New submission from Daniel Kang <[email protected]>: For TS files with invalid headers (i.e. a channel count greater than DCA_PRIM_CHANNELS_MAX), ffmpeg crashes with a buffer over-read. The attached patch adds a check for this.
FTP does not work from my current location, so I have uploaded the sample file elsewhere.
gdb run:
(gdb) r -i ../fuzzed.ts -f null /dev/null
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.ts -f null /dev/null
[Thread debugging using libthread_db enabled]
FFmpeg version git-b06938e, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 6 2011 20:01:54 with gcc 4.4.5
configuration: --enable-gpl --disable-pthreads
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.103. 1 / 52.103. 1
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[dca @ 0x1202e90] Not a valid DCA frame
ERROR: block code look-up failed
Last message repeated 25 times
[dca @ 0x1202e90] Didn't get subframe DSYNC
[dts @ 0x1200510] max_analyze_duration reached
[dts @ 0x1200510] Estimating duration from bitrate, this may be inaccurate
Input #0, dts, from '../fuzzed.ts':
Duration: 223:05:36.00, bitrate: 0 kb/s
Stream #0.0: Audio: dca, 48000 Hz, 5.1, s16, 0 kb/s
Output #0, null, to '/dev/null':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Audio: pcm_s16le, 48000 Hz, 5.1, s16, 4608 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
[dca @ 0x1202e90] Not a valid DCA frame
Error while decoding stream #0.0
ERROR: block code look-up failed
Last message repeated 25 times
[dca @ 0x1202e90] Didn't get subframe DSYNC
[dca @ 0x1202e90] Invalid bit allocation index
Last message repeated 5 times
Program received signal SIGSEGV, Segmentation fault.
0x000000000081b3e7 in float_to_int16_sse2 (dst=0x1286e70, src=0x127fd50,
len=256, channels=<value optimized out>) at libavcodec/x86/dsputil_mmx.c:2388
2388 __asm__ volatile(
(gdb) bt
#0 0x000000000081b3e7 in float_to_int16_sse2 (dst=0x1286e70, src=0x127fd50,
len=256, channels=<value optimized out>) at libavcodec/x86/dsputil_mmx.c:2388
#1 float_to_int16_interleave_misc_sse2 (dst=0x1286e70, src=0x127fd50, len=256,
channels=<value optimized out>) at libavcodec/x86/dsputil_mmx.c:2516
#2 0x00000000005132c8 in dca_decode_frame (avctx=<value optimized out>,
data=<value optimized out>, data_size=<value optimized out>, avpkt=<value
optimized out>)
at libavcodec/dca.c:1786
#3 0x0000000000755fdf in avcodec_decode_audio3 (avctx=0x1202e90,
samples=0x127fd50, frame_size_ptr=0x100, avpkt=0x7fffffffc140) at
libavcodec/utils.c:677
#4 0x0000000000434945 in output_packet (ist=0x121ecc0, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4a0)
at ffmpeg.c:1526
#5 0x00000000004364f7 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#6 0x0000000000437463 in main (argc=6, argv=<value optimized out>) at
ffmpeg.c:4363
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x81b3c7 to 0x81b407:
0x000000000081b3c7 <float_to_int16_interleave_misc_sse2+55>: nopw
0x0(%rax,%rax,1)
0x000000000081b3d0 <float_to_int16_interleave_misc_sse2+64>: mov
(%rsi,%rbx,1),%r8
0x000000000081b3d4 <float_to_int16_interleave_misc_sse2+68>: mov %rdx,%rax
0x000000000081b3d7 <float_to_int16_interleave_misc_sse2+71>: mov %r9,%rcx
0x000000000081b3da <float_to_int16_interleave_misc_sse2+74>: add %rax,%rax
0x000000000081b3dd <float_to_int16_interleave_misc_sse2+77>: lea
(%r8,%rax,2),%r8
0x000000000081b3e1 <float_to_int16_interleave_misc_sse2+81>: add %rax,%rcx
0x000000000081b3e4 <float_to_int16_interleave_misc_sse2+84>: neg %rax
0x000000000081b3e7 <float_to_int16_interleave_misc_sse2+87>: cvtps2dq
(%r8,%rax,2),%xmm0
0x000000000081b3ed <float_to_int16_interleave_misc_sse2+93>: cvtps2dq
0x10(%r8,%rax,2),%xmm1
0x000000000081b3f4 <float_to_int16_interleave_misc_sse2+100>: packssdw
%xmm1,%xmm0
0x000000000081b3f8 <float_to_int16_interleave_misc_sse2+104>: movdqa
%xmm0,(%rcx,%rax,1)
0x000000000081b3fd <float_to_int16_interleave_misc_sse2+109>: add
$0x10,%rax
0x000000000081b401 <float_to_int16_interleave_misc_sse2+113>: js 0x81b3e7
<float_to_int16_interleave_misc_sse2+87>
0x000000000081b403 <float_to_int16_interleave_misc_sse2+115>: test %rdx,%rdx
0x000000000081b406 <float_to_int16_interleave_misc_sse2+118>: jle 0x81b425
<float_to_int16_interleave_misc_sse2+149>
End of assembler dump.
(gdb) info all-registers
rax 0xfffffffffffffe00 -512
rbx 0x0 0
rcx 0x7fffffffc140 140737488339264
rdx 0x100 256
rsi 0x127fd50 19397968
rdi 0x1286e70 19426928
rbp 0x7fffffffc160 0x7fffffffc160
rsp 0x7fffffffbf40 0x7fffffffbf40
r8 0x400 1024
r9 0x7fffffffbf40 140737488338752
r10 0x200 512
r11 0x10 16
r12 0x40 64
r13 0x127ed50 19393872
r14 0x20 32
r15 0x1261cc0 19274944
rip 0x81b3e7 0x81b3e7 <float_to_int16_interleave_misc_sse2+87>
eflags 0x10287 [ CF PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x4605b3fecd) (raw 0xffff0000004605b3fecd)
st1 -nan(0x2f0fddffe0fff4f) (raw 0xffff02f0fddffe0fff4f)
st2 -nan(0xb9fd8a00000153) (raw 0xffff00b9fd8a00000153)
st3 -nan(0x5b3fecd02f0fddf) (raw 0xffff05b3fecd02f0fddf)
st4 -nan(0xfffffd8affffff4f) (raw 0xfffffffffd8affffff4f)
st5 -nan(0xb9fffffe0f) (raw 0xffff000000b9fffffe0f)
st6 0.085797312344439878996175952163838474 (raw
0x3ffbafb68054d520bf70)
st7 0.99631261218277801359642295575547166 (raw
0x3ffeff0e57e5ead848e3)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x7fff 32767
fioff 0xf7699d07 -144073465
foseg 0x7fff 32767
fooff 0xffffc618 -14824
fop 0x51f 1311
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x80, 0x3b, 0x0 <repeats 12 times>}, v8_int16 = {0x0,
0x3b80, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x3b800000, 0x0, 0x0, 0x0}, v2_int64 =
{0x3b800000, 0x0}, uint128 = 0x0000000000000000000000003b800000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x3c, 0x9f, 0x2a, 0x3c, 0x0 <repeats 12 times>}, v8_int16 = {0x9f3c,
0x3c2a, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x3c2a9f3c, 0x0, 0x0, 0x0}, v2_int64 =
{0x3c2a9f3c, 0x0}, uint128 = 0x0000000000000000000000003c2a9f3c}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb6, 0x2b, 0x6e, 0x3c, 0x0 <repeats 12 times>}, v8_int16 = {0x2bb6,
0x3c6e, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x3c6e2bb6, 0x0, 0x0, 0x0}, v2_int64 =
{0x3c6e2bb6, 0x0}, uint128 = 0x0000000000000000000000003c6e2bb6}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x80, 0x0,
0x0, 0x0,
0x80}, v8_int16 = {0x0, 0x8000, 0x0, 0x8000, 0x0, 0x8000, 0x0, 0x8000},
v4_int32 = {0x80000000, 0x80000000, 0x80000000, 0x80000000}, v2_int64 = {
0x8000000080000000, 0x8000000080000000}, uint128 =
0x80000000800000008000000080000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0},
v8_int16 = {0x0, 0x0, 0x0, 0x8000, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x80000000, 0x0, 0x0}, v2_int64 = {0x8000000000000000, 0x0},
uint128 = 0x00000000000000008000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0},
v8_int16 = {0x0, 0x0, 0x0, 0x8000, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x80000000, 0x0, 0x0}, v2_int64 = {0x8000000000000000, 0x0},
uint128 = 0x00000000000000008000000000000000}
xmm12 {v4_float = {0xffffcfa4, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x16, 0x70, 0x41, 0xc6, 0x58, 0xac, 0x98, 0xb5, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x7016, 0xc641, 0xac58, 0xb598, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xc6417016, 0xb598ac58, 0x0, 0x0}, v2_int64 =
{0xb598ac58c6417016,
0x0}, uint128 = 0x0000000000000000b598ac58c6417016}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xa0, 0x83, 0x47, 0x3, 0x1d, 0x3c, 0x8a, 0xb5, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
0x0}, v8_int16 = {0x83a0, 0x347, 0x3c1d, 0xb58a, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x34783a0, 0xb58a3c1d, 0x0, 0x0}, v2_int64 = {0xb58a3c1d034783a0,
0x0},
uint128 = 0x0000000000000000b58a3c1d034783a0}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: ts_channel_check.diff
messages: 13272
priority: normal
status: open
substatus: open
title: ffmpeg crashes on ts files with invalid headers
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2505>
________________________________________________
ts_channel_check.diff
Description: Binary data
