[libav-bugs] [Bug 1105] New: Global out-of-bound read in ff_ps_apply

bugzilla at libav.org bugzilla at libav.org
Sat Dec 2 03:11:17 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1105

            Bug ID: 1105
           Summary: Global out-of-bound read in ff_ps_apply
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 700
  --> https://bugzilla.libav.org/attachment.cgi?id=700&action=edit
poc file

Triggered by "./avconv -i $POC -f null -"

Global out-of-bound read in ff_ps_apply.


ASAN report:

avconv version v13_dev0-1400-gb72ac6d, Copyright (c) 2000-2017 the Libav
developers
  built on Dec  2 2017 01:59:32 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
  configuration: --toolchain=clang-asan
  libavutil     56.  6. 0 / 56.  6. 0
  libavcodec    58.  5. 0 / 58.  5. 0
  libavformat   58.  1. 0 / 58.  1. 0
  libavdevice   57.  0. 2 / 57.  0. 2
  libavfilter    7.  0. 0 /  7.  0. 0
  libavresample  4.  0. 0 /  4.  0. 0
  libswscale     5.  0. 0 /  5.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'./avconv_aac_1/triage-12.2/aacps.c:810:19/id:000179,sig:06,src:005251,op:havoc,rep:16'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file
./avconv_aac_1/triage-12.2/aacps.c:810:19/id:000179,sig:06,src:005251,op:havoc,rep:16.
Successfully parsed a group of options.
Opening an input file:
./avconv_aac_1/triage-12.2/aacps.c:810:19/id:000179,sig:06,src:005251,op:havoc,rep:16.
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 2048
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 4096
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 4218
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 4218
[aac @ 0xb3b03680] Format detected only with low score of 1, misdetection
possible!
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[aac @ 0xb3303880] More than one AAC RDB per ADTS frame is not implemented.
Update your Libav version to the newest one from Git. If the problem still
occurs, it means that your file has a feature which has not been implemented.
[aac @ 0xb3303880] Error decoding AAC frame header.
[aac @ 0xb3303880] Reserved SBR extensions is not implemented. Update your
Libav version to the newest one from Git. If the problem still occurs, it means
that your file has a feature which has not been implemented.
[aac @ 0xb3303880] If you want to help, upload a sample of this file to
ftp://upload.libav.org/incoming/ and contact the libav-devel mailing list.
[aac @ 0xb3303880] Expected to read 6 SBR bytes actually read 47.
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[aac @ 0xb3b03680] Estimating duration from bitrate, this may be inaccurate
[aac @ 0xb3b03680] 0: start_time: -9223372036854.775 duration: 276.456
[aac @ 0xb3b03680] stream: start_time: -9223372036854.775 duration: 9.795
bitrate=3 kb/s
Input #0, aac, from
'./avconv_aac_1/triage-12.2/aacps.c:810:19/id:000179,sig:06,src:005251,op:havoc,rep:16':
  Duration: 00:00:09.79, bitrate: 3 kb/s
    Stream #0:0, 21, 1/28224000: Audio: aac (HE-AACv2)
      88200 Hz, stereo, fltp, 3 kb/s
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
Stream mapping:
  Stream #0:0 -> #0:0 (aac (native) -> pcm_s16le (native))
Press ctrl-c to stop encoding
[aac @ 0xb3303480] channel element 2.3 is not allocated
Error while decoding stream #0:0
[aac @ 0xb3303480] More than one AAC RDB per ADTS frame is not implemented.
Update your Libav version to the newest one from Git. If the problem still
occurs, it means that your file has a feature which has not been implemented.
[aac @ 0xb3303480] Error decoding AAC frame header.
Error while decoding stream #0:0
[aac @ 0xb3303480] invalid band type
Error while decoding stream #0:0
[aac @ 0xb3303480] Reserved SBR extensions is not implemented. Update your
Libav version to the newest one from Git. If the problem still occurs, it means
that your file has a feature which has not been implemented.
[aac @ 0xb3303480] If you want to help, upload a sample of this file to
ftp://upload.libav.org/incoming/ and contact the libav-devel mailing list.
[aac @ 0xb3303480] Expected to read 6 SBR bytes actually read 47.
Detected 2 logical cores.
[abuffer @ 0xb59012a0] tb:1/88200 samplefmt:(null) samplerate: 88200 ch
layout:(null)
[abuffersink @ 0xb59011a0] auto-inserting filter 'auto-inserted fifo 0' between
the filter 'audio format for output stream 0:0' and the filter 'output stream
0:0'
[aformat @ 0xb5901120] auto-inserting filter 'auto-inserted resampler 0'
between the filter 'Parsed filter 0 anull' and the filter 'audio format for
output stream 0:0'
[AVAudioResampleContext @ 0xb4d06600] audio_convert: found function: fltp to
s16  (C)
[AVAudioResampleContext @ 0xb4d06600] audio_convert: found function: fltp to
s16  (SSE2)
[AVAudioResampleContext @ 0xb4d06600] audio_convert: found function: fltp to
s16  (SSSE3)
[resample @ 0xb5901020] fmt:fltp srate:88200 cl:stereo -> fmt:s16 srate:88200
cl:stereo
[aac @ 0xb3303480] Input buffer exhausted before END element found
Error while decoding stream #0:0
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.1.0
    Stream #0:0, 0, 1/88200: Audio: pcm_s16le
      88200 Hz, stereo, s16, 2822 kb/s
    Metadata:
      encoder         : Lavc58.5.0 pcm_s16le
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
filter_frame    : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
filter_frame    : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
[AVAudioResampleContext @ 0xb4d06600] [start conversion]
[AVAudioResampleContext @ 0xb4d06600] [convert] input to output
[AVAudioResampleContext @ 0xb4d06600] 2048 samples - audio_convert: fltp to s16
(SSSE3)
[AVAudioResampleContext @ 0xb4d06600] [end conversion]
filter_frame    : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
filter_frame    : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
filter_frame    : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
[null @ 0xb3b01e80] av_interleaved_write_frame size:8192 dts:0 pts:0
[null @ 0xb3b01e80] compute_pkt_fields2: pts:0 dts:0
cur_dts:-9223372036854775808 b:0 size:8192 st:0
[null @ 0xb3b01e80] av_write_frame: pts2:0 dts2:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] channel element 2.5 is not allocated
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Expected to read 6 SBR bytes actually read 20.
[aac @ 0xb3303480] Input buffer exhausted before END element found
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
filter_frame    : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
filter_frame    : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
[AVAudioResampleContext @ 0xb4d06600] [start conversion]
[AVAudioResampleContext @ 0xb4d06600] [convert] input to output
[AVAudioResampleContext @ 0xb4d06600] 2048 samples - audio_convert: fltp to s16
(SSSE3)
[AVAudioResampleContext @ 0xb4d06600] [end conversion]
filter_frame    : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
filter_frame    : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
filter_frame    : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
[null @ 0xb3b01e80] av_interleaved_write_frame size:8192 dts:2048 pts:2048
[null @ 0xb3b01e80] compute_pkt_fields2: pts:2048 dts:2048 cur_dts:0 b:0
size:8192 st:0
[null @ 0xb3b01e80] av_write_frame: pts2:2048 dts2:2048
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] channel element 3.9 is not allocated
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Scalefactor (-2) out of range.
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Sample rate index in program config element does not match
the sample rate index configured by the container.
[aac @ 0xb3303480] channel element 2.14 is not allocated
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Number of bands (61) exceeds limit (43).
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] channel element 2.6 is not allocated
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Invalid bitstream, crossover band index beyond array bounds:
7
[aac @ 0xb3303480] SBR reset failed. Switching SBR to pure upsampling mode.
[aac @ 0xb3303480] channel element 3.9 is not allocated
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
filter_frame    : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
filter_frame    : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
[AVAudioResampleContext @ 0xb4d06600] [start conversion]
[AVAudioResampleContext @ 0xb4d06600] [convert] input to output
[AVAudioResampleContext @ 0xb4d06600] 2048 samples - audio_convert: fltp to s16
(SSSE3)
[AVAudioResampleContext @ 0xb4d06600] [end conversion]
filter_frame    : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
filter_frame    : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
filter_frame    : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
[null @ 0xb3b01e80] av_interleaved_write_frame size:8192 dts:4096 pts:4096
[null @ 0xb3b01e80] compute_pkt_fields2: pts:4096 dts:4096 cur_dts:2048 b:0
size:8192 st:0
[null @ 0xb3b01e80] av_write_frame: pts2:4096 dts2:4096
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Prediction is not allowed in AAC-LC.
Error while decoding stream #0:0
request_frame   : link[0xb5702340 r:88200 cl:stereo fmt:s16              afifo 
         ->abuffersink     ]
request_frame   : link[0xb5702420 r:88200 cl:stereo fmt:s16             
aformat         ->afifo           ]
request_frame   : link[0xb5702260 r:88200 cl:stereo fmt:s16             
resample        ->aformat         ]
request_frame   : link[0xb5702500 r:88200 cl:stereo fmt:fltp             anull 
         ->resample        ]
request_frame   : link[0xb57027a0 r:88200 cl:stereo fmt:fltp            
abuffer         ->anull           ]
[aac @ 0xb3303480] Reserved SBR extensions is not implemented. Update your
Libav version to the newest one from Git. If the problem still occurs, it means
that your file has a feature which has not been implemented.
[aac @ 0xb3303480] If you want to help, upload a sample of this file to
ftp://upload.libav.org/incoming/ and contact the libav-devel mailing list.
[aac @ 0xb3303480] Expected to read 6 SBR bytes actually read 47.
=================================================================
==17600==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0aecb5a0
at pc 0x09c57814 bp 0xbfc99608 sp 0xbfc995fc
READ of size 4 at 0x0aecb5a0 thread T0
    #0 0x9c57813 in ff_ps_apply
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x9c57813)
    #1 0x9643d98 in ff_sbr_apply
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x9643d98)
    #2 0x961baa1 in spectral_to_sample
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x961baa1)
    #3 0x9610853 in aac_decode_frame_int
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x9610853)
    #4 0x95fe587 in aac_decode_frame
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x95fe587)
    #5 0x870eb47 in decode_receive_frame_internal
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x870eb47)
    #6 0x870d9c8 in avcodec_send_packet
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x870d9c8)
    #7 0x81a35cd in decode
/home/min/fuzzing/src/libav/libav/avtools/avconv.c:1309:15
    #8 0x81a35cd in decode_audio
/home/min/fuzzing/src/libav/libav/avtools/avconv.c:1356
    #9 0x81a35cd in process_input_packet
/home/min/fuzzing/src/libav/libav/avtools/avconv.c:1524
    #10 0x8197289 in process_input
/home/min/fuzzing/src/libav/libav/avtools/avconv.c:2724:5
    #11 0x8197289 in transcode
/home/min/fuzzing/src/libav/libav/avtools/avconv.c:2766
    #12 0x8197289 in main
/home/min/fuzzing/src/libav/libav/avtools/avconv.c:2940
    #13 0xb748f636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x808aa97 in _start
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x808aa97)

0x0aecb5a0 is located 448 bytes to the right of global variable
'Q_fract_allpass' defined in 'libavcodec/aacps_tablegen.h:50:20' (0xaecaa80) of
size 2400
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/min/fuzzing/program/libav-master-asan/bin/avconv+0x9c57813) in
ff_ps_apply
Shadow bytes around the buggy address:
  0x215d9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x215d9670: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x215d9680: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x215d9690: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x215d96a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x215d96b0: f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x215d96c0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x215d96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x215d96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x215d96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x215d9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17600==ABORTING


The GDB debugging information is as follows:

  The debug information captured when ASAN reports the bug.

Thread 1 "avconv" hit Breakpoint 1, stereo_processing (ps=0x42cf40ce, 
    is34=<optimized out>, l=<optimized out>, r=<optimized out>)
    at libavcodec/aacps.c:810
810             h11 = H_LUT[iid_mapped[e][b] + 7 + 23 *
ps->iid_quant][icc_mapped[e][b]][0];
(gdb) bt
#0  stereo_processing (ps=0x42cf40ce, is34=<optimized out>, l=<optimized out>,
r=<optimized out>)
    at libavcodec/aacps.c:810
#1  ff_ps_apply (avctx=<optimized out>, ps=<optimized out>, L=<optimized out>,
R=<optimized out>, 
    top=<optimized out>) at libavcodec/aacps.c:905
#2  0x09643d99 in ff_sbr_apply (ac=<optimized out>, sbr=<optimized out>,
id_aac=<optimized out>, 
    L=<optimized out>, R=<optimized out>) at libavcodec/aacsbr.c:1711
#3  0x0961baa2 in spectral_to_sample (ac=<optimized out>) at
libavcodec/aacdec.c:2691
#4  0x09610854 in aac_decode_frame_int (avctx=<optimized out>, data=<optimized
out>, 
    got_frame_ptr=<optimized out>, gb=<optimized out>) at
libavcodec/aacdec.c:2944
#5  0x095fe588 in aac_decode_frame (avctx=<optimized out>, data=0x0, 
    got_frame_ptr=<optimized out>, avpkt=<optimized out>) at
libavcodec/aacdec.c:3010
#6  0x0870eb48 in decode_simple_internal (avctx=<optimized out>,
frame=<optimized out>)
    at libavcodec/decode.c:335
#7  decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized out>)
    at libavcodec/decode.c:386
#8  decode_receive_frame_internal (avctx=<optimized out>, frame=<optimized
out>)
    at libavcodec/decode.c:404
#9  0x0870d9c9 in avcodec_send_packet (avctx=<optimized out>, avpkt=<optimized
out>)
    at libavcodec/decode.c:469
#10 0x081a35ce in decode (avctx=0xb3c03480, frame=0xb4c00740, pkt=0xbfffe370, 
    got_frame=<optimized out>) at avtools/avconv.c:1309
#11 decode_audio (ist=<optimized out>, pkt=0xbfffe370, got_output=<optimized
out>, 
    decode_failed=<optimized out>) at avtools/avconv.c:1356
#12 process_input_packet (ist=<optimized out>, pkt=0xbfffe700,
no_eof=<optimized out>)
    at avtools/avconv.c:1524
#13 0x0819728a in process_input () at avtools/avconv.c:2724
#14 transcode () at avtools/avconv.c:2766
#15 main (argc=<optimized out>, argv=<optimized out>) at avtools/avconv.c:2940

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x9c52e6b to 0x9c52eab:
   0x09c52e6b <ff_ps_apply+35307>:  add    %al,(%eax)
   0x09c52e6d <ff_ps_apply+35309>:  lea    0x10(%ecx),%eax
   0x09c52e70 <ff_ps_apply+35312>:  mov    %eax,0x280(%esi)
   0x09c52e76 <ff_ps_apply+35318>:  lea    0x14(%edi),%eax
   0x09c52e79 <ff_ps_apply+35321>:  mov    %eax,0x2c0(%esi)
   0x09c52e7f <ff_ps_apply+35327>:  lea    0x18(%edi),%eax
   0x09c52e82 <ff_ps_apply+35330>:  mov    %eax,0x2b0(%esi)
   0x09c52e88 <ff_ps_apply+35336>:  lea    0x1c(%edi),%eax
=> 0x09c52e8b <ff_ps_apply+35339>:  mov    %eax,0x2a0(%esi)
   0x09c52e91 <ff_ps_apply+35345>:  lea    0x8(%ebx),%eax
   0x09c52e94 <ff_ps_apply+35348>:  mov    %eax,0x300(%esi)
   0x09c52e9a <ff_ps_apply+35354>:  lea    0x10(%ebx),%eax
   0x09c52e9d <ff_ps_apply+35357>:  mov    %eax,0x380(%esi)
   0x09c52ea3 <ff_ps_apply+35363>:  mov    0x44(%esi),%eax
   0x09c52ea6 <ff_ps_apply+35366>:  lea    0x8(%eax),%eax
   0x09c52ea9 <ff_ps_apply+35369>:  mov    %eax,0x160(%esi)
End of assembler dump.

(gdb) info all-registers
eax            0xbffef5ac -1073810004
ecx            0xbffef5d0 -1073809968
edx            0x0  0
ebx            0xb67d5c00 -1233298432
esp            0xbffef180 0xbffef180
ebp            0xbfffd6d8 0xbfffd6d8
esi            0xbfffd280 -1073753472
edi            0xbffef590 -1073810032
eip            0x9c52e8b  0x9c52e8b <ff_ps_apply+35339>
eflags         0x246  [ PF ZF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
st0            -2.6739356656884984012244583335363851e-09  (raw
0xbfe2b7c05faae8519000)
st1            0.49999998953191654438299451612692792  (raw
0x3ffdffffffa61470e800)
st2            -1.4585907351719051838756513461703435e-18  (raw
0xbfc3d740000000000000)
st3            0.22222220897674560546875  (raw 0x3ffce38e380000000000)
st4            0.22222220897674560546875  (raw 0x3ffce38e380000000000)
st5            0.22222220897674560546875  (raw 0x3ffce38e380000000000)
st6            0.22222220897674560546875  (raw 0x3ffce38e380000000000)
st7            0.289506614208221435546875 (raw 0x3ffd943a360000000000)
fctrl          0x37f  895
fstat          0x420  1056
ftag           0xffff 65535
fiseg          0x0  0
fioff          0xb7f8cc97 -1208431465
foseg          0x0  0
fooff          0x0  0
fop            0x0  0
mxcsr          0x1fa0 [ PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16
times>}, v8_int32 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0},
v2_int128 = {
    0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
mm0            {uint64 = 0xb7c05faae8519000, v2_int32 = {0xe8519000,
0xb7c05faa}, v4_int16 = {
    0x9000, 0xe851, 0x5faa, 0xb7c0}, v8_int8 = {0x0, 0x90, 0x51, 0xe8, 0xaa,
0x5f, 0xc0, 0xb7}}
mm1            {uint64 = 0xffffffa61470e800, v2_int32 = {0x1470e800,
0xffffffa6}, v4_int16 = {
    0xe800, 0x1470, 0xffa6, 0xffff}, v8_int8 = {0x0, 0xe8, 0x70, 0x14, 0xa6,
0xff, 0xff, 0xff}}
mm2            {uint64 = 0xd740000000000000, v2_int32 = {0x0, 0xd7400000},
v4_int16 = {0x0, 0x0, 
    0x0, 0xd740}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40, 0xd7}}
mm3            {uint64 = 0xe38e380000000000, v2_int32 = {0x0, 0xe38e3800},
v4_int16 = {0x0, 0x0, 
    0x3800, 0xe38e}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x8e, 0xe3}}
mm4            {uint64 = 0xe38e380000000000, v2_int32 = {0x0, 0xe38e3800},
v4_int16 = {0x0, 0x0, 
    0x3800, 0xe38e}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x8e, 0xe3}}
mm5            {uint64 = 0xe38e380000000000, v2_int32 = {0x0, 0xe38e3800},
v4_int16 = {0x0, 0x0, 
    0x3800, 0xe38e}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x8e, 0xe3}}
mm6            {uint64 = 0xe38e380000000000, v2_int32 = {0x0, 0xe38e3800},
v4_int16 = {0x0, 0x0, 
    0x3800, 0xe38e}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x38, 0x8e, 0xe3}}
mm7            {uint64 = 0x943a360000000000, v2_int32 = {0x0, 0x943a3600},
v4_int16 = {0x0, 0x0, 
    0x3600, 0x943a}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x36, 0x3a, 0x94}}


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
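The fault site the triage directory name and the gdb breakpoint point at (libavcodec/aacps.c:810) indexes a lookup table with IID and ICC parameters decoded from the bitstream. The block below is an added illustration of the bug class, written for this page; it is not Libav code and not the fix for this report. The table dimensions (46 rows of 8 ICC entries), the coarse/fine IID ranges (-7..7 and -15..15) and the delta accumulation of IID values are assumptions chosen so that the quoted index expression covers the table exactly; the page itself does not say whether the out-of-range value came from the IID or the ICC side.

```c
/*
 * Added example (not Libav code, not the fix for this bug): bounds checking
 * for a parametric-stereo lookup shaped like the one at libavcodec/aacps.c:810,
 *   h11 = H_LUT[iid_mapped[e][b] + 7 + 23 * ps->iid_quant][icc_mapped[e][b]][0];
 * Table dimensions and parameter ranges are ASSUMPTIONS for illustration,
 * not values taken from the Libav source.
 */
#include <stdio.h>

#define IID_COARSE_MAX   7   /* assumed: coarse IID index range is -7..7  */
#define IID_FINE_MAX    15   /* assumed: fine IID index range is -15..15  */
#define ICC_COUNT        8   /* assumed: ICC index range is 0..7          */
#define H_ROWS          46   /* assumed: 15 coarse rows + 31 fine rows    */

/* Constructed stand-in for the real table: zero-filled, only its shape matters. */
static const float H_LUT[H_ROWS][ICC_COUNT][4] = { { { 0.0f } } };

/* Row index computed exactly as on the quoted line 810. */
static int h_row_index(int iid, int iid_quant)
{
    return iid + 7 + 23 * iid_quant;
}

/* 0 if (iid, icc, iid_quant) addresses a valid element, -1 otherwise. */
static int ps_params_in_bounds(int iid, int icc, int iid_quant)
{
    int row, lim;
    if (iid_quant != 0 && iid_quant != 1)
        return -1;
    if (icc < 0 || icc >= ICC_COUNT)
        return -1;
    lim = iid_quant ? IID_FINE_MAX : IID_COARSE_MAX;
    if (iid < -lim || iid > lim)
        return -1;
    row = h_row_index(iid, iid_quant);
    /* Redundant given the range checks above; kept so the table bound is stated once. */
    return (row >= 0 && row < H_ROWS) ? 0 : -1;
}

/* Lookup that refuses to read outside the table. Without the check this is the
 * same unguarded global read the reporter's triage points at. */
static int ps_lookup_h11(int iid, int icc, int iid_quant, float *h11)
{
    if (ps_params_in_bounds(iid, icc, iid_quant) < 0)
        return -1;
    *h11 = H_LUT[h_row_index(iid, iid_quant)][icc][0];
    return 0;
}

/* Assumed for illustration: IID values arrive as per-band deltas applied to the
 * previous band's value, so a crafted delta run can walk the accumulated value
 * off the table unless every band is checked. Returns the number of bands
 * validated, or -1 at the first band that leaves the table. */
static int ps_accumulate_iid(const int *deltas, int nbands, int iid_quant, int *out)
{
    int prev = 0, b;
    for (b = 0; b < nbands; b++) {
        prev += deltas[b];
        if (ps_params_in_bounds(prev, 0, iid_quant) < 0)
            return -1;
        out[b] = prev;
    }
    return nbands;
}

/* Constructed inputs. Coarse run ends at +7 (last valid row of the coarse
 * block); fine run reaches +16, i.e. row 46, one past the table. */
static int demo_in_range(void)
{
    static const int d[] = {3, 3, 1};
    int o[3];
    return ps_accumulate_iid(d, 3, 0, o);
}

static int demo_overshoot(void)
{
    static const int d[] = {8, 8, 8};
    int o[3];
    return ps_accumulate_iid(d, 3, 1, o);
}

int main(void)
{
    printf("coarse run: %d bands validated\n", demo_in_range());
    printf("fine run: %d (rejected before the read)\n", demo_overshoot());
    printf("iid=+16 fine would select row %d of a %d-row table\n",
           h_row_index(16, 1), H_ROWS);
    return 0;
}
```

The point of the shape: the table index is a linear function of two bitstream-controlled parameters, so the parameter ranges, not the index, are what a decoder has to validate, and they have to be validated per band because delta coding lets each band move the value further. Under a sanitizer build the unguarded read shows up exactly as in the report above, as a global-buffer-overflow landing in whatever global the linker placed after the table.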
