[libav-bugs] [Bug 1006] New: Null pointer dereference in ff_h264_execute_ref_pic_marking()

bugzilla at libav.org bugzilla at libav.org
Fri Dec 23 10:37:56 CET 2016


            Bug ID: 1006
           Summary: Null pointer dereference in ff_h264_execute_ref_pic_marking()
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 634
  --> https://bugzilla.libav.org/attachment.cgi?id=634&action=edit
POC to trigger null pointer dereference (avprobe)

After some fuzz testing I found a crashing test case.

Command: avprobe libav_nullptr_ff_h264_execute_ref_pic_marking_l677

Git Head: f9edc734e0ca3f6ef06c1ad0bd2c19c0c66f1ffa

Output + ASAN:

avprobe version v13_dev0-673-gf9edc73, Copyright (c) 2007-2016 the Libav
  built on Dec 22 2016 08:45:30 with clang version 3.9.0
[h264 @ 0x619000000080] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x619000000080] error while decoding MB 0 0, bytestream -3
[h264 @ 0x619000000080] data partitioning is not implemented. Update your Libav
version to the newest one from Git. If the problem still occurs, it means that
your file has a feature which has not been implemented.
[h264 @ 0x619000000080] If you want to help, upload a sample of this file to
ftp://upload.libav.org/incoming/ and contact the libav-devel mailing list.
==28027==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a8 (pc
0x000001bc2735 bp 0x62e00000666c sp 0x7ffd2a92b2d0 T0)
==28027==The signal is caused by a READ memory access.
==28027==Hint: address points to the zero page.
    #0 0x1bc2734 in ff_h264_execute_ref_pic_marking
    #1 0x1bb999e in ff_h264_field_end
    #2 0x1bcdbe4 in ff_h264_queue_decode_slice
    #3 0xbc5f38 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:573:24
    #4 0xbc5f38 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:742
    #5 0x9f22c5 in decode_simple_internal XYZ/libav/libavcodec/decode.c:334:15
    #6 0x9f22c5 in decode_simple_receive_frame
    #7 0x9f22c5 in decode_receive_frame_internal
    #8 0x9f1084 in avcodec_send_packet XYZ/libav/libavcodec/decode.c:445:15
    #9 0x82d5fb in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #10 0x827143 in avformat_find_stream_info
    #11 0x4f6659 in open_input_file XYZ/libav/avprobe.c:866:16
    #12 0x4f6659 in probe_file XYZ/libav/avprobe.c:944
    #13 0x4f6659 in main XYZ/libav/avprobe.c:1178
    #14 0x7f54db40482f in __libc_start_main
    #15 0x41a948 in _start (/usr/local/bin/avprobe+0x41a948)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:677:36 in
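The report above is a typical fuzzer-found crash: the faulting address 0xa8 lies in the zero page, the access is a READ, and the top frame is ff_h264_execute_ref_pic_marking, which together read as a dereference of a NULL struct pointer at field offset 0xa8 rather than a corrupted heap pointer. The following script is an added example of the triage a fuzzing harness would apply to such ASAN output; it is not part of this bug report or of Libav. The sample report embedded in it is a trimmed copy of the ASAN lines quoted above, and the classification thresholds (zero page = first 0x1000 bytes, read-of-NULL treated as a crash-only DoS hint) are assumptions of the script, not anything ASAN itself states.

```python
"""Triage an AddressSanitizer SEGV report.

Classifies a fault whose address falls in the zero page as a NULL-pointer
(plus field offset) dereference, and extracts the access type, faulting
function and source location so crashes can be bucketed before manual
analysis. Added example; not code from the bug report or from Libav.
"""
import re

# Assumption: any fault below the first page is treated as NULL + offset.
ZERO_PAGE_LIMIT = 0x1000

# Trimmed copy of the ASAN output quoted in the report (constructed sample).
SAMPLE_REPORT = """\
==28027==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a8 (pc 0x000001bc2735 bp 0x62e00000666c sp 0x7ffd2a92b2d0 T0)
==28027==The signal is caused by a READ memory access.
==28027==Hint: address points to the zero page.
    #0 0x1bc2734 in ff_h264_execute_ref_pic_marking
    #1 0x1bb999e in ff_h264_field_end
    #2 0x1bcdbe4 in ff_h264_queue_decode_slice
    #3 0xbc5f38 in decode_nal_units XYZ/libav/libavcodec/h264dec.c:573:24
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:677:36 in
"""

SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0xADDR in func [file:line[:col]]" -- file/line are optional (stripped frames).
FRAME_RE = re.compile(
    r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)(?:\s+(\S+?):(\d+)(?::\d+)?)?", re.M
)
SUMMARY_RE = re.compile(r"SUMMARY: AddressSanitizer: SEGV (\S+?):(\d+)")


def triage_asan_segv(report: str) -> dict:
    """Return a bucketing dict for one ASAN SEGV report."""
    m = SEGV_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer SEGV report")
    addr = int(m.group(1), 16)

    access_m = ACCESS_RE.search(report)
    access = access_m.group(1) if access_m else "UNKNOWN"

    frames = FRAME_RE.findall(report)
    crash_function = frames[0][1] if frames else None

    # Prefer the SUMMARY location (the exact faulting line); fall back to the
    # first frame that carries a file:line.
    location = None
    summary_m = SUMMARY_RE.search(report)
    if summary_m:
        location = (summary_m.group(1), int(summary_m.group(2)))
    else:
        for _, _, path, line in frames:
            if path:
                location = (path, int(line))
                break

    if addr < ZERO_PAGE_LIMIT:
        kind = "null-deref"
        field_offset = addr  # offset of the field read through the NULL pointer
        # Heuristic: reading through NULL just crashes; a write through a
        # NULL-based pointer deserves a closer look before being filed as DoS.
        severity_hint = "crash/DoS (read via NULL)" if access == "READ" else "review (write via NULL)"
    else:
        kind = "wild-pointer"
        field_offset = None
        severity_hint = "review (non-zero-page fault, possible memory corruption)"

    return {
        "fault_address": addr,
        "access": access,
        "kind": kind,
        "field_offset": field_offset,
        "crash_function": crash_function,
        "location": location,
        "frames": [f[1] for f in frames],
        "severity_hint": severity_hint,
    }


if __name__ == "__main__":
    for k, v in triage_asan_segv(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

Feed the full stderr of an ASAN build of avprobe to triage_asan_segv(); the "null-deref" bucket with a READ access is the one this report falls into, which is consistent with the reporter filing it as a plain crash rather than claiming anything more.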
