New submission from Daniel Kang <[email protected]>: When cmv_decode_inter uses the second-last frame as a reference when it should not, ffmpeg crashes. In the register dump below, the base register of the faulting load (r13 in `movzbl 0x0(%r13,%rcx,1)`) is 0, which is consistent with an unallocated reference frame being dereferenced in cmv_motcomp. The patch attached adds a sanity check for that case.
gdb run:
(gdb) r -i ../fuzzed.cmv del.mkv
Starting program: ffmpeg/ffmpeg_g -i ../fuzzed.cmv del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-fb6f2b4, Copyright (c) 2000-2011 the FFmpeg developers
built on Jan 8 2011 18:38:24 with gcc 4.4.5
configuration: --enable-gpl --disable-pthreads
libavutil 50.36. 0 / 50.36. 0
libavcore 0.16. 0 / 0.16. 0
libavcodec 52.107. 0 / 52.107. 0
libavformat 52.92. 0 / 52.92. 0
libavdevice 52. 2. 3 / 52. 2. 3
libavfilter 1.72. 0 / 1.72. 0
libswscale 0.12. 0 / 0.12. 0
[ea @ 0x1200510] Estimating duration from bitrate, this may be inaccurate
Input #0, ea, from '../fuzzed.cmv':
Duration: N/A, bitrate: N/A
Stream #0.0: Video: eacmv, pal8, 200x200, 10 fps, 10 tbr, 90k tbn, 10 tbc
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x123d870] w:200 h:200 pixfmt:pal8
[ffsink @ 0x123ab00] auto-inserting filter 'auto-inserted scaler 0' between the
filter 'src' and the filter 'out'
[scale @ 0x123add0] w:200 h:200 fmt:pal8 -> w:200 h:200 fmt:yuv420p
flags:0xa0000004
Output #0, matroska, to 'del.mkv':
Metadata:
encoder : Lavf52.92.0
Stream #0.0: Video: mpeg4, yuv420p, 200x200, q=2-31, 200 kb/s, 1k tbn, 10
tbc
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
Program received signal SIGSEGV, Segmentation fault.
0x00000000005a2385 in cmv_motcomp (avctx=0x12e5330, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/eacmv.c:74
74 dst[j*dst_stride + i] = src[(j+yoffset)*src_stride +
i+xoffset];
(gdb) bt
#0 0x00000000005a2385 in cmv_motcomp (avctx=0x12e5330, data=<value optimized
out>, data_size=<value optimized out>, avpkt=<value optimized out>)
at libavcodec/eacmv.c:74
#1 cmv_decode_inter (avctx=0x12e5330, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/eacmv.c:100
#2 cmv_decode_frame (avctx=0x12e5330, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>) at
libavcodec/eacmv.c:180
#3 0x0000000000756a98 in avcodec_decode_video2 (avctx=0x1202ed0,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc70c, avpkt=0x7fffffffc650)
at libavcodec/utils.c:637
#4 0x0000000000434789 in output_packet (ist=0x12035d0, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4b0)
at ffmpeg.c:1550
#5 0x0000000000436587 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#6 0x00000000004374f3 in main (argc=4, argv=<value optimized out>) at
ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x5a2365 to 0x5a23a5:
0x00000000005a2365 <cmv_decode_frame+3493>: rex.WR and $0x5c,%al
0x00000000005a2368 <cmv_decode_frame+3496>: jle 0x5a28d2
<cmv_decode_frame+4882>
0x00000000005a236e <cmv_decode_frame+3502>: imul 0x74(%rsp),%ecx
0x00000000005a2373 <cmv_decode_frame+3507>: mov 0x40(%rsp),%r13
0x00000000005a2378 <cmv_decode_frame+3512>: lea (%r11,%r15,1),%r12d
0x00000000005a237c <cmv_decode_frame+3516>: movslq %r12d,%r12
0x00000000005a237f <cmv_decode_frame+3519>: add %r8d,%ecx
0x00000000005a2382 <cmv_decode_frame+3522>: movslq %ecx,%rcx
0x00000000005a2385 <cmv_decode_frame+3525>: movzbl 0x0(%r13,%rcx,1),%ecx
0x00000000005a238b <cmv_decode_frame+3531>: mov %cl,(%rdx,%r12,1)
0x00000000005a238f <cmv_decode_frame+3535>: mov 0x68(%rsp),%r12d
0x00000000005a2394 <cmv_decode_frame+3540>: lea 0x1(%r12),%ecx
0x00000000005a2399 <cmv_decode_frame+3545>: mov %ecx,%r14d
0x00000000005a239c <cmv_decode_frame+3548>: mov %ecx,0x50(%rsp)
0x00000000005a23a0 <cmv_decode_frame+3552>: add %ebx,%r14d
0x00000000005a23a3 <cmv_decode_frame+3555>: js 0x5a2a1d
<cmv_decode_frame+5213>
End of assembler dump.
(gdb) info all-registers
rax 0xc8 200
rbx 0x0 0
rcx 0x58 88
rdx 0x12fc950 19908944
rsi 0xe8 232
rdi 0x1f 31
rbp 0x0 0x0
rsp 0x7fffffffc040 0x7fffffffc040
r8 0x58 88
r9 0x1e 30
r10 0x1d 29
r11 0x1960 6496
r12 0x19b8 6584
r13 0x0 0
r14 0x12e5330 19813168
r15 0x58 88
rip 0x5a2385 0x5a2385 <cmv_decode_frame+3525>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st1 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st2 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st3 -nan(0x80008000800080) (raw 0xffff0080008000800080)
st4 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st5 -nan(0x80008000800080) (raw 0xffff0080008000800080)
st6 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st7 -nan(0x80008000800080) (raw 0xffff0080008000800080)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x80 <repeats 16 times>}, v8_int16 = {0x8080, 0x8080, 0x8080,
0x8080, 0x8080,
0x8080, 0x8080, 0x8080}, v4_int32 = {0x80808080, 0x80808080, 0x80808080,
0x80808080}, v2_int64 = {0x8080808080808080, 0x8080808080808080},
uint128 = 0x80808080808080808080808080808080}
---Type <return> to continue, or q <return> to quit---
xmm1 {v4_float = {0x0, 0x4d680000, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x7d, 0xc3, 0x94, 0x25, 0xad, 0x49, 0xb2,
0x54, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xc37d, 0x2594, 0x49ad, 0x54b2,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x2594c37d, 0x54b249ad, 0x0, 0x0}, v2_int64 = {
0x54b249ad2594c37d, 0x0}, uint128 = 0x000000000000000054b249ad2594c37d}
xmm2 {v4_float = {0x2b020000, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x50, 0x3f, 0xe4, 0xe9, 0xfe,
0xff,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa9fc, 0xd2f1, 0x624d, 0x3f50, 0xe9e4,
0xfffe, 0x0, 0x0}, v4_int32 = {0xd2f1a9fc, 0x3f50624d, 0xfffee9e4, 0x0},
v2_int64 = {
0x3f50624dd2f1a9fc, 0xfffee9e4}, uint128 =
0x00000000fffee9e43f50624dd2f1a9fc}
xmm3 {v4_float = {0x0, 0x4, 0x0, 0x0}, v2_double = {0x3e8, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x8f, 0x40, 0x1, 0x0, 0x1, 0x0, 0x1,
0x0, 0x1,
0x0}, v8_int16 = {0x0, 0x0, 0x4000, 0x408f, 0x1, 0x1, 0x1, 0x1}, v4_int32 =
{0x0, 0x408f4000, 0x10001, 0x10001}, v2_int64 = {0x408f400000000000,
0x1000100010001},
uint128 = 0x0001000100010001408f400000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x55, 0x5, 0x55, 0x5, 0x55, 0x5, 0x55, 0x5, 0x55, 0x5, 0x55, 0x5,
0x55, 0x5,
0x55, 0x5}, v8_int16 = {0x555, 0x555, 0x555, 0x555, 0x555, 0x555, 0x555,
0x555}, v4_int32 = {0x5550555, 0x5550555, 0x5550555, 0x5550555}, v2_int64 = {
0x555055505550555, 0x555055505550555}, uint128 =
0x05550555055505550555055505550555}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0xd0, 0x0, 0x0}, v2_double = {0x4380663abb8000,
0x0}, v16_int8 = {0x0, 0xe0, 0xae, 0x8e, 0x19, 0xe0, 0x50, 0x43, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe000, 0x8eae, 0xe019, 0x4350, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x8eaee000, 0x4350e019, 0x0, 0x0}, v2_int64 = {
0x4350e0198eaee000, 0x0}, uint128 = 0x00000000000000004350e0198eaee000}
xmm9 {v4_float = {0x0, 0x8, 0x0, 0x0}, v2_double = {0x384ac, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x60, 0x25, 0xc, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x2560, 0x410c, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x410c2560, 0x0, 0x0}, v2_int64 = {0x410c256000000000, 0x0},
uint128 = 0x0000000000000000410c256000000000}
xmm10 {v4_float = {0x0, 0x4b, 0x0, 0x0}, v2_double = {0x5ffffffffff,
0x0}, v16_int8 = {0x2c, 0xfd, 0xff, 0xff, 0xff, 0xff, 0x97, 0x42, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xfd2c, 0xffff, 0xffff, 0x4297, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0xfffffd2c, 0x4297ffff, 0x0, 0x0}, v2_int64 = {
0x4297fffffffffd2c, 0x0}, uint128 = 0x00000000000000004297fffffffffd2c}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x96, 0x7f, 0xf7, 0x17, 0x3b, 0xdb, 0x6f, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0}, v8_int16 = {0x7f96, 0x17f7, 0xdb3b, 0x3e6f, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x17f77f96, 0x3e6fdb3b, 0x0, 0x0}, v2_int64 = {0x3e6fdb3b17f77f96,
0x0},
uint128 = 0x00000000000000003e6fdb3b17f77f96}
xmm12 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3fe0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3fe00000, 0x0, 0x0}, v2_int64 = {0x3fe0000000000000, 0x0},
uint128 = 0x00000000000000003fe0000000000000}
xmm13 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3fe0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3fe00000, 0x0, 0x0}, v2_int64 = {0x3fe0000000000000, 0x0},
uint128 = 0x00000000000000003fe0000000000000}
xmm14 {v4_float = {0x0, 0x8, 0x0, 0x0}, v2_double = {0x384ac, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x60, 0x25, 0xc, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0}, v8_int16 = {0x0, 0x0, 0x2560, 0x410c, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x410c2560, 0x0, 0x0}, v2_int64 = {0x410c256000000000, 0x0},
uint128 = 0x0000000000000000410c256000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
----------
files: cmv_sanity_check.diff
messages: 13305
priority: normal
status: open
substatus: open
title: ffmpeg crashes on cmv files with invalid decode flags
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2513>
________________________________________________
cmv_sanity_check.diff
Description: Binary data
