New submission from Daniel Kang <[email protected]>:

ffmpeg crashes on mov files with an invalid creation time. gmtime will return NULL
for times it cannot convert
(http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf p. 335), and strftime
crashes when that NULL is passed to it. I have attached a patch to fix this issue.

gdb run:
(gdb) r -i ../fuzzed.mov del.mkv
Starting program: /afs/csl.tjhsst.edu/students/2011/2011dkang/ffmpeg/ffmpeg_g -i
../fuzzed.mov del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-5fbd1d4, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  4 2011 22:05:23 with gcc 4.4.5
  configuration: --enable-gpl
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.102. 0 / 52.102. 0
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d7057f in ?? () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff6d7057f in ?? () from /lib/libc.so.6
#1  0x00007ffff6d72626 in strftime_l () from /lib/libc.so.6
#2  0x0000000000486808 in mov_metadata_creation_time (c=<value optimized out>,
pb=0x12075b0, atom=...) at libavformat/mov.c:595
#3  mov_read_mdhd (c=<value optimized out>, pb=0x12075b0, atom=...) at
libavformat/mov.c:626
#4  0x0000000000482fbd in mov_read_default (c=0x11ff5a0, pb=0x12075b0, atom=...)
at libavformat/mov.c:302
#5  0x0000000000482fbd in mov_read_default (c=0x11ff5a0, pb=0x12075b0, atom=...)
at libavformat/mov.c:302
#6  0x0000000000485865 in mov_read_trak (c=0x11ff5a0, pb=0x12075b0, atom=...) at
libavformat/mov.c:1738
#7  0x0000000000482fbd in mov_read_default (c=0x11ff5a0, pb=0x12075b0, atom=...)
at libavformat/mov.c:302
#8  0x0000000000483485 in mov_read_moov (c=0x7fffffffcf50, pb=0x0, atom=...) at
libavformat/mov.c:575
#9  0x0000000000482fbd in mov_read_default (c=0x11ff5a0, pb=0x12075b0, atom=...)
at libavformat/mov.c:302
#10 0x00000000004876e0 in mov_read_header (s=<value optimized out>, ap=<value
optimized out>) at libavformat/mov.c:2353
#11 0x00000000004d15a9 in av_open_input_stream (ic_ptr=0x7fffffffd4d8,
pb=0x12075b0, filename=0x7fffffffdafe "../fuzzed.mov", fmt=0xca17a0,
ap=0x7fffffffd4a0)
    at libavformat/utils.c:487
#12 0x00000000004d3768 in av_open_input_file (ic_ptr=0x7fffffffd4d8,
filename=0x7fffffffdafe "../fuzzed.mov", fmt=0xca17a0, buf_size=0,
ap=0x7fffffffd4a0)
    at libavformat/utils.c:643
#13 0x0000000000430f2d in opt_input_file (filename=0x7fffffffdafe
"../fuzzed.mov") at ffmpeg.c:3178
#14 0x000000000043b53c in parse_options (argc=4, argv=0x7fffffffd758,
options=<value optimized out>, parse_arg_function=0x438000 <opt_output_file>) at
cmdutils.c:208
#15 0x0000000000437142 in main (argc=4, argv=0x7fffffffd758) at ffmpeg.c:4340
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7ffff6d7055f to 0x7ffff6d7059f:
0x00007ffff6d7055f:     push   %rbx
0x00007ffff6d70560:     sub    $0xf8,%rsp
0x00007ffff6d70567:     mov    %rcx,0x30(%rsp)
0x00007ffff6d7056c:     mov    %r8,0x68(%rsp)
0x00007ffff6d70571:     mov    0x10(%r9),%rax
0x00007ffff6d70575:     mov    0x30(%rsp),%rsi
0x00007ffff6d7057a:     mov    %rax,0x60(%rsp)
0x00007ffff6d7057f:     mov    0x8(%rcx),%ecx
0x00007ffff6d70582:     mov    %ecx,0x3c(%rsp)
0x00007ffff6d70586:     mov    0x30(%rsi),%rsi
0x00007ffff6d7058a:     cmp    $0xc,%ecx
0x00007ffff6d7058d:     mov    %rsi,0x70(%rsp)
0x00007ffff6d70592:     jle    0x7ffff6d70770
0x00007ffff6d70598:     sub    $0xc,%ecx
0x00007ffff6d7059b:     mov    %ecx,0x3c(%rsp)
End of assembler dump.
(gdb) info all-registers
rax            0x7ffff702b2e0   140737337537248
rbx            0x12075b0        18904496
rcx            0x0      0
rdx            0x9348ab 9652395
rsi            0x0      0
rdi            0x7fffffffcf50   140737488342864
rbp            0x1200160        0x1200160
rsp            0x7fffffffcdf0   0x7fffffffcdf0
r8             0x7fffffffcf2f   140737488342831
r9             0x7ffff702d580   140737337546112
r10            0xfffffffffffffeba       -326
r11            0xa3d70a3d70a3d70b       -6640827866535438581
r12            0x7ffff702d580   140737337546112
r13            0x11ff760        18872160
r14            0x12002e8        18875112
r15            0x20     32
rip            0x7ffff6d7057f   0x7ffff6d7057f
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0xff, 0xff, 0xff, 0x0,
0x0, 0x0, 0x0,
---Type <return> to continue, or q <return> to quit---
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0xffff, 0xff, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0xffffff, 0x0}, v2_int64 = {0x3ff0000000000000, 0xffffff},
  uint128 = 0x0000000000ffffff3ff0000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6c, 0x69, 0x63, 0x65, 0x73, 0x0 <repeats 11 times>}, v8_int16 =
{0x696c,
    0x6563, 0x73, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6563696c, 0x73, 0x0,
0x0}, v2_int64 = {0x736563696c, 0x0}, uint128 = 
0x0000000000000000000000736563696c}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x1e400000}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x54, 0x72, 0x69, 0x65,
0x64, 0x20, 0x74,
    0x6f, 0x20, 0x63, 0x6f, 0x70, 0x79, 0x20, 0x41, 0x56}, v8_int16 = {0x7254,
0x6569, 0x2064, 0x6f74, 0x6320, 0x706f, 0x2079, 0x5641}, v4_int32 = {0x65697254,
    0x6f742064, 0x706f6320, 0x56412079}, v2_int64 = {0x6f74206465697254,
0x56412079706f6320}, uint128 = 0x56412079706f63206f74206465697254}
xmm5           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
  uint128 = 0x00000000000000003fe79c95e0000000}
xmm6           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 
0x0},
  uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
  uint128 = 0x00000000000000003bbcc86800000000}
xmm8           {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
    0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
  uint128 = 0x00000000000000003ff0000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
  uint128 = 0x00000000000000003ed6592484460000}
xmm11          {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = 
{0xbd8feaf25065a26a,
    0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 
0x0},
  uint128 = 0x00000000000000003ede49a66c88f229}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 
0x0},
  uint128 = 0x00000000000000003be64664175812b3}
xmm14          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 
0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

----------
files: mov_fix.diff
messages: 13215
priority: normal
status: open
substatus: open
title: ffmpeg crashes for mov files with invalid time creation
type: bug

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2490>
________________________________________________

Attachment: mov_fix.diff
Description: Binary data
