New submission from Daniel Kang <[email protected]>: ffmpeg crashes on mm files whose buf_size is large enough that the decoder increments the height too far. I have attached a patch that fixes this.
This is the gdb run (note that the fault is in free() at free+25, dereferencing rdi = 0x7d7d7d7d7d7d7d7d, a pointer value that appears to have been overwritten, so this looks like heap corruption caused by the height overrun rather than a null-pointer dereference):
(gdb) r -i ../fuzzed.mm del.mkv
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.mm del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-b85aec9, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 5 2011 19:37:29 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.102. 0 / 52.102. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[mm @ 0x11ff510] Estimating duration from bitrate, this may be inaccurate
Input #0, mm, from '../fuzzed.mm':
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0.0: Video: mmvideo, pal8, 256x160, 10 tbr, 10 tbn, 10 tbc
Stream #0.1: Audio: pcm_u8, 8000 Hz, 1 channels, u8, 64 kb/s
[NULL @ 0x1207190] Requested sampling rate unsupported using closest supported
(16000)
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x1239fd0] w:256 h:160 pixfmt:pal8
[ffsink @ 0x123a260] auto-inserting filter 'auto-inserted scaler 0' between the
filter 'src' and the filter 'out'
[scale @ 0x123ced0] w:256 h:160 fmt:pal8 -> w:256 h:160 fmt:yuv420p
flags:0xa0000004
Output #0, matroska, to 'del.mkv':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: mpeg4, yuv420p, 256x160, q=2-31, 200 kb/s, 1k tbn, 10
tbc
Stream #0.1: Audio: mp2, 16000 Hz, 1 channels, s16, 64 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Stream #0.1 -> #0.1
Press [q] to stop encoding
Warning, using s16 intermediate sample format for resampling
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d4f199 in free () from /lib/libc.so.6
(gdb) bt
#0 0x00007ffff6d4f199 in free () from /lib/libc.so.6
#1 0x000000000091fa71 in av_free (arg=<value optimized out>) at
libavutil/mem.c:146
#2 av_freep (arg=<value optimized out>) at libavutil/mem.c:153
#3 0x00000000007565fb in avcodec_default_get_buffer (s=0x1206d20,
pic=0x12c2398) at libavcodec/utils.c:265
#4 0x0000000000687c86 in alloc_frame_buffer (s=0x1210660, pic=0x12c2398,
shared=<value optimized out>) at libavcodec/mpegvideo.c:230
#5 ff_alloc_picture (s=0x1210660, pic=0x12c2398, shared=<value optimized out>)
at libavcodec/mpegvideo.c:272
#6 0x0000000000699461 in load_input_picture (avctx=0x1206d20, buf=<value
optimized out>, buf_size=<value optimized out>, data=0x7fffffffc3b0)
at libavcodec/mpegvideo_enc.c:871
#7 MPV_encode_picture (avctx=0x1206d20, buf=<value optimized out>,
buf_size=<value optimized out>, data=0x7fffffffc3b0) at
libavcodec/mpegvideo_enc.c:1253
#8 0x000000000075600f in avcodec_encode_video (avctx=0x1206d20,
buf=0x7ffff7fb8010 "", buf_size=262144, pict=0x7fffffffc3b0) at
libavcodec/utils.c:582
#9 0x0000000000433d5b in do_video_out (ist=0x12077f0, ist_index=<value
optimized out>, ost_table=<value optimized out>, nb_ostreams=<value optimized
out>,
pkt=<value optimized out>) at ffmpeg.c:1258
#10 output_packet (ist=0x12077f0, ist_index=<value optimized out>,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>, pkt=<value
optimized out>)
at ffmpeg.c:1673
#11 0x00000000004368d7 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#12 0x0000000000437843 in main (argc=4, argv=<value optimized out>) at
ffmpeg.c:4363
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x7ffff6d4f179 to 0x7ffff6d4f1b9:
0x00007ffff6d4f179: (bad)
0x00007ffff6d4f17a: test %al,(%rax)
0x00007ffff6d4f17c: add %al,(%rax)
0x00007ffff6d4f17e: add %al,(%rax)
0x00007ffff6d4f180 <free+0>: mov 0x2ddde9(%rip),%rax # 0x7ffff702cf70
0x00007ffff6d4f187 <free+7>: push %rbx
0x00007ffff6d4f188 <free+8>: mov (%rax),%rax
0x00007ffff6d4f18b <free+11>: test %rax,%rax
0x00007ffff6d4f18e <free+14>: jne 0x7ffff6d4f24b <free+203>
0x00007ffff6d4f194 <free+20>: test %rdi,%rdi
0x00007ffff6d4f197 <free+23>: je 0x7ffff6d4f208 <free+136>
0x00007ffff6d4f199 <free+25>: mov -0x8(%rdi),%rax
0x00007ffff6d4f19d <free+29>: lea -0x10(%rdi),%rdx
0x00007ffff6d4f1a1 <free+33>: test $0x2,%al
0x00007ffff6d4f1a3 <free+35>: jne 0x7ffff6d4f210 <free+144>
0x00007ffff6d4f1a5 <free+37>: test $0x4,%al
0x00007ffff6d4f1a7 <free+39>: lea 0x2dfcb2(%rip),%rbx # 0x7ffff702ee60
0x00007ffff6d4f1ae <free+46>: je 0x7ffff6d4f1bc <free+60>
0x00007ffff6d4f1b0 <free+48>: mov %rdx,%rax
0x00007ffff6d4f1b3 <free+51>: and $0xfffffffffc000000,%rax
End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x1315780 20010880
rcx 0x3 3
rdx 0x7e7e7e7f 2122219135
rsi 0xa0 160
rdi 0x7d7d7d7d7d7d7d7d 9042521604759584125
rbp 0x1206d20 0x1206d20
rsp 0x7fffffffc090 0x7fffffffc090
r8 0x1b000 110592
r9 0x1 1
r10 0x1210668 18941544
r11 0x40000 262144
r12 0x12c2398 19669912
r13 0x1316410 20014096
r14 0x21 33
r15 0x41 65
rip 0x7ffff6d4f199 0x7ffff6d4f199 <free+25>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x1b801b801b801b80) (raw 0xffff1b801b801b801b80)
st1 -nan(0x400000000000) (raw 0xffff0000400000000000)
st2 -nan(0x37003700370037) (raw 0xffff0037003700370037)
st3 -nan(0xdc00000000000) (raw 0xffff000dc00000000000)
st4 -nan(0xdc000000dc000) (raw 0xffff000dc000000dc000)
st5 -nan(0x130013001380138) (raw 0xffff0130013001380138)
st6 -nan(0x9797979797979797) (raw 0xffff9797979797979797)
st7 -inf (raw 0xffff0000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
---Type <return> to continue, or q <return> to quit---
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x4, 0x0, 0x0}, v2_double = {0x3e8, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x8f, 0x40, 0x1, 0x0, 0x1, 0x0, 0x1,
0x0, 0x1,
0x0}, v8_int16 = {0x0, 0x0, 0x4000, 0x408f, 0x1, 0x1, 0x1, 0x1}, v4_int32 =
{0x0, 0x408f4000, 0x10001, 0x10001}, v2_int64 = {0x408f400000000000,
0x1000100010001},
uint128 = 0x0001000100010001408f400000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x4, 0x0, 0x4, 0x0, 0x4, 0x0, 0x4, 0x0, 0x4, 0x0, 0x4, 0x0,
0x4, 0x0, 0x4},
v8_int16 = {0x400, 0x400, 0x400, 0x400, 0x400, 0x400, 0x400, 0x400}, v4_int32
= {0x4000400, 0x4000400, 0x4000400, 0x4000400}, v2_int64 = {0x400040004000400,
0x400040004000400}, uint128 = 0x04000400040004000400040004000400}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x9, 0x0, 0x0}, v2_double = {0x54c14, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x50, 0x30, 0x15, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x3050, 0x4115, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x41153050, 0x0, 0x0}, v2_int64 = {0x4115305000000000, 0x0},
uint128 = 0x00000000000000004115305000000000}
xmm10 {v4_float = {0x0, 0x4b, 0x0, 0x0}, v2_double = {0x5ffffffffff,
0x0}, v16_int8 = {0x2c, 0xfd, 0xff, 0xff, 0xff, 0xff, 0x97, 0x42, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xfd2c, 0xffff, 0xffff, 0x4297, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0xfffffd2c, 0x4297ffff, 0x0, 0x0}, v2_int64 = {
0x4297fffffffffd2c, 0x0}, uint128 = 0x00000000000000004297fffffffffd2c}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xd1, 0xa, 0x76, 0xe0, 0xa4, 0x94, 0x4e, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0xad1, 0xe076, 0x94a4, 0x3e4e, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xe0760ad1, 0x3e4e94a4, 0x0, 0x0}, v2_int64 = {0x3e4e94a4e0760ad1,
0x0},
uint128 = 0x00000000000000003e4e94a4e0760ad1}
xmm12 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3fe0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3fe00000, 0x0, 0x0}, v2_int64 = {0x3fe0000000000000, 0x0},
uint128 = 0x00000000000000003fe0000000000000}
xmm13 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3fe0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3fe00000, 0x0, 0x0}, v2_int64 = {0x3fe0000000000000, 0x0},
uint128 = 0x00000000000000003fe0000000000000}
xmm14 {v4_float = {0x0, 0x9, 0x0, 0x0}, v2_double = {0x54c14, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x50, 0x30, 0x15, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x3050, 0x4115, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x41153050, 0x0, 0x0}, v2_int64 = {0x4115305000000000, 0x0},
uint128 = 0x00000000000000004115305000000000}
xmm15 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x87, 0xc7, 0xde, 0xfc, 0xd1, 0x21, 0x89, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xc787, 0xfcde, 0x21d1, 0x3f89, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xfcdec787, 0x3f8921d1, 0x0, 0x0}, v2_int64 = {0x3f8921d1fcdec787,
0x0},
uint128 = 0x00000000000000003f8921d1fcdec787}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: mm_height_sanity_check.diff
messages: 13234
priority: normal
status: open
substatus: open
title: ffmpeg crashes for mm files with buf_size that overruns height
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2495>
________________________________________________
mm_height_sanity_check.diff
Description: Binary data
