New submission from Daniel Kang <[email protected]>:

When ffmpeg applies an incorrect decoding type to a RoQ video, it crashes. This
happens when the last_frame data is NULL: the backtrace below shows the fault in
the memcpy inside apply_motion_generic (reached via ff_apply_motion_8x8 from
roqvideo_decode_frame), which copies from the previous frame. The attached patch
adds a check for this case.

gdb run:
(gdb) r -i ../fuzzed.roq del.mkv
Starting program: /afs/csl.tjhsst.edu/students/2011/2011dkang/ffmpeg/ffmpeg_g -i
../fuzzed.roq del.mkv
[Thread debugging using libthread_db enabled]
FFmpeg version git-294ac5d, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jan  9 2011 16:01:12 with gcc 4.4.5
  configuration: --enable-gpl
  libavutil     50.36. 0 / 50.36. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.108. 0 / 52.108. 0
  libavformat   52.92. 0 / 52.92. 0
  libavdevice   52. 2. 3 / 52. 2. 3
  libavfilter    1.72. 0 /  1.72. 0
  libswscale     0.12. 0 /  0.12. 0
[RoQ @ 0x1202510] Estimating duration from bitrate, this may be inaccurate
Input #0, RoQ, from '../fuzzed.roq':
  Duration: 00:00:32.83, start: 0.000000, bitrate: 705 kb/s
    Stream #0.0: Video: roqvideo, yuv444p, 512x256, 30 tbr, 30 tbn, 30 tbc
    Stream #0.1: Audio: roq_dpcm, 22050 Hz, 2 channels, s16, 705 kb/s
File 'del.mkv' already exists. Overwrite ? [y/N] y
[buffer @ 0x1208a50] w:512 h:256 pixfmt:yuv444p
[ffsink @ 0x1241fe0] auto-inserting filter 'auto-inserted scaler 0' between the
filter 'src' and the filter 'out'
[scale @ 0x12422b0] w:512 h:256 fmt:yuv444p -> w:512 h:256 fmt:yuv420p
flags:0xa0000004
Output #0, matroska, to 'del.mkv':
  Metadata:
    encoder         : Lavf52.92.0
    Stream #0.0: Video: mpeg4, yuv420p, 512x256, q=2-31, 200 kb/s, 1k tbn, 30 
tbc
    Stream #0.1: Audio: mp2, 22050 Hz, 2 channels, s16, 64 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding

Program received signal SIGSEGV, Segmentation fault.
apply_motion_generic (ri=0x13118a0, x=<value optimized out>, y=8, deltax=<value
optimized out>, deltay=<value optimized out>) at /usr/include/bits/string3.h:52
52        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  apply_motion_generic (ri=0x13118a0, x=<value optimized out>, y=8,
deltax=<value optimized out>, deltay=<value optimized out>) at
/usr/include/bits/string3.h:52
#1  ff_apply_motion_8x8 (ri=0x13118a0, x=<value optimized out>, y=8,
deltax=<value optimized out>, deltay=<value optimized out>) at
libavcodec/roqvideo.c:137
#2  0x00000000006da3fd in roqvideo_decode_frame (avctx=<value optimized out>,
data=<value optimized out>, data_size=<value optimized out>, avpkt=<value
optimized out>)
    at libavcodec/roqvideodec.c:91
#3  roq_decode_frame (avctx=<value optimized out>, data=<value optimized out>,
data_size=<value optimized out>, avpkt=<value optimized out>)
    at libavcodec/roqvideodec.c:189
#4  0x00000000007586f8 in avcodec_decode_video2 (avctx=0x1204ec0,
picture=0x7fffffffc4c0, got_picture_ptr=0x7fffffffc70c, avpkt=0x7fffffffc650)
    at libavcodec/utils.c:637
#5  0x0000000000434c09 in output_packet (ist=0x1206d00, ist_index=0,
ost_table=<value optimized out>, nb_ostreams=<value optimized out>,
pkt=0x7fffffffd4b0)
    at ffmpeg.c:1550
#6  0x0000000000436a07 in transcode (nb_output_files=<value optimized out>,
nb_input_files=<value optimized out>, stream_maps=<value optimized out>,
    nb_stream_maps=<value optimized out>, input_files=<value optimized out>,
output_files=<value optimized out>) at ffmpeg.c:2643
#7  0x0000000000437973 in main (argc=4, argv=<value optimized out>) at 
ffmpeg.c:4365
(gdb) disass $pc-32 $pc+32
A syntax error in expression, near `$pc+32'.
(gdb) info all-registers
rax            0x220    544
rbx            0x13139d0        20003280
rcx            0x89     137
rdx            0x8      8
rsi            0x90     144
rdi            0x13118a0        19994784
rbp            0x96     0x96
rsp            0x7fffffffc1b0   0x7fffffffc1b0
r8             0x1      1
r9             0x0      0
r10            0x89     137
r11            0x7ffff7e9d3b0   140737352684464
r12            0x244    580
r13            0x1217ad0        18971344
r14            0x0      0
r15            0x2026   8230
rip            0x8bc84b 0x8bc84b <ff_apply_motion_8x8+123>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            -nan(0x00000003c)        (raw 0xffff000000000000003c)
st1            -nan(0x000000004)        (raw 0xffff0000000000000004)
st2            -nan(0x000000001)        (raw 0xffff0000000000000001)
st3            -nan(0xe000000000000000) (raw 0xffffe000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            -nan(0xe000000000000000) (raw 0xffffe000000000000000)
st7            -inf     (raw 0xffff0000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x80 <repeats 16 times>}, v8_int16 = {0x8080, 0x8080, 0x8080,
0x8080, 0x8080,
    0x8080, 0x8080, 0x8080}, v4_int32 = {0x80808080, 0x80808080, 0x80808080,
0x80808080}, v2_int64 = {0x8080808080808080, 0x8080808080808080},
  uint128 = 0x80808080808080808080808080808080}
---Type <return> to continue, or q <return> to quit---
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x1}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 13 times>, 0x2c, 0xc9, 0x3f}, v8_int16 = {0x0, 0x0,
0x0, 0x0, 0x0,
    0x0, 0x2c00, 0x3fc9}, v4_int32 = {0x0, 0x0, 0x0, 0x3fc92c00}, v2_int64 =
{0x0, 0x3fc92c0000000000}, uint128 = 0x3fc92c00000000000000000000000000}
xmm2           {v4_float = {0x2b020000, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x50, 0x3f, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0xa9fc, 0xd2f1, 0x624d, 0x3f50, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xd2f1a9fc, 0x3f50624d, 0x0, 0x0}, v2_int64 = 
{0x3f50624dd2f1a9fc,
    0x0}, uint128 = 0x00000000000000003f50624dd2f1a9fc}
xmm3           {v4_float = {0x0, 0x4, 0x0, 0x0}, v2_double = {0x3e8, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x8f, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x4000, 0x408f, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x408f4000, 0x0, 0x0}, v2_int64 = {0x408f400000000000, 0x0},
  uint128 = 0x0000000000000000408f400000000000}
xmm4           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
  uint128 = 0x00000000000000003ff0000000000000}
xmm5           {v4_float = {0x0, 0x14, 0x0, 0x0}, v2_double = {0x8000001, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0xa0, 0x41, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0}, v8_int16 = {0x0, 0x200, 0x0, 0x41a0, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x2000000, 0x41a00000, 0x0, 0x0}, v2_int64 = {0x41a0000002000000, 
0x0},
  uint128 = 0x000000000000000041a0000002000000}
xmm6           {v4_float = {0x0, 0x2, 0x0, 0x0}, v2_double = {0x14, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x34, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x4034, 0x0, 0x0, 0x0, 0x0}, v4_int32 =
{0x0, 0x40340000, 0x0, 0x0}, v2_int64 = {0x4034000000000000, 0x0},
  uint128 = 0x00000000000000004034000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8           {v4_float = {0x0, 0xd0, 0x0, 0x0}, v2_double = {0x4380663abb8000,
0x0}, v16_int8 = {0x0, 0xe0, 0xae, 0x8e, 0x19, 0xe0, 0x50, 0x43, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xe000, 0x8eae, 0xe019, 0x4350, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x8eaee000, 0x4350e019, 0x0, 0x0}, v2_int64 = {
    0x4350e0198eaee000, 0x0}, uint128 = 0x00000000000000004350e0198eaee000}
xmm9           {v4_float = {0x0, 0x2, 0x0, 0x0}, v2_double = {0x2, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0},
  v8_int16 = {0x0, 0x0, 0x0, 0x4000, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x40000000, 0x0, 0x0}, v2_int64 = {0x4000000000000000, 0x0},
  uint128 = 0x00000000000000004000000000000000}
xmm10          {v4_float = {0x0, 0x4b, 0x0, 0x0}, v2_double = {0x5ffffffffff,
0x0}, v16_int8 = {0x2c, 0xfd, 0xff, 0xff, 0xff, 0xff, 0x97, 0x42, 0x0, 0x0, 0x0,
0x0,
    0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xfd2c, 0xffff, 0xffff, 0x4297, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0xfffffd2c, 0x4297ffff, 0x0, 0x0}, v2_int64 = {
    0x4297fffffffffd2c, 0x0}, uint128 = 0x00000000000000004297fffffffffd2c}
xmm11          {v4_float = {0xa50e8e00, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x47, 0x87, 0xd2, 0x4f, 0x79, 0x73, 0x64, 0xbe, 0x0, 0x0, 0x0, 0x0, 
0x0,
    0x0, 0x0, 0x0}, v8_int16 = {0x8747, 0x4fd2, 0x7379, 0xbe64, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x4fd28747, 0xbe647379, 0x0, 0x0}, v2_int64 = 
{0xbe6473794fd28747,
    0x0}, uint128 = 0x0000000000000000be6473794fd28747}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x29, 0xf2, 0x88, 0x6c, 0xa6, 0x49, 0xde, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0xf229, 0x6c88, 0x49a6, 0x3ede, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6c88f229, 0x3ede49a6, 0x0, 0x0}, v2_int64 = {0x3ede49a66c88f229, 
0x0},
  uint128 = 0x00000000000000003ede49a66c88f229}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xb3, 0x12, 0x58, 0x17, 0x64, 0x46, 0xe6, 0x3b, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x12b3, 0x1758, 0x4664, 0x3be6, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x175812b3, 0x3be64664, 0x0, 0x0}, v2_int64 = {0x3be64664175812b3, 
0x0},
  uint128 = 0x00000000000000003be64664175812b3}
xmm14          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 = {0x4046dfb516f209c0, 
0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0},
  v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

----------
files: roq_invalid_decode_check.diff
messages: 13326
priority: normal
status: open
substatus: open
title: ffmpeg crashes on roq files with invalid decoding type
type: bug

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2521>
________________________________________________

Attachment: roq_invalid_decode_check.diff
Description: Binary data
