[libav-bugs] [Bug 1043] New: Corrupt .avi file segfaults `avprobe corrupt.avi` in get_vlc2 at libavcodec/get_bits.h:501

bugzilla at libav.org bugzilla at libav.org
Fri Mar 24 12:43:46 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1043

            Bug ID: 1043
           Summary: Corrupt .avi file segfaults `avprobe corrupt.avi` in
                    get_vlc2 at libavcodec/get_bits.h:501
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: bb5vmx7j at meo.ws

Created attachment 661
  --> https://bugzilla.libav.org/attachment.cgi?id=661&action=edit
Corrupt .avi file

corrupt.avi:

00000000  52 49 46 46 30 30 30 30  41 56 49 20 4c 49 53 54  |RIFF0000AVI LIST|
00000010  30 30 30 30 30 30 30 30  30 30 30 30 30 00 00 00  |0000000000000...|
00000020  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000050  4c 49 53 54 74 00 00 00  30 30 30 30 73 74 72 68  |LISTt...0000strh|
00000060  30 00 00 00 76 69 64 73  30 30 30 30 30 30 30 30  |0...vids00000000|
00000070  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000090  30 30 30 30 30 30 30 30  00 00 00 00 73 74 72 66  |00000000....strf|
000000a0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
000000b0  30 30 30 30 49 4a 50 47  30 30 30 30 30 30 30 30  |0000IJPG00000000|
000000c0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
000000d0  30 30 30 30 30 30 30 30  30 30 30 00 ff c3 30 30  |00000000000...00|
000000e0  30 30 30 30 30 03 30 11  00 30 11 01 30 11 01 ff  |00000.0..0..0...|
000000f0  da 00 0c 03 30 00 30 30  ff da 00 08 01 30        |....0.00.....0|
000000fe


GDB (frame #0 shows `table=0x0`: the VLC table passed for `dc_index=3` is NULL, so `lea (%r15,%rdi,4),%r10` with r15 = 0 yields r10 = 0 and `movswl 0x2(%r10),%edi` reads address 0x2 — a NULL-pointer dereference that aborts the probe):

Program received signal SIGSEGV, Segmentation fault.
0x0000000000fba940 in get_vlc2 (max_depth=2, bits=9, table=0x0, s=0x27dd4d0) at
libavcodec/get_bits.h:501
501         GET_VLC(code, re, s, table, bits, max_depth);
(gdb) bt
#0  0x0000000000fba940 in get_vlc2 (max_depth=2, bits=9, table=0x0,
s=0x27dd4d0) at libavcodec/get_bits.h:501
#1  mjpeg_decode_dc (dc_index=3, s=0x27dd4c0) at libavcodec/mjpegdec.c:452
#2  ljpeg_decode_rgb_scan (point_transform=<optimized out>,
predictor=<optimized out>, s=0x27dd4c0) at libavcodec/mjpegdec.c:738
#3  ff_mjpeg_decode_sos (s=0x27dd4c0, mb_bitmask=0x0, reference=0x0) at
libavcodec/mjpegdec.c:1146
#4  0x0000000000fc3334 in ff_mjpeg_decode_frame (avctx=0x27db9e0,
data=0x27dd0e0, got_frame=0x0, avpkt=0x0) at libavcodec/mjpegdec.c:1640
#5  0x0000000000ab82c8 in decode_simple_internal (frame=0x27dd0e0,
avctx=0x27db9e0) at libavcodec/decode.c:335
#6  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:386
#7  decode_receive_frame_internal (avctx=0x27db9e0, frame=0x27dd0e0) at
libavcodec/decode.c:404
#8  0x0000000000ab8e90 in avcodec_send_packet (avctx=avctx at entry=0x27db9e0,
avpkt=avpkt at entry=0x7fffffffe630) at libavcodec/decode.c:441
#9  0x00000000008d7de5 in try_decode_frame (st=0x27db260, avpkt=<optimized
out>, options=<optimized out>, s=<optimized out>) at libavformat/utils.c:1950
#10 0x00000000008ee085 in avformat_find_stream_info (ic=0x27da8e0,
options=0x28) at libavformat/utils.c:2459
#11 0x00000000004c0763 in open_input_file (filename=<optimized out>,
ifile=<optimized out>) at avtools/avprobe.c:878
#12 probe_file (filename=<optimized out>) at avtools/avprobe.c:956
#13 main (argc=2, argv=0x7fffffffeba8) at avtools/avprobe.c:1190
(gdb) l
496         int code;
497
498         OPEN_READER(re, s);
499         UPDATE_CACHE(re, s);
500
501         GET_VLC(code, re, s, table, bits, max_depth);
502
503         CLOSE_READER(re, s);
504
505         return code;
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xfba920 to 0xfba960:
   0x0000000000fba920 <ff_mjpeg_decode_sos+20096>:      mov    %r9,%r8
   0x0000000000fba923 <ff_mjpeg_decode_sos+20099>:      mov    0x248(%r13,%r11,8),%r15
   0x0000000000fba92b <ff_mjpeg_decode_sos+20107>:      mov    0x10(%r13),%r11
   0x0000000000fba92f <ff_mjpeg_decode_sos+20111>:      mov    (%r11,%r10,1),%edx
   0x0000000000fba933 <ff_mjpeg_decode_sos+20115>:      bswap  %edx
   0x0000000000fba935 <ff_mjpeg_decode_sos+20117>:      shl    %cl,%edx
   0x0000000000fba937 <ff_mjpeg_decode_sos+20119>:      shr    $0xf7,%edx
   0x0000000000fba93a <ff_mjpeg_decode_sos+20122>:      mov    %edx,%edi
   0x0000000000fba93c <ff_mjpeg_decode_sos+20124>:      lea    (%r15,%rdi,4),%r10
=> 0x0000000000fba940 <ff_mjpeg_decode_sos+20128>:      movswl 0x2(%r10),%edi
   0x0000000000fba945 <ff_mjpeg_decode_sos+20133>:      movswl (%r10),%edx
   0x0000000000fba949 <ff_mjpeg_decode_sos+20137>:      test   %edi,%edi
   0x0000000000fba94b <ff_mjpeg_decode_sos+20139>:      js     0xfbae70 <ff_mjpeg_decode_sos+21456>
   0x0000000000fba951 <ff_mjpeg_decode_sos+20145>:      nopl   (%rax)
   0x0000000000fba954 <ff_mjpeg_decode_sos+20148>:      lea    -0x98(%rsp),%rsp
   0x0000000000fba95c <ff_mjpeg_decode_sos+20156>:      mov    %rdx,(%rsp)
End of assembler dump.
(gdb) info all-registers
rax            0x28     40
rbx            0x8000   32768
rcx            0x0      0
rdx            0x0      0
rsi            0x28     40
rdi            0x0      0
rbp            0x2      0x2
rsp            0x7fffffffe340   0x7fffffffe340
r8             0x3      3
r9             0x3      3
r10            0x0      0
r11            0x27ddfc0        41803712
r12            0x1      1
r13            0x27dd4c0        41800896
r14            0x27ec500        41862400
r15            0x0      0
rip            0xfba940 0xfba940 <ff_mjpeg_decode_sos+20128>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0xff,
0x0, 0x0, 0x0}, v8_int16 = {0xff00, 0x0, 0x0, 0x0, 0xff00, 0x0, 0xff, 0x0},
v4_int32 = {0xff00, 0x0, 0xff00, 0xff}, v2_int64 = {0xff00, 0xff0000ff00},
  uint128 = 0x000000ff0000ff00000000000000ff00}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x25 <repeats 16 times>}, v8_int16 = {0x2525, 0x2525, 0x2525,
0x2525, 0x2525, 0x2525, 0x2525, 0x2525}, v4_int32 = {0x25252525, 0x25252525,
0x25252525, 0x25252525}, v2_int64 = {0x2525252525252525, 0x2525252525252525},
uint128 = 0x25252525252525252525252525252525}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x403, 0x605, 0x807, 0xa09, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x6050403, 0xa090807, 0x0, 0x0}, v2_int64 = {0xa09080706050403,
0x0},
  uint128 = 0x00000000000000000a09080706050403}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff,
0x0, 0x0, 0x0}, v8_int16 = {0xff00, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0},
v4_int32 = {0xff00, 0x0, 0x0, 0xff}, v2_int64 = {0xff00, 0xff00000000}, uint128
= 0x000000ff00000000000000000000ff00}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x64, 0x3d, 0x30, 0x78, 0x25, 0x30,
0x34, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x3d64,
0x7830, 0x3025, 0x7834, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x78303d64,
0x78343025, 0x0, 0x0}, v2_int64 = {0x7834302578303d64, 0x0},
  uint128 = 0x00000000000000007834302578303d64}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x61, 0x0, 0x6e, 0x65, 0x77, 0x5f, 0x70,
0x72, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x61, 0x656e,
0x5f77, 0x7270, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x656e0061, 0x72705f77, 0x0,
0x0}, v2_int64 = {0x72705f77656e0061, 0x0},
  uint128 = 0x000000000000000072705f77656e0061}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm8           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm9           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm11          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0xff, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0x0}, v8_int16 = {0xff, 0xff00, 0xffff, 0xff, 0xffff,
0xffff, 0xffff, 0xff}, v4_int32 = {0xff0000ff, 0xffffff, 0xffffffff, 0xffffff},
v2_int64 = {0xffffffff0000ff,
    0xffffffffffffff}, uint128 = 0x00ffffffffffffff00ffffffff0000ff}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0, 0x0},
v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 = {0xbc59800000000000, 0x0},
  uint128 = 0x0000000000000000bc59800000000000}
xmm14          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
{0x3c5324f0e883858e, 0x0},
  uint128 = 0x00000000000000003c5324f0e883858e}
xmm15          {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
{0x4046dfb516f209c0, 0x0},
  uint128 = 0x00000000000000004046dfb516f209c0}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]


Valgrind:

==21704== Warning: set address range perms: large range [0x5afe080, 0x29f80490)
(undefined)
==21704== Invalid read of size 2
==21704==    at 0xFBA940: get_vlc2 (get_bits.h:501)
==21704==    by 0xFBA940: mjpeg_decode_dc (mjpegdec.c:452)
==21704==    by 0xFBA940: ljpeg_decode_rgb_scan (mjpegdec.c:738)
==21704==    by 0xFBA940: ff_mjpeg_decode_sos (mjpegdec.c:1146)
==21704==    by 0xFC3333: ff_mjpeg_decode_frame (mjpegdec.c:1640)
==21704==    by 0xAB82C7: decode_simple_internal (decode.c:335)
==21704==    by 0xAB82C7: decode_simple_receive_frame (decode.c:386)
==21704==    by 0xAB82C7: decode_receive_frame_internal (decode.c:404)
==21704==    by 0xAB8E8F: avcodec_send_packet (decode.c:441)
==21704==    by 0x8D7DE4: try_decode_frame.isra.11 (utils.c:1950)
==21704==    by 0x8EE084: avformat_find_stream_info (utils.c:2459)
==21704==    by 0x4C0762: open_input_file (avprobe.c:878)
==21704==    by 0x4C0762: probe_file (avprobe.c:956)
==21704==    by 0x4C0762: main (avprobe.c:1190)
==21704==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==21704==
==21704==
==21704== Process terminating with default action of signal 11 (SIGSEGV)
==21704==  Access not within mapped region at address 0x2
==21704==    at 0xFBA940: get_vlc2 (get_bits.h:501)
==21704==    by 0xFBA940: mjpeg_decode_dc (mjpegdec.c:452)
==21704==    by 0xFBA940: ljpeg_decode_rgb_scan (mjpegdec.c:738)
==21704==    by 0xFBA940: ff_mjpeg_decode_sos (mjpegdec.c:1146)
==21704==    by 0xFC3333: ff_mjpeg_decode_frame (mjpegdec.c:1640)
==21704==    by 0xAB82C7: decode_simple_internal (decode.c:335)
==21704==    by 0xAB82C7: decode_simple_receive_frame (decode.c:386)
==21704==    by 0xAB82C7: decode_receive_frame_internal (decode.c:404)
==21704==    by 0xAB8E8F: avcodec_send_packet (decode.c:441)
==21704==    by 0x8D7DE4: try_decode_frame.isra.11 (utils.c:1950)
==21704==    by 0x8EE084: avformat_find_stream_info (utils.c:2459)
==21704==    by 0x4C0762: open_input_file (avprobe.c:878)
==21704==    by 0x4C0762: probe_file (avprobe.c:956)
==21704==    by 0x4C0762: main (avprobe.c:1190)
==21704==  If you believe this happened as a result of a stack
==21704==  overflow in your program's main thread (unlikely but
==21704==  possible), you can try to increase the size of the
==21704==  main thread stack using the --main-stacksize= flag.
==21704==  The main thread stack size used in this run was 8388608.
==21704==
==21704== HEAP SUMMARY:
==21704==     in use at exit: 608,906,556 bytes in 61 blocks
==21704==   total heap usage: 281 allocs, 220 frees, 612,208,131 bytes
allocated
==21704==
==21704== LEAK SUMMARY:
==21704==    definitely lost: 0 bytes in 0 blocks
==21704==    indirectly lost: 0 bytes in 0 blocks
==21704==      possibly lost: 0 bytes in 0 blocks
==21704==    still reachable: 608,906,556 bytes in 61 blocks
==21704==         suppressed: 0 bytes in 0 blocks
==21704== Rerun with --leak-check=full to see details of leaked memory
==21704==
==21704== For counts of detected and suppressed errors, rerun with: -v
==21704== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
