[libav-bugs] [Bug 952] New: NULL dereference in libavcodec/h264dec.c:499/500

bugzilla at libav.org bugzilla at libav.org
Mon Jul 18 23:41:57 CEST 2016


https://bugzilla.libav.org/show_bug.cgi?id=952

            Bug ID: 952
           Summary: NULL dereference in libavcodec/h264dec.c:499/500
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 593
  --> https://bugzilla.libav.org/attachment.cgi?id=593&action=edit
Sample file crashing avconv

The supplied sample file triggers a NULL pointer dereference in avconv, which crashes at
libavcodec/h264dec.c:499/500.
The crash was caused by calling:
    avconv -i crash.mp4 out.mp4 -y

Relevant Code snippet:
499:    init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8);
500:    if (!get_ue_golomb(&gb))
501:        nals_needed = i;

libavcodec/h264dec.c:499
    init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8);

    (gdb) p nal->data+1
    $17 = (const uint8_t *) 0x1785307 #valid pointer
    (gdb) p (nal->size - 1) * 8
    $18 = -8

Since bit_size is negative (nal->size is 0 for this NAL unit, so (nal->size - 1) * 8
evaluates to -8), the error path at libavcodec/get_bits.h:368-371 is taken and gb is left
with the following values:
    gb->buffer             = NULL
    gb->size_in_bits       = 0;
    gb->buffer_end         = NULL
    gb->index              = 0;


In line libavcodec/h264dec.c:500, get_ue_golomb(&gb) is called even though the return
value of init_get_bits was ignored, so the reader was never set up.
The UPDATE_CACHE macro in libavcodec/golomb.h:58 then reads through gb->buffer, which is
NULL, causing the crash.
    libavcodec/get_bits.h:135
    #define UPDATE_CACHE(gb) _cache = AV_RL64((gb)->buffer + _index >> 3) >> (_index & 7)

Dumps from gdb:

(gdb) bt
#0  0x0000000000614dd2 in init_get_bits (bit_size=<optimised out>, buffer=0x0, 
    s=<synthetic pointer>) at libavcodec/get_bits.h:370
#1  get_last_needed_nal (h=<optimised out>, h=<optimised out>) at
libavcodec/h264dec.c:499
#2  decode_nal_units (buf_size=1248, buf=<optimised out>, h=0x1616ca0) at
libavcodec/h264dec.c:530
#3  h264_decode_frame (avctx=0x170c4a0, data=0x1625a40, got_frame=0x170be00, 
    avpkt=<optimised out>) at libavcodec/h264dec.c:717
#4  0x00000000007560b5 in frame_worker_thread (arg=0x170bca0) at
libavcodec/pthread_frame.c:145
#5  0x00007ffff6a4f184 in start_thread (arg=0x7ffff5a3a700) at
pthread_create.c:312
#6  0x00007ffff677c37d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x614db2 to 0x614df2:
   0x0000000000614db2 <h264_decode_frame+1538>: (bad)  
   0x0000000000614db3 <h264_decode_frame+1539>: decl   -0x75(%rcx)
   0x0000000000614db6 <h264_decode_frame+1542>: push   %rdi
   0x0000000000614db7 <h264_decode_frame+1543>: or     %dh,%dh
   0x0000000000614db9 <h264_decode_frame+1545>: (bad)  
   0x0000000000614dba <h264_decode_frame+1546>: hlt    
   0x0000000000614dbb <h264_decode_frame+1547>: add    (%rax),%al
   0x0000000000614dbd <h264_decode_frame+1549>: add    %cl,(%rax)
   0x0000000000614dbf <h264_decode_frame+1551>: je     0x614a40 <h264_decode_frame+656>
   0x0000000000614dc5 <h264_decode_frame+1557>: jmpq   0x614aac <h264_decode_frame+764>
   0x0000000000614dca <h264_decode_frame+1562>: nopw   0x0(%rax,%rax,1)
   0x0000000000614dd0 <h264_decode_frame+1568>: xor    %ecx,%ecx
=> 0x0000000000614dd2 <h264_decode_frame+1570>: mov    (%rcx),%edi
   0x0000000000614dd4 <h264_decode_frame+1572>: bswap  %edi
   0x0000000000614dd6 <h264_decode_frame+1574>: cmp    $0x7ffffff,%edi
   0x0000000000614ddc <h264_decode_frame+1580>: jbe    0x614d51 <h264_decode_frame+1441>
   0x0000000000614de2 <h264_decode_frame+1586>: shr    $0x17,%edi
   0x0000000000614de5 <h264_decode_frame+1589>: movzbl 0xb23040(%rdi),%edi
   0x0000000000614dec <h264_decode_frame+1596>: jmpq   0x614d6c <h264_decode_frame+1468>
   0x0000000000614df1 <h264_decode_frame+1601>: nopl   0x0(%rax)
End of assembler dump.

(gdb) info all-registers
rax            0x19 25
rbx            0x17 23
rcx            0x0  0
rdx            0x21 33
rsi            0x7fffec001e18   140737152818712
rdi            0xfffffff8   4294967288
rbp            0x170bd48    0x170bd48
rsp            0x7ffff5a39e40   0x7ffff5a39e40
r8             0x1  1
r9             0x1f 31
r10            0x17 23
r11            0xc6 198
r12            0x16259a0    23222688
r13            0x170c4a0    24167584
r14            0x170c4a0    24167584
r15            0x1616ca0    23162016
rip            0x614dd2 0x614dd2 <h264_decode_frame+1570>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
st0            -inf (raw 0xffff0000000000000000)
st1            -inf (raw 0xffff0000000000000000)
st2            -nan(0x20002000200020)   (raw 0xffff0020002000200020)
st3            -inf (raw 0xffff0000000000000000)
st4            -inf (raw 0xffff0000000000000000)
st5            -nan(0x20002000200020)   (raw 0xffff0020002000200020)
st6            -inf (raw 0xffff0000000000000000)
st7            -nan(0x40004000400040)   (raw 0xffff0040004000400040)
fctrl          0x37f    895
fstat          0x0  0
ftag           0xffff   65535
fiseg          0x0  0
fioff          0x0  0
foseg          0x0  0
fooff          0x0  0
fop            0x0  0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {
    0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0xff, 
    0xff, 0xff, 0xff, 0xff, 0x0 <repeats 20 times>}, v16_int16 = {0x0, 0x0,
0x0, 0xff00, 0xffff, 
    0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0,
0xff000000, 
    0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff00000000000000,
0xffffffff, 0x0, 0x0}, 
  v2_int128 = {0x00000000ffffffffff00000000000000,
0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x25 <repeats 16 times>, 0x0 <repeats 16 times>},
v16_int16 = {0x2525, 
    0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x2525, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 
    0x0}, v8_int32 = {0x25252525, 0x25252525, 0x25252525, 0x25252525, 0x0, 0x0,
0x0, 0x0}, 
  v4_int64 = {0x2525252525252525, 0x2525252525252525, 0x0, 0x0}, v2_int128 = {
    0x25252525252525252525252525252525, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0xa, 0x0, 0xa3, 0xf5, 0xff, 0x7f, 0x0, 0x0, 0xd2, 0x29,
0xaa, 
    0x0 <repeats 21 times>}, v16_int16 = {0xa, 0xf5a3, 0x7fff, 0x0, 0x29d2,
0xaa, 0x0, 0x0, 0x0, 
---Type <return> to continue, or q <return> to quit---
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xf5a3000a, 0x7fff,
0xaa29d2, 0x0, 0x0, 0x0, 
    0x0, 0x0}, v4_int64 = {0x7ffff5a3000a, 0xaa29d2, 0x0, 0x0}, v2_int128 = {
    0x0000000000aa29d200007ffff5a3000a, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {
    0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0xff, 
    0xff, 0xff, 0xff, 0xff, 0x0 <repeats 20 times>}, v16_int16 = {0x0, 0x0,
0x0, 0xff00, 0xffff, 
    0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0,
0xff000000, 
    0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff00000000000000,
0xffffffff, 0x0, 0x0}, 
  v2_int128 = {0x00000000ffffffffff00000000000000,
0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x68, 0xc8, 0xbc, 0x3b, 0x0 <repeats
24 times>}, 
  v16_int16 = {0x0, 0x0, 0xc868, 0x3bbc, 0x0 <repeats 12 times>}, v8_int32 =
{0x0, 0x3bbcc868, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3bbcc86800000000, 0x0, 0x0,
0x0}, v2_int128 = {
    0x00000000000000003bbcc86800000000, 0x00000000000000000000000000000000}}
ymm8           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm9           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm10          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm11          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm12          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x0, 0x0, 0x0,
0xff, 0xff, 0xff, 
    0xff, 0xff, 0x0 <repeats 17 times>}, v16_int16 = {0xff, 0x0, 0xff00, 0xff,
0x0, 0xffff, 
    0xffff, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xff,
0xffff00, 
    0xffff0000, 0xffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xffff00000000ff,
0xffffffffff0000, 
    0x0, 0x0}, v2_int128 = {0x00ffffffffff000000ffff00000000ff, 
    0x00000000000000000000000000000000}}
ymm13          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0 <repeats
24 times>}, 
  v16_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0 <repeats 12 times>}, v8_int32 =
{0x0, 0xbc598000, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xbc59800000000000, 0x0, 0x0,
0x0}, v2_int128 = {
    0x0000000000000000bc59800000000000, 0x00000000000000000000000000000000}}
ymm14          {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0
<repeats 24 times>}, 
  v16_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0 <repeats 12 times>},
v8_int32 = {0xe883858e, 
    0x3c5324f0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x3c5324f0e883858e,
0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003c5324f0e883858e,
0x00000000000000000000000000000000}}
ymm15          {v8_float = {0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x2d, 0x0, 0x0, 
    0x0}, v32_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0
<repeats 24 times>}, 
  v16_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0 <repeats 12 times>}, v8_int32
= {0x16f209c0, 
    0x4046dfb5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x4046dfb516f209c0,
0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000004046dfb516f209c0,
0x00000000000000000000000000000000}}
