New submission from Daniel Kang <[email protected]>:

ffmpeg crashes on truemotion1 videos with invalid vector table IDs. ffmpeg
checks whether the vector table ID is too large, but not whether it is negative;
in the gdb session below the faulting load at truemotion1.c:243 reads through
r12, which holds 0x0 (a null pointer dereference). The attached patch adds the
missing check.

gdb run:
(gdb) r -i ../fuzzed.duk del.mkv
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.duk del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-cdba2ad, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  7 2011 23:52:01 with gcc 4.4.5
  configuration: --enable-gpl --disable-pthreads
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.103. 1 / 52.103. 1
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 3 / 52. 2. 3
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
[avi @ 0x1200510] Something went wrong during header parsing, I will ignore it
and try to continue anyway.

Program received signal SIGSEGV, Segmentation fault.
gen_vector_table15 (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>)
    at libavcodec/truemotion1.c:243
243             len = *sel_vector_table++ / 2;
(gdb) bt
#0  gen_vector_table15 (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>)
    at libavcodec/truemotion1.c:243
#1  truemotion1_decode_header (avctx=<value optimized out>, data=<value
optimized out>, data_size=<value optimized out>, avpkt=<value optimized out>)
    at libavcodec/truemotion1.c:429
#2  truemotion1_decode_frame (avctx=<value optimized out>, data=<value optimized
out>, data_size=<value optimized out>, avpkt=<value optimized out>)
    at libavcodec/truemotion1.c:858
#3  0x0000000000756990 in avcodec_decode_video2 (avctx=0x1202ee0,
picture=0x7fffffffd160, got_picture_ptr=0x7fffffffd43c, avpkt=0x121ec10) at
libavcodec/utils.c:632
#4  0x00000000004d7490 in try_decode_frame (ic=0x1200510) at
libavformat/utils.c:2080
#5  av_find_stream_info (ic=0x1200510) at libavformat/utils.c:2361
#6  0x000000000043126b in opt_input_file (filename=0x7fffffffdafe
"../fuzzed.duk") at ffmpeg.c:3214
#7  0x000000000043b42c in parse_options (argc=4, argv=0x7fffffffd758,
options=<value optimized out>, parse_arg_function=0x437e40 <opt_output_file>) at
cmdutils.c:208
#8  0x0000000000437432 in main (argc=4, argv=0x7fffffffd758) at ffmpeg.c:4345
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x749ff6 to 0x74a036:
0x0000000000749ff6 <truemotion1_decode_frame+982>:      orl   
$0x1,0x170(%rbx,%rdx,4)
0x0000000000749ffe <truemotion1_decode_frame+990>:      orl   
$0x1,0x1170(%rbx,%rdx,4)
0x000000000074a006 <truemotion1_decode_frame+998>:      cmp    $0x400,%r11d
0x000000000074a00d <truemotion1_decode_frame+1005>:     je     0x74a4f9
<truemotion1_decode_frame+2265>
0x000000000074a013 <truemotion1_decode_frame+1011>:     mov    %r13,%r12
0x000000000074a016 <truemotion1_decode_frame+1014>:     movzbl (%r12),%r14d
0x000000000074a01b <truemotion1_decode_frame+1019>:     lea    0x1(%r12),%r13
0x000000000074a020 <truemotion1_decode_frame+1024>:     shr    %r14b
0x000000000074a023 <truemotion1_decode_frame+1027>:     movzbl %r14b,%r14d
0x000000000074a027 <truemotion1_decode_frame+1031>:     test   %r14d,%r14d
0x000000000074a02a <truemotion1_decode_frame+1034>:     je     0x749fea
<truemotion1_decode_frame+970>
0x000000000074a02c <truemotion1_decode_frame+1036>:     lea    -0x1(%r14),%r15d
0x000000000074a030 <truemotion1_decode_frame+1040>:     mov    %r11d,%esi
0x000000000074a033 <truemotion1_decode_frame+1043>:     mov    %r13,%rdx
End of assembler dump.
(gdb) info all-registers
rax            0x1202ee0        18886368
rbx            0x1211660        18945632
rcx            0x2      2
rdx            0xa      10
rsi            0x1215830        18962480
rdi            0x1      1
rbp            0x4254   0x4254
rsp            0x7fffffffcfa0   0x7fffffffcfa0
r8             0x20600  132608
r9             0x0      0
r10            0x8000000000000000       -9223372036854775808
r11            0x0      0
r12            0x0      0
r13            0x2e     46
r14            0x2      2
r15            0x1      1
rip            0x74a016 0x74a016 <truemotion1_decode_frame+1014>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x17, 0x67, 0x5c, 0x61, 0x59, 0x48, 0x73, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x6717, 0x615c, 0x4859, 0x3f73, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x615c6717, 0x3f734859, 0x0, 0x0}, v2_int64 = {0x3f734859615c6717, 
0x0},
  uint128 = 0x00000000000000003f734859615c6717}
xmm1           {v4_float = {0x0, 0xffffffff, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x80, 0x10, 0x1f, 0x75, 0xa3, 0x8, 0x80, 0xbf, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0x1080, 0x751f, 0x8a3, 0xbf80, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x751f1080, 0xbf8008a3, 0x0, 0x0}, v2_int64 = 
{0xbf8008a3751f1080,
    0x0}, uint128 = 0x0000000000000000bf8008a3751f1080}
xmm2           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x77, 0xec, 0x6, 0xb6, 0xb2, 0x82, 0xeb, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0xec77, 0xb606, 0x82b2, 0x3feb, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xb606ec77, 0x3feb82b2, 0x0, 0x0}, v2_int64 = {0x3feb82b2b606ec77, 
0x0},
  uint128 = 0x00000000000000003feb82b2b606ec77}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff,
0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0x0, 0xff, 0x0, 0xff00, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xff0000, 0xff000000, 0x0, 0x0}, v2_int64 = {0xff00000000ff0000, 
0x0},
  uint128 = 0x0000000000000000ff00000000ff0000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x73, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x54,
0x72, 0x69, 0x65,
    0x64, 0x20, 0x74, 0x6f}, v8_int16 = {0x73, 0x0, 0x0, 0x0, 0x7254, 0x6569,
0x2064, 0x6f74}, v4_int32 = {0x73, 0x0, 0x65697254, 0x6f742064}, v2_int64 = 
{0x73,
    0x6f74206465697254}, uint128 = 0x6f742064656972540000000000000073}
xmm5           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
  uint128 = 0x00000000000000003fe79c95e0000000}
xmm6           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 
0x0},
  uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
  uint128 = 0x00000000000000003bbcc86800000000}
xmm8           {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
    0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
  uint128 = 0x00000000000000003ff0000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
  uint128 = 0x00000000000000003ed6592484460000}
xmm11          {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = 
{0xbd8feaf25065a26a,
    0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 
0x0},
  uint128 = 0x00000000000000003ede49a66c88f229}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 
0x0},
  uint128 = 0x00000000000000003be64664175812b3}
xmm14          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 
0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

----------
files: duk_vectable_id_check.diff
messages: 13291
priority: normal
status: open
substatus: open
title: ffmpeg crashes on duk files with invalid vector table IDs
type: bug

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2508>
________________________________________________

Attachment: duk_vectable_id_check.diff
Description: Binary data
