[libav-bugs] [Bug 278] New: fate-motionpixel overread in ff_cropTbl

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Wed May 2 20:07:02 CEST 2012


http://bugzilla.libav.org/show_bug.cgi?id=278

           Summary: fate-motionpixel overread in ff_cropTbl
           Product: Libav
           Version: git HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: alex.converse at gmail.com


avconv version v0.8-1566-g732f9fc, Copyright (c) 2000-2012 the Libav developers
  built on May  2 2012 10:25:07 with clang 3.2 ((trunk 155352))
[mvi @ 0x7f3689358880] max_analyze_duration reached
[mvi @ 0x7f3689358880] Estimating duration from bitrate, this may be inaccurate
Input #0, mvi, from '/data/streams/fate-suite/motion-pixels/INTRO-partial.MVI':
  Duration: 00:01:35.13, bitrate: 176 kb/s
    Stream #0.0: Audio: pcm_u8, 22050 Hz, 1 channels, u8, 176 kb/s
    Stream #0.1: Video: motionpixels, rgb555le, 320x240, 15 fps, 15 tbr, 15 tbn
[buffer @ 0x7f3689767680] w:320 h:240 pixfmt:rgb555le
[sink @ 0x7f3689767e80] auto-inserting filter 'auto-inserted scaler 0' between the filter 'src' and the filter 'out'
[scale @ 0x7f3689768e80] w:320 h:240 fmt:rgb555le -> w:320 h:240 fmt:rgb24 flags:0x4
#tb 0: 66667/1000000
Output #0, framecrc, to 'pipe:':
  Metadata:
    encoder         : Lavf54.2.0
    Stream #0.0: Video: rawvideo, rgb24, 320x240, q=2-31, 200 kb/s, 15 tbn, 15 tbc
Stream mapping:
  Stream #0:1 -> #0:0 (motionpixels -> rawvideo)
Press ctrl-c to stop encoding
=================================================================
==22741== ERROR: AddressSanitizer global-buffer-overflow on address 0x0000045b49c8 at pc 0x21d7d6f bp 0x7fff571edf10 sp 0x7fff571edf08
READ of size 1 at 0x0000045b49c8 thread T0
    #0 0x21d7d6f in mp_yuv_to_rgb /usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/motionpixels_tablegen.h:40
    #1 0x21d344b in mp_set_rgb_from_yuv /usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/motionpixels.c:153
    #2 0x21d5b8c in mp_decode_line /usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/motionpixels.c:204
    #3 0x21d15f4 in mp_decode_frame_helper /usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/motionpixels.c:229
    #4 0x21cb221 in mp_decode_frame /usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/motionpixels.c:289
    #5 0x2d10ea7 in avcodec_decode_video2 /usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/utils.c:1219
    #6 0x486590 in transcode_video /usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:2260
    #7 0x46ce58 in output_packet /usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:2402
    #8 0x455282 in transcode /usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:3126
    #9 0x442382 in main /usr/local/google/home/aconverse/src-ext/libav/libav/avconv.c:5056
    #10 0x7f368a1a376d in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:258
0x0000045b49c8 is located 24 bytes to the left of global variable 'ff_cropTbl (/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/dsputil.c)' (0x45b49e0) of size 2304
0x0000045b49c8 is located 16 bytes to the right of global variable 'dca_init_vlcs.dca_table (/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/dca.c)' (0x459d8a0) of size 94488
  'dca_init_vlcs.dca_table (/usr/local/google/home/aconverse/src-ext/libav/libav/libavcodec/dca.c)' is ascii string ''
==22741== ABORTING
Stats: 76M malloced (12M for red zones) by 2569 calls
Stats: 24M realloced by 258 calls
Stats: 76M freed by 2486 calls
Stats: 0M really freed by 0 calls
Stats: 124M (31771 full pages) mmaped in 31 calls
  mmaps   by size class: 8:16383; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:336;
  mallocs by size class: 8:1038; 9:821; 10:9; 11:118; 12:7; 13:58; 14:98; 15:79; 16:4; 17:2; 18:335;
  frees   by size class: 8:987; 9:816; 10:1; 11:112; 12:7; 13:56; 14:95; 15:76; 16:2; 17:1; 18:333;
  rfrees  by size class:
Stats: malloc large: 337 small slow: 50
Shadow byte and word:
  0x1000008b6939: f9
  0x1000008b6938: f9 f9 f9 f9 00 00 00 00
More shadow bytes:
  0x1000008b6918: 00 00 00 00 00 00 00 00
  0x1000008b6920: 00 00 00 00 00 00 00 00
  0x1000008b6928: 00 00 00 00 00 00 00 00
  0x1000008b6930: 00 00 00 00 00 00 00 f9
=>0x1000008b6938: f9 f9 f9 f9 00 00 00 00
  0x1000008b6940: 00 00 00 00 00 00 00 00
  0x1000008b6948: 00 00 00 00 00 00 00 00
  0x1000008b6950: 00 00 00 00 00 00 00 00
  0x1000008b6958: 00 00 00 00 00 00 00 00


The offending values are y -102 u -33 v -27, causing r -120 g -86 b -131 and a read of -1048 into the offset crop table, but the maximum negative read is -1024.

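The index arithmetic from the report, with a bounds-checked lookup beside it. This is an added example, not Libav code: `crop_tbl`, `crop_index_ok`, `crop_checked` and `crop_overshoot` are hypothetical names, the table layout (2304 bytes, midpoint pointer at +1024) follows the sizes in the ASan output, and the x8 index scale is an assumption inferred from b = -131 giving a read at -1048.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_NEG_CROP  1024                      /* report: most negative valid index is -1024 */
#define CROP_TBL_SIZE (256 + 2 * MAX_NEG_CROP)  /* 2304 bytes, the size ASan reports */

static uint8_t crop_tbl[CROP_TBL_SIZE];         /* stand-in for ff_cropTbl */

/* Fill the table so that entry (MAX_NEG_CROP + i) == clamp(i, 0, 255). */
static void init_crop_tbl(void)
{
    for (int i = 0; i < CROP_TBL_SIZE; i++) {
        int v = i - MAX_NEG_CROP;
        crop_tbl[i] = v < 0 ? 0 : v > 255 ? 255 : (uint8_t)v;
    }
}

/* Is idx a valid offset from the table's midpoint pointer? */
static int crop_index_ok(int idx)
{
    return idx >= -MAX_NEG_CROP && idx < 256 + MAX_NEG_CROP;
}

/* Bytes by which idx misses the table: negative = before start, 0 = inside. */
static int crop_overshoot(int idx)
{
    if (idx < -MAX_NEG_CROP)      return idx + MAX_NEG_CROP;
    if (idx >= 256 + MAX_NEG_CROP) return idx - (256 + MAX_NEG_CROP - 1);
    return 0;
}

/* Hardened lookup: clamp arithmetically when the table does not cover idx. */
static uint8_t crop_checked(int idx)
{
    if (!crop_index_ok(idx))
        return idx < 0 ? 0 : 255;
    return crop_tbl[MAX_NEG_CROP + idx];
}

int main(void)
{
    const int rgb[3] = { -120, -86, -131 };     /* r, g, b from the report */
    init_crop_tbl();
    for (int i = 0; i < 3; i++) {
        int idx = rgb[i] * 8;                   /* assumed x8 scale */
        printf("idx %5d ok=%d overshoot=%d value=%d\n", idx,
               crop_index_ok(idx), crop_overshoot(idx), crop_checked(idx));
    }
    return 0;
}
```

For b the overshoot is -24, which matches ASan placing the read 24 bytes to the left of `ff_cropTbl`; r and g stay inside the table.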