[libav-bugs] [Bug 1013] New: Null deref at vc1_decode_sprites libavcodec/vc1dec.c

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 20:30:07 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1013

            Bug ID: 1013
           Summary: Null deref at vc1_decode_sprites libavcodec/vc1dec.c
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 640
  --> https://bugzilla.libav.org/attachment.cgi?id=640&action=edit
Sample File causing libav to crash with a null deref

Null dereference found by fuzzing at vc1_decode_sprites. The register dump below shows rax = 0 at the faulting `cmp QWORD PTR [rax],0x0`, i.e. the frame pointer `s->current_picture.f` itself is NULL when vc1dec.c:273 tests `f->data[0]`, so the existing check dereferences NULL before it can reject the frame.
A sample file causing avplay to crash is attached to this report.
Tested at git HEAD ee164727dd64c199b87118917e674b17c25e0da3.

$  ./libav/avplay crash-null-0x14ded72.avi 
avplay version v13_dev0-685-gee16472, Copyright (c) 2003-2016 the Libav
developers
  built on Jan  2 2017 00:21:26 with clang version 3.8.0-2ubuntu4
(tags/RELEASE_380/final)
Segmentation fault (core dumped)
$ gdb gdb/avplay /tmp/core_avplay.14230 
Reading symbols from gdb/avplay...done.
[New LWP 14234]
[New LWP 14237]
[New LWP 14236]
[New LWP 14230]
[New LWP 14235]
[New LWP 14238]
[New LWP 14239]
[New LWP 14240]
[New LWP 14241]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./gdb/avplay crash-null-0x1c14835.wmv'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000084a91a in vc1_decode_sprites (gb=<optimized out>, v=<optimized
out>) at libavcodec/vc1dec.c:273
273         if (!s->current_picture.f->data[0]) {
[Current thread is 1 (Thread 0x7f9961eb2700 (LWP 14234))]
gdb-peda$ bt
#0  0x000000000084a91a in vc1_decode_sprites (gb=<optimized out>, v=<optimized
out>) at libavcodec/vc1dec.c:273
#1  vc1_decode_frame (avctx=<optimized out>, data=0x3256000,
got_frame=0x7f9961eb1b74, avpkt=<optimized out>) at libavcodec/vc1dec.c:923
#2  0x00000000005ab61d in decode_simple_internal (frame=0x3256000,
avctx=0x324e5c0) at libavcodec/decode.c:334
#3  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:390
#4  decode_receive_frame_internal (avctx=0x324e5c0, frame=0x3256000) at
libavcodec/decode.c:408
#5  0x00000000005ab9b8 in avcodec_send_packet (avctx=avctx at entry=0x324e5c0,
avpkt=avpkt at entry=0x7f9961eb1cc0) at libavcodec/decode.c:445
#6  0x00000000005aba59 in compat_decode (avctx=0x324e5c0, frame=0x7f995c0008c0,
got_frame=0x7f9961eb1ca0, pkt=0x7f9961eb1cc0) at libavcodec/decode.c:500
#7  0x00000000004571e5 in get_video_frame (pkt=0x7f9961eb1cc0, pts=<synthetic
pointer>, frame=0x7f995c0008c0, is=0x106ec80 <player_state>) at avplay.c:1405
#8  video_thread (arg=0x106ec80 <player_state>) at avplay.c:1563
#9  0x00007f99692a70b8 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#10 0x00007f99692e6f59 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#11 0x00007f9967eec6ba in start_thread (arg=0x7f9961eb2700) at
pthread_create.c:333
#12 0x00007f9967c2282d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109

gdb-peda$ disas $pc
...
   0x000000000084a8fa <+2442>:    mov    esi,0x18
   0x000000000084a8ff <+2447>:    mov    rdi,rbx
   0x000000000084a902 <+2450>:    xor    eax,eax
   0x000000000084a904 <+2452>:    mov    QWORD PTR [rsp+0x8],r11
   0x000000000084a909 <+2457>:    call   0xb3db00 <av_log>
   0x000000000084a90e <+2462>:    mov    r11,QWORD PTR [rsp+0x8]
   0x000000000084a913 <+2467>:    mov    rax,QWORD PTR [r11+0x718]
=> 0x000000000084a91a <+2474>:    cmp    QWORD PTR [rax],0x0
   0x000000000084a91e <+2478>:    je     0x84c52f <vc1_decode_frame+9663>
   0x000000000084a924 <+2484>:    mov    r10d,DWORD PTR [r11+0x3c2c]
   0x000000000084a92b <+2491>:    test   r10d,r10d
   0x000000000084a92e <+2494>:    je     0x84a94f <vc1_decode_frame+2527>
   0x000000000084a930 <+2496>:    cmp    QWORD PTR [r11+0x828],0x0
   0x000000000084a938 <+2504>:    je     0x84c327 <vc1_decode_frame+9143>
   0x000000000084a93e <+2510>:    mov    rax,QWORD PTR [r11+0x3e8]
   0x000000000084a945 <+2517>:    cmp    QWORD PTR [rax],0x0
...

gdb-peda$ info all
rax            0x0    0x0
rbx            0x324e5c0    0x324e5c0
rcx            0xc0    0xc0
rdx            0x78    0x78
rsi            0x40    0x40
rdi            0x0    0x0
rbp            0x7f9961eb1a8c    0x7f9961eb1a8c
rsp            0x7f9961eb1970    0x7f9961eb1970
r8             0x3229d20    0x3229d20
r9             0x88    0x88
r10            0x0    0x0
r11            0x324e9e0    0x324e9e0
r12            0x1    0x1
r13            0x3250880    0x3250880
r14            0xd17c24    0xd17c24
r15            0x324e9e0    0x324e9e0
rip            0x84a91a    0x84a91a <vc1_decode_frame+2474>
eflags         0x10287    [ CF PF SF IF RF ]
cs             0x33    0x33
ss             0x2b    0x2b
ds             0x0    0x0
es             0x0    0x0
fs             0x0    0x0
gs             0x0    0x0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    0x37f
fstat          0x0    0x0
ftag           0xffff    0xffff
fiseg          0x0    0x0
fioff          0x0    0x0
foseg          0x0    0x0
fooff          0x0    0x0
fop            0x0    0x0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm1           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm2           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0xff,
0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x504, 0x706, 0x908, 0xb0a, 0xd0c, 0xf0e, 0xffff, 0xffff, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x7060504, 0xb0a0908, 0xf0e0d0c, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xb0a090807060504, 0xffffffff0f0e0d0c, 0x0, 0x0}, 
  v2_int128 = {0xffffffff0f0e0d0c0b0a090807060504,
0x00000000000000000000000000000000}
}
ymm3           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x2c, 0x0 <repeats 31 times>}, 
  v16_int16 = {0x2c, 0x0 <repeats 15 times>}, 
  v8_int32 = {0x2c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x2c, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000000000000000002c,
0x00000000000000000000000000000000}
}
ymm4           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff <repeats 12 times>, 0x0 <repeats 16
times>}, 
  v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x0, 0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xffffffff00000000, 0xffffffffffffffff, 0x0, 0x0}, 
  v2_int128 = {0xffffffffffffffffffffffff00000000,
0x00000000000000000000000000000000}
}
ymm5           {
  v8_float = {0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0xffffffffffffffd2, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x5b, 0xaa, 0xa2, 0x2a, 0x9e, 0x6, 0x47, 0xc0, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xaa5b, 0x2aa2, 0x69e, 0xc047, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x2aa2aa5b, 0xc047069e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xc047069e2aa2aa5b, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000c047069e2aa2aa5b,
0x00000000000000000000000000000000}
}
ymm6           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xffff, 0xffff, 0xffff, 0x7fff, 0x0 <repeats 12 times>}, 
  v8_int32 = {0xffffffff, 0x7fffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x7fffffffffffffff, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000007fffffffffffffff,
0x00000000000000000000000000000000}
}
ymm7           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm8           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm9           {
  v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xf6, 0x8f, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x8ff6, 0x21ee, 0x74a8, 0x3fd3, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x21ee8ff6, 0x3fd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3fd374a821ee8ff6, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003fd374a821ee8ff6,
0x00000000000000000000000000000000}
}
ymm10          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x54, 0xec, 0x35, 0x16, 0xb3, 0xe9, 0x8f, 0xbd, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xec54, 0x1635, 0xe9b3, 0xbd8f, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x1635ec54, 0xbd8fe9b3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xbd8fe9b31635ec54, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000bd8fe9b31635ec54,
0x00000000000000000000000000000000}
}
ymm11          {
  v8_float = {0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0xffffffffffffffd2, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xe0, 0xe6, 0x35, 0x67, 0x9e, 0x6, 0x47, 0xc0, 0x0 <repeats 24
times>}, 
  v16_int16 = {0xe6e0, 0x6735, 0x69e, 0xc047, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x6735e6e0, 0xc047069e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xc047069e6735e6e0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x0000000000000000c047069e6735e6e0,
0x00000000000000000000000000000000}
}
ymm12          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x0, 0x3cc40000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3cc4000000000000, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003cc4000000000000,
0x00000000000000000000000000000000}
}
ymm13          {
  v8_float = {0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x90, 0xee, 0x21, 0xa8, 0x74, 0xd3, 0x3f, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x9000, 0x21ee, 0x74a8, 0x3fd3, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x21ee9000, 0x3fd374a8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3fd374a821ee9000, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003fd374a821ee9000,
0x00000000000000000000000000000000}
}
ymm14          {
  v8_float = {0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x2d, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0 <repeats 12 times>}, 
  v8_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x4046dfb516f209c0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000004046dfb516f209c0,
0x00000000000000000000000000000000}
}
ymm15          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xb3, 0x35, 0xb2, 0xb0, 0x7d, 0x51, 0x53, 0x3c, 0x0 <repeats 24
times>}, 
  v16_int16 = {0x35b3, 0xb0b2, 0x517d, 0x3c53, 0x0 <repeats 12 times>}, 
  v8_int32 = {0xb0b235b3, 0x3c53517d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x3c53517db0b235b3, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000003c53517db0b235b3,
0x00000000000000000000000000000000}
}
