[libav-bugs] [Bug 1040] New: Corrupt .mkv file segfaults `avprobe -show_streams corrupt.mkv`
bugzilla at libav.org
bugzilla at libav.org
Thu Mar 23 23:19:35 CET 2017
https://bugzilla.libav.org/show_bug.cgi?id=1040
Bug ID: 1040
Summary: Corrupt .mkv file segfaults `avprobe -show_streams corrupt.mkv`
Product: Libav
Version: git HEAD
Hardware: X86
OS: Linux
Status: NEW
Severity: normal
Priority: ---
Component: utilities
Assignee: bugzilla at libav.org
Reporter: bb5vmx7j at meo.ws
Created attachment 658
--> https://bugzilla.libav.org/attachment.cgi?id=658&action=edit
Corrupt .mkv file
corrupt.mkv:
00000000 1a 45 df a3 01 00 00 00 00 00 00 23 42 30 81 30 |.E.........#B0.0|
00000010 42 30 81 30 42 30 81 30 42 30 81 30 42 30 88 30 |B0.0B0.0B0.0B0.0|
00000020 30 30 30 30 30 30 30 42 30 81 30 42 30 81 30 30 |0000000B0.0B0.00|
00000030 16 54 ae 6b 01 30 30 30 30 30 30 30 ae 01 30 30 |.T.k.0000000..00|
00000040 30 30 30 30 30 c5 81 30 86 8f 56 5f 4d 50 45 47 |00000..0..V_MPEG|
00000050 34 2f 49 53 4f 2f 41 56 43 83 81 01 30 30 30 84 |4/ISO/AVC...000.|
00000060 30 30 30 30 e0 01 00 00 00 00 00 00 0e b0 81 30 |0000...........0|
00000070 ba 81 30 54 30 81 30 54 30 81 30 63 a2 ad 01 30 |..0T0.0T0.0c...0|
00000080 30 30 30 e1 00 1c 67 30 30 30 ac d9 9f e5 30 30 |000...g000....00|
00000090 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
000000a0 30 30 00 30 30 1f 43 b6 75 30 30 |00.00.C.u00|
000000ab
GDB (the backtrace shows `value=0x0` passed from `probe_str` through `ini_print_string` into `ini_escape_print`, which reads `s[0]` at line 161 with no NULL check):
Program received signal SIGSEGV, Segmentation fault.
ini_escape_print (s=s at entry=0x0) at avtools/avprobe.c:161
161 while (c = s[i++]) {
(gdb) bt
#0 ini_escape_print (s=s at entry=0x0) at avtools/avprobe.c:161
#1 0x00000000004dcb6c in ini_print_string (key=<optimized out>, value=0x0) at avtools/avprobe.c:240
#2 0x00000000004c2e68 in probe_str (value=<optimized out>, key=<optimized out>) at avtools/avprobe.c:523
#3 show_stream (ifile=<optimized out>, ist=<optimized out>) at avtools/avprobe.c:725
#4 probe_file (filename=<optimized out>) at avtools/avprobe.c:966
#5 main (argc=41793440, argv=0x27dbe20) at avtools/avprobe.c:1190
(gdb) l
156 static void ini_escape_print(const char *s)
157 {
158 int i = 0;
159 char c = 0;
160
161 while (c = s[i++]) {
162 switch (c) {
163 case '\r': avio_printf(probe_out, "%s", "\\r"); break;
164 case '\n': avio_printf(probe_out, "%s", "\\n"); break;
165 case '\f': avio_printf(probe_out, "%s", "\\f"); break;
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x4dc851 to 0x4dc891:
0x00000000004dc851 <ini_escape_print+33>: add %cl,-0x75(%rax)
0x00000000004dc854 <ini_escape_print+36>: rex.R and $0x10,%al
0x00000000004dc857 <ini_escape_print+39>: mov 0x8(%rsp),%rcx
0x00000000004dc85c <ini_escape_print+44>: mov (%rsp),%rdx
0x00000000004dc860 <ini_escape_print+48>: lea 0x98(%rsp),%rsp
0x00000000004dc868 <ini_escape_print+56>: push %rbp
0x00000000004dc869 <ini_escape_print+57>: push %rbx
0x00000000004dc86a <ini_escape_print+58>: mov %rdi,%rbp
0x00000000004dc86d <ini_escape_print+61>: sub $0x8,%rsp
=> 0x00000000004dc871 <ini_escape_print+65>: movzbl 0x0(%rbp),%ebx
0x00000000004dc875 <ini_escape_print+69>: test %bl,%bl
0x00000000004dc877 <ini_escape_print+71>: je 0x4dca08 <ini_escape_print+472>
0x00000000004dc87d <ini_escape_print+77>: nopl (%rax)
0x00000000004dc880 <ini_escape_print+80>: lea -0x98(%rsp),%rsp
0x00000000004dc888 <ini_escape_print+88>: mov %rdx,(%rsp)
0x00000000004dc88c <ini_escape_print+92>: mov %rcx,0x8(%rsp)
End of assembler dump.
(gdb) info all-registers
rax 0x1 1
rbx 0x0 0
rcx 0x2 2
rdx 0x1 1
rsi 0x7fffffffd860 140737488345184
rdi 0x0 0
rbp 0x0 0x0
rsp 0x7fffffffe930 0x7fffffffe930
r8 0xe67 3687
r9 0x60 96
r10 0x60 96
r11 0x0 0
r12 0x27ddde0 41803232
r13 0x27da8e0 41789664
r14 0x60 96
r15 0x27ddde0 41803232
rip 0x4dc871 0x4dc871 <ini_escape_print+65>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xff, 0x0 <repeats 14 times>}, v8_int16 = {0xff00, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xff00, 0x0, 0x0, 0x0}, v2_int64 =
{0xff00, 0x0}, uint128 = 0x0000000000000000000000000000ff00}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x25 <repeats 16 times>}, v8_int16 = {0x2525, 0x2525, 0x2525,
0x2525, 0x2525, 0x2525, 0x2525, 0x2525}, v4_int32 = {0x25252525, 0x25252525,
0x25252525, 0x25252525}, v2_int64 = {0x2525252525252525, 0x2525252525252525},
uint128 = 0x25252525252525252525252525252525}
xmm2 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xff, 0x0 <repeats 14 times>}, v8_int16 = {0xff00, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xff00, 0x0, 0x0, 0x0}, v2_int64 =
{0xff00, 0x0}, uint128 = 0x0000000000000000000000000000ff00}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x70, 0x70, 0x69, 0x6e, 0x67, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x54, 0x72, 0x69, 0x65, 0x64}, v8_int16 = {0x7070, 0x6e69, 0x67,
0x0, 0x0, 0x5400, 0x6972, 0x6465}, v4_int32 = {0x6e697070, 0x67, 0x54000000,
0x64656972}, v2_int64 = {0x676e697070,
0x6465697254000000}, uint128 = 0x6465697254000000000000676e697070}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x61, 0x63, 0x6b, 0x65,
0x74, 0x73, 0x0, 0x61, 0x70, 0x70, 0x6c, 0x79, 0x5f, 0x63, 0x72, 0x6f},
v8_int16 = {0x6361, 0x656b, 0x7374, 0x6100, 0x7070, 0x796c, 0x635f, 0x6f72},
v4_int32 = {0x656b6361, 0x61007374, 0x796c7070,
0x6f72635f}, v2_int64 = {0x61007374656b6361, 0x6f72635f796c7070}, uint128 =
0x6f72635f796c707061007374656b6361}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 =
{0x3ed6592484460000, 0x0},
uint128 = 0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a, 0x0},
uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x3cc40000, 0x0, 0x0}, v2_int64 = {0x3cc4000000000000, 0x0},
uint128 = 0x00000000000000003cc4000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 = {0xbc59800000000000, 0x0},
uint128 = 0x0000000000000000bc59800000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
{0x3c5324f0e883858e, 0x0},
uint128 = 0x00000000000000003c5324f0e883858e}
xmm15 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
{0x4046dfb516f209c0, 0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
Valgrind:
==24458== Invalid read of size 1
==24458== at 0x4DC871: ini_escape_print (avprobe.c:161)
==24458== by 0x4DCB6B: ini_print_string (avprobe.c:240)
==24458== by 0x4C2E67: probe_str (avprobe.c:523)
==24458== by 0x4C2E67: show_stream (avprobe.c:725)
==24458== by 0x4C2E67: probe_file (avprobe.c:966)
==24458== by 0x4C2E67: main (avprobe.c:1190)
==24458== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24458==
==24458==
==24458== Process terminating with default action of signal 11 (SIGSEGV)
==24458== Access not within mapped region at address 0x0
==24458== at 0x4DC871: ini_escape_print (avprobe.c:161)
==24458== by 0x4DCB6B: ini_print_string (avprobe.c:240)
==24458== by 0x4C2E67: probe_str (avprobe.c:523)
==24458== by 0x4C2E67: show_stream (avprobe.c:725)
==24458== by 0x4C2E67: probe_file (avprobe.c:966)
==24458== by 0x4C2E67: main (avprobe.c:1190)
==24458== If you believe this happened as a result of a stack
==24458== overflow in your program's main thread (unlikely but
==24458== possible), you can try to increase the size of the
==24458== main thread stack using the --main-stacksize= flag.
==24458== The main thread stack size used in this run was 8388608.
==24458==
==24458== HEAP SUMMARY:
==24458== in use at exit: 171,589 bytes in 84 blocks
==24458== total heap usage: 357 allocs, 273 frees, 396,746 bytes allocated
==24458==
==24458== LEAK SUMMARY:
==24458== definitely lost: 0 bytes in 0 blocks
==24458== indirectly lost: 0 bytes in 0 blocks
==24458== possibly lost: 0 bytes in 0 blocks
==24458== still reachable: 171,589 bytes in 84 blocks
==24458== suppressed: 0 bytes in 0 blocks
==24458== Rerun with --leak-check=full to see details of leaked memory
==24458==
==24458== For counts of detected and suppressed errors, rerun with: -v
==24458== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault