[libav-bugs] [Bug 1042] New: Corrupt .flv file segfaults `avprobe -show_streams corrupt.flv` in ff_h264_execute_ref_pic_marking at libavcodec/h264_refs.c:701

bugzilla at libav.org bugzilla at libav.org
Fri Mar 24 09:37:05 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1042

            Bug ID: 1042
           Summary: Corrupt .flv file segfaults `avprobe -show_streams
                    corrupt.flv` in ff_h264_execute_ref_pic_marking at
                    libavcodec/h264_refs.c:701
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: bb5vmx7j at meo.ws

Created attachment 660
  --> https://bugzilla.libav.org/attachment.cgi?id=660&action=edit
Corrupt .flv file

corrupt.flv:

00000000  46 4c 56 01 30 00 00 00  09 30 30 30 30 30 00 01  |FLV.0....00000..|
00000010  25 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |%000000000000000|
00000020  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000140  30 09 00 00 32 30 30 30  30 30 30 30 17 00 30 30  |0...20000000..00|
00000150  30 01 30 30 30 ff e1 00  1c 67 30 30 30 ac d9 30  |0.000....g000..0|
00000160  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
00000170  30 30 30 30 30 01 00 06  68 eb 30 30 30 30 30 30  |00000...h.000000|
00000180  30 30 30 00 00 69 30 30  30 30 30 30 30 30 30 30  |000..i0000000000|
00000190  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000001f0  30 30 30 30 30 30 30 30  30 30 30 00 00 6a 30 30  |00000000000..j00|
00000200  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000270  30 30 30 30 00 00 69 30  30 30 30 30 30 30 30 30  |0000..i000000000|
00000280  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000002e0  30 30 30 30 30 30 30 30  30 30 30 30 00 00 6a 30  |000000000000..j0|
000002f0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000360  30 30 30 30 30 00 00 69  30 30 30 30 30 30 30 30  |00000..i00000000|
00000370  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000003d0  30 30 30 30 30 30 30 30  30 30 30 30 09 30 30 30  |000000000000.000|
000003e0  30 30 30 30 30 30 30 30  30 30 30 30 00 00 02 a0  |000000000000....|
000003f0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000690  00 00 00 2d 65 88 d4 30  6f 30 30 00 00 01 47 30  |...-e..0o00...G0|
000006a0  30 30 b4 27 30 30 30 30  30 30 30 30 30 30 30 30  |00.'000000000000|
000006b0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000006c1


GDB (at the faulting instruction `mov 0x30(%rdi),%r9d` below, rdi — loaded from 0x70d8(%rbx) with rbx = h, i.e. apparently h->ps.sps — is 0, so this looks like a NULL SPS pointer dereference when reading ref_frame_count; Valgrind's "Address 0x30" below is that same field offset):

Program received signal SIGSEGV, Segmentation fault.
ff_h264_execute_ref_pic_marking (h=0x27eb520) at libavcodec/h264_refs.c:701
701             (h->short_ref[0] == h->cur_pic_ptr) >
h->ps.sps->ref_frame_count) {
(gdb) bt
#0  ff_h264_execute_ref_pic_marking (h=0x27eb520) at libavcodec/h264_refs.c:701
#1  0x000000000190d1b0 in ff_h264_field_end (h=0x27eb520, sl=0x27f6dc0,
in_setup=<optimized out>) at libavcodec/h264_picture.c:157
#2  0x0000000000c7b181 in h264_decode_frame (avctx=0x27dbac0, data=0x27f2910,
got_frame=0x0, avpkt=0x1) at libavcodec/h264dec.c:745
#3  0x0000000000ab82c8 in decode_simple_internal (frame=0x27dca60,
avctx=0x27dbac0) at libavcodec/decode.c:335
#4  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:386
#5  decode_receive_frame_internal (avctx=0x27dbac0, frame=0x27dca60) at
libavcodec/decode.c:404
#6  0x0000000000ab8e90 in avcodec_send_packet (avctx=avctx at entry=0x27dbac0,
avpkt=avpkt at entry=0x7fffffffe610) at libavcodec/decode.c:441
#7  0x00000000008d7de5 in try_decode_frame (st=0x27db340, avpkt=<optimized
out>, options=<optimized out>, s=<optimized out>) at libavformat/utils.c:1950
#8  0x00000000008ee085 in avformat_find_stream_info (ic=0x27da8e0,
options=0x27f2910) at libavformat/utils.c:2459
#9  0x00000000004c0763 in open_input_file (filename=<optimized out>,
ifile=<optimized out>) at avtools/avprobe.c:878
#10 probe_file (filename=<optimized out>) at avtools/avprobe.c:956
#11 main (argc=3, argv=0x7fffffffeb88) at avtools/avprobe.c:1190
(gdb) l
696                 h->cur_pic_ptr->reference |= h->picture_structure;
697             }
698         }
699
700         if (h->long_ref_count + h->short_ref_count -
701             (h->short_ref[0] == h->cur_pic_ptr) >
h->ps.sps->ref_frame_count) {
702
703             /* We have too many reference frames, probably due to corrupted
704              * stream. Need to discard one frame. Prevents overrun of the
705              * short_ref and long_ref buffers.
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x1919694 to 0x19196d4:
   0x0000000001919694 <ff_h264_execute_ref_pic_marking+4916>:   lea    0x98(%rsp),%rsp
   0x000000000191969c <ff_h264_execute_ref_pic_marking+4924>:   mov    0x7710(%rbx),%ecx
   0x00000000019196a2 <ff_h264_execute_ref_pic_marking+4930>:   mov    0x7714(%rbx),%r8d
   0x00000000019196a9 <ff_h264_execute_ref_pic_marking+4937>:   mov    0x70d8(%rbx),%rdi
   0x00000000019196b0 <ff_h264_execute_ref_pic_marking+4944>:   lea    (%rcx,%r8,1),%ebp
=> 0x00000000019196b4 <ff_h264_execute_ref_pic_marking+4948>:   mov    0x30(%rdi),%r9d
   0x00000000019196b8 <ff_h264_execute_ref_pic_marking+4952>:   sub    %r10d,%ebp
   0x00000000019196bb <ff_h264_execute_ref_pic_marking+4955>:   cmp    %r9d,%ebp
   0x00000000019196be <ff_h264_execute_ref_pic_marking+4958>:   jg     0x191d6f0 <ff_h264_execute_ref_pic_marking+21392>
   0x00000000019196c4 <ff_h264_execute_ref_pic_marking+4964>:   lea    -0x98(%rsp),%rsp
   0x00000000019196cc <ff_h264_execute_ref_pic_marking+4972>:   mov    %rdx,(%rsp)
   0x00000000019196d0 <ff_h264_execute_ref_pic_marking+4976>:   mov    %rcx,0x8(%rsp)
End of assembler dump.
(gdb) info all-registers
rax            0x0      0
rbx            0x27eb520        41858336
rcx            0x1      1
rdx            0x0      0
rsi            0x27f2910        41888016
rdi            0x0      0
rbp            0x6      0x6
rsp            0x7fffffffe430   0x7fffffffe430
r8             0x5      5
r9             0x1      1
r10            0x0      0
r11            0x27f27b8        41887672
r12            0x0      0
r13            0x1      1
r14            0x27f2920        41888032
r15            0x27ec890        41863312
rip            0x19196b4        0x19196b4 <ff_h264_execute_ref_pic_marking+4948>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x5, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0xc4,
0x0, 0x0, 0x0}, v8_int16 = {0x5, 0x0, 0x3, 0x0, 0x3, 0x0, 0xc4, 0x0}, v4_int32
= {0x5, 0x3, 0x3, 0xc4}, v2_int64 = {0x300000005, 0xc400000003}, uint128 =
0x000000c4000000030000000300000005}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x4,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x3, 0x0, 0x1, 0x0, 0x4, 0x0}, v4_int32 =
{0x0, 0x3, 0x1, 0x4}, v2_int64 = {0x300000000, 0x400000001}, uint128 =
0x00000004000000010000000300000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x2, 0x0 <repeats 11 times>}, v8_int16 = {0x0,
0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x2, 0x0, 0x0}, v2_int64 =
{0x200000000, 0x0}, uint128 = 0x00000000000000000000000200000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x5, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0xc4,
0x0, 0x0, 0x0}, v8_int16 = {0x5, 0x0, 0x1, 0x0, 0x2, 0x0, 0xc4, 0x0}, v4_int32
= {0x5, 0x1, 0x2, 0xc4}, v2_int64 = {0x100000005, 0xc400000002}, uint128 =
0x000000c4000000020000000100000005}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x1, 0x0, 0x0, 0x0, 0x1, 0x0 <repeats 11 times>}, v8_int16 = {0x1,
0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x1, 0x1, 0x0, 0x0}, v2_int64 =
{0x100000001, 0x0}, uint128 = 0x00000000000000000000000100000001}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x61, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x0,
0x61, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x6361, 0x656b,
0x7374, 0x6100, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x656b6361, 0x61007374, 0x0,
0x0}, v2_int64 = {0x61007374656b6361, 0x0},
  uint128 = 0x000000000000000061007374656b6361}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm11          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xff, 0xff, 0x0, 0xff,
0x0, 0xff, 0xff, 0xff, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff}, v8_int16 =
{0xffff, 0xff00, 0xff00, 0xffff, 0xff00, 0x0, 0x0, 0xffff}, v4_int32 =
{0xff00ffff, 0xffffff00, 0xff00, 0xffff0000}, v2_int64 = {
    0xffffff00ff00ffff, 0xffff00000000ff00}, uint128 =
0xffff00000000ff00ffffff00ff00ffff}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 = {0xbc59800000000000, 0x0},
  uint128 = 0x0000000000000000bc59800000000000}
xmm14          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
{0x3c5324f0e883858e, 0x0},
  uint128 = 0x00000000000000003c5324f0e883858e}
xmm15          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
{0x4046dfb516f209c0, 0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]


Valgrind:

==28007== Invalid read of size 4
==28007==    at 0x19196B4: ff_h264_execute_ref_pic_marking (h264_refs.c:701)
==28007==    by 0x190D1AF: ff_h264_field_end (h264_picture.c:157)
==28007==    by 0xC7B180: h264_decode_frame (h264dec.c:745)
==28007==    by 0xAB82C7: decode_simple_internal (decode.c:335)
==28007==    by 0xAB82C7: decode_simple_receive_frame (decode.c:386)
==28007==    by 0xAB82C7: decode_receive_frame_internal (decode.c:404)
==28007==    by 0xAB8E8F: avcodec_send_packet (decode.c:441)
==28007==    by 0x8D7DE4: try_decode_frame.isra.11 (utils.c:1950)
==28007==    by 0x8EE084: avformat_find_stream_info (utils.c:2459)
==28007==    by 0x4C0762: open_input_file (avprobe.c:878)
==28007==    by 0x4C0762: probe_file (avprobe.c:956)
==28007==    by 0x4C0762: main (avprobe.c:1190)
==28007==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==28007==
==28007==
==28007== Process terminating with default action of signal 11 (SIGSEGV)
==28007==  Access not within mapped region at address 0x30
==28007==    at 0x19196B4: ff_h264_execute_ref_pic_marking (h264_refs.c:701)
==28007==    by 0x190D1AF: ff_h264_field_end (h264_picture.c:157)
==28007==    by 0xC7B180: h264_decode_frame (h264dec.c:745)
==28007==    by 0xAB82C7: decode_simple_internal (decode.c:335)
==28007==    by 0xAB82C7: decode_simple_receive_frame (decode.c:386)
==28007==    by 0xAB82C7: decode_receive_frame_internal (decode.c:404)
==28007==    by 0xAB8E8F: avcodec_send_packet (decode.c:441)
==28007==    by 0x8D7DE4: try_decode_frame.isra.11 (utils.c:1950)
==28007==    by 0x8EE084: avformat_find_stream_info (utils.c:2459)
==28007==    by 0x4C0762: open_input_file (avprobe.c:878)
==28007==    by 0x4C0762: probe_file (avprobe.c:956)
==28007==    by 0x4C0762: main (avprobe.c:1190)
==28007==  If you believe this happened as a result of a stack
==28007==  overflow in your program's main thread (unlikely but
==28007==  possible), you can try to increase the size of the
==28007==  main thread stack using the --main-stacksize= flag.
==28007==  The main thread stack size used in this run was 8388608.
==28007==
==28007== HEAP SUMMARY:
==28007==     in use at exit: 3,367,291 bytes in 339 blocks
==28007==   total heap usage: 609 allocs, 270 frees, 3,615,262 bytes allocated
==28007==
==28007== LEAK SUMMARY:
==28007==    definitely lost: 0 bytes in 0 blocks
==28007==    indirectly lost: 0 bytes in 0 blocks
==28007==      possibly lost: 0 bytes in 0 blocks
==28007==    still reachable: 3,367,291 bytes in 339 blocks
==28007==         suppressed: 0 bytes in 0 blocks
==28007== Rerun with --leak-check=full to see details of leaked memory
==28007==
==28007== For counts of detected and suppressed errors, rerun with: -v
==28007== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
