[libav-bugs] [Bug 1042] New: Corrupt .flv file segfaults `avprobe -show_streams corrupt.flv` in ff_h264_execute_ref_pic_marking at libavcodec/h264_refs.c:701
bugzilla at libav.org
Fri Mar 24 09:37:05 CET 2017
https://bugzilla.libav.org/show_bug.cgi?id=1042
Bug ID: 1042
Summary: Corrupt .flv file segfaults `avprobe -show_streams corrupt.flv` in ff_h264_execute_ref_pic_marking at libavcodec/h264_refs.c:701
Product: Libav
Version: git HEAD
Hardware: X86
OS: Linux
Status: NEW
Severity: normal
Priority: ---
Component: utilities
Assignee: bugzilla at libav.org
Reporter: bb5vmx7j at meo.ws
Created attachment 660
--> https://bugzilla.libav.org/attachment.cgi?id=660&action=edit
Corrupt .flv file
corrupt.flv:
00000000 46 4c 56 01 30 00 00 00 09 30 30 30 30 30 00 01 |FLV.0....00000..|
00000010 25 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |%000000000000000|
00000020 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
00000140 30 09 00 00 32 30 30 30 30 30 30 30 17 00 30 30 |0...20000000..00|
00000150 30 01 30 30 30 ff e1 00 1c 67 30 30 30 ac d9 30 |0.000....g000..0|
00000160 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
00000170 30 30 30 30 30 01 00 06 68 eb 30 30 30 30 30 30 |00000...h.000000|
00000180 30 30 30 00 00 69 30 30 30 30 30 30 30 30 30 30 |000..i0000000000|
00000190 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000001f0 30 30 30 30 30 30 30 30 30 30 30 00 00 6a 30 30 |00000000000..j00|
00000200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
00000270 30 30 30 30 00 00 69 30 30 30 30 30 30 30 30 30 |0000..i000000000|
00000280 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000002e0 30 30 30 30 30 30 30 30 30 30 30 30 00 00 6a 30 |000000000000..j0|
000002f0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
00000360 30 30 30 30 30 00 00 69 30 30 30 30 30 30 30 30 |00000..i00000000|
00000370 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000003d0 30 30 30 30 30 30 30 30 30 30 30 30 09 30 30 30 |000000000000.000|
000003e0 30 30 30 30 30 30 30 30 30 30 30 30 00 00 02 a0 |000000000000....|
000003f0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
00000690 00 00 00 2d 65 88 d4 30 6f 30 30 00 00 01 47 30 |...-e..0o00...G0|
000006a0 30 30 b4 27 30 30 30 30 30 30 30 30 30 30 30 30 |00.'000000000000|
000006b0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000006c1
GDB:
Program received signal SIGSEGV, Segmentation fault.
ff_h264_execute_ref_pic_marking (h=0x27eb520) at libavcodec/h264_refs.c:701
701 (h->short_ref[0] == h->cur_pic_ptr) > h->ps.sps->ref_frame_count) {
(gdb) bt
#0 ff_h264_execute_ref_pic_marking (h=0x27eb520) at libavcodec/h264_refs.c:701
#1 0x000000000190d1b0 in ff_h264_field_end (h=0x27eb520, sl=0x27f6dc0, in_setup=<optimized out>) at libavcodec/h264_picture.c:157
#2 0x0000000000c7b181 in h264_decode_frame (avctx=0x27dbac0, data=0x27f2910, got_frame=0x0, avpkt=0x1) at libavcodec/h264dec.c:745
#3 0x0000000000ab82c8 in decode_simple_internal (frame=0x27dca60, avctx=0x27dbac0) at libavcodec/decode.c:335
#4 decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at libavcodec/decode.c:386
#5 decode_receive_frame_internal (avctx=0x27dbac0, frame=0x27dca60) at libavcodec/decode.c:404
#6 0x0000000000ab8e90 in avcodec_send_packet (avctx=avctx@entry=0x27dbac0, avpkt=avpkt@entry=0x7fffffffe610) at libavcodec/decode.c:441
#7 0x00000000008d7de5 in try_decode_frame (st=0x27db340, avpkt=<optimized out>, options=<optimized out>, s=<optimized out>) at libavformat/utils.c:1950
#8 0x00000000008ee085 in avformat_find_stream_info (ic=0x27da8e0, options=0x27f2910) at libavformat/utils.c:2459
#9 0x00000000004c0763 in open_input_file (filename=<optimized out>, ifile=<optimized out>) at avtools/avprobe.c:878
#10 probe_file (filename=<optimized out>) at avtools/avprobe.c:956
#11 main (argc=3, argv=0x7fffffffeb88) at avtools/avprobe.c:1190
(gdb) l
696 h->cur_pic_ptr->reference |= h->picture_structure;
697 }
698 }
699
700 if (h->long_ref_count + h->short_ref_count -
701 (h->short_ref[0] == h->cur_pic_ptr) > h->ps.sps->ref_frame_count) {
702
703 /* We have too many reference frames, probably due to corrupted
704 * stream. Need to discard one frame. Prevents overrun of the
705 * short_ref and long_ref buffers.
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x1919694 to 0x19196d4:
0x0000000001919694 <ff_h264_execute_ref_pic_marking+4916>: lea 0x98(%rsp),%rsp
0x000000000191969c <ff_h264_execute_ref_pic_marking+4924>: mov 0x7710(%rbx),%ecx
0x00000000019196a2 <ff_h264_execute_ref_pic_marking+4930>: mov 0x7714(%rbx),%r8d
0x00000000019196a9 <ff_h264_execute_ref_pic_marking+4937>: mov 0x70d8(%rbx),%rdi
0x00000000019196b0 <ff_h264_execute_ref_pic_marking+4944>: lea (%rcx,%r8,1),%ebp
=> 0x00000000019196b4 <ff_h264_execute_ref_pic_marking+4948>: mov 0x30(%rdi),%r9d
0x00000000019196b8 <ff_h264_execute_ref_pic_marking+4952>: sub %r10d,%ebp
0x00000000019196bb <ff_h264_execute_ref_pic_marking+4955>: cmp %r9d,%ebp
0x00000000019196be <ff_h264_execute_ref_pic_marking+4958>: jg 0x191d6f0 <ff_h264_execute_ref_pic_marking+21392>
0x00000000019196c4 <ff_h264_execute_ref_pic_marking+4964>: lea -0x98(%rsp),%rsp
0x00000000019196cc <ff_h264_execute_ref_pic_marking+4972>: mov %rdx,(%rsp)
0x00000000019196d0 <ff_h264_execute_ref_pic_marking+4976>: mov %rcx,0x8(%rsp)
End of assembler dump.
(gdb) info all-registers
rax 0x0 0
rbx 0x27eb520 41858336
rcx 0x1 1
rdx 0x0 0
rsi 0x27f2910 41888016
rdi 0x0 0
rbp 0x6 0x6
rsp 0x7fffffffe430 0x7fffffffe430
r8 0x5 5
r9 0x1 1
r10 0x0 0
r11 0x27f27b8 41887672
r12 0x0 0
r13 0x1 1
r14 0x27f2920 41888032
r15 0x27ec890 41863312
rip 0x19196b4 0x19196b4 <ff_h264_execute_ref_pic_marking+4948>
eflags 0x10287 [ CF PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x5, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0xc4,
0x0, 0x0, 0x0}, v8_int16 = {0x5, 0x0, 0x3, 0x0, 0x3, 0x0, 0xc4, 0x0}, v4_int32
= {0x5, 0x3, 0x3, 0xc4}, v2_int64 = {0x300000005, 0xc400000003}, uint128 =
0x000000c4000000030000000300000005}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x4,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x3, 0x0, 0x1, 0x0, 0x4, 0x0}, v4_int32 =
{0x0, 0x3, 0x1, 0x4}, v2_int64 = {0x300000000, 0x400000001}, uint128 =
0x00000004000000010000000300000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x2, 0x0 <repeats 11 times>}, v8_int16 = {0x0,
0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x2, 0x0, 0x0}, v2_int64 =
{0x200000000, 0x0}, uint128 = 0x00000000000000000000000200000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x5, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0xc4,
0x0, 0x0, 0x0}, v8_int16 = {0x5, 0x0, 0x1, 0x0, 0x2, 0x0, 0xc4, 0x0}, v4_int32
= {0x5, 0x1, 0x2, 0xc4}, v2_int64 = {0x100000005, 0xc400000002}, uint128 =
0x000000c4000000020000000100000005}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x1, 0x0, 0x0, 0x0, 0x1, 0x0 <repeats 11 times>}, v8_int16 = {0x1,
0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x1, 0x1, 0x0, 0x0}, v2_int64 =
{0x100000001, 0x0}, uint128 = 0x00000000000000000000000100000001}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x61, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x0,
0x61, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x6361, 0x656b,
0x7374, 0x6100, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x656b6361, 0x61007374, 0x0,
0x0}, v2_int64 = {0x61007374656b6361, 0x0},
uint128 = 0x000000000000000061007374656b6361}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xff, 0xff, 0x0, 0xff,
0x0, 0xff, 0xff, 0xff, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff}, v8_int16 =
{0xffff, 0xff00, 0xff00, 0xffff, 0xff00, 0x0, 0x0, 0xffff}, v4_int32 =
{0xff00ffff, 0xffffff00, 0xff00, 0xffff0000}, v2_int64 = {
0xffffff00ff00ffff, 0xffff00000000ff00}, uint128 =
0xffff00000000ff00ffffff00ff00ffff}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 = {0xbc59800000000000, 0x0},
uint128 = 0x0000000000000000bc59800000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
{0x3c5324f0e883858e, 0x0},
uint128 = 0x00000000000000003c5324f0e883858e}
xmm15 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
{0x4046dfb516f209c0, 0x0},
uint128 = 0x00000000000000004046dfb516f209c0}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
Valgrind:
==28007== Invalid read of size 4
==28007== at 0x19196B4: ff_h264_execute_ref_pic_marking (h264_refs.c:701)
==28007== by 0x190D1AF: ff_h264_field_end (h264_picture.c:157)
==28007== by 0xC7B180: h264_decode_frame (h264dec.c:745)
==28007== by 0xAB82C7: decode_simple_internal (decode.c:335)
==28007== by 0xAB82C7: decode_simple_receive_frame (decode.c:386)
==28007== by 0xAB82C7: decode_receive_frame_internal (decode.c:404)
==28007== by 0xAB8E8F: avcodec_send_packet (decode.c:441)
==28007== by 0x8D7DE4: try_decode_frame.isra.11 (utils.c:1950)
==28007== by 0x8EE084: avformat_find_stream_info (utils.c:2459)
==28007== by 0x4C0762: open_input_file (avprobe.c:878)
==28007== by 0x4C0762: probe_file (avprobe.c:956)
==28007== by 0x4C0762: main (avprobe.c:1190)
==28007== Address 0x30 is not stack'd, malloc'd or (recently) free'd
==28007==
==28007==
==28007== Process terminating with default action of signal 11 (SIGSEGV)
==28007== Access not within mapped region at address 0x30
==28007== at 0x19196B4: ff_h264_execute_ref_pic_marking (h264_refs.c:701)
==28007== by 0x190D1AF: ff_h264_field_end (h264_picture.c:157)
==28007== by 0xC7B180: h264_decode_frame (h264dec.c:745)
==28007== by 0xAB82C7: decode_simple_internal (decode.c:335)
==28007== by 0xAB82C7: decode_simple_receive_frame (decode.c:386)
==28007== by 0xAB82C7: decode_receive_frame_internal (decode.c:404)
==28007== by 0xAB8E8F: avcodec_send_packet (decode.c:441)
==28007== by 0x8D7DE4: try_decode_frame.isra.11 (utils.c:1950)
==28007== by 0x8EE084: avformat_find_stream_info (utils.c:2459)
==28007== by 0x4C0762: open_input_file (avprobe.c:878)
==28007== by 0x4C0762: probe_file (avprobe.c:956)
==28007== by 0x4C0762: main (avprobe.c:1190)
==28007== If you believe this happened as a result of a stack
==28007== overflow in your program's main thread (unlikely but
==28007== possible), you can try to increase the size of the
==28007== main thread stack using the --main-stacksize= flag.
==28007== The main thread stack size used in this run was 8388608.
==28007==
==28007== HEAP SUMMARY:
==28007== in use at exit: 3,367,291 bytes in 339 blocks
==28007== total heap usage: 609 allocs, 270 frees, 3,615,262 bytes allocated
==28007==
==28007== LEAK SUMMARY:
==28007== definitely lost: 0 bytes in 0 blocks
==28007== indirectly lost: 0 bytes in 0 blocks
==28007== possibly lost: 0 bytes in 0 blocks
==28007== still reachable: 3,367,291 bytes in 339 blocks
==28007== suppressed: 0 bytes in 0 blocks
==28007== Rerun with --leak-check=full to see details of leaked memory
==28007==
==28007== For counts of detected and suppressed errors, rerun with: -v
==28007== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
--
You are receiving this mail because:
You are watching all bug changes.
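Reading the report's own evidence: the faulting instruction `mov 0x30(%rdi),%r9d` is the load of `h->ps.sps->ref_frame_count` on line 701, `rdi` is 0x0 in the register dump, and Valgrind reports the access at address 0x30. So `h->ps.sps` was NULL when reference-picture marking ran on this corrupt stream, and 0x30 is simply the offset of `ref_frame_count` inside the SPS structure. The registers also show the counts being summed: `ecx` = 1 and `r8d` = 5, giving `ebp` = 6 before the subtraction. The following C program is an added illustration, not libav's code or its eventual fix: it models the check on lines 700-701 with constructed stand-in structs (`struct h264ctx`, `struct sps`, `struct picture`, all hypothetical layouts) and shows the NULL guard a decoder needs in front of that comparison, plus the offset arithmetic used to read the fault address.

```c
/* Added example, not libav code: models the reference-count check that
 * crashed at h264_refs.c:701 and the guard a decoder needs in front of it.
 * Struct names and layouts are constructed for illustration; only the field
 * names (short_ref, cur_pic_ptr, ref_frame_count, ...) mirror the report. */
#include <stdio.h>

#define MAX_REFS 16            /* constructed capacity for the toy short_ref[] table */

struct sps {                   /* stand-in for the decoder's sequence parameter set */
    int ref_frame_count;       /* max_num_ref_frames signalled by the SPS */
};

struct picture { int id; };

struct h264ctx {               /* stand-in for H264Context; not libav's layout */
    const struct sps *sps;     /* NULL until an SPS is activated: the report's rdi == 0 */
    struct picture *cur_pic_ptr;
    struct picture *short_ref[MAX_REFS];
    int short_ref_count;
    int long_ref_count;
};

enum { REF_OK = 0, REF_DISCARD = 1, REF_ERR_NO_SPS = -1 };

/* Guarded version of the test at h264_refs.c:700-701. REF_ERR_NO_SPS replaces
 * the NULL dereference; REF_DISCARD is the "too many reference frames,
 * probably due to corrupted stream" case the original comment describes. */
int check_ref_count(const struct h264ctx *h)
{
    if (!h->sps)               /* the missing guard: corrupt input got here with no SPS */
        return REF_ERR_NO_SPS;

    /* The current picture may already occupy short_ref[0]; don't count it twice. */
    int cur_in_short = h->short_ref_count > 0 && h->short_ref[0] == h->cur_pic_ptr;
    int refs = h->long_ref_count + h->short_ref_count - cur_in_short;

    return refs > h->sps->ref_frame_count ? REF_DISCARD : REF_OK;
}

/* With a NULL base register (rdi 0x0 in the report) the fault address equals
 * the field offset, which is how 0x30 ties the crash to `mov 0x30(%rdi),%r9d`. */
unsigned long field_offset_from_fault(unsigned long base, unsigned long fault_addr)
{
    return fault_addr - base;
}

/* Constructed scenarios; each returns check_ref_count()'s verdict. */
int scenario_no_sps(void)
{
    /* Mirrors the report's register state: 1 long + 5 short refs and no SPS. */
    struct picture cur = { 1 };
    struct h264ctx h = { .sps = NULL, .cur_pic_ptr = &cur,
                         .short_ref_count = 5, .long_ref_count = 1 };
    return check_ref_count(&h);
}

int scenario_within_limit(void)
{
    /* Current picture already in short_ref[0], one long ref, limit 1: refs = 1. */
    struct picture cur = { 1 };
    struct sps sps = { .ref_frame_count = 1 };
    struct h264ctx h = { .sps = &sps, .cur_pic_ptr = &cur, .short_ref = { &cur },
                         .short_ref_count = 1, .long_ref_count = 1 };
    return check_ref_count(&h);
}

int scenario_over_limit(void)
{
    /* Two short refs, current picture not first, limit 1: refs = 2, discard. */
    struct picture cur = { 1 }, other = { 2 };
    struct sps sps = { .ref_frame_count = 1 };
    struct h264ctx h = { .sps = &sps, .cur_pic_ptr = &cur, .short_ref = { &other, &cur },
                         .short_ref_count = 2, .long_ref_count = 0 };
    return check_ref_count(&h);
}

int main(void)
{
    printf("no SPS       -> %d\n", scenario_no_sps());
    printf("within limit -> %d\n", scenario_within_limit());
    printf("over limit   -> %d\n", scenario_over_limit());
    printf("field offset -> 0x%lx\n", field_offset_from_fault(0x0, 0x30));
    return 0;
}
```

The point of the guard is that a parameter-set pointer populated from untrusted input must be validated before the state that depends on it is touched; when fuzzing a decoder, a fault address that is a small constant with a zero base register is the quickest tell that such a check is missing.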