New submission from Daniel Kang <[email protected]>: ffmpeg crashes on AVI files with invalid headers. When the resolution declared in the header is larger than the allocated buffer size, ffmpeg crashes. The attached patch fixes the issue. The crash only reproduces with the arguments "-i fuzzed.avi -f null /dev/null"; it does not occur when encoding to a file (e.g. "-i fuzzed.avi temp.avi").
gdb run:
(gdb) r -i ../fuzzed.avi -f null /dev/null
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.avi -f null /dev/null
[Thread debugging using libthread_db enabled]
FFmpeg version git-aa976d2, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 6 2011 17:45:34 with gcc 4.4.5
configuration: --enable-gpl
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.103. 1 / 52.103. 1
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
Input #0, avi, from '../fuzzed.avi':
Duration: 00:00:04.40, start: 0.000000, bitrate: 2858 kb/s
Stream #0.0: Video: cljr, yuv411p, 242x16532, 28.40 tbr, 28.40 tbn, 28.40
tbc
[buffer @ 0x1205560] w:242 h:16532 pixfmt:yuv411p
Output #0, null, to '/dev/null':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: rawvideo, yuv411p, 242x16532, q=2-31, 200 kb/s, 90k tbn,
28.40 tbc
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
Program received signal SIGSEGV, Segmentation fault.
0x000000000050da0c in av_bswap32 (avctx=0x1202ee0, data=0x7fffffffc4c0,
data_size=0x7fffffffc6fc, avpkt=<value optimized out>) at
./libavutil/x86/bswap.h:42
42 __asm__("bswap %0" : "+r" (x));
(gdb) bt
#0 0x000000000050da0c in av_bswap32 (avctx=0x1202ee0, data=0x7fffffffc4c0,
data_size=0x7fffffffc6fc, avpkt=<value optimized out>) at
./libavutil/x86/bswap.h:42
#1 get_bits (avctx=0x1202ee0, data=0x7fffffffc4c0, data_size=0x7fffffffc6fc,
avpkt=<value optimized out>) at libavcodec/get_bits.h:365
#2 decode_frame (avctx=0x1202ee0, data=0x7fffffffc4c0,
data_size=0x7fffffffc6fc, avpkt=<value optimized out>) at libavcodec/cljr.c:74
#3 0x0000000000757080 in avcodec_decode_video2 (avctx=0x1202ee0,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc6fc, avpkt=0x7fffffffc640)
at libavcodec/utils.c:632
#4 0x0000000000434ae9 in output_packet (ist=0x1205480, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4a0)
at ffmpeg.c:1550
#5 0x00000000004368e7 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#6 0x0000000000437853 in main (argc=6, argv=<value optimized out>) at
ffmpeg.c:4363
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x50d9ec to 0x50da2c:
0x000000000050d9ec <decode_frame+396>: callq 0x4319bec
0x000000000050d9f1 <decode_frame+401>: mov %al,0x2(%rdx)
0x000000000050d9f4 <decode_frame+404>: mov 0x190(%r12),%r10d
0x000000000050d9fc <decode_frame+412>: mov 0x180(%r12),%rcx
0x000000000050da04 <decode_frame+420>: mov %r10d,%eax
0x000000000050da07 <decode_frame+423>: shr $0x3,%eax
0x000000000050da0a <decode_frame+426>: mov %eax,%eax
0x000000000050da0c <decode_frame+428>: mov (%rcx,%rax,1),%eax
0x000000000050da0f <decode_frame+431>: mov %r10d,%ecx
0x000000000050da12 <decode_frame+434>: add $0x5,%r10d
0x000000000050da16 <decode_frame+438>: and $0x7,%ecx
0x000000000050da19 <decode_frame+441>: mov %r10d,0x190(%r12)
0x000000000050da21 <decode_frame+449>: bswap %eax
0x000000000050da23 <decode_frame+451>: shl %cl,%eax
0x000000000050da25 <decode_frame+453>: shr $0xfb,%eax
0x000000000050da28 <decode_frame+456>: shl $0x3,%eax
0x000000000050da2b <decode_frame+459>: mov %al,0x1(%rdx)
End of assembler dump.
(gdb) info all-registers
rax 0x2a99d 174493
rbx 0x1202ee0 18886368
rcx 0x1211660 18945632
rdx 0x7ffff4d8b6a0 140737301231264
rsi 0x7ffff4b1cdb8 140737298681272
rdi 0x7ffff4c40db8 140737299877304
rbp 0x7fffffffc4c0 0x7fffffffc4c0
rsp 0x7fffffffc250 0x7fffffffc250
r8 0x7ffff4d8b680 140737301231232
r9 0x2cb 715
r10 0x154cea 1395946
r11 0x7ffff4d59220 140737301025312
r12 0x1205860 18896992
r13 0x1205868 18897000
r14 0xa8c0 43200
r15 0x7fffffffc6fc 140737488340732
rip 0x50da0c 0x50da0c <decode_frame+428>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x00000003c) (raw 0xffff000000000000003c)
st1 -nan(0x000000004) (raw 0xffff0000000000000004)
st2 -nan(0x000000001) (raw 0xffff0000000000000001)
st3 -nan(0xc66a9680b0d29000) (raw 0xffffc66a9680b0d29000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 -nan(0xc000000000000000) (raw 0xffffc000000000000000)
st7 -inf (raw 0xffff0000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x80 <repeats 16 times>}, v8_int16 = {0x8080, 0x8080, 0x8080,
0x8080, 0x8080,
0x8080, 0x8080, 0x8080}, v4_int32 = {0x80808080, 0x80808080, 0x80808080,
0x80808080}, v2_int64 = {0x8080808080808080, 0x8080808080808080},
uint128 = 0x80808080808080808080808080808080}
---Type <return> to continue, or q <return> to quit---
xmm1 {v4_float = {0x0, 0x4d680000, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x7d, 0xc3, 0x94, 0x25, 0xad, 0x49, 0xb2,
0x54, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xc37d, 0x2594, 0x49ad, 0x54b2,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x2594c37d, 0x54b249ad, 0x0, 0x0}, v2_int64 = {
0x54b249ad2594c37d, 0x0}, uint128 = 0x000000000000000054b249ad2594c37d}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x28, 0x58, 0xa7, 0x7b, 0x3b, 0x4d, 0xe7, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x5828, 0x7ba7, 0x4d3b, 0x3ee7, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x7ba75828, 0x3ee74d3b, 0x0, 0x0}, v2_int64 = {0x3ee74d3b7ba75828,
0x0},
uint128 = 0x00000000000000003ee74d3b7ba75828}
xmm3 {v4_float = {0x0, 0x7, 0x0, 0x0}, v2_double = {0x15f90, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xf9, 0xf5, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0,
0xff, 0x0}, v8_int16 = {0x0, 0x0, 0xf900, 0x40f5, 0x0, 0x0, 0x0, 0xff},
v4_int32 = {0x0, 0x40f5f900, 0x0, 0xff0000}, v2_int64 = {0x40f5f90000000000,
0xff000000000000}, uint128 = 0x00ff00000000000040f5f90000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x54, 0xec, 0x35, 0x16, 0xb3, 0xe9, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xec54, 0x1635, 0xe9b3, 0xbd8f, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x1635ec54, 0xbd8fe9b3, 0x0, 0x0}, v2_int64 = {0xbd8fe9b31635ec54,
0x0},
uint128 = 0x0000000000000000bd8fe9b31635ec54}
xmm5 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
uint128 = 0x00000000000000003fe79c95e0000000}
xmm6 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d,
0x0},
uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
uint128 = 0x00000000000000003bbcc86800000000}
xmm8 {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a,
0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229,
0x0},
uint128 = 0x00000000000000003ede49a66c88f229}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3,
0x0},
uint128 = 0x00000000000000003be64664175812b3}
xmm14 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0,
0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
---Type <return> to continue, or q <return> to quit---
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: cljr_buffer_check.diff
messages: 13260
priority: normal
status: open
substatus: open
title: ffmpeg crashes on avi files with invalid headers
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2501>
________________________________________________
cljr_buffer_check.diff
Description: Binary data
