[libav-bugs] [Bug 1012] New: Null Pointer dereference at libavcodec/mpeg4videodec.c mpeg4_decode_sprite_trajectory()

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 20:21:07 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1012

            Bug ID: 1012
           Summary: Null Pointer dereference at libavcodec/mpeg4videodec.c
                    mpeg4_decode_sprite_trajectory()
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 639
  --> https://bugzilla.libav.org/attachment.cgi?id=639&action=edit
File causing Nullderef in mpeg4_decode_sprite_trajectory

While fuzzing, the following null pointer dereference was found.
A file triggering the crash in avplay is attached to the report; the crash was observed at
git HEAD ee164727dd64c199b87118917e674b17c25e0da3.
The faulting instruction (mpeg4_decode_sprite_trajectory+224 in the disassembly below) reads through a NULL VLC table: frame #0 shows table=0x0, and r12, the base of the preceding `lea rdx,[r12+rdx*4]`, is 0 in the register dump.


$ ./gdb/avplay crash-null-0x14ded72.avi                                         
avplay version 13_dev0, Copyright (c) 2003-2016 the Libav developers
  built on Jan  2 2017 19:06:58 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
Segmentation fault (core dumped)

Core was generated by `./gdb/avplay crash-null-0x14ded72.avi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000708270 in get_vlc2 (max_depth=0x3, bits=0x6, table=0x0,
s=0x7fffc9021610) at libavcodec/get_bits.h:501
501         GET_VLC(code, re, s, table, bits, max_depth);
gdb-peda$ bt
#0  0x0000000000708270 in get_vlc2 (max_depth=0x3, bits=0x6, table=0x0,
s=0x7fffc9021610) at libavcodec/get_bits.h:501
#1  mpeg4_decode_sprite_trajectory (ctx=ctx at entry=0x1994f70,
gb=gb at entry=0x7fffc9021610) at libavcodec/mpeg4videodec.c:193
#2  0x0000000000712712 in decode_vop_header (gb=0x7fffc9021610, ctx=0x1994f70)
at libavcodec/mpeg4videodec.c:2236
#3  ff_mpeg4_decode_picture_header (ctx=0x1994f70, gb=0x7fffc9021610) at
libavcodec/mpeg4videodec.c:2495
#4  0x0000000000707a6f in mpeg4_decode_header (s1=0x198cca0, s1=0x198cca0,
buf_size=<optimized out>, buf=<optimized out>, avctx=0x198b800) at
libavcodec/mpeg4video_parser.c:92
#5  mpeg4video_parse (s=0x198cca0, avctx=0x198b800, poutbuf=0x7fffc9021718,
poutbuf_size=0x7fffc9021720, buf=0x198ce30 "", buf_size=0x835) at
libavcodec/mpeg4video_parser.c:132
#6  0x000000000076cebe in av_parser_parse2 (s=0x198cca0, avctx=<optimized out>,
poutbuf=poutbuf at entry=0x7fffc9021718,
poutbuf_size=poutbuf_size at entry=0x7fffc9021720, buf=<optimized out>,
buf at entry=0x198ce30 "", buf_size=buf_size at entry=0x835, 
    pts=0x8000000000000000, dts=0x0, pos=0x2cd1) at libavcodec/parser.c:166
#7  0x0000000000545442 in parse_packet (s=s at entry=0x1977f00,
pkt=pkt at entry=0x7fffc9021810, stream_index=<optimized out>) at
libavformat/utils.c:834
#8  0x00000000005458bd in read_frame_internal (s=s at entry=0x1977f00,
pkt=pkt at entry=0x7fffc9021900) at libavformat/utils.c:988
#9  0x0000000000547be4 in avformat_find_stream_info (ic=0x1977f00,
options=0x197b180) at libavformat/utils.c:2336
#10 0x000000000044d1f3 in stream_setup (is=0x106ec80 <player_state>) at
avplay.c:2316
#11 stream_open (iformat=<optimized out>, filename=<optimized out>,
is=0x106ec80 <player_state>) at avplay.c:2550
#12 main (argc=argc at entry=0x2, argv=argv at entry=0x7fffc9021cb8) at avplay.c:3050
#13 0x00007fba48e8a830 in __libc_start_main (main=0x44cfa0 <main>, argc=0x2,
argv=0x7fffc9021cb8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffc9021ca8) at ../csu/libc-start.c:291
#14 0x000000000044e589 in _start ()

gdb-peda$ disas $pc
...
   0x0000000000708255 <+197>:   mov    edx,eax
   0x0000000000708257 <+199>:   mov    ecx,eax
   0x0000000000708259 <+201>:   shr    edx,0x3
   0x000000000070825c <+204>:   and    ecx,0x7
   0x000000000070825f <+207>:   mov    edx,DWORD PTR [rbp+rdx*1+0x0]
   0x0000000000708263 <+211>:   bswap  edx
   0x0000000000708265 <+213>:   shl    edx,cl
   0x0000000000708267 <+215>:   shr    edx,0xfa
   0x000000000070826a <+218>:   mov    edx,edx
   0x000000000070826c <+220>:   lea    rdx,[r12+rdx*4]
=> 0x0000000000708270 <+224>:   movsx  r9d,WORD PTR [rdx]
   0x0000000000708274 <+228>:   movsx  edx,WORD PTR [rdx+0x2]
   0x0000000000708278 <+232>:   test   edx,edx
   0x000000000070827a <+234>:   mov    r13d,edx
   0x000000000070827d <+237>:   js     0x708480
<mpeg4_decode_sprite_trajectory+752>
   0x0000000000708283 <+243>:   add    eax,edx
   0x0000000000708285 <+245>:   cmp    eax,r8d
   0x0000000000708288 <+248>:   cmova  eax,r8d
   0x000000000070828c <+252>:   xor    r14d,r14d
   0x000000000070828f <+255>:   xor    edx,edx
   0x0000000000708291 <+257>:   test   r9d,r9d
   0x0000000000708294 <+260>:   mov    DWORD PTR [rsi+0x10],eax
...

gdb-peda$ info all-registers
rax            0x39     0x39
rbx            0x7fffc9021510   0x7fffc9021510
rcx            0x1      0x1
rdx            0x38     0x38
rsi            0x7fffc9021610   0x7fffc9021610
rdi            0x1994f70        0x1994f70
rbp            0x198ce30        0x198ce30
rsp            0x7fffc90214e0   0x7fffc90214e0
r8             0x41b0   0x41b0
r9             0x2      0x2
r10            0x1      0x1
r11            0x19975e4        0x19975e4
r12            0x0      0x0
r13            0x7fffc9021720   0x7fffc9021720
r14            0x198b800        0x198b800
r15            0x0      0x0
rip            0x708270 0x708270 <mpeg4_decode_sprite_trajectory+224>
eflags         0x10202  [ IF RF ]
cs             0x33     0x33
ss             0x2b     0x2b
ds             0x0      0x0
es             0x0      0x0
fs             0x0      0x0
gs             0x0      0x0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    0x37f
fstat          0x0      0x0
ftag           0xffff   0xffff
fiseg          0x0      0x0
fioff          0x0      0x0
foseg          0x0      0x0
fooff          0x0      0x0
fop            0x0      0x0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
ymm0           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 15 times>, 0xff, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff00, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x0, 0x0, 0x0, 0xff000000, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0xff00000000000000, 0x0, 0x0}, 
  v2_int128 = {0xff000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm1           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm2           {
  v8_float = {0x2b020000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xfc, 0xa9, 0xf1, 0xd2, 0x4d, 0x62, 0x40, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xa9fc, 0xd2f1, 0x624d, 0x3f40, 0x0 <repeats 12 times>}, 
  v8_int32 = {0xd2f1a9fc, 0x3f40624d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3f40624dd2f1a9fc, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003f40624dd2f1a9fc,
0x00000000000000000000000000000000}
}
ymm3           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm4           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xff, 0xff, 0xff, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff,
0xff, 0x0 <repeats 20 times>}, 
  v16_int16 = {0xffff, 0xffff, 0x0, 0x0, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0xffffffff, 0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xffffffff, 0xffffffff, 0x0, 0x0}, 
  v2_int128 = {0x00000000ffffffff00000000ffffffff,
0x00000000000000000000000000000000}
}
ymm5           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm6           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm7           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm8           {
  v8_float = {0x1, 0xfffee1e8, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xd3, 0xc1, 0x9b, 0x3f, 0x1e, 0xc, 0x8f, 0xc7, 0x83, 0x49, 0x6,
0x41, 0x93, 0x8e, 0x23, 0x0 <repeats 17 times>}, 
  v16_int16 = {0xc1d3, 0x3f9b, 0xc1e, 0xc78f, 0x4983, 0x4106, 0x8e93, 0x23,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x3f9bc1d3, 0xc78f0c1e, 0x41064983, 0x238e93, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0xc78f0c1e3f9bc1d3, 0x238e9341064983, 0x0, 0x0}, 
  v2_int128 = {0x00238e9341064983c78f0c1e3f9bc1d3,
0x00000000000000000000000000000000}
}
ymm9           {
  v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xf6, 0x8f, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x8ff6, 0x21ee, 0x74a8, 0x3fd3, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x21ee8ff6, 0x3fd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3fd374a821ee8ff6, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003fd374a821ee8ff6,
0x00000000000000000000000000000000}
}
ymm10          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x54, 0xec, 0x35, 0x16, 0xb3, 0xe9, 0x8f, 0xbd, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xec54, 0x1635, 0xe9b3, 0xbd8f, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x1635ec54, 0xbd8fe9b3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xbd8fe9b31635ec54, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000bd8fe9b31635ec54,
0x00000000000000000000000000000000}
}
ymm11          {
  v8_float = {0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0xffffffffffffffd2, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xc047069e6735e6e0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000c047069e6735e6e0,
0x00000000000000000000000000000000}
}
ymm12          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x0, 0x3cc40000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3cc4000000000000, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003cc4000000000000,
0x00000000000000000000000000000000}
}
ymm13          {
  v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x90, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x9000, 0x21ee, 0x74a8, 0x3fd3, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x21ee9000, 0x3fd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3fd374a821ee9000, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003fd374a821ee9000,
0x00000000000000000000000000000000}
}
ymm14          {
  v8_float = {0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x2d, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x4046dfb516f209c0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000004046dfb516f209c0,
0x00000000000000000000000000000000}
}
ymm15          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xb3, 0x35, 0xb2, 0xb0, 0x7d, 0x51, 0x53, 0x3c, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x35b3, 0xb0b2, 0x517d, 0x3c53, 0x0 <repeats 12 times>}, 
  v8_int32 = {0xb0b235b3, 0x3c53517d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3c53517db0b235b3, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003c53517db0b235b3,
0x00000000000000000000000000000000}
}
