New submission from Daniel Kang <[email protected]>:

ffmpeg crashes with SIGSEGV on truemotion2 videos with invalid headers. In the run below the fault is a NULL-pointer read: the faulting instruction is `mov (%rsi),%eax` with rsi = 0, reached inside tm2_read_stream() (gdb attributes it to truemotion2.c:285, but tm2_read_stream appears to be inlined into decode_frame, so the line attribution is approximate) right after the decoder logged "Tree exceeded its given depth" and "Got less codes than expected: 3 of 9", i.e. the Huffman tree was not built successfully but decoding continued. Because the trigger is a fuzzed AVI, any input of this shape can crash the decoder (a denial of service; the register dump shows a read through a null pointer, not a controlled write). The attached patch (truemotion2_checks.diff) adds sanity checks in several places so that the malformed header values are rejected instead of being used.

gdb run:
(gdb) r -i ../fuzzed.avi del.mkv
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.avi del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-eb83619, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  8 2011 14:37:10 with gcc 4.4.5
  configuration: --enable-gpl --disable-pthreads
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.107. 0 / 52.107. 0
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 3 / 52. 2. 3
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
[avi @ 0x1200510] Something went wrong during header parsing, I will ignore it
and try to continue anyway.
Input #0, avi, from '../fuzzed.avi':
  Duration: 00:00:02.00, start: 0.000000, bitrate: 3424 kb/s
    Stream #0.0: Video: truemotion2, bgr24, 320x240, 15 tbr, 15 tbn, 15 tbc
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x12087f0] w:320 h:240 pixfmt:bgr24
[ffsink @ 0x1208a90] auto-inserting filter 'auto-inserted scaler 0' between the
filter 'src' and the filter 'out'
[scale @ 0x1208d90] w:320 h:240 fmt:bgr24 -> w:320 h:240 fmt:yuv420p
flags:0xa0000004
Output #0, matroska, to 'del.mkv':
  Metadata:
    encoder         : Lavf52.92.0
    Stream #0.0: Video: mpeg4, yuv420p, 320x240, q=2-31, 200 kb/s, 1k tbn, 15 
tbc
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding
[truemotion2 @ 0x1202ee0] Tree exceeded its given depth (6)
[truemotion2 @ 0x1202ee0] Got less codes than expected: 3 of 9
Error while decoding stream #0.0

Program received signal SIGSEGV, Segmentation fault.
tm2_read_stream (avctx=0x36c0, data=<value optimized out>, data_size=<value
optimized out>, avpkt=<value optimized out>) at libavcodec/truemotion2.c:285
285                 if(tm2_read_deltas(ctx, stream_id) == -1)
(gdb) bt
#0  tm2_read_stream (avctx=0x36c0, data=<value optimized out>, data_size=<value
optimized out>, avpkt=<value optimized out>) at libavcodec/truemotion2.c:285
#1  decode_frame (avctx=0x36c0, data=<value optimized out>, data_size=<value
optimized out>, avpkt=<value optimized out>) at libavcodec/truemotion2.c:791
#2  0x0000000000756a58 in avcodec_decode_video2 (avctx=0x1202ee0,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc70c, avpkt=0x7fffffffc650)
    at libavcodec/utils.c:637
#3  0x0000000000434789 in output_packet (ist=0x1208730, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4b0)
    at ffmpeg.c:1550
#4  0x0000000000436587 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
    nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#5  0x00000000004374f3 in main (argc=4, argv=<value optimized out>) at 
ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x74afab to 0x74afeb:
0x000000000074afab <decode_frame+475>:  xor    %edx,%edx
0x000000000074afad <decode_frame+477>:  movl   $0x0,0x150(%rbx)
0x000000000074afb7 <decode_frame+487>:  mov    %rdi,0x148(%rbx)
0x000000000074afbe <decode_frame+494>:  mov    %rdx,0x140(%rbx)
0x000000000074afc5 <decode_frame+501>:  mov    %eax,0x154(%rbx)
0x000000000074afcb <decode_frame+507>:  mov    (%rsi),%eax
0x000000000074afcd <decode_frame+509>:  movl   $0x9,0x150(%rbx)
0x000000000074afd7 <decode_frame+519>:  bswap  %eax
0x000000000074afd9 <decode_frame+521>:  mov    (%rcx),%r8d
0x000000000074afdc <decode_frame+524>:  movl   $0xe,0x150(%rbx)
0x000000000074afe6 <decode_frame+534>:  shr    $0xf7,%eax
0x000000000074afe9 <decode_frame+537>:  bswap  %r8d
End of assembler dump.
(gdb) info all-registers
rax            0x0      0
rbx            0x128a580        19441024
rcx            0x1      1
rdx            0x0      0
rsi            0x0      0
rdi            0x0      0
rbp            0x36c0   0x36c0
rsp            0x7fffffffc0d0   0x7fffffffc0d0
r8             0xfffffff7       4294967287
r9             0x13be5a0        20702624
r10            0x3e00   15872
r11            0x428    1064
r12            0xf7f    3967
r13            0x14     20
r14            0x428    1064
r15            0x125ccac        19254444
rip            0x74afcb 0x74afcb <decode_frame+507>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            -nan(0x00000003c)        (raw 0xffff000000000000003c)
st1            -nan(0x000000004)        (raw 0xffff0000000000000004)
st2            -inf     (raw 0xffff0000000000000000)
st3            -nan(0xf000000000000000) (raw 0xfffff000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            -nan(0xf000000000000000) (raw 0xfffff000000000000000)
st7            -inf     (raw 0xffff0000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0},
  v8_int16 = {0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0,
0xff, 0x0}, v2_int64 = {0x0, 0xff}, uint128 = 
0x00000000000000ff0000000000000000}
xmm1           {v4_float = {0x0, 0x4d680000, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x7d, 0xc3, 0x94, 0x25, 0xad, 0x49, 0xb2,
0x54, 0x0, 0x0,
---Type <return> to continue, or q <return> to quit---
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xc37d, 0x2594, 0x49ad, 0x54b2,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x2594c37d, 0x54b249ad, 0x0, 0x0}, v2_int64 = {
    0x54b249ad2594c37d, 0x0}, uint128 = 0x000000000000000054b249ad2594c37d}
xmm2           {v4_float = {0x2b020000, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x50, 0x3f, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0xa9fc, 0xd2f1, 0x624d, 0x3f50, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xd2f1a9fc, 0x3f50624d, 0x0, 0x0}, v2_int64 = 
{0x3f50624dd2f1a9fc,
    0x0}, uint128 = 0x00000000000000003f50624dd2f1a9fc}
xmm3           {v4_float = {0x0, 0x4, 0x0, 0x0}, v2_double = {0x3e8,
0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x8f, 0x40, 0x0,
0x0, 0x0, 0xff,
    0xff, 0xff, 0xff, 0xff}, v8_int16 = {0x0, 0x0, 0x4000, 0x408f, 0x0, 0xff00,
0xffff, 0xffff}, v4_int32 = {0x0, 0x408f4000, 0xff000000, 0xffffffff}, v2_int64 
= {
    0x408f400000000000, 0xffffffffff000000}, uint128 =
0xffffffffff000000408f400000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm5           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0xe0, 0x95, 0x9c, 0xe7, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0xe000, 0x9c95, 0x3fe7, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0xe0000000, 0x3fe79c95, 0x0, 0x0}, v2_int64 = {0x3fe79c95e0000000, 0x0},
  uint128 = 0x00000000000000003fe79c95e0000000}
xmm6           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0xbbbf7d6d, 0x3ff5af27, 0x0, 0x0}, v2_int64 = {0x3ff5af27bbbf7d6d, 
0x0},
  uint128 = 0x00000000000000003ff5af27bbbf7d6d}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3bbcc868, 0x0, 0x0}, v2_int64 = {0x3bbcc86800000000, 0x0},
  uint128 = 0x00000000000000003bbcc86800000000}
xmm8           {v4_float = {0x0, 0xfffffffd, 0x0, 0x0}, v2_double =
{0xffffffffffffffd2, 0x0}, v16_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47,
0xc0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0}, v2_int64 = {
    0xc047069e6735e6e0, 0x0}, uint128 = 0x0000000000000000c047069e6735e6e0}
xmm9           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
  uint128 = 0x00000000000000003ff0000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0, 0x0}, v4_int32
= {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {0x3ed6592484460000, 0x0},
  uint128 = 0x00000000000000003ed6592484460000}
xmm11          {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 = 
{0xbd8feaf25065a26a,
    0x0}, uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 
0x0},
  uint128 = 0x00000000000000003ede49a66c88f229}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 
0x0},
  uint128 = 0x00000000000000003be64664175812b3}
xmm14          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 
0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

----------
files: truemotion2_checks.diff
messages: 13303
priority: normal
status: open
substatus: open
title: ffmpeg crashes on truemotion2 videos with invalid headers
type: bug

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2512>
________________________________________________

Attachment: truemotion2_checks.diff
Description: Binary data
