[libav-bugs] [Bug 1099] New: Null pointer dereference on vc1_decode_frame.

bugzilla at libav.org bugzilla at libav.org
Fri Nov 17 06:30:26 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1099

            Bug ID: 1099
           Summary: Null pointer dereference on vc1_decode_frame.
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 695
  --> https://bugzilla.libav.org/attachment.cgi?id=695&action=edit
vc1_decode_frame crash file

Triggered by "./avconv -i $POC -f null -"

Null pointer dereference in vc1_decode_frame. The faulting instruction `mov (%ebx),%eax` reads through ebx = 0x18, i.e. a small offset from NULL; that load corresponds to the `slices[i].mby_start` access on vc1dec.c:883, so `slices` is presumably NULL (or the index is computed from an unvalidated slice count) when this branch is reached.


Test environment:

avconv version v13_dev0-1400-gb72ac6d, Copyright (c) 2000-2017 the Libav
developers
  built on Nov 14 2017 01:13:43 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
20160609


The GDB debugging information is as follows:

(gdb) r -i $POC -f null - 

Thread 1 "avconv" received signal SIGSEGV, Segmentation fault.
0x084e7a17 in vc1_decode_frame (avctx=0x91cae20, data=0x91cc860,
got_frame=0xbfffe898, avpkt=0x91cca60)
    at libavcodec/vc1dec.c:883
883                    s->end_mb_y = (i <= n_slices1 + 1) ? mb_height :
FFMIN(mb_height, slices[i].mby_start % mb_height);
(gdb) bt
#0  0x084e7a17 in vc1_decode_frame (avctx=0x91cae20, data=0x91cc860,
got_frame=0xbfffe898, avpkt=0x91cca60)
    at libavcodec/vc1dec.c:883
#1  0x0821b4ea in decode_simple_internal (frame=<optimized out>,
avctx=0x91cae20) at libavcodec/decode.c:335
#2  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:386
#3  decode_receive_frame_internal (avctx=avctx at entry=0x91cae20,
frame=<optimized out>) at libavcodec/decode.c:404
#4  0x0821b947 in avcodec_send_packet (avctx=0x91cae20, avpkt=0xbfffeb2c) at
libavcodec/decode.c:469
#5  0x080a8da5 in decode (pkt=<optimized out>, got_frame=0xbfffeae0,
frame=<optimized out>, avctx=0x91cae20)
    at avtools/avconv.c:1309
#6  decode_video (ist=ist at entry=0x91c9f40, pkt=pkt at entry=0xbfffeb2c,
got_output=got_output at entry=0xbfffeae0, 
    decode_failed=0xbfffeae4) at avtools/avconv.c:1409
#7  0x0809410d in process_input_packet (no_eof=0, pkt=0xbfffeae8,
ist=<optimized out>) at avtools/avconv.c:1528
#8  process_input () at avtools/avconv.c:2724
#9  transcode () at avtools/avconv.c:2766
#10 main (argc=6, argv=0xbffff084) at avtools/avconv.c:2940

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x84e79f7 to 0x84e7a37:
   0x084e79f7 <vc1_decode_frame+6295>:    add    %cl,(%edi)
   0x084e79f9 <vc1_decode_frame+6297>:    test   %bl,%dl
   0x084e79fb <vc1_decode_frame+6299>:    add    %al,(%eax)
   0x084e79fd <vc1_decode_frame+6301>:    add    %cl,0x2d08bd(%ebx)
   0x084e7a03 <vc1_decode_frame+6307>:    add    %al,-0x337af001(%ebp)
   0x084e7a09 <vc1_decode_frame+6313>:    add    %al,(%eax)
   0x084e7a0b <vc1_decode_frame+6315>:    add    %bh,(%ecx)
   0x084e7a0d <vc1_decode_frame+6317>:    je     0x84e7a33
<vc1_decode_frame+6355>
   0x084e7a0f <vc1_decode_frame+6319>:    adc    $0x8b,%al
   0x084e7a11 <vc1_decode_frame+6321>:    cmp    $0x24,%al
   0x084e7a13 <vc1_decode_frame+6323>:    mov    %edi,%edx
   0x084e7a15 <vc1_decode_frame+6325>:    jge    0x84e7a28
<vc1_decode_frame+6344>
=> 0x084e7a17 <vc1_decode_frame+6327>:    mov    (%ebx),%eax
   0x084e7a19 <vc1_decode_frame+6329>:    cltd   
   0x084e7a1a <vc1_decode_frame+6330>:    idiv   %edi
   0x084e7a1c <vc1_decode_frame+6332>:    cmp    %edi,%edx
   0x084e7a1e <vc1_decode_frame+6334>:    cmovg  %edi,%edx
   0x084e7a21 <vc1_decode_frame+6337>:    lea    0x0(%esi,%eiz,1),%esi
   0x084e7a28 <vc1_decode_frame+6344>:    cmp    %edx,%ecx
   0x084e7a2a <vc1_decode_frame+6346>:    mov    %edx,0x31c(%ebp)
   0x084e7a30 <vc1_decode_frame+6352>:    jge    0x84e82fa
<vc1_decode_frame+8602>
   0x084e7a36 <vc1_decode_frame+6358>:    sub    $0xc,%esp
End of assembler dump.

(gdb) info all-registers 
eax            0xb7de6ceb    -1210159893
ecx            0x0    0
edx            0x80    128
ebx            0x18    24
esp            0xbfffe700    0xbfffe700
ebp            0x91c61e0    0x91c61e0
esi            0x0    0
edi            0x80    128
eip            0x84e7a17    0x84e7a17 <vc1_decode_frame+6327>
eflags         0x10282    [ SF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
st0            6.0507017199217102629282827308543347e-15    (raw
0x3fcfd9ffdf8000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            1    (raw 0x3fff8000000000000000)
st4            1    (raw 0x3fff8000000000000000)
st5            1    (raw 0x3fff8000000000000000)
st6            46042878    (raw 0x4018afa3bf8000000000)
st7            10000000    (raw 0x40169896800000000000)
fctrl          0x37f    895
fstat          0x420    1056
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x8095ccf    134831311
foseg          0x0    0
fooff          0x0    0
fop            0x0    0
mxcsr          0x1f80    [ IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x7f <repeats 16 times>, 0x0
<repeats 16 times>}, v16_int16 = {
    0x7f7f, 0x7f7f, 0x7f7f, 0x7f7f, 0x7f7f, 0x7f7f, 0x7f7f, 0x7f7f, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x7f7f7f7f, 0x7f7f7f7f, 0x7f7f7f7f, 0x7f7f7f7f, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x7f7f7f7f7f7f7f7f, 
    0x7f7f7f7f7f7f7f7f, 0x0, 0x0}, v2_int128 =
{0x7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f, 
    0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
mm0            {uint64 = 0xd9ffdf8000000000, v2_int32 = {0x0, 0xd9ffdf80},
v4_int16 = {0x0, 0x0, 0xdf80, 0xd9ff}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x80, 0xdf, 0xff, 0xd9}}
mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}}
mm3            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm4            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm5            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
v4_int16 = {0x0, 0x0, 0x0, 0x8000}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
mm6            {uint64 = 0xafa3bf8000000000, v2_int32 = {0x0, 0xafa3bf80},
v4_int16 = {0x0, 0x0, 0xbf80, 0xafa3}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x80, 0xbf, 0xa3, 0xaf}}
mm7            {uint64 = 0x9896800000000000, v2_int32 = {0x0, 0x98968000},
v4_int16 = {0x0, 0x0, 0x8000, 0x9896}, 
  v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x96, 0x98}}


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
