 895
fstat 0x220 544
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x0, 0xff <repeats 15
times>},
v8_int16 = {0xff00, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
v4_int32 = {0xffffff00, 0xffffffff, 0xffffffff, 0xffffffff}, v2_int64 = {
0xffffffffffffff00, 0xffffffffffffffff}, uint128 =
0xffffffffffffffffffffffffffffff00}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128
= 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
---Type <return> to continue, or q <return> to quit---
mm1 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x80}}
mm5 {uint64 = 0xbce5086492111800, v2_int32 = {0x92111800,
0xbce50864}, v4_int16 = {0x1800, 0x9211, 0x864, 0xbce5}, v8_int8 = {0x0, 0x18,
0x11,
0x92, 0x64, 0x8, 0xe5, 0xbc}}
mm6 {uint64 = 0x91ed4e0e8a56d914, v2_int32 = {0x8a56d914,
0x91ed4e0e}, v4_int16 = {0xd914, 0x8a56, 0x4e0e, 0x91ed}, v8_int8 = {0x14,
0xd9,
0x56, 0x8a, 0xe, 0x4e, 0xed, 0x91}}
mm7 {uint64 = 0xa42af7d05ba29ec9, v2_int32 = {0x5ba29ec9,
0xa42af7d0}, v4_int16 = {0x9ec9, 0x5ba2, 0xf7d0, 0xa42a}, v8_int8 = {0xc9,
0x9e,
0xa2, 0x5b, 0xd0, 0xf7, 0x2a, 0xa4}}
(gdb)