[libav-bugs] [Bug 906] New: Invalid read in get_vlc2

bugzilla-daemon at libav.org bugzilla-daemon at libav.org
Fri Oct 23 09:05:05 CEST 2015


https://bugzilla.libav.org/show_bug.cgi?id=906

            Bug ID: 906
           Summary: Invalid read in get_vlc2
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: attekett at gmail.com
             Flags: Security-concern?

Created attachment 560
  --> https://bugzilla.libav.org/attachment.cgi?id=560&action=edit
heap-buffer-overflow-5fc-a65-931.media

Tested on:
OS: Ubuntu 14.04
uname -a:
Linux attekett-UX31A 3.19.0-30-generic #34~14.04.1-Ubuntu SMP Fri Oct 2
22:09:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
avconv 10.7
libavutil     53.  3. 0 / 53.  3. 0
libavcodec    55. 34. 1 / 55. 34. 1
libavformat   55. 12. 0 / 55. 12. 0
libavdevice   54.  0. 0 / 54.  0. 0
libavfilter    4.  2. 0 /  4.  2. 0
libavresample  1.  1. 0 /  1.  1. 0
libswscale     2.  1. 2 /  2.  1. 2
Didn't reproduce

avconv 11.4
libavutil     54.  3. 0 / 54.  3. 0
libavcodec    56.  1. 0 / 56.  1. 0
libavformat   56.  1. 0 / 56.  1. 0
libavdevice   55.  0. 0 / 55.  0. 0
libavfilter    5.  0. 0 /  5.  0. 0
libavresample  2.  1. 0 /  2.  1. 0
libswscale     3.  0. 0 /  3.  0. 0
Didn't reproduce

Report from libav-trunk:
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/attekett/projects/libav-trunk/avconv...done.
Breakpoint 1 at 0x4d3090
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v12_dev0-1977-gdca23ff, Copyright (c) 2000-2015 the Libav
developers
  built on Oct 23 2015 09:26:22 with Ubuntu clang version
3.5.0-4ubuntu2~trusty2 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
  configuration: --toolchain=clang-asan
  libavutil     55.  2. 0 / 55.  2. 0
  libavcodec    57.  5. 0 / 57.  5. 0
  libavformat   57.  0. 0 / 57.  0. 0
  libavdevice   56.  0. 0 / 56.  0. 0
  libavfilter    6.  0. 0 /  6.  0. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'./heap-buffer-overflow-5fc-a65-931.media'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file
./heap-buffer-overflow-5fc-a65-931.media.
Successfully parsed a group of options.
Opening an input file: ./heap-buffer-overflow-5fc-a65-931.media.
nsv_probe(), buf_size 1003
[avi @ 0x61a00001f280] Probed with size=2048 and score=100
tag: tag=LIST size=0x134
list: tag=hdrl size=0x0
tag: tag=avih size=0x38
tag: tag=LIST size=0x7c
list: tag=strl size=0x0
tag: tag=strh size=0x40
strh: tag=vids size=0xffffffff
[avi @ 0x61a00001f280] 15 1 0
tag: tag=strf size=0x28
video: tag=TM20 size=0x0
tag: tag=LIST size=0x64
list: tag=strl size=0x0
tag: tag=strh size=0x40
strh: tag=auds size=0xffffffff
st:1 removing common factor 2 from timebase
[avi @ 0x61a00001f280] 44100 2 2
tag: tag=ÚÁs size=0x75017213
[avi @ 0x61a00001f280] Something went wrong during header parsing, I will
ignore it and try to continue anyway.
[avi @ 0x61a00001f280] movi_end=0x1cf430
[avi @ 0x61a00001f280] tag=FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF 0 312 4294901503 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0
80 313 2147483391 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0 80 14 314
343932927 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0 80 14 66 315
1712619520 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF FFFFFFFF 0 80 14 66 0 316 6689920 100
[avi @ 0x61a00001f280] FFFFFFFF FFFFFFFF 0 80 14 66 0 0 317 26132 100
[avi @ 0x61a00001f280] FFFFFFFF 0 80 14 66 0 0 0 318 102 100
[avi @ 0x61a00001f280] 0 80 14 66 0 0 0 0 319 0 100
[avi @ 0x61a00001f280] 80 14 66 0 0 0 0 0 320 0 100
[avi @ 0x61a00001f280] 14 66 0 0 0 0 0 0 321 0 100
[avi @ 0x61a00001f280] 66 0 0 0 0 0 0 0 322 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 323 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 324 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 325 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 326 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 327 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 328 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 329 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 330 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 331 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 332 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 333 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 334 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 335 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 336 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 337 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 338 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 0 339 0 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 0 7 340 117440512 100
[avi @ 0x61a00001f280] 0 0 0 0 0 0 7 0 341 458752 100
[avi @ 0x61a00001f280] 0 0 0 0 0 7 0 0 342 1792 100
[avi @ 0x61a00001f280] 0 0 0 0 7 0 0 0 343 7 100
[avi @ 0x61a00001f280] 0 0 0 7 0 0 0 80 344 2147483648 100
[avi @ 0x61a00001f280] 0 0 7 0 0 0 80 25 345 629145600 100
[avi @ 0x61a00001f280] 0 7 0 0 0 80 25 0 346 2457600 100
[avi @ 0x61a00001f280] 7 0 0 0 80 25 0 0 347 9600 100
[avi @ 0x61a00001f280] 0 0 0 80 25 0 0 0 348 37 100
[avi @ 0x61a00001f280] 0 0 80 25 0 0 0 0 349 0 100
[avi @ 0x61a00001f280] 0 80 25 0 0 0 0 0 350 0 100
[avi @ 0x61a00001f280] 80 25 0 0 0 0 0 80 351 2147483648 100
[avi @ 0x61a00001f280] 25 0 0 0 0 0 80 3 352 58720256 100
[avi @ 0x61a00001f280] 0 0 0 0 0 80 3 0 353 229376 100
[avi @ 0x61a00001f280] 0 0 0 0 80 3 0 0 354 896 100
[avi @ 0x61a00001f280] 0 0 0 80 3 0 0 40 355 1073741827 100
[avi @ 0x61a00001f280] 0 0 80 3 0 0 40 0 356 4194304 100
[avi @ 0x61a00001f280] 0 80 3 0 0 40 0 1 357 16793600 100
[avi @ 0x61a00001f280] 80 3 0 0 40 0 1 0 358 65600 100
[avi @ 0x61a00001f280] 3 0 0 40 0 1 0 0 359 256 100
[avi @ 0x61a00001f280] 0 0 40 0 1 0 0 1 360 16777217 100
[avi @ 0x61a00001f280] 0 40 0 1 0 0 1 0 361 65536 100
[avi @ 0x61a00001f280] 40 0 1 0 0 1 0 0 362 256 100
[avi @ 0x61a00001f280] 0 1 0 0 1 0 0 10 363 268435457 100
[avi @ 0x61a00001f280] 1 0 0 1 0 0 10 0 364 1048576 100
[avi @ 0x61a00001f280] 0 0 1 0 0 10 0 0 365 4096 100
[avi @ 0x61a00001f280] 0 1 0 0 10 0 0 0 366 16 100
[avi @ 0x61a00001f280] 1 0 0 10 0 0 0 60 367 1610612736 100
[avi @ 0x61a00001f280] 0 0 10 0 0 0 60 0 368 6291456 100
[avi @ 0x61a00001f280] 0 10 0 0 0 60 0 0 369 24576 100
[avi @ 0x61a00001f280] 10 0 0 0 60 0 0 0 370 96 100
[avi @ 0x61a00001f280] 0 0 0 60 0 0 0 0 371 0 100
[avi @ 0x61a00001f280] 0 0 60 0 0 0 0 30 372 805306368 100
[avi @ 0x61a00001f280] 0 60 0 0 0 0 30 30 373 808452096 100
[avi @ 0x61a00001f280] 60 0 0 0 0 30 30 64 374 1680879616 100
[avi @ 0x61a00001f280] 0 0 0 0 30 30 64 63 375 1667510320 100
[avi @ 0x61a00001f280] 0 0 0 30 30 64 63 98 376 2556650544 100
[avi @ 0x61a00001f280] 0 0 30 30 64 63 98 3 377 60318564 0
[avi @ 0x61a00001f280] 0 30 30 64 63 98 3 0 378 235619 100
[avi @ 0x61a00001f280] 30 30 64 63 98 3 0 0 379 920 100
[avi @ 0x61a00001f280] dts:0 offset:0 1/15 smpl_siz:0 base:1000000 st:0
size:920
IN delayed:0 pts:-9223372036854775808, dts:0 cur_dts:0 st:0 pc:(nil)
OUTdelayed:0/0 pts:0, dts:0 cur_dts:1
[avi @ 0x61a00001f280] Could not find codec parameters (Invalid Codec type -1)
[avi @ 0x61a00001f280] 0: start_time: 0.000 duration: 0.000
[avi @ 0x61a00001f280] 1: start_time: 0.000 duration: -9223372036854.775
[avi @ 0x61a00001f280] stream: start_time: 0.000 duration: 10.133 bitrate=0
kb/s
Input #0, avi, from './heap-buffer-overflow-5fc-a65-931.media':
  Duration: 00:00:10.13, start: 0.000000, bitrate: 0 kb/s
    Stream #0:0, 1, 1/15: Video: truemotion2 [TM20 / 0x30324D54]
      bgr24, 320x240, 0/1
      15 tbn
    Stream #0:1, 0, 1/22050: Invalid Codec type -1
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
Detected 4 logical cores.
[buffer @ 0x60e00000d940] w:320 h:240 pixfmt:bgr24 tb:1/15 sar:0/1
[buffersink @ 0x60e00000d860] auto-inserting filter 'auto-inserted fifo 0'
between the filter 'Parsed filter 0 null' and the filter 'output stream 0:0'
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.0.0
    Stream #0:0, 0, 1/15: Video: wrapped_avframe
      bgr24, 320x240, 1/15, q=2-31, 200 kb/s
      15 tbn, 15 tbc
    Metadata:
      encoder         : Lavc57.5.0 wrapped_avframe
Stream mapping:
  Stream #0:0 -> #0:0 (truemotion2 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[New Thread 0x7ffff34d1700 (LWP 11402)]
[New Thread 0x7ffff2cd0700 (LWP 11403)]
[New Thread 0x7ffff24cf700 (LWP 11404)]
[New Thread 0x7ffff1cce700 (LWP 11405)]
[New Thread 0x7ffff14b0700 (LWP 11406)]

Breakpoint 1, 0x00000000004d3090 in __asan_report_error ()

Thread 6 (Thread 0x7ffff14b0700 (LWP 11406)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff14b0700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 5 (Thread 0x7ffff1cce700 (LWP 11405)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff1cce700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 4 (Thread 0x7ffff24cf700 (LWP 11404)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff24cf700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7ffff2cd0700 (LWP 11403)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff2cd0700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7ffff34d1700 (LWP 11402)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x00000000005490cc in worker (v=<optimized out>) at
libavfilter/pthread.c:79
#2  0x00007ffff6a4f182 in start_thread (arg=0x7ffff34d1700) at
pthread_create.c:312
#3  0x00007ffff636147d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fd47c0 (LWP 11398)):
#0  0x00000000004d3090 in __asan_report_error ()
#1  0x00000000004d4a04 in __asan_report_load_n ()
#2  0x00000000011a71b1 in get_vlc2 (max_depth=1, s=<optimized out>,
table=<optimized out>, bits=<optimized out>) at libavcodec/get_bits.h:529
#3  tm2_get_token (gb=<optimized out>, code=<optimized out>) at
libavcodec/truemotion2.c:228
#4  tm2_read_stream (buf=<optimized out>, buf_size=<optimized out>,
ctx=<optimized out>, stream_id=<optimized out>) at libavcodec/truemotion2.c:351
#5  decode_frame (avctx=<optimized out>, data=<optimized out>,
got_frame=<optimized out>, avpkt=<optimized out>) at
libavcodec/truemotion2.c:884
#6  0x00000000011d2673 in avcodec_decode_video2 (avctx=0x61900001db80,
picture=0x614000008240, got_picture_ptr=0x7fffffff8e40, avpkt=0x7fffffff8e50)
at libavcodec/utils.c:1488
#7  0x000000000051c000 in decode_video (ist=0x61300000db00, pkt=<optimized
out>, got_output=<optimized out>) at avconv.c:1197
#8  process_input_packet (ist=<optimized out>, pkt=<optimized out>,
no_eof=<optimized out>) at avconv.c:1346
#9  0x00000000005143cd in process_input () at avconv.c:2484
#10 transcode () at avconv.c:2526
#11 main (argc=<optimized out>, argv=<optimized out>) at avconv.c:2689
#2  0x00000000011a71b1 in get_vlc2 (max_depth=1, s=<optimized out>,
table=<optimized out>, bits=<optimized out>) at libavcodec/get_bits.h:529
529        UPDATE_CACHE(re, s);
Dump of assembler code from 0x11a7191 to 0x11a71d1:
   0x00000000011a7191 <decode_frame+54753>:    sti    
   0x00000000011a7192 <decode_frame+54754>:    (bad)  
   0x00000000011a7193 <decode_frame+54755>:    xor    %bh,%bh
   0x00000000011a7195 <decode_frame+54757>:    callq  0x4d4860
<__asan_report_load4>
   0x00000000011a719a <decode_frame+54762>:    mov    $0x4,%esi
   0x00000000011a719f <decode_frame+54767>:    callq  0x4d49e0
<__asan_report_load_n>
   0x00000000011a71a4 <decode_frame+54772>:    mov    $0x4,%esi
   0x00000000011a71a9 <decode_frame+54777>:    mov    %rcx,%rdi
   0x00000000011a71ac <decode_frame+54780>:    callq  0x4d49e0
<__asan_report_load_n>
=> 0x00000000011a71b1 <decode_frame+54785>:    callq  0x4d4830
<__asan_report_load2>
   0x00000000011a71b6 <decode_frame+54790>:    mov    %rax,%rdi
   0x00000000011a71b9 <decode_frame+54793>:    callq  0x4d4830
<__asan_report_load2>
   0x00000000011a71be <decode_frame+54798>:    mov    %r11,%rdi
   0x00000000011a71c1 <decode_frame+54801>:    callq  0x4d4950
<__asan_report_store4>
   0x00000000011a71c6 <decode_frame+54806>:    callq  0x4d4860
<__asan_report_load4>
   0x00000000011a71cb <decode_frame+54811>:    callq  0x4d4950
<__asan_report_store4>
   0x00000000011a71d0 <decode_frame+54816>:    mov    0x348(%rsp),%rdi
End of assembler dump.
rax            0x4    4
rbx            0x4    4
rcx            0x61700000bff4    107133664280564
rdx            0x7fffffff8328    140737488323368
rsi            0x7fffffff8330    140737488323376
rdi            0x11a71b1    18510257
rbp            0x7fffffff8810    0x7fffffff8810
rsp            0x7fffffff8340    0x7fffffff8340
r8             0x0    0
r9             0x4    4
r10            0x5e9    1513
r11            0x5e8    1512
r12            0x60200000e490    105690555278480
r13            0xc3a00002a9e    13443247647390
r14            0x17a0    6048
r15            0x61d0000154a8    107545981179048
rip            0x11a71b1    0x11a71b1 <decode_frame+54785>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0    0
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x0    0
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
=================================================================
==11398==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61700000bff4 at pc 0x0000011a71b1 bp 0x7fffffff8330 sp 0x7fffffff8328
READ of size 4 at 0x61700000bff4 thread T0
    #0 0x11a71b0 in get_vlc2
/home/attekett/projects/libav-trunk/libavcodec/get_bits.h:529:5
    #1 0x11a71b0 in tm2_get_token
/home/attekett/projects/libav-trunk/libavcodec/truemotion2.c:228
    #2 0x11a71b0 in tm2_read_stream
/home/attekett/projects/libav-trunk/libavcodec/truemotion2.c:351
    #3 0x11a71b0 in decode_frame
/home/attekett/projects/libav-trunk/libavcodec/truemotion2.c:884
    #4 0x11d2672 in avcodec_decode_video2
/home/attekett/projects/libav-trunk/libavcodec/utils.c:1488:19
    #5 0x51bfff in decode_video
/home/attekett/projects/libav-trunk/avconv.c:1197:11
    #6 0x51bfff in process_input_packet
/home/attekett/projects/libav-trunk/avconv.c:1346
    #7 0x5143cc in process_input
/home/attekett/projects/libav-trunk/avconv.c:2484:5
    #8 0x5143cc in transcode /home/attekett/projects/libav-trunk/avconv.c:2526
    #9 0x5143cc in main /home/attekett/projects/libav-trunk/avconv.c:2689
    #10 0x7ffff6288ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #11 0x4ebc6c in _start
(/home/attekett/projects/libav-trunk/avconv+0x4ebc6c)

0x61700000bff4 is located 0 bytes to the right of 628-byte region
[0x61700000bd80,0x61700000bff4)
allocated by thread T0 here:
    #0 0x4ceeaf in __interceptor_posix_memalign
(/home/attekett/projects/libav-trunk/avconv+0x4ceeaf)
    #1 0x19694aa in av_malloc
/home/attekett/projects/libav-trunk/libavutil/mem.c:81:9
    #2 0x1199d2e in decode_frame
/home/attekett/projects/libav-trunk/libavcodec/truemotion2.c:859:13
    #3 0x11d2672 in avcodec_decode_video2
/home/attekett/projects/libav-trunk/libavcodec/utils.c:1488:19

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/attekett/projects/libav-trunk/libavcodec/get_bits.h:529 get_vlc2
Shadow bytes around the buggy address:
  0x0c2e7fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff97d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff97e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa
  0x0c2e7fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==11398==ABORTING
[Thread 0x7ffff14b0700 (LWP 11406) exited]
[Thread 0x7ffff24cf700 (LWP 11404) exited]
[Thread 0x7ffff2cd0700 (LWP 11403) exited]
[Thread 0x7ffff34d1700 (LWP 11402) exited]
[Thread 0x7ffff7fd47c0 (LWP 11398) exited]
[Inferior 1 (process 11398) exited with code 01]
