[libav-bugs] [Bug 1015] New: Null deref at ff_h264_field_end at libavcodec/h264_picture.c

bugzilla at libav.org bugzilla at libav.org
Mon Jan 2 21:09:53 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1015

            Bug ID: 1015
           Summary: Null deref at ff_h264_field_end at
                    libavcodec/h264_picture.c
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jan.s.ruge at gmail.com

Created attachment 642
  --> https://bugzilla.libav.org/attachment.cgi?id=642&action=edit
File triggering a null dereference in ff_h264_field_end

While fuzzing I found a null dereference in ff_h264_field_end at
libavcodec/h264_picture.c.
This error can be triggered by playing the supplied sample file with avplay.
In the backtrace below the faulting instruction is in ff_h264_execute_ref_pic_marking
(libavcodec/h264_refs.c:677), called from ff_h264_field_end; rax is 0 at the crash,
so the pointer being dereferenced (h->cur_pic_ptr, going by the source line shown)
appears to be NULL.

$ /gdb/avplay crash-null-0x22fae27.flv
                                                                               
                                                                               
                              avplay version 13_dev0, Copyright (c) 2003-2016
the Libav developers
  built on Jan  2 2017 19:06:58 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
20160609
Segmentation fault (core dumped)
$ gdb gdb/avplay /tmp/core_avplay.18606
Reading symbols from gdb/avplay...done.
[New LWP 18606]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./gdb/avplay crash-null-0x22fae27.flv'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ff_h264_execute_ref_pic_marking (h=h at entry=0x189ff80) at
libavcodec/h264_refs.c:677
677            } else if (h->cur_pic_ptr->long_ref) {
gdb-peda$ bt
#0  ff_h264_execute_ref_pic_marking (h=h at entry=0x189ff80) at
libavcodec/h264_refs.c:677
#1  0x00000000009c0436 in ff_h264_field_end (h=h at entry=0x189ff80,
sl=sl at entry=0x18ab7e0, in_setup=in_setup at entry=0x1) at
libavcodec/h264_picture.c:157
#2  0x00000000009c8b95 in ff_h264_queue_decode_slice (h=h at entry=0x189ff80,
nal=nal at entry=0x18dc540) at libavcodec/h264_slice.c:1888
#3  0x00000000006255ef in decode_nal_units (buf_size=0x2c54, buf=<optimized
out>, h=0x189ff80) at libavcodec/h264dec.c:573
#4  h264_decode_frame (avctx=0x1886800, data=0x1888a60,
got_frame=0x7fffffffe024, avpkt=<optimized out>) at libavcodec/h264dec.c:742
#5  0x00000000005ab61d in decode_simple_internal (frame=0x1888a60,
avctx=0x1886800) at libavcodec/decode.c:334
#6  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:390
#7  decode_receive_frame_internal (avctx=0x1886800, frame=0x1888a60) at
libavcodec/decode.c:408
#8  0x00000000005ab9b8 in avcodec_send_packet (avctx=avctx at entry=0x1886800,
avpkt=avpkt at entry=0x7fffffffe0d0) at libavcodec/decode.c:445
#9  0x0000000000543a0d in try_decode_frame (st=st at entry=0x18735a0,
avpkt=avpkt at entry=0x7fffffffe1b0, options=0x1886c80, s=0x1872f00) at
libavformat/utils.c:1950
#10 0x0000000000547d76 in avformat_find_stream_info (ic=0x1872f00,
options=0x1886c80) at libavformat/utils.c:2459
#11 0x000000000044d1f3 in stream_setup (is=0x106ec80 <player_state>) at
avplay.c:2316
#12 stream_open (iformat=<optimized out>, filename=<optimized out>,
is=0x106ec80 <player_state>) at avplay.c:2550
#13 main (argc=argc at entry=0x2, argv=argv at entry=0x7fffffffe568) at avplay.c:3050
#14 0x00007ffff63e7830 in __libc_start_main (main=0x44cfa0 <main>, argc=0x2,
argv=0x7fffffffe568, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe558) at ../csu/libc-start.c:291
#15 0x000000000044e589 in _start ()
gdb-peda$ disas $pc
...
   0x00000000009c2cad <+3517>:    cmp    rdx,rax
   0x00000000009c2cb0 <+3520>:    jne    0x9c2ca0
<ff_h264_execute_ref_pic_marking+3504>
   0x00000000009c2cb2 <+3522>:    mov    DWORD PTR [rsp+0x10],0x20
   0x00000000009c2cba <+3530>:    jmp    0x9c29d2
<ff_h264_execute_ref_pic_marking+2786>
   0x00000000009c2cbf <+3535>:    mov    DWORD PTR [rsp+0x18],0x0
   0x00000000009c2cc7 <+3543>:    mov    r10d,DWORD PTR [rbx+0x7704]
   0x00000000009c2cce <+3550>:    test   r10d,r10d
   0x00000000009c2cd1 <+3553>:    jne    0x9c2d1f
<ff_h264_execute_ref_pic_marking+3631>
   0x00000000009c2cd3 <+3555>:    mov    rax,QWORD PTR [rbx+0x5f60]
=> 0x00000000009c2cda <+3562>:    mov    r9d,DWORD PTR [rax+0xa8]
   0x00000000009c2ce1 <+3569>:    test   r9d,r9d
   0x00000000009c2ce4 <+3572>:    je     0x9c339b
<ff_h264_execute_ref_pic_marking+5291>
   0x00000000009c2cea <+3578>:    mov    rdi,QWORD PTR [rbx+0x8]
   0x00000000009c2cee <+3582>:    xor    eax,eax
   0x00000000009c2cf0 <+3584>:    mov    edx,0xd70240
   0x00000000009c2cf5 <+3589>:    mov    esi,0x10
   0x00000000009c2cfa <+3594>:    call   0xb3db00 <av_log>
   0x00000000009c2cff <+3599>:    xor    edx,edx

...
gdb-peda$ info all
rax            0x0    0x0
rbx            0x189ff80    0x189ff80
rcx            0xff    0xff
rdx            0x1    0x1
rsi            0x1    0x1
rdi            0x1886800    0x1886800
rbp            0x0    0x0
rsp            0x7fffffff4fb0    0x7fffffff4fb0
r8             0xfffffffe    0xfffffffe
r9             0x3    0x3
r10            0x0    0x0
r11            0xfffffff8    0xfffffff8
r12            0x18a735c    0x18a735c
r13            0x0    0x0
r14            0x0    0x0
r15            0x18dc540    0x18dc540
rip            0x9c2cda    0x9c2cda <ff_h264_execute_ref_pic_marking+3562>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x33    0x33
ss             0x2b    0x2b
ds             0x0    0x0
es             0x0    0x0
fs             0x0    0x0
gs             0x0    0x0
st0            -inf    (raw 0xffff0000000000000000)
st1            -nan(0x101010101010101)    (raw 0xffff0101010101010101)
st2            -nan(0x8585858585858585)    (raw 0xffff8585858585858585)
st3            -nan(0x8585858585858585)    (raw 0xffff8585858585858585)
st4            -nan(0x8585858585858585)    (raw 0xffff8585858585858585)
st5            -nan(0x8585858585858585)    (raw 0xffff8585858585858585)
st6            -nan(0x20002000200020)    (raw 0xffff0020002000200020)
st7            -inf    (raw 0xffff0000000000000000)
fctrl          0x37f    0x37f
fstat          0x0    0x0
ftag           0xffff    0xffff
fiseg          0x0    0x0
fioff          0x0    0x0
foseg          0x0    0x0
fooff          0x0    0x0
fop            0x0    0x0
mxcsr          0x1fa0    [ PE IM DM ZM OM UM PM ]
ymm0           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xff <repeats 11 times>, 0x0 <repeats 16
times>}, 
  v16_int16 = {0x0, 0x0, 0xff00, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x0, 0xffffff00, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xffffff0000000000, 0xffffffffffffffff, 0x0, 0x0}, 
  v2_int128 = {0xffffffffffffffffffffff0000000000,
0x00000000000000000000000000000000}
}
ymm1           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm2           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm3           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm4           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm5           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm6           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm7           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm8           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x9, 0x0, 0x0, 0x5, 0x0, 0x1, 0xce, 0x0, 0x0, 0x0, 0x0, 0x17,
0x2, 0x0 <repeats 19 times>}, 
  v16_int16 = {0x9, 0x500, 0x100, 0xce, 0x0, 0x1700, 0x2, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x5000009, 0xce0100, 0x17000000, 0x2, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xce010005000009, 0x217000000, 0x0, 0x0}, 
  v2_int128 = {0x000000021700000000ce010005000009,
0x00000000000000000000000000000000}
}
ymm9           {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0xff <repeats 16 times>, 0x0 <repeats 16 times>}, 
  v16_int16 = {0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0}, 
  v2_int128 = {0xffffffffffffffffffffffffffffffff,
0x00000000000000000000000000000000}
}
ymm10          {
  v8_float = {0x0, 0x0, 0xdc000000, 0x57000000, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x5b, 0x54, 0x5d, 0x67, 0x6f, 0x7d, 0x83, 0x7c, 0x70, 0x5f, 0x59,
0x56, 0x57, 0x56, 0x57, 0x57, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x545b, 0x675d, 0x7d6f, 0x7c83, 0x5f70, 0x5659, 0x5657, 0x5757,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x675d545b, 0x7c837d6f, 0x56595f70, 0x57575657, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0x7c837d6f675d545b, 0x5757565756595f70, 0x0, 0x0}, 
  v2_int128 = {0x5757565756595f707c837d6f675d545b,
0x00000000000000000000000000000000}
}
ymm11          {
  v8_float = {0x0, 0x0, 0x85a00000, 0x55600000, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0x56, 0x55, 0x58, 0x5b, 0x5d, 0x60, 0x60, 0x5d, 0x5a, 0x58, 0x56,
0x55, 0x56, 0x55, 0x55, 0x55, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x5556, 0x5b58, 0x605d, 0x5d60, 0x585a, 0x5556, 0x5556, 0x5555,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x5b585556, 0x5d60605d, 0x5556585a, 0x55555556, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0x5d60605d5b585556, 0x555555565556585a, 0x0, 0x0}, 
  v2_int128 = {0x555555565556585a5d60605d5b585556,
0x00000000000000000000000000000000}
}
ymm12          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x0, 0x1,
0x0, 0x1, 0x1, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x0, 0x101, 0x101, 0x101, 0x101, 0x0, 0x1, 0x101, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x1010000, 0x1010101, 0x101, 0x1010001, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x101010101010000, 0x101000100000101, 0x0, 0x0}, 
  v2_int128 = {0x01010001000001010101010101010000,
0x00000000000000000000000000000000}
}
ymm13          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x8000000000000000, 0x8000000000000000, 0x0, 0x0}, 
  v32_int8 = {0xff <repeats 16 times>, 0x0 <repeats 16 times>}, 
  v16_int16 = {0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0,
0x0}, 
  v4_int64 = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0}, 
  v2_int128 = {0xffffffffffffffffffffffffffffffff,
0x00000000000000000000000000000000}
}
ymm14          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0 <repeats 32 times>}, 
  v16_int16 = {0x0 <repeats 16 times>}, 
  v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, 
  v2_int128 = {0x00000000000000000000000000000000,
0x00000000000000000000000000000000}
}
ymm15          {
  v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x1 <repeats 16 times>, 0x0 <repeats 16 times>}, 
  v16_int16 = {0x101, 0x101, 0x101, 0x101, 0x101, 0x101, 0x101, 0x101, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x1010101, 0x1010101, 0x1010101, 0x1010101, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x101010101010101, 0x101010101010101, 0x0, 0x0}, 
  v2_int128 = {0x01010101010101010101010101010101,
0x00000000000000000000000000000000}
}
