[libav-bugs] [Bug 1106] New: Global out-of-bound read in decode_residual

bugzilla at libav.org bugzilla at libav.org
Sat Dec 2 03:19:22 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1106

            Bug ID: 1106
           Summary: Global out-of-bound read in decode_residual
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 701
  --> https://bugzilla.libav.org/attachment.cgi?id=701&action=edit
poc file

Triggered by "./avconv -i $POC -f null -"

Global out-of-bound read in decode_residual.

ASAN report:
avconv version 12.2, Copyright (c) 2000-2017 the Libav developers
  built on Oct  9 2017 02:01:01 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
  configuration: --prefix=/home/min/fuzzing/program/libav-12.2-asan/
--toolchain=clang-asan
  libavutil     55. 20. 0 / 55. 20. 0
  libavcodec    57. 25. 0 / 57. 25. 0
  libavformat   57.  7. 2 / 57.  7. 2
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  7. 0 /  6.  7. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument
'./avconv_aac_1_afl_d/triage-12.2/h264_cavlc.c:620:9/id:000793,sig:06,src:012028,op:havoc,rep:32'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file
./avconv_aac_1_afl_d/triage-12.2/h264_cavlc.c:620:9/id:000793,sig:06,src:012028,op:havoc,rep:32.
Successfully parsed a group of options.
Opening an input file:
./avconv_aac_1_afl_d/triage-12.2/h264_cavlc.c:620:9/id:000793,sig:06,src:012028,op:havoc,rep:32.
score: 0, dvhs_score: 0, fec_score: 0 
nsv_probe(), buf_size 2048
[h264 @ 0xb3b03680] Probed with size=2048 and score=51
[h264 @ 0xb4700f80] illegal POC type 6
[h264 @ 0xb4700f80] non-existing PPS 0 referenced
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0xb4700f80] non-existing PPS 0 referenced
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0xb4700f80] illegal aspect ratio
[h264 @ 0xb4700f80] non-existing PPS 0 referenced
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0xb4700f80] nal_unit_type: 7, nal_ref_idc: 2
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 0
[h264 @ 0xb4700f80] illegal POC type 6
[h264 @ 0xb4700f80] non-existing PPS 0 referenced
[h264 @ 0xb4700f80] decode_slice_header error
[h264 @ 0xb4700f80] no frame!
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 0
[h264 @ 0xb4700f80] non-existing PPS 0 referenced
[h264 @ 0xb4700f80] decode_slice_header error
[h264 @ 0xb4700f80] no frame!
[h264 @ 0xb4700f80] nal_unit_type: 7, nal_ref_idc: 2
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 2
[h264 @ 0xb4700f80] illegal aspect ratio
[h264 @ 0xb4700f80] non-existing PPS 0 referenced
[h264 @ 0xb4700f80] decode_slice_header error
[h264 @ 0xb4700f80] no frame!
[h264 @ 0xb4700f80] nal_unit_type: 8, nal_ref_idc: 2
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 0
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 2
[h264 @ 0xb4700f80] reference count overflow
[h264 @ 0xb4700f80] decode_slice_header error
    Last message repeated 1 times
[h264 @ 0xb4700f80] no frame!
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 2
[h264 @ 0xb4700f80] Reinit context to 48x416, pix_fmt: 70
[h264 @ 0xb4700f80] Missing reference picture
[h264 @ 0xb4700f80] decode_slice_header error
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 2
[h264 @ 0xb4700f80] Missing reference picture
    Last message repeated 5 times
[h264 @ 0xb4700f80] top block unavailable for requested intra4x4 mode -1
[h264 @ 0xb4700f80] error while decoding MB 2 0
[h264 @ 0xb4700f80] number of reference frames (0+2) exceeds max (0; probably
corrupt input), discarding one
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 0
[h264 @ 0xb4700f80] left block unavailable for requested intra4x4 mode -1
[h264 @ 0xb4700f80] error while decoding MB 0 3
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 2
[h264 @ 0xb4700f80] Missing reference picture
    Last message repeated 5 times
[h264 @ 0xb4700f80] ref 32 overflow
[h264 @ 0xb4700f80] error while decoding MB 2 4
[h264 @ 0xb4700f80] illegal short term buffer state detected
[h264 @ 0xb4700f80] reference overflow (pps)
[h264 @ 0xb4700f80] missing picture in access unit
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0xb4303a00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0xb4700f80] Invalid NAL unit 1, skipping.
[h264 @ 0xb4700f80] nal_unit_type: 2, nal_ref_idc: 2
[h264 @ 0xb4700f80] data partitioning is not implemented. Update your Libav
version to the newest one from Git. If the problem still occurs, it means that
your file has a feature which has not been implemented.
[h264 @ 0xb4700f80] If you want to help, upload a sample of this file to
ftp://upload.libav.org/incoming/ and contact the libav-devel mailing list.
[h264 @ 0xb4700f80] nal_unit_type: 1, nal_ref_idc: 2
=================================================================
==17797==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0a00e970
at pc 0x0965a257 bp 0xbfd58018 sp 0xbfd5800c
READ of size 1 at 0x0a00e970 thread T0
    #0 0x965a256 in decode_residual
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264_cavlc.c:620:9
    #1 0x963e10e in decode_luma_residual
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264_cavlc.c:651:25
    #2 0x963e10e in ff_h264_decode_mb_cavlc
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264_cavlc.c:1120
    #3 0x96ddf1b in decode_slice
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264_slice.c:2413:19
    #4 0x96dc0d8 in ff_h264_execute_decode_slices
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264_slice.c:2510:15
    #5 0x883704f in decode_nal_units
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264dec.c:590:27
    #6 0x883704f in h264_decode_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264dec.c:744
    #7 0x90f080a in avcodec_decode_video2
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1588:19
    #8 0x90f3198 in do_decode
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1727:15
    #9 0x90f2dbf in avcodec_send_packet
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/utils.c:1804:12
    #10 0x8516159 in try_decode_frame
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:1950:19
    #11 0x850ea4c in avformat_find_stream_info
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavformat/utils.c:2356:9
    #12 0x816afb4 in open_input_file
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:771:11
    #13 0x8169cdc in open_files
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:2380:15
    #14 0x8169730 in avconv_parse_options
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv_opt.c:2417:11
    #15 0x818f46e in main
/home/min/fuzzing/src/libav-12.2/libav-12.2/avconv.c:2866:11
    #16 0xb746c636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x8089f47 in _start
(/home/min/fuzzing/program/libav-12.2-asan/bin/avconv+0x8089f47)

0x0a00e970 is located 48 bytes to the left of global variable
'zigzag_scan8x8_cavlc' defined in 'libavcodec/h264_slice.c:96:22' (0xa00e9a0)
of size 64
0x0a00e970 is located 0 bytes to the right of global variable 'field_scan'
defined in 'libavcodec/h264_slice.c:50:22' (0xa00e960) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/min/fuzzing/src/libav-12.2/libav-12.2/libavcodec/h264_cavlc.c:620:9 in
decode_residual
Shadow bytes around the buggy address:
  0x21401cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21401ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21401cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21401d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x21401d10: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 00 02
=>0x21401d20: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00[f9]f9
  0x21401d30: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x21401d40: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x21401d50: 00 00 00 00 f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9
  0x21401d60: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9
  0x21401d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17797==ABORTING


The GDB debugging information is as follows:

  The debug information at the point where ASAN reports the bug.

(gdb) bt
#0  decode_residual (h=<optimized out>, sl=<optimized out>, gb=<optimized out>, 
    block=<optimized out>, n=<optimized out>, scantable=0xb3c059d0 "\001",
qmul=<optimized out>, 
    max_coeff=<optimized out>) at libavcodec/h264_cavlc.c:620
#1  0x0981700f in decode_luma_residual (h=<optimized out>, sl=<optimized out>,
gb=<optimized out>, 
    scan=<optimized out>, scan8x8=<optimized out>, pixel_shift=<optimized out>, 
    mb_type=<optimized out>, p=0, cbp=<optimized out>) at
libavcodec/h264_cavlc.c:651
#2  ff_h264_decode_mb_cavlc (h=<optimized out>, sl=<optimized out>) at
libavcodec/h264_cavlc.c:1120
#3  0x098b726c in decode_slice (avctx=<optimized out>, arg=<optimized out>)
    at libavcodec/h264_slice.c:2432
#4  0x098b5429 in ff_h264_execute_decode_slices (h=<optimized out>) at
libavcodec/h264_slice.c:2529
#5  0x088fa76f in decode_nal_units (h=<optimized out>, buf=<optimized out>, 
    buf_size=<optimized out>) at libavcodec/h264dec.c:593
#6  h264_decode_frame (avctx=<optimized out>, data=<optimized out>,
got_frame=<optimized out>, 
    avpkt=<optimized out>) at libavcodec/h264dec.c:727
#7  0x0870eb48 in decode_simple_internal (avctx=<optimized out>,
frame=<optimized out>)
    at libavcodec/decode.c:335
#8  decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized out>)
    at libavcodec/decode.c:386
#9  decode_receive_frame_internal (avctx=<optimized out>, frame=<optimized
out>)
    at libavcodec/decode.c:404
#10 0x0870d9c9 in avcodec_send_packet (avctx=<optimized out>, avpkt=<optimized
out>)
    at libavcodec/decode.c:469
#11 0x0852b23a in try_decode_frame (s=<optimized out>, st=<optimized out>,
avpkt=<optimized out>, 
    options=<optimized out>) at libavformat/utils.c:1950
#12 0x085235e5 in avformat_find_stream_info (ic=<optimized out>,
options=0x17fffba0)
    at libavformat/utils.c:2459
#13 0x08160215 in open_input_file (o=<optimized out>, filename=<optimized out>)
    at avtools/avconv_opt.c:826
#14 0x0815ef3d in open_files (l=<optimized out>, inout=0x9e5caa0 <.str>
"input", 
    open_file=<optimized out>) at avtools/avconv_opt.c:2472
#15 0x0815e9a1 in avconv_parse_options (argc=<optimized out>, argv=<optimized
out>)
    at avtools/avconv_opt.c:2509
#16 0x08192553 in main (argc=<optimized out>, argv=<optimized out>) at
avtools/avconv.c:2918

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x9830ca9 to 0x9830ce9:
   0x09830ca9 <decode_residual+6377>: cwtl   
   0x09830caa <decode_residual+6378>: mov    %eax,0x70(%esp)
   0x09830cae <decode_residual+6382>: add    $0x55d0,%ecx
   0x09830cb4 <decode_residual+6388>: mov    %ecx,%eax
   0x09830cb6 <decode_residual+6390>: shr    $0x3,%eax
   0x09830cb9 <decode_residual+6393>: mov    0x20000000(%eax),%al
   0x09830cbf <decode_residual+6399>: test   %al,%al
   0x09830cc1 <decode_residual+6401>: jne    0x9833005 <decode_residual+15429>
   0x09830cc7 <decode_residual+6407>: mov    (%ecx),%eax
=> 0x09830cc9 <decode_residual+6409>: mov    0x38(%esp),%ecx
   0x09830ccd <decode_residual+6413>: mov    0x20000000(%ecx),%cl
   0x09830cd3 <decode_residual+6419>: test   %cl,%cl
   0x09830cd5 <decode_residual+6421>: jne    0x9833022 <decode_residual+15458>
   0x09830cdb <decode_residual+6427>: mov    0x14(%ebp),%ecx
   0x09830cde <decode_residual+6430>: mov    0x70(%esp),%esi
   0x09830ce2 <decode_residual+6434>: lea    (%edx,%esi,1),%edx
   0x09830ce5 <decode_residual+6437>: lea    -0x1(%ecx,%edx,1),%edi
End of assembler dump.

(gdb) info all-registers
eax            0x1  1
ecx            0xb3c059d0 -1279239728
edx            0x7  7
ebx            0xb421440c -1272888308
esp            0xbfffd180 0xbfffd180
ebp            0xbfffd2b8 0xbfffd2b8
esi            0xb4214400 -1272888320
edi            0x1e7  487
eip            0x9830cc9  0x9830cc9 <decode_residual+6409>
eflags         0x246  [ PF ZF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
