[libav-bugs] [Bug 83] New: Illegal reads in (new) indeo3 decoder

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Wed Nov 23 03:23:59 CET 2011


http://bugzilla.libav.org/show_bug.cgi?id=83

           Summary: Illegal reads in (new) indeo3 decoder
           Product: Libav
           Version: git HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: alex.converse at gmail.com


Sample:
http://samples.libav.org/samples/archive/extension/AVI/avi+indeo3+++1-dog.avi

The sample is a fuzzed indeo3 video.

Log:

$ ./avconv -i avi+indeo3+++1-dog.avi -f null - 2>&1 |
~/local/opt/asan/address-sanitizer/scripts/asan_symbolize.py
avconv version v0.7-1921-g963f685, Copyright (c) 2000-2011 the Libav developers
  built on Nov 22 2011 18:04:42 with clang 3.1 (trunk 144800)
[avi @ 0x7ffe95d05880] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
Input #0, avi, from 'avi+indeo3+++1-dog.avi':
  Duration: 00:00:09.50, start: 0.000000, bitrate: 613 kb/s
    Stream #0.0: Video: indeo3, yuv410p, 160x120, 10 tbr, 10 tbn, 10 tbc
[buffer @ 0x7ffe96dc0f80] w:160 h:120 pixfmt:yuv410p
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf53.15.0
    Stream #0.0: Video: rawvideo, yuv410p, 160x120, q=2-31, 200 kb/s, 90k tbn,
10 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (indeo3 -> rawvideo)
Press ctrl-c to stop encoding
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] One of the y/u/v offsets is invalid
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Unsupported codec version!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Mode 0: invalid VQ data
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Mode 0: invalid VQ data
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Mode 0: invalid VQ data
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] One of the y/u/v offsets is invalid
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Unsupported coding mode: 2
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Mode 0: invalid VQ data
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] Mode 0: invalid VQ data
Error while decoding stream #0:0
[indeo3 @ 0x7ffe95d06080] OS header checksum mismatch!
Error while decoding stream #0:0
=================================================================
==26853== ERROR: AddressSanitizer heap-buffer-overflow on address
0x7ffe964af354 at pc 0xbbdcc1 bp 0x7fffab4c14b0 sp 0x7fffab4c1488
READ of size 4 at 0x7ffe964af354 thread T0
    #0 0xbbdcc1 in get_bits
/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/get_bits.h:277
    #1 0xbbab40 in decode_plane
/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/indeo3.c:819
    #2 0xf3ffc7 in avcodec_decode_video2
/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/utils.c:741
    #3 0x449f4f in transcode_video
/usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:1737
    #4 0x43ea0e in transcode
/usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:2519
    #5 0x7ffe97954c4d in __libc_start_main ??:0
    #6 0x434229 in _start ??:0
0x7ffe964af354 is located 852 bytes to the right of 0-byte region
[0x7ffe964af000,0x7ffe964af000)
freed by thread T0 here:
previously allocated by thread T0 here:
==26853== ABORTING
Shadow byte and word:
  0x1fffd2c95e6a: fa
  0x1fffd2c95e68: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1fffd2c95e48: fa fa fa fa fa fa fa fa
  0x1fffd2c95e50: fa fa fa fa fa fa fa fa
  0x1fffd2c95e58: fa fa fa fa fa fa fa fa
  0x1fffd2c95e60: fa fa fa fa fa fa fa fa
=>0x1fffd2c95e68: fa fa fa fa fa fa fa fa
  0x1fffd2c95e70: fa fa fa fa fa fa fa fa
  0x1fffd2c95e78: fa fa fa fa fa fa fa fa
  0x1fffd2c95e80: fa fa fa fa fa fa fa fa
  0x1fffd2c95e88: fa fa fa fa fa fa fa fa
