[libav-bugs] [Bug 951] New: avplay: SIGSEGV due to invalid index (read)

bugzilla at libav.org bugzilla at libav.org
Mon Jul 18 00:39:49 CEST 2016


https://bugzilla.libav.org/show_bug.cgi?id=951

            Bug ID: 951
           Summary: avplay: SIGSEGV due to invalid index (read)
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 592
  --> https://bugzilla.libav.org/attachment.cgi?id=592&action=edit
Sample crashing avplay

Avplay crashes due to an invalid read access: sc->last_stsd_index evidently holds an invalid (negative) value, and it is used as an array index at the crash site without being range-checked against the array first.
The sample file was generated by fuzzing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe47f8700 (LWP 30112)]
0x00000000004c315c in mov_change_extradata (pkt=0x7fffe47f7d20, sc=0x161c4a0)
    at libavformat/mov.c:3581
3581        extradata_size = sc->extradata_size[sc->last_stsd_index];
(gdb) p sc->last_stsd_index
$1 = -16777216

(gdb) bt
#0  0x00000000004c315c in mov_change_extradata (pkt=0x7fffe47f7d20,
sc=0x161c4a0)
    at libavformat/mov.c:3581
#1  mov_read_packet (s=0x162ece0, pkt=0x7fffe47f7d20) at libavformat/mov.c:3689
#2  0x000000000053f1f5 in ff_read_packet (s=s at entry=0x162ece0,
pkt=pkt at entry=0x7fffe47f7d20)
    at libavformat/utils.c:447
#3  0x0000000000540d53 in read_frame_internal (s=0x162ece0, pkt=0x7fffe47f7e40)
    at libavformat/utils.c:932
#4  0x000000000054150b in av_read_frame (s=s at entry=0x162ece0,
pkt=pkt at entry=0x7fffe47f7e40)
    at libavformat/utils.c:1030
#5  0x0000000000458e7d in decode_thread (arg=0xfb7c60 <player_state>) at
avplay.c:2495
#6  0x00007ffff69e1ad8 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#7  0x00007ffff6a21109 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#8  0x00007ffff67b9184 in start_thread (arg=0x7fffe47f8700) at
pthread_create.c:312
#9  0x00007ffff64e637d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(gdb) info all-registers
rax            0xffffffffff000000    -16777216
rbx            0x7fffe47f7d20    140737026948384
rcx            0x161cb80    23186304
rdx            0x162f600    23262720
rsi            0x1    1
rdi            0xc    12
rbp            0x162ece0    0x162ece0
rsp            0x7fffe47f7bf0    0x7fffe47f7bf0
r8             0x7fffe47f8700    140737026950912
r9             0x10    16
r10            0xcfbea7    13614759
r11            0x206    518
r12            0x162e5e0    23258592
r13            0x7fffe47f7c60    140737026948192
r14            0x161c4a0    23184544
r15            0x163d460    23319648
rip            0x4c315c    0x4c315c <mov_read_packet+508>
eflags         0x10286    [ PF SF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0    0
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x0    0
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {
    0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff,
0xff, 0xff, 0xff, 
    0xff, 0x0 <repeats 23 times>}, v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0xff, 
    0x0 <repeats 11 times>}, v8_int32 = {0x0, 0xffffffff, 0xff, 0x0, 0x0, 0x0,
0x0, 0x0}, 
  v4_int64 = {0xffffffff00000000, 0xff, 0x0, 0x0}, v2_int128 = {
    0x00000000000000ffffffffff00000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x25 <repeats 16 times>, 0x0 <repeats 16 times>},
v16_int16 = {0x2525, 
    0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 
    0x0}, v8_int32 = {0x25252525, 0x25252525, 0x25252525, 0x25252525, 0x0, 0x0,
0x0, 0x0}, 
  v4_int64 = {0x2525252525252525, 0x2525252525252525, 0x0, 0x0}, v2_int128 = {
    0x25252525252525252525252525252525, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {
    0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x65, 0x63, 0x65, 0x30,
0x5d, 0x20, 0x73, 
    0x74, 0x72, 0x65, 0x61, 0x6d, 0x20, 0x30, 0x2c, 0x20, 0x0 <repeats 16
times>}, v16_int16 = {
---Type <return> to continue, or q <return> to quit---
    0x6365, 0x3065, 0x205d, 0x7473, 0x6572, 0x6d61, 0x3020, 0x202c, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0}, v8_int32 = {0x30656365, 0x7473205d, 0x6d616572, 0x202c3020, 0x0,
0x0, 0x0, 0x0}, 
  v4_int64 = {0x7473205d30656365, 0x202c30206d616572, 0x0, 0x0}, v2_int128 = {
    0x202c30206d6165727473205d30656365, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {
    0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff,
0xff, 0xff, 0xff, 
    0xff, 0x0 <repeats 23 times>}, v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0xff, 
    0x0 <repeats 11 times>}, v8_int32 = {0x0, 0xffffffff, 0xff, 0x0, 0x0, 0x0,
0x0, 0x0}, 
  v4_int64 = {0xffffffff00000000, 0xff, 0x0, 0x0}, v2_int128 = {
    0x00000000000000ffffffffff00000000, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x1, 0x0, 0x0, 
    0x0}, v32_int8 = {0x6d, 0x7d, 0xbf, 0xbb, 0x27, 0xaf, 0xf5, 0x3f, 0x0
<repeats 24 times>}, 
  v16_int16 = {0x7d6d, 0xbbbf, 0xaf27, 0x3ff5, 0x0 <repeats 12 times>},
v8_int32 = {0xbbbf7d6d, 
    0x3ff5af27, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3ff5af27bbbf7d6d,
0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003ff5af27bbbf7d6d,
0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {
    0xffffffffffffffd2, 0x0, 0x0, 0x0}, v32_int8 = {0xe0, 0xe6, 0x35, 0x67,
0x9e, 0x6, 0x47, 
    0xc0, 0x0 <repeats 24 times>}, v16_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 
    0x0 <repeats 12 times>}, v8_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, 
  v4_int64 = {0xc047069e6735e6e0, 0x0, 0x0, 0x0}, v2_int128 = {
    0x0000000000000000c047069e6735e6e0, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0 <repeats
24 times>}, 
  v16_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0 <repeats 12 times>}, v8_int32 =
{0x0, 0x3bbcc868, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3bbcc86800000000, 0x0, 0x0,
0x0}, v2_int128 = {
    0x00000000000000003bbcc86800000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {
    0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, v32_int8 = {0xff, 0x0,
0x0, 0x0, 
    0xff <repeats 12 times>, 0x0 <repeats 16 times>}, v16_int16 = {0xff, 0x0,
0xffff, 0xffff, 
    0xffff, 0xffff, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v8_int32 = {0xff, 
    0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xffffffff000000ff, 
    0xffffffffffffffff, 0x0, 0x0}, v2_int128 =
{0xffffffffffffffffffffffff000000ff, 
    0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0 <repeats
24 times>}, 
  v16_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0 <repeats 12 times>}, v8_int32 =
{0x0, 0xbc598000, 
---Type <return> to continue, or q <return> to quit---
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xbc59800000000000, 0x0, 0x0,
0x0}, v2_int128 = {
    0x0000000000000000bc59800000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0
<repeats 24 times>}, 
  v16_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0 <repeats 12 times>},
v8_int32 = {0xe883858e, 
    0x3c5324f0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3c5324f0e883858e,
0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003c5324f0e883858e,
0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x2d, 0x0, 0x0, 
    0x0}, v32_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0
<repeats 24 times>}, 
  v16_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0 <repeats 12 times>}, v8_int32
= {0x16f209c0, 
    0x4046dfb5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x4046dfb516f209c0,
0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000004046dfb516f209c0,
0x00000000000000000000000000000000}}
