New submission from Daniel Kang <[email protected]>: ffmpeg crashes with the error "Stream #0.0Floating point exception" on y4m files with invalid frame rates whose numerator and denominator aren't both 0, when run with the arguments "ffmpeg -i ../y4m_invalid_header_crash_small.y4m test.mkv". The file was generated with zzuf from the foreman sample. The gdb run is below.
The error is caused by a division by zero: ffmpeg reads the invalid header but
keeps the frame rate at 0/0, so the divisor g of the stream time base is 0 (in the
gdb output below the faulting instruction is `idiv %ebp` with rbp = 0). I have
attached a patch for the function yuv4_read_header in libavformat/yuv4mpeg.c that
checks the frame rate more strictly and rejects invalid values. With the patch
compiled in, the test output is:
./ffmpeg -i ../y4m_invalid_header_crash_small.y4m test.mkv
FFmpeg version git-7285124, Copyright (c) 2000-2010 the FFmpeg developers
built on Dec 31 2010 23:19:50 with gcc 4.4.5
configuration: --enable-gpl --samples=../fate/fate-suite/
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.101. 0 / 52.101. 0
libavformat 52.91. 0 / 52.91. 0
libavdevice 52. 2. 2 / 52. 2. 2
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[yuv4mpegpipe @ 0x11f9510] Estimating duration from bitrate, this may be
inaccurate
Input #0, yuv4mpegpipe, from '../y4m_invalid_header_crash_small.y4m':
Duration: N/A, bitrate: N/A
Stream #0.0: Video: rawvideo, yuv420p, 352x288, PAR 128:117 DAR 1408:1053,
25 tbr, 25 tbn, 25 tbc
[buffer @ 0x1201e60] w:352 h:288 pixfmt:yuv420p
Output #0, matroska, to 'test.mkv':
Metadata:
encoder : Lavf52.91.0
Stream #0.0: Video: mpeg4, yuv420p, 352x288 [PAR 128:117 DAR 1408:1053],
q=2-31, 200 kb/s, 1k tbn, 25 tbc
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
frame= 2 fps= 0 q=2.0 Lsize= 88kB time=0.08 bitrate=8995.8kbits/s
video:87kB audio:0kB global headers:0kB muxing overhead 0.651182%
gdb run output:
(gdb) r -i ../y4m_invalid_header_crash_small.y4m test.mkv
Starting program: ffmpeg/ffmpeg_g -i ../y4m_invalid_header_crash_small.y4m
test.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-cace0b2, Copyright (c) 2000-2010 the FFmpeg developers
built on Dec 31 2010 23:16:40 with gcc 4.4.5
configuration: --enable-gpl --samples=../fate/fate-suite/
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.101. 0 / 52.101. 0
libavformat 52.91. 0 / 52.91. 0
libavdevice 52. 2. 2 / 52. 2. 2
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[yuv4mpegpipe @ 0x11f9510] Estimating duration from bitrate, this may be
inaccurate
Input #0, yuv4mpegpipe, from '../y4m_invalid_header_crash_small.y4m':
Duration: N/A, bitrate: N/A
Stream #0.0
Program received signal SIGFPE, Arithmetic exception.
0x00000000004d6a5d in dump_stream_format (ic=<value optimized out>, i=0,
index=<value optimized out>, is_output=0) at libavformat/utils.c:3185
3185 av_log(NULL, AV_LOG_DEBUG, ", %d, %d/%d", st->codec_info_nb_frames,
st->time_base.num/g, st->time_base.den/g);
(gdb) bt
#0 0x00000000004d6a5d in dump_stream_format (ic=<value optimized out>, i=0,
index=<value optimized out>, is_output=0) at libavformat/utils.c:3185
#1 0x00000000004d7219 in dump_format (ic=0x11f9510, index=0, url=<value
optimized out>, is_output=0) at libavformat/utils.c:3286
#2 0x0000000000430381 in opt_input_file (filename=0x7fffffffdca4
"../y4m_invalid_header_crash_small.y4m") at ffmpeg.c:3314
#3 0x000000000043a70c in parse_options (argc=4, argv=0x7fffffffd928,
options=<value optimized out>, parse_arg_function=0x437260 <opt_output_file>) at
cmdutils.c:204
#4 0x00000000004363a2 in main (argc=4, argv=0x7fffffffd928) at ffmpeg.c:4330
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x4d6a3d to 0x4d6a7d:
0x00000000004d6a3d <dump_stream_format+173>: add %al,(%rax)
0x00000000004d6a3f <dump_stream_format+175>: xor %edi,%edi
0x00000000004d6a41 <dump_stream_format+177>: xor %eax,%eax
0x00000000004d6a43 <dump_stream_format+179>: callq 0x919250 <av_log>
0x00000000004d6a48 <dump_stream_format+184>: mov 0x44(%rbx),%edx
0x00000000004d6a4b <dump_stream_format+187>: mov 0x208(%rbx),%ecx
0x00000000004d6a51 <dump_stream_format+193>: xor %edi,%edi
0x00000000004d6a53 <dump_stream_format+195>: mov $0x30,%esi
0x00000000004d6a58 <dump_stream_format+200>: mov %edx,%eax
0x00000000004d6a5a <dump_stream_format+202>: sar $0x1f,%edx
0x00000000004d6a5d <dump_stream_format+205>: idiv %ebp
0x00000000004d6a5f <dump_stream_format+207>: mov 0x40(%rbx),%edx
0x00000000004d6a62 <dump_stream_format+210>: mov %eax,%r9d
0x00000000004d6a65 <dump_stream_format+213>: mov %edx,%eax
0x00000000004d6a67 <dump_stream_format+215>: sar $0x1f,%edx
0x00000000004d6a6a <dump_stream_format+218>: idiv %ebp
0x00000000004d6a6c <dump_stream_format+220>: mov $0x939da8,%edx
0x00000000004d6a71 <dump_stream_format+225>: mov %eax,%r8d
0x00000000004d6a74 <dump_stream_format+228>: xor %eax,%eax
0x00000000004d6a76 <dump_stream_format+230>: callq 0x919250 <av_log>
0x00000000004d6a7b <dump_stream_format+235>: mov $0xa01a55,%edx
End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x11fa5d0 18851280
rcx 0x2 2
rdx 0x0 0
rsi 0x30 48
rdi 0x0 0
rbp 0x0 0x0
rsp 0x7fffffffd470 0x7fffffffd470
r8 0xfefefefefefefeff -72340172838076673
r9 0xff2f2d2f221f6c60 -58778589673329568
r10 0x1161740 18224960
r11 0x246 582
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x7fffffffd490 140737488344208
rip 0x4d6a5d 0x4d6a5d <dump_stream_format+205>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x25 <repeats 16 times>}, v8_int16 = {0x2525, 0x2525, 0x2525,
0x2525, 0x2525,
0x2525, 0x2525, 0x2525}, v4_int32 = {0x25252525, 0x25252525, 0x25252525,
0x25252525}, v2_int64 = {0x2525252525252525, 0x2525252525252525},
uint128 = 0x25252525252525252525252525252525}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff,
0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0xff, 0x0, 0xff00, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xff0000, 0xff000000, 0x0, 0x0}, v2_int64 = {0xff00000000ff0000,
0x0},
uint128 = 0x0000000000000000ff00000000ff0000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54,
0x72, 0x69, 0x65,
0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569,
0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 =
{0x73,
0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d,
0x0},
uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a,
0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229,
0x0},
uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3,
0x0},
uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0,
0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: fix.diff
messages: 13136
priority: normal
status: new
substatus: new
title: ffmpeg crashes on y4m with invalid header
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2470>
________________________________________________
fix.diff
Description: Binary data
