[libav-bugs] [Bug 145] signal 11 (SIGSEGV) on input from corrupted file

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Thu Jan 12 19:28:08 CET 2012


http://bugzilla.libav.org/show_bug.cgi?id=145

Ronald S. Bultje <rsbultje at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rsbultje at gmail.com

--- Comment #4 from Ronald S. Bultje <rsbultje at gmail.com> 2012-01-12 19:28:08 CET ---
(gdb) r -threads 1 -i ~/Downloads/corruptfile\ \(3\) -f null -
Starting program: /Users/rbultje/Projects/libav/asan/avconv -threads 1 -i
~/Downloads/corruptfile\ \(3\) -f null -
Reading symbols for shared libraries
.++++++++.......................................................................................
done
avconv version v0.8b2-11-g23a9941, Copyright (c) 2000-2011 the Libav developers
  built on Jan 12 2012 10:19:58 with clang 3.1 (trunk 147338)
[h264 @ 0x10abe1080] non-existing PPS referenced
[h264 @ 0x10abe1080] non-existing PPS 0 referenced
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] no frame!
[h264 @ 0x10abe1080] illegal reordering_of_pic_nums_idc
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] illegal reordering_of_pic_nums_idc
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] illegal short term buffer state detected
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] pps_id out of range
    Last message repeated 1 times
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] no frame!
[h264 @ 0x10abe1080] deblocking_filter_idc 5 out of range
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] slice type too large (2) at 0 0
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] abs_diff_pic_num overflow
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] mmco: unref short failure
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] Missing reference picture
    Last message repeated 2 times
[h264 @ 0x10abe1080] cabac_init_idc overflow
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] illegal short term buffer state detected
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] Missing reference picture
=================================================================
==81869== ERROR: AddressSanitizer heap-buffer-overflow on address
0x00010abddff0 at pc 0x102f5b1c9 bp 0x7fff5fbf5d50 sp 0x7fff5fbf5d48
READ of size 8 at 0x00010abddff0 thread T0
    #0 0x102f5b1c9 (/Users/rbultje/Projects/libav/asan/avconv+0x2f5b1c9)
    #1 0x102f4b92f (/Users/rbultje/Projects/libav/asan/avconv+0x2f4b92f)
    #2 0x102f48c38 (/Users/rbultje/Projects/libav/asan/avconv+0x2f48c38)
    #3 0x101c98b35 (/Users/rbultje/Projects/libav/asan/avconv+0x1c98b35)
    #4 0x102f18bf0 (/Users/rbultje/Projects/libav/asan/avconv+0x2f18bf0)
    #5 0x104e2e388 (/Users/rbultje/Projects/libav/asan/avconv+0x4e2e388)
    #6 0x100b11590 (/Users/rbultje/Projects/libav/asan/avconv+0xb11590)
    #7 0x100b08e1e (/Users/rbultje/Projects/libav/asan/avconv+0xb08e1e)
    #8 0x10001a54c (/Users/rbultje/Projects/libav/asan/avconv+0x1a54c)
    #9 0x1000adb11 (/Users/rbultje/Projects/libav/asan/avconv+0xadb11)
    #10 0x1000b0c6f (/Users/rbultje/Projects/libav/asan/avconv+0xb0c6f)
    #11 0x10002619e (/Users/rbultje/Projects/libav/asan/avconv+0x2619e)
    #12 0x100016ff4 (/Users/rbultje/Projects/libav/asan/avconv+0x16ff4)
    #13 0x8 (/Users/rbultje/Projects/libav/asan/avconv+0x8)
0x00010abddff0 is located 144 bytes to the left of 1576-byte region
[0x00010abde080,0x00010abde6a8)
allocated by thread T0 here:
    #0 0x1061895ed (/Users/rbultje/Projects/libav/asan/avconv+0x61895ed)
    #1 0x7fff8715f1cb (/usr/lib/libSystem.B.dylib+0x421cb)
    #2 0x7fff871fa620 (/usr/lib/libSystem.B.dylib+0xdd620)
    #3 0x1061207d0 (/Users/rbultje/Projects/libav/asan/avconv+0x61207d0)
    #4 0x104e1ab2c (/Users/rbultje/Projects/libav/asan/avconv+0x4e1ab2c)
    #5 0x104e18532 (/Users/rbultje/Projects/libav/asan/avconv+0x4e18532)
    #6 0x104738981 (/Users/rbultje/Projects/libav/asan/avconv+0x4738981)
    #7 0x1041ede39 (/Users/rbultje/Projects/libav/asan/avconv+0x41ede39)
    #8 0x1041e9851 (/Users/rbultje/Projects/libav/asan/avconv+0x41e9851)
    #9 0x104212a28 (/Users/rbultje/Projects/libav/asan/avconv+0x4212a28)
    #10 0x101c9ecce (/Users/rbultje/Projects/libav/asan/avconv+0x1c9ecce)
    #11 0x102f37c5e (/Users/rbultje/Projects/libav/asan/avconv+0x2f37c5e)
    #12 0x101c961c0 (/Users/rbultje/Projects/libav/asan/avconv+0x1c961c0)
    #13 0x102f18bf0 (/Users/rbultje/Projects/libav/asan/avconv+0x2f18bf0)
    #14 0x104e2e388 (/Users/rbultje/Projects/libav/asan/avconv+0x4e2e388)
    #15 0x100b11590 (/Users/rbultje/Projects/libav/asan/avconv+0xb11590)
    #16 0x100b08e1e (/Users/rbultje/Projects/libav/asan/avconv+0xb08e1e)
    #17 0x10001a54c (/Users/rbultje/Projects/libav/asan/avconv+0x1a54c)
    #18 0x1000adb11 (/Users/rbultje/Projects/libav/asan/avconv+0xadb11)
    #19 0x1000b0c6f (/Users/rbultje/Projects/libav/asan/avconv+0xb0c6f)
    #20 0x10002619e (/Users/rbultje/Projects/libav/asan/avconv+0x2619e)
==81869== ABORTING


(gdb) break __asan_report_error
warning: .o file
"/Users/rbultje/Projects/libav/asan/libavutil/libavutil.a(cpu.o)" more recent
than executable timestamp in "/Users/rbultje/Projects/libav/asan/avconv"
warning: Couldn't open object file
'/Users/rbultje/Projects/libav/asan/libavutil/libavutil.a(cpu.o)'
Breakpoint 1 at 0x100013b61
(gdb) r -threads 1 -i ~/Downloads/corruptfile\ \(3\) -f null -
Starting program: /Users/rbultje/Projects/libav/asan/avconv -threads 1 -i
~/Downloads/corruptfile\ \(3\) -f null -
Reading symbols for shared libraries
.++++++++.......................................................................................
done
avconv version v0.8b2-11-g23a9941, Copyright (c) 2000-2011 the Libav developers
  built on Jan 12 2012 10:19:58 with clang 3.1 (trunk 147338)
[h264 @ 0x10abe1080] non-existing PPS referenced
[h264 @ 0x10abe1080] non-existing PPS 0 referenced
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] no frame!
[h264 @ 0x10abe1080] illegal reordering_of_pic_nums_idc
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] illegal reordering_of_pic_nums_idc
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] illegal short term buffer state detected
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] pps_id out of range
    Last message repeated 1 times
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] no frame!
[h264 @ 0x10abe1080] deblocking_filter_idc 5 out of range
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] slice type too large (2) at 0 0
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] abs_diff_pic_num overflow
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] mmco: unref short failure
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] Missing reference picture
    Last message repeated 2 times
[h264 @ 0x10abe1080] cabac_init_idc overflow
[h264 @ 0x10abe1080] decode_slice_header error
[h264 @ 0x10abe1080] illegal short term buffer state detected
[h264 @ 0x10abe1080] concealing 6 DC, 6 AC, 6 MV errors
[h264 @ 0x10abe1080] Missing reference picture
    Last message repeated 1 times
Breakpoint 1, 0x0000000100013b61 in __asan_report_error ()
(gdb) bt
#0  0x0000000100013b61 in __asan_report_error ()
#1  0x0000000100013f77 in __asan_report_load8 ()
#2  0x0000000102f5b1c9 in loop_filter (h=<value temporarily unavailable, due to
optimizations>, start_x=<value temporarily unavailable, due to optimizations>,
end_x=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/libavcodec/h264.c:1636
#3  0x0000000102f4b92f in decode_slice (avctx=<value temporarily unavailable,
due to optimizations>, arg=<value temporarily unavailable, due to
optimizations>) at /Users/rbultje/Projects/libav/libavcodec/h264.c:3612
#4  0x0000000102f48c38 in execute_decode_slices (h=<value temporarily
unavailable, due to optimizations>, context_count=<value temporarily
unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/libavcodec/h264.c:3708
#5  0x0000000101c98b35 in decode_nal_units (h=<value temporarily unavailable,
due to optimizations>, buf=<value temporarily unavailable, due to
optimizations>, buf_size=<value temporarily unavailable, due to optimizations>)
at /Users/rbultje/Projects/libav/libavcodec/h264.c:3969
#6  0x0000000102f18bf0 in decode_frame (avctx=<value temporarily unavailable,
due to optimizations>, data=<value temporarily unavailable, due to
optimizations>, data_size=<value temporarily unavailable, due to
optimizations>, avpkt=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/libavcodec/h264.c:4044
#7  0x0000000104e2e388 in avcodec_decode_video2 (avctx=<value temporarily
unavailable, due to optimizations>, picture=<value temporarily unavailable, due
to optimizations>, got_picture_ptr=<value temporarily unavailable, due to
optimizations>, avpkt=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/libavcodec/utils.c:905
#8  0x0000000100b11590 in try_decode_frame (st=<value temporarily unavailable,
due to optimizations>, avpkt=<value temporarily unavailable, due to
optimizations>, options=<value temporarily unavailable, due to optimizations>)
at /Users/rbultje/Projects/libav/libavformat/utils.c:2158
#9  0x0000000100b08e1e in avformat_find_stream_info (ic=<value temporarily
unavailable, due to optimizations>, options=<value temporarily unavailable, due
to optimizations>) at /Users/rbultje/Projects/libav/libavformat/utils.c:2462
#10 0x000000010001a54c in opt_input_file (o=<value temporarily unavailable, due
to optimizations>, opt=<value temporarily unavailable, due to optimizations>,
filename=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/avconv.c:3282
#11 0x00000001000adb11 in parse_option (optctx=<value temporarily unavailable,
due to optimizations>, opt=<value temporarily unavailable, due to
optimizations>, arg=<value temporarily unavailable, due to optimizations>,
options=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/cmdutils.c:284
#12 0x00000001000b0c6f in parse_options (optctx=<value temporarily unavailable,
due to optimizations>, argc=<value temporarily unavailable, due to
optimizations>, argv=<value temporarily unavailable, due to optimizations>,
options=<value temporarily unavailable, due to optimizations>,
parse_arg_function=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/cmdutils.c:318
#13 0x000000010002619e in main (argc=<value temporarily unavailable, due to
optimizations>, argv=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/avconv.c:4484
(gdb) up
#1  0x0000000100013f77 in __asan_report_load8 ()
(gdb) up
#2  0x0000000102f5b1c9 in loop_filter (h=<value temporarily unavailable, due to
optimizations>, start_x=<value temporarily unavailable, due to optimizations>,
end_x=<value temporarily unavailable, due to optimizations>) at
/Users/rbultje/Projects/libav/libavcodec/h264.c:1636
1636                    AV_COPY64(top_border+16, src_cb+8*uvlinesize);
Current language:  auto; currently minimal
(gdb) print top_border
No symbol "top_border" in current context.
(gdb) print src_cb
No symbol "src_cb" in current context.
(gdb) list        
1631            } else {
1632                if (pixel_shift) {
1633                    AV_COPY128(top_border+32, src_cb+8*uvlinesize);
1634                    AV_COPY128(top_border+48, src_cr+8*uvlinesize);
1635                } else {
1636                    AV_COPY64(top_border+16, src_cb+8*uvlinesize);
1637                    AV_COPY64(top_border+24, src_cr+8*uvlinesize);
1638                }
1639            }
1640        }

That's about as far as I got...

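Added here as an example (not part of the bug report or of libav's code): a small triage script that parses the heap-buffer-overflow lines of the AddressSanitizer report quoted in the comment and cross-checks the numbers ASan prints against each other, confirming that the 8-byte read at 0x00010abddff0 lands 144 bytes before the start of the 1576-byte chunk, i.e. a heap underflow rather than a read past the end. The regexes assume the 2012-era report layout shown above; the sample text is a constructed excerpt of that report with all but the first stack frame omitted.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the comment above
# (same addresses and sizes; all but the first stack frame omitted for brevity).
SAMPLE_REPORT = """\
==81869== ERROR: AddressSanitizer heap-buffer-overflow on address
0x00010abddff0 at pc 0x102f5b1c9 bp 0x7fff5fbf5d50 sp 0x7fff5fbf5d48
READ of size 8 at 0x00010abddff0 thread T0
    #0 0x102f5b1c9 (/Users/rbultje/Projects/libav/asan/avconv+0x2f5b1c9)
0x00010abddff0 is located 144 bytes to the left of 1576-byte region
[0x00010abde080,0x00010abde6a8)
allocated by thread T0 here:
"""

# Regexes for the report layout shown above; the header and the 'located' line
# may wrap before the next token, so whitespace (including newlines) is allowed.
ERROR_RE = re.compile(r"AddressSanitizer (?P<kind>[\w-]+) on address\s+"
                      r"(?P<addr>0x[0-9a-f]+) at pc (?P<pc>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME0_RE = re.compile(r"#0 (?P<addr>0x[0-9a-f]+) \((?P<module>[^+]+)\+(?P<off>0x[0-9a-f]+)\)")
REGION_RE = re.compile(r"located (?P<dist>\d+) bytes (?:to the )?(?P<side>left|right|inside) of "
                       r"(?P<rsize>\d+)-byte region\s*\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


def parse_asan_report(text):
    """Extract the faulting access and the heap region it missed, then cross-check
    the figures ASan prints. 'problems' lists any inconsistency found (empty means
    the report is internally coherent and the distance/side can be trusted)."""
    e, a, f, r = (rx.search(text) for rx in (ERROR_RE, ACCESS_RE, FRAME0_RE, REGION_RE))
    if not (e and a and r):
        raise ValueError("not a recognised AddressSanitizer heap report")
    addr, size = int(a["addr"], 16), int(a["size"])
    lo, hi = int(r["lo"], 16), int(r["hi"], 16)
    rsize, dist = int(r["rsize"]), int(r["dist"])
    problems = []
    if int(e["addr"], 16) != addr:
        problems.append("header address differs from access address")
    if hi - lo != rsize:
        problems.append("region bounds do not match the stated region size")
    if r["side"] == "left" and lo - addr != dist:
        problems.append("distance to the left of region does not match bounds")
    if r["side"] == "right" and addr - hi != dist:
        problems.append("distance to the right of region does not match bounds")
    if f and int(f["addr"], 16) != int(e["pc"], 16):
        problems.append("frame #0 is not the faulting pc")
    # An access before the chunk is an underflow (negative offset or a pointer moved
    # backwards); past its end an overflow; 'inside' means it starts in the chunk.
    verdict = {"left": "heap underflow (access before region start)",
               "right": "heap overflow (access past region end)",
               "inside": "access starts inside region and runs past its end"}[r["side"]]
    return {"kind": e["kind"], "op": a["op"], "size": size, "addr": addr,
            "region": (lo, hi), "region_size": rsize, "distance": dist, "side": r["side"],
            "verdict": verdict, "module_offset": f and int(f["off"], 16), "problems": problems}


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(f"{rep['op']} of {rep['size']} bytes at {rep['addr']:#x}: {rep['verdict']}, "
          f"{rep['distance']} bytes from [{rep['region'][0]:#x},{rep['region'][1]:#x})")
    print("consistency problems:", rep["problems"] or "none")
```

The module offset (0x2f5b1c9 here) is what to feed a symbolizer against the same unstripped binary when, as in this report, ASan could not resolve frames itself; the gdb backtrace in the comment resolves it to loop_filter in h264.c.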