[libav-bugs] [Bug 905] New: Invalid read in ff_ivi_recompose53

bugzilla-daemon at libav.org bugzilla-daemon at libav.org
Fri Oct 23 09:02:15 CEST 2015


https://bugzilla.libav.org/show_bug.cgi?id=905

            Bug ID: 905
           Summary: Invalid read in ff_ivi_recompose53
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: attekett at gmail.com
             Flags: Security-concern?

Created attachment 559
  --> https://bugzilla.libav.org/attachment.cgi?id=559&action=edit
heap-buffer-overflow-5d4-99b-a65.media

Tested on:
OS: Ubuntu 14.04
uname -a:
Linux attekett-UX31A 3.19.0-30-generic #34~14.04.1-Ubuntu SMP Fri Oct 2
22:09:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
avconv 10.7
libavutil     53.  3. 0 / 53.  3. 0
libavcodec    55. 34. 1 / 55. 34. 1
libavformat   55. 12. 0 / 55. 12. 0
libavdevice   54.  0. 0 / 54.  0. 0
libavfilter    4.  2. 0 /  4.  2. 0
libavresample  1.  1. 0 /  1.  1. 0
libswscale     2.  1. 2 /  2.  1. 2
Didn't reproduce

avconv 11.4
libavutil     54.  3. 0 / 54.  3. 0
libavcodec    56.  1. 0 / 56.  1. 0
libavformat   56.  1. 0 / 56.  1. 0
libavdevice   55.  0. 0 / 55.  0. 0
libavfilter    5.  0. 0 /  5.  0. 0
libavresample  2.  1. 0 /  2.  1. 0
libswscale     3.  0. 0 /  3.  0. 0
Didn't reproduce

Report from libav-trunk:
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/attekett/projects/libav-trunk/avconv...done.
Breakpoint 1 at 0x4d3090
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v12_dev0-1977-gdca23ff, Copyright (c) 2000-2015 the Libav
developers
  built on Oct 23 2015 09:26:22 with Ubuntu clang version
3.5.0-4ubuntu2~trusty2 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
  configuration: --toolchain=clang-asan
  libavutil     55.  2. 0 / 55.  2. 0
  libavcodec    57.  5. 0 / 57.  5. 0
  libavformat   57.  0. 0 / 57.  0. 0
  libavdevice   56.  0. 0 / 56.  0. 0
  libavfilter    6.  0. 0 /  6.  0. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'./heap-buffer-overflow-5d4-99b-a65.media'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file
./heap-buffer-overflow-5d4-99b-a65.media.
Successfully parsed a group of options.
Opening an input file: ./heap-buffer-overflow-5d4-99b-a65.media.
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 2048
[avi @ 0x61a00001f280] Probed with size=2048 and score=100
tag: tag=LIST size=0x15e
list: tag=hdrl size=0x0
tag: tag=avih size=0x38
tag: tag=LIST size=0x7c
list: tag=strl size=0x0
tag: tag=strh size=0x40
strh: tag=vids size=0xffffffff
st:0 removing common factor 2 from timebase
[avi @ 0x61a00001f280] 1000000 66666 0
tag: tag=strf size=0x28
video: tag=IV50 size=0x0
tag: tag=sion size=0x3420203a
[avi @ 0x61a00001f280] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
[avi @ 0x61a00001f280] movi_end=0x525e78
[avi @ 0x61a00001f280] tag=FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF 2E 228 771686143 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 2E
31 229 825097983 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 2E 31 4A
230 1244737023 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 2E 31 4A 55 231
1430925614 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF 2E 31 4A 55 4E 232 1314212401
100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF 2E 31 4A 55 4E 4B 233 1263424842 100
[avi @ 0x61a00001f280] FFFFFFFF 2E 31 4A 55 4E 4B 7A 234 2051755605 100
[avi @ 0x61a00001f280] 2E 31 4A 55 4E 4B 7A 8 235 142232398 100
[avi @ 0x61a00001f280] 31 4A 55 4E 4B 7A 8 0 236 555595 100
[avi @ 0x61a00001f280] 4A 55 4E 4B 7A 8 0 0 237 2170 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF 4C 2408 1275002623 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 4C
49 2409 1229717247 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 4C 49 30
2410 810109951 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 4C 49 30 30 2411
808470860 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF 4C 49 30 30 64 2412
1680879689 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF 4C 49 30 30 64 62 2413 1650733104 100
[avi @ 0x61a00001f280] FFFFFFFF 4C 49 30 30 64 62 A4 2414 2757911600 100
[avi @ 0x61a00001f280] 4C 49 30 30 64 62 A4 24 2415 614752868 0
[avi @ 0x61a00001f280] 49 30 30 64 62 A4 24 0 2416 2401378 100
[avi @ 0x61a00001f280] 30 30 64 62 A4 24 0 0 2417 9380 100
[avi @ 0x61a00001f280] dts:0 offset:0 66666/1000000 smpl_siz:0 base:1000000
st:0 size:9380
IN delayed:0 pts:-9223372036854775808, dts:0 cur_dts:0 st:0 pc:(nil)
OUTdelayed:0/0 pts:0, dts:0 cur_dts:1
[avi @ 0x61a00001f280] 0: start_time: 0.000 duration: 0.001
[avi @ 0x61a00001f280] stream: start_time: 0.000 duration: 45.266 bitrate=2
kb/s
Input #0, avi, from './heap-buffer-overflow-5d4-99b-a65.media':
  Duration: 00:00:45.26, start: 0.000000, bitrate: 2 kb/s
    Stream #0:0, 1, 33333/500000: Video: indeo5 [IV50 / 0x30355649]
      yuv410p, 384x288, 0/1
      15 tbn
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
Detected 4 logical cores.
[buffer @ 0x60e00000d940] w:384 h:288 pixfmt:yuv410p tb:33333/500000 sar:0/1
[buffersink @ 0x60e00000d860] auto-inserting filter 'auto-inserted fifo 0'
between the filter 'Parsed filter 0 null' and the filter 'output stream 0:0'
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.0.0
    Stream #0:0, 0, 33333/500000: Video: wrapped_avframe
      yuv410p, 384x288, 33333/500000, q=2-31, 200 kb/s
      15 tbn, 15 tbc
    Metadata:
      encoder         : Lavc57.5.0 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (indeo5 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[New Thread 0x7ffff34d1700 (LWP 11369)]
[New Thread 0x7ffff2cd0700 (LWP 11370)]
[New Thread 0x7ffff24cf700 (LWP 11371)]
[New Thread 0x7ffff1cce700 (LWP 11372)]
[New Thread 0x7ffff14cd700 (LWP 11373)]

Breakpoint 1, 0x00000000004d3090 in __asan_report_error ()

Thread 6 (Thread 0x7ffff14cd700 (LWP 11373)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff14cd700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 5 (Thread 0x7ffff1cce700 (LWP 11372)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff1cce700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 4 (Thread 0x7ffff24cf700 (LWP 11371)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff24cf700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7ffff2cd0700 (LWP 11370)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff2cd0700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7ffff34d1700 (LWP 11369)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff34d1700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fd47c0 (LWP 11365)):
#0  0x00000000004d3090 in __asan_report_error ()
#1  0x00000000004d4857 in __asan_report_load2 ()
#2  0x0000000000d618fc in ff_ivi_recompose53 (plane=<optimized out>,
dst=<optimized out>, dst_pitch=<optimized out>) at libavcodec/ivi_dsp.c:106
#3  0x0000000000d5faa3 in ff_ivi_decode_frame (avctx=<optimized out>,
data=<optimized out>, got_frame=<optimized out>, avpkt=<optimized out>) at
libavcodec/ivi.c:1106
#4  0x00000000011d2673 in avcodec_decode_video2 (avctx=0x61900001e580,
picture=0x614000008640, got_picture_ptr=0x7fffffff8e40, avpkt=0x7fffffff8e50)
at libavcodec/utils.c:1488
#5  0x000000000051c000 in decode_video (ist=0x61300000db00, pkt=<optimized
out>, got_output=<optimized out>) at avconv.c:1197
#6  process_input_packet (ist=<optimized out>, pkt=<optimized out>,
no_eof=<optimized out>) at avconv.c:1346
#7  0x00000000005143cd in process_input () at avconv.c:2484
#8  transcode () at avconv.c:2526
#9  main (argc=<optimized out>, argv=<optimized out>) at avconv.c:2689
#2  0x0000000000d618fc in ff_ivi_recompose53 (plane=<optimized out>,
dst=<optimized out>, dst_pitch=<optimized out>) at libavcodec/ivi_dsp.c:106
106                    b0_2 = b0_ptr[pitch+indx+1];
Dump of assembler code from 0xd618dc to 0xd6191c:
   0x0000000000d618dc <ff_ivi_recompose53+2668>:    (bad)  
   0x0000000000d618dd <ff_ivi_recompose53+2669>:    cmp    %al,(%rcx)
   0x0000000000d618df <ff_ivi_recompose53+2671>:    add    %al,(%rax)
   0x0000000000d618e1 <ff_ivi_recompose53+2673>:    pop    %rbx
   0x0000000000d618e2 <ff_ivi_recompose53+2674>:    pop    %r12
   0x0000000000d618e4 <ff_ivi_recompose53+2676>:    pop    %r13
   0x0000000000d618e6 <ff_ivi_recompose53+2678>:    pop    %r14
   0x0000000000d618e8 <ff_ivi_recompose53+2680>:    pop    %r15
   0x0000000000d618ea <ff_ivi_recompose53+2682>:    pop    %rbp
   0x0000000000d618eb <ff_ivi_recompose53+2683>:    retq   
   0x0000000000d618ec <ff_ivi_recompose53+2684>:    mov    %rdx,%rdi
   0x0000000000d618ef <ff_ivi_recompose53+2687>:    callq  0x4d4830
<__asan_report_load2>
   0x0000000000d618f4 <ff_ivi_recompose53+2692>:    mov    %rdx,%rdi
   0x0000000000d618f7 <ff_ivi_recompose53+2695>:    callq  0x4d4830
<__asan_report_load2>
=> 0x0000000000d618fc <ff_ivi_recompose53+2700>:    mov    %rdx,%rdi
   0x0000000000d618ff <ff_ivi_recompose53+2703>:    callq  0x4d4830
<__asan_report_load2>
   0x0000000000d61904 <ff_ivi_recompose53+2708>:    mov    %rdx,%rdi
   0x0000000000d61907 <ff_ivi_recompose53+2711>:    callq  0x4d4830
<__asan_report_load2>
   0x0000000000d6190c <ff_ivi_recompose53+2716>:    mov    %rdx,%rdi
   0x0000000000d6190f <ff_ivi_recompose53+2719>:    callq  0x4d4830
<__asan_report_load2>
   0x0000000000d61914 <ff_ivi_recompose53+2724>:    mov    %rdx,%rdi
   0x0000000000d61917 <ff_ivi_recompose53+2727>:    callq  0x4d4830
<__asan_report_load2>
End of assembler dump.
rax            0x62f00000dc00    108782931729408
rbx            0x180    384
rcx            0x62f00000dc00    108782931729408
rdx            0x7fffffff8078    140737488322680
rsi            0x7fffffff8080    140737488322688
rdi            0xd618fc    14031100
rbp            0x0    0x0
rsp            0x7fffffff8090    0x7fffffff8090
r8             0x0    0
r9             0x2    2
r10            0x62f000037900    108782931900672
r11            0xfffffff7    4294967287
r12            0x180    384
r13            0x0    0
r14            0xfffffec2    4294966978
r15            0xfffffeb8    4294966968
rip            0xd618fc    0xd618fc <ff_ivi_recompose53+2700>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0    0
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x0    0
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xe0, 0x23, 0xb6, 0x1, 0x0, 0x0, 0x0, 0x0,
0x20, 0x24, 0xb6, 0x1, 0x0 <repeats 20 times>}, v16_int16 = {0x23e0, 0x1b6,
0x0, 0x0, 0x2420, 0x1b6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x1b623e0, 0x0, 0x1b62420, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0x1b623e0, 0x1b62420, 0x0, 0x0}, v2_int128 =
{0x0000000001b624200000000001b623e0, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x60, 0x23, 0xb6, 0x1, 0x0, 0x0, 0x0, 0x0,
0xa0, 0x23, 0xb6, 0x1, 0x0 <repeats 20 times>}, v16_int16 = {0x2360, 0x1b6,
0x0, 0x0, 0x23a0, 0x1b6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0x1b62360, 0x0, 0x1b623a0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0x1b62360, 0x1b623a0, 0x0, 0x0}, v2_int128 =
{0x0000000001b623a00000000001b62360, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x6, 0xfffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0xfffffffffffffffe, 0x0, 0x0, 0x0}, v32_int8 = {0xb6, 0x4d, 0xd1,
0x40, 0x1e, 0xaa, 0x5, 0xc0, 0x0 <repeats 24 times>}, v16_int16 = {0x4db6,
0x40d1, 0xaa1e, 0xc005, 0x0 <repeats 12 times>}, v8_int32 = {0x40d14db6,
0xc005aa1e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xc005aa1e40d14db6, 0x0,
0x0, 0x0}, v2_int128 = {0x0000000000000000c005aa1e40d14db6,
0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b,
0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0 <repeats 12
times>}, v8_int32 = {0x0, 0x3bbcc868, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0x3bbcc86800000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003bbcc86800000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0
<repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xff, 0x0 <repeats 31 times>}, v16_int16 =
{0xff, 0x0 <repeats 15 times>}, v8_int32 = {0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0xff, 0x0, 0x0, 0x0}, v2_int128 =
{0x000000000000000000000000000000ff, 0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x5b, 0xbc,
0x0 <repeats 24 times>}, v16_int16 = {0x0, 0x0, 0x8000, 0xbc5b, 0x0 <repeats 12
times>}, v8_int32 = {0x0, 0xbc5b8000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xbc5b800000000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x0000000000000000bc5b800000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xb8, 0x45, 0x3c, 0x33, 0xa5, 0xd, 0x48,
0x3c, 0x0 <repeats 24 times>}, v16_int16 = {0x45b8, 0x333c, 0xda5, 0x3c48, 0x0
<repeats 12 times>}, v8_int32 = {0x333c45b8, 0x3c480da5, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int64 = {0x3c480da5333c45b8, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000003c480da5333c45b8, 0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x2, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x38, 0xfa, 0xfe, 0x42, 0x2e, 0x6,
0x40, 0x0 <repeats 24 times>}, v16_int16 = {0x3800, 0xfefa, 0x2e42, 0x4006, 0x0
<repeats 12 times>}, v8_int32 = {0xfefa3800, 0x40062e42, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int64 = {0x40062e42fefa3800, 0x0, 0x0, 0x0}, v2_int128 =
{0x000000000000000040062e42fefa3800, 0x00000000000000000000000000000000}}
=================================================================
==11365==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62f00000dc00 at pc 0x000000d618fc bp 0x7fffffff8080 sp 0x7fffffff8078
READ of size 2 at 0x62f00000dc00 thread T0
    #0 0xd618fb in ff_ivi_recompose53
/home/attekett/projects/libav-trunk/libavcodec/ivi_dsp.c:106:17
    #1 0xd5faa2 in ff_ivi_decode_frame
/home/attekett/projects/libav-trunk/libavcodec/ivi.c:1106:13
    #2 0x11d2672 in avcodec_decode_video2
/home/attekett/projects/libav-trunk/libavcodec/utils.c:1488:19
    #3 0x51bfff in decode_video
/home/attekett/projects/libav-trunk/avconv.c:1197:11
    #4 0x51bfff in process_input_packet
/home/attekett/projects/libav-trunk/avconv.c:1346
    #5 0x5143cc in process_input
/home/attekett/projects/libav-trunk/avconv.c:2484:5
    #6 0x5143cc in transcode /home/attekett/projects/libav-trunk/avconv.c:2526
    #7 0x5143cc in main /home/attekett/projects/libav-trunk/avconv.c:2689
    #8 0x7ffff6288ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x4ebc6c in _start (/home/attekett/projects/libav-trunk/avconv+0x4ebc6c)

0x62f00000dc00 is located 0 bytes to the right of 55296-byte region
[0x62f000000400,0x62f00000dc00)
allocated by thread T0 here:
    #0 0x4ceeaf in __interceptor_posix_memalign
(/home/attekett/projects/libav-trunk/avconv+0x4ceeaf)
    #1 0x1969b2a in av_malloc
/home/attekett/projects/libav-trunk/libavutil/mem.c:81:9
    #2 0x1969b2a in av_mallocz
/home/attekett/projects/libav-trunk/libavutil/mem.c:213
    #3 0xd5a960 in ff_ivi_init_planes
/home/attekett/projects/libav-trunk/libavcodec/ivi.c:357:30

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/attekett/projects/libav-trunk/libavcodec/ivi_dsp.c:106 ff_ivi_recompose53
Shadow bytes around the buggy address:
  0x0c5e7fff9b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fff9b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fff9b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fff9b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5e7fff9b80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==11365==ABORTING
[Thread 0x7ffff14cd700 (LWP 11373) exited]
[Thread 0x7ffff24cf700 (LWP 11371) exited]
[Thread 0x7ffff2cd0700 (LWP 11370) exited]
[Thread 0x7ffff34d1700 (LWP 11369) exited]
[Thread 0x7ffff7fd47c0 (LWP 11365) exited]
[Inferior 1 (process 11365) exited with code 01]
