[libav-bugs] [Bug 1040] New: Corrupt .mkv file segfaults `avprobe -show_streams corrupt.mkv`

bugzilla at libav.org bugzilla at libav.org
Thu Mar 23 23:19:35 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1040

            Bug ID: 1040
           Summary: Corrupt .mkv file segfaults `avprobe -show_streams
                    corrupt.mkv`
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: bb5vmx7j at meo.ws

Created attachment 658
  --> https://bugzilla.libav.org/attachment.cgi?id=658&action=edit
Corrupt .mkv file

corrupt.mkv:

00000000  1a 45 df a3 01 00 00 00  00 00 00 23 42 30 81 30  |.E.........#B0.0|
00000010  42 30 81 30 42 30 81 30  42 30 81 30 42 30 88 30  |B0.0B0.0B0.0B0.0|
00000020  30 30 30 30 30 30 30 42  30 81 30 42 30 81 30 30  |0000000B0.0B0.00|
00000030  16 54 ae 6b 01 30 30 30  30 30 30 30 ae 01 30 30  |.T.k.0000000..00|
00000040  30 30 30 30 30 c5 81 30  86 8f 56 5f 4d 50 45 47  |00000..0..V_MPEG|
00000050  34 2f 49 53 4f 2f 41 56  43 83 81 01 30 30 30 84  |4/ISO/AVC...000.|
00000060  30 30 30 30 e0 01 00 00  00 00 00 00 0e b0 81 30  |0000...........0|
00000070  ba 81 30 54 30 81 30 54  30 81 30 63 a2 ad 01 30  |..0T0.0T0.0c...0|
00000080  30 30 30 e1 00 1c 67 30  30 30 ac d9 9f e5 30 30  |000...g000....00|
00000090  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
000000a0  30 30 00 30 30 1f 43 b6  75 30 30                 |00.00.C.u00|
000000ab


GDB:

Program received signal SIGSEGV, Segmentation fault.
ini_escape_print (s=s@entry=0x0) at avtools/avprobe.c:161
161         while (c = s[i++]) {
(gdb) bt
#0  ini_escape_print (s=s@entry=0x0) at avtools/avprobe.c:161
#1  0x00000000004dcb6c in ini_print_string (key=<optimized out>, value=0x0) at
avtools/avprobe.c:240
#2  0x00000000004c2e68 in probe_str (value=<optimized out>, key=<optimized
out>) at avtools/avprobe.c:523
#3  show_stream (ifile=<optimized out>, ist=<optimized out>) at
avtools/avprobe.c:725
#4  probe_file (filename=<optimized out>) at avtools/avprobe.c:966
#5  main (argc=41793440, argv=0x27dbe20) at avtools/avprobe.c:1190
(gdb) l
156     static void ini_escape_print(const char *s)
157     {
158         int i = 0;
159         char c = 0;
160
161         while (c = s[i++]) {
162             switch (c) {
163             case '\r': avio_printf(probe_out, "%s", "\\r"); break;
164             case '\n': avio_printf(probe_out, "%s", "\\n"); break;
165             case '\f': avio_printf(probe_out, "%s", "\\f"); break;
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x4dc851 to 0x4dc891:
   0x00000000004dc851 <ini_escape_print+33>:    add    %cl,-0x75(%rax)
   0x00000000004dc854 <ini_escape_print+36>:    rex.R and $0x10,%al
   0x00000000004dc857 <ini_escape_print+39>:    mov    0x8(%rsp),%rcx
   0x00000000004dc85c <ini_escape_print+44>:    mov    (%rsp),%rdx
   0x00000000004dc860 <ini_escape_print+48>:    lea    0x98(%rsp),%rsp
   0x00000000004dc868 <ini_escape_print+56>:    push   %rbp
   0x00000000004dc869 <ini_escape_print+57>:    push   %rbx
   0x00000000004dc86a <ini_escape_print+58>:    mov    %rdi,%rbp
   0x00000000004dc86d <ini_escape_print+61>:    sub    $0x8,%rsp
=> 0x00000000004dc871 <ini_escape_print+65>:    movzbl 0x0(%rbp),%ebx
   0x00000000004dc875 <ini_escape_print+69>:    test   %bl,%bl
   0x00000000004dc877 <ini_escape_print+71>:    je     0x4dca08
<ini_escape_print+472>
   0x00000000004dc87d <ini_escape_print+77>:    nopl   (%rax)
   0x00000000004dc880 <ini_escape_print+80>:    lea    -0x98(%rsp),%rsp
   0x00000000004dc888 <ini_escape_print+88>:    mov    %rdx,(%rsp)
   0x00000000004dc88c <ini_escape_print+92>:    mov    %rcx,0x8(%rsp)
End of assembler dump.
(gdb) info all-registers
rax            0x1      1
rbx            0x0      0
rcx            0x2      2
rdx            0x1      1
rsi            0x7fffffffd860   140737488345184
rdi            0x0      0
rbp            0x0      0x0
rsp            0x7fffffffe930   0x7fffffffe930
r8             0xe67    3687
r9             0x60     96
r10            0x60     96
r11            0x0      0
r12            0x27ddde0        41803232
r13            0x27da8e0        41789664
r14            0x60     96
r15            0x27ddde0        41803232
rip            0x4dc871 0x4dc871 <ini_escape_print+65>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xff, 0x0 <repeats 14 times>}, v8_int16 = {0xff00, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xff00, 0x0, 0x0, 0x0}, v2_int64 =
{0xff00, 0x0}, uint128 = 0x0000000000000000000000000000ff00}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x25 <repeats 16 times>}, v8_int16 = {0x2525, 0x2525, 0x2525,
0x2525, 0x2525, 0x2525, 0x2525, 0x2525}, v4_int32 = {0x25252525, 0x25252525,
0x25252525, 0x25252525}, v2_int64 = {0x2525252525252525, 0x2525252525252525},
uint128 = 0x25252525252525252525252525252525}
xmm2           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xff, 0x0 <repeats 14 times>}, v8_int16 = {0xff00, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0xff00, 0x0, 0x0, 0x0}, v2_int64 =
{0xff00, 0x0}, uint128 = 0x0000000000000000000000000000ff00}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x8000000000000000}, v16_int8 = {0x70, 0x70, 0x69, 0x6e, 0x67, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x54, 0x72, 0x69, 0x65, 0x64}, v8_int16 = {0x7070, 0x6e69, 0x67,
0x0, 0x0, 0x5400, 0x6972, 0x6465}, v4_int32 = {0x6e697070, 0x67, 0x54000000,
0x64656972}, v2_int64 = {0x676e697070,
    0x6465697254000000}, uint128 = 0x6465697254000000000000676e697070}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x61, 0x63, 0x6b, 0x65,
0x74, 0x73, 0x0, 0x61, 0x70, 0x70, 0x6c, 0x79, 0x5f, 0x63, 0x72, 0x6f},
v8_int16 = {0x6361, 0x656b, 0x7374, 0x6100, 0x7070, 0x796c, 0x635f, 0x6f72},
v4_int32 = {0x656b6361, 0x61007374, 0x796c7070,
    0x6f72635f}, v2_int64 = {0x61007374656b6361, 0x6f72635f796c7070}, uint128 =
0x6f72635f796c707061007374656b6361}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {0x3ff0000000000000, 0x0},
uint128 = 0x00000000000000003ff0000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 =
{0x3ed6592484460000, 0x0},
  uint128 = 0x00000000000000003ed6592484460000}
xmm11          {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2, 0xbd8f, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x5065a26a, 0xbd8feaf2, 0x0, 0x0}, v2_int64 =
{0xbd8feaf25065a26a, 0x0},
  uint128 = 0x0000000000000000bd8feaf25065a26a}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0x3cc40000, 0x0, 0x0}, v2_int64 = {0x3cc4000000000000, 0x0},
uint128 = 0x00000000000000003cc4000000000000}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 = {0xbc59800000000000, 0x0},
  uint128 = 0x0000000000000000bc59800000000000}
xmm14          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
{0x3c5324f0e883858e, 0x0},
  uint128 = 0x00000000000000003c5324f0e883858e}
xmm15          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
{0x4046dfb516f209c0, 0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]


Valgrind:

==24458== Invalid read of size 1
==24458==    at 0x4DC871: ini_escape_print (avprobe.c:161)
==24458==    by 0x4DCB6B: ini_print_string (avprobe.c:240)
==24458==    by 0x4C2E67: probe_str (avprobe.c:523)
==24458==    by 0x4C2E67: show_stream (avprobe.c:725)
==24458==    by 0x4C2E67: probe_file (avprobe.c:966)
==24458==    by 0x4C2E67: main (avprobe.c:1190)
==24458==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24458==
==24458==
==24458== Process terminating with default action of signal 11 (SIGSEGV)
==24458==  Access not within mapped region at address 0x0
==24458==    at 0x4DC871: ini_escape_print (avprobe.c:161)
==24458==    by 0x4DCB6B: ini_print_string (avprobe.c:240)
==24458==    by 0x4C2E67: probe_str (avprobe.c:523)
==24458==    by 0x4C2E67: show_stream (avprobe.c:725)
==24458==    by 0x4C2E67: probe_file (avprobe.c:966)
==24458==    by 0x4C2E67: main (avprobe.c:1190)
==24458==  If you believe this happened as a result of a stack
==24458==  overflow in your program's main thread (unlikely but
==24458==  possible), you can try to increase the size of the
==24458==  main thread stack using the --main-stacksize= flag.
==24458==  The main thread stack size used in this run was 8388608.
==24458==
==24458== HEAP SUMMARY:
==24458==     in use at exit: 171,589 bytes in 84 blocks
==24458==   total heap usage: 357 allocs, 273 frees, 396,746 bytes allocated
==24458==
==24458== LEAK SUMMARY:
==24458==    definitely lost: 0 bytes in 0 blocks
==24458==    indirectly lost: 0 bytes in 0 blocks
==24458==      possibly lost: 0 bytes in 0 blocks
==24458==    still reachable: 171,589 bytes in 84 blocks
==24458==         suppressed: 0 bytes in 0 blocks
==24458== Rerun with --leak-check=full to see details of leaked memory
==24458==
==24458== For counts of detected and suppressed errors, rerun with: -v
==24458== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
