[libav-bugs] [Bug 1101] New: Segmentation fault on ff_vc1_mc_4mv_chroma4.

bugzilla at libav.org bugzilla at libav.org
Fri Nov 17 07:13:30 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1101

            Bug ID: 1101
           Summary: Segmentation fault on ff_vc1_mc_4mv_chroma4.
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: mgcho.minic at gmail.com

Created attachment 697
  --> https://bugzilla.libav.org/attachment.cgi?id=697&action=edit
poc file

Triggered by "./avconv -i $POC -f null -"

Segmentation fault in ff_vc1_mc_4mv_chroma4 (the faulting instruction itself is in ff_emu_edge_vfix5_mmx, which ff_vc1_mc_4mv_chroma4 calls through s->vdsp.emulated_edge_mc).

Test environment:

avconv version v13_dev0-1400-gb72ac6d, Copyright (c) 2000-2017 the Libav
developers
  built on Nov 14 2017 01:13:43 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
20160609


The GDB debugging information is as follows:

Program received signal SIGSEGV, Segmentation fault.
0x0875b1f3 in ff_emu_edge_vfix5_mmx.body_loop ()

(gdb) bt
#0  0x0875b1f3 in ff_emu_edge_vfix5_mmx.body_loop ()
#1  0x00000005 in ?? ()
#2  0x00000000 in ?? ()

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x875b1d3 to 0x875b213:
   0x0875b1d3 <ff_emu_edge_vfix5_mmx+19>: je     0x875b1f9
<ff_emu_edge_vfix5_mmx.body_loop+6>
   0x0875b1d5 <ff_emu_edge_vfix5_mmx+21>: and    $0x29,%al
   0x0875b1d7 <ff_emu_edge_vfix5_mmx+23>: fisubr (%ecx)
   0x0875b1d9 <ff_emu_edge_vfix5_mmx+25>: roll   %cl,0xf1574d2(%ebp)
   0x0875b1df <ff_emu_edge_vfix5_mmx+31>: outsb  %ds:(%esi),(%dx)
   0x0875b1e0 <ff_emu_edge_vfix5_mmx+32>: add    %ecx,(%edi)
   0x0875b1e2 <ff_emu_edge_vfix5_mmx+34>: outsb  %ds:(%esi),(%dx)
   0x0875b1e3 <ff_emu_edge_vfix5_mmx+35>: dec    %ecx
   0x0875b1e4 <ff_emu_edge_vfix5_mmx+36>: add    %ecx,(%edi)
   0x0875b1e6 <ff_emu_edge_vfix5_mmx.top_loop+1>: jle    0x875b1e8
<ff_emu_edge_vfix5_mmx.top_loop+3>
   0x0875b1e8 <ff_emu_edge_vfix5_mmx.top_loop+3>: movd   %mm1,0x1(%eax)
   0x0875b1ec <ff_emu_edge_vfix5_mmx.top_loop+7>: add    0x14(%esp),%eax
   0x0875b1f0 <ff_emu_edge_vfix5_mmx.top_loop+11>:  dec    %edx
   0x0875b1f1 <ff_emu_edge_vfix5_mmx.top_loop+12>:  jne    0x875b1e5
<ff_emu_edge_vfix5_mmx.top_loop>
=> 0x0875b1f3 <ff_emu_edge_vfix5_mmx.body_loop+0>:  movd   (%ecx),%mm0
   0x0875b1f6 <ff_emu_edge_vfix5_mmx.body_loop+3>:  movd   0x1(%ecx),%mm1
   0x0875b1fa <ff_emu_edge_vfix5_mmx.body_loop+7>:  movd   %mm0,(%eax)
   0x0875b1fd <ff_emu_edge_vfix5_mmx.body_loop+10>: movd   %mm1,0x1(%eax)
   0x0875b201 <ff_emu_edge_vfix5_mmx.body_loop+14>: add    0x14(%esp),%eax
   0x0875b205 <ff_emu_edge_vfix5_mmx.body_loop+18>: add    0x18(%esp),%ecx
   0x0875b209 <ff_emu_edge_vfix5_mmx.body_loop+22>: dec    %ebx
   0x0875b20a <ff_emu_edge_vfix5_mmx.body_loop+23>: jne    0x875b1f3
<ff_emu_edge_vfix5_mmx.body_loop>
   0x0875b20c <ff_emu_edge_vfix5_mmx.body_loop+25>: test   %esi,%esi
   0x0875b20e <ff_emu_edge_vfix5_mmx.body_loop+27>: je     0x875b229
<ff_emu_edge_vfix5_mmx.end>
   0x0875b210 <ff_emu_edge_vfix5_mmx.body_loop+29>: sub    0x18(%esp),%ecx
End of assembler dump.

(gdb) info all-registers 
eax            0x91e6640  152987200
ecx            0x2008 8200
edx            0x0  0
ebx            0x7  7
esp            0xbfffe484 0xbfffe484
ebp            0xa  0xa
esi            0x3  3
edi            0x0  0
eip            0x875b1f3  0x875b1f3 <ff_emu_edge_vfix5_mmx.body_loop>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
st0            -nan(0x7a76716d6d71767a) (raw 0xffff7a76716d6d71767a)
st1            -nan(0x7a00760071006d) (raw 0xffff007a00760071006d)
st2            -nan(0x6d71767a7a76716d) (raw 0xffff6d71767a7a76716d)
st3            -nan(0x6d00710076007a) (raw 0xffff006d00710076007a)
st4            -nan(0x6d71767a7a76716d) (raw 0xffff6d71767a7a76716d)
st5            -nan(0x6d00710076007a) (raw 0xffff006d00710076007a)
st6            -nan(0x7a76716d6d71767a) (raw 0xffff7a76716d6d71767a)
st7            -nan(0x7a00760071006d) (raw 0xffff007a00760071006d)
fctrl          0x37f  895
fstat          0x4020 16416
ftag           0xaaaa 43690
fiseg          0x0  0
fioff          0x8095ccf  134831311
foseg          0x0  0
fooff          0x0  0
fop            0x0  0
mxcsr          0x1f80 [ IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 =
{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 =
{0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 24
times>}, v16_int16 = {0x0, 0x0, 0xffff, 
    0xffff, 0x0 <repeats 12 times>}, v8_int32 = {0x0, 0xffffffff, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int64 = {
---Type <return> to continue, or q <return> to quit---
    0xffffffff00000000, 0x0, 0x0, 0x0}, v2_int128 =
{0x0000000000000000ffffffff00000000, 
    0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x70, 0x72, 0x6f, 0x74, 0x6f,
0x63, 0x6f, 0x6c, 0x5f, 0x77, 0x68, 0x69, 
    0x74, 0x65, 0x6c, 0x69, 0x0 <repeats 16 times>}, v16_int16 = {0x7270,
0x746f, 0x636f, 0x6c6f, 0x775f, 0x6968, 
    0x6574, 0x696c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 =
{0x746f7270, 0x6c6f636f, 0x6968775f, 0x696c6574, 
    0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x6c6f636f746f7270, 0x696c65746968775f,
0x0, 0x0}, v2_int128 = {
    0x696c65746968775f6c6f636f746f7270, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 
    0xbd, 0x41, 0x0, 0xc, 0xf9, 0xac, 0xc, 0xc, 0xc, 0xc, 0xc, 0xd, 0xf9, 0x56,
0x6, 0x0 <repeats 16 times>}, 
  v16_int16 = {0xbd00, 0x41, 0xf90c, 0xcac, 0xc0c, 0xc0c, 0xf90d, 0x656, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  v8_int32 = {0x41bd00, 0xcacf90c, 0xc0c0c0c, 0x656f90d, 0x0, 0x0, 0x0, 0x0},
v4_int64 = {0xcacf90c0041bd00, 
    0x656f90d0c0c0c0c, 0x0, 0x0}, v2_int128 =
{0x0656f90d0c0c0c0c0cacf90c0041bd00, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0xfffffffa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x0, 0x0, 0x0}, 
  v32_int8 = {0x12, 0x61, 0xce, 0xc0, 0x1b, 0xab, 0xf6, 0xaf, 0xaf, 0xaf, 0xaf,
0xaf, 0xaf, 0xaf, 0xaf, 0xaf, 
    0x0 <repeats 16 times>}, v16_int16 = {0x6112, 0xc0ce, 0xab1b, 0xaff6,
0xafaf, 0xafaf, 0xafaf, 0xafaf, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xc0ce6112, 0xaff6ab1b, 0xafafafaf,
0xafafafaf, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xaff6ab1bc0ce6112, 0xafafafafafafafaf, 0x0, 0x0}, v2_int128 =
{0xafafafafafafafafaff6ab1bc0ce6112, 
    0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xaf, 
    0xaf, 0xaf, 0xaf, 0xaf, 0xbe <repeats 11 times>, 0x0 <repeats 16 times>},
v16_int16 = {0xafaf, 0xafaf, 0xbeaf, 
    0xbebe, 0xbebe, 0xbebe, 0xbebe, 0xbebe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, v8_int32 = {0xafafafaf, 0xbebebeaf, 
    0xbebebebe, 0xbebebebe, 0x0, 0x0, 0x0, 0x0}, v4_int64 =
{0xbebebeafafafafaf, 0xbebebebebebebebe, 0x0, 0x0}, 
  v2_int128 = {0xbebebebebebebebebebebeafafafafaf,
0x00000000000000000000000000000000}}
ymm6           {v8_float = {0x0, 0x0, 0x0, 0x12eec000, 0x0, 0x0, 0x0, 0x0},
v4_double = {0x0, 0x8000000000000000, 0x0, 
    0x0}, v32_int8 = {0xbe, 0xbe, 0xbe, 0xbe, 0xbe, 0xbe, 0xc4, 0x2b, 0xd2,
0x30, 0xa0, 0x95, 0xbb, 0x4b, 0x50, 0x52, 
    0x0 <repeats 16 times>}, v16_int16 = {0xbebe, 0xbebe, 0xbebe, 0x2bc4,
0x30d2, 0x95a0, 0x4bbb, 0x5250, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xbebebebe, 0x2bc4bebe, 0x95a030d2,
0x52504bbb, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0x2bc4bebebebebebe, 0x52504bbb95a030d2, 0x0, 0x0}, v2_int128 =
{0x52504bbb95a030d22bc4bebebebebebe, 
    0x00000000000000000000000000000000}}
ymm7           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double
= {0x8000000000000000, 0x0, 0x0, 0x0}, 
  v32_int8 = {0xc6, 0x5, 0x78, 0x16, 0x3b, 0x25, 0x1, 0xdc, 0x74, 0x25, 0xd2,
0x10, 0x65, 0x87, 0x9, 0x8, 
    0x0 <repeats 16 times>}, v16_int16 = {0x5c6, 0x1678, 0x253b, 0xdc01,
0x2574, 0x10d2, 0x8765, 0x809, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x167805c6, 0xdc01253b, 0x10d22574,
0x8098765, 0x0, 0x0, 0x0, 0x0}, 
  v4_int64 = {0xdc01253b167805c6, 0x809876510d22574, 0x0, 0x0}, v2_int128 =
{0x0809876510d22574dc01253b167805c6, 
    0x00000000000000000000000000000000}}
mm0            {uint64 = 0x7a76716d6d71767a, v2_int32 = {0x6d71767a,
0x7a76716d}, v4_int16 = {0x767a, 0x6d71, 0x716d, 
    0x7a76}, v8_int8 = {0x7a, 0x76, 0x71, 0x6d, 0x6d, 0x71, 0x76, 0x7a}}
mm1            {uint64 = 0x7a00760071006d, v2_int32 = {0x71006d, 0x7a0076},
v4_int16 = {0x6d, 0x71, 0x76, 0x7a}, 
---Type <return> to continue, or q <return> to quit---
  v8_int8 = {0x6d, 0x0, 0x71, 0x0, 0x76, 0x0, 0x7a, 0x0}}
mm2            {uint64 = 0x6d71767a7a76716d, v2_int32 = {0x7a76716d,
0x6d71767a}, v4_int16 = {0x716d, 0x7a76, 0x767a, 
    0x6d71}, v8_int8 = {0x6d, 0x71, 0x76, 0x7a, 0x7a, 0x76, 0x71, 0x6d}}
mm3            {uint64 = 0x6d00710076007a, v2_int32 = {0x76007a, 0x6d0071},
v4_int16 = {0x7a, 0x76, 0x71, 0x6d}, 
  v8_int8 = {0x7a, 0x0, 0x76, 0x0, 0x71, 0x0, 0x6d, 0x0}}
mm4            {uint64 = 0x6d71767a7a76716d, v2_int32 = {0x7a76716d,
0x6d71767a}, v4_int16 = {0x716d, 0x7a76, 0x767a, 
    0x6d71}, v8_int8 = {0x6d, 0x71, 0x76, 0x7a, 0x7a, 0x76, 0x71, 0x6d}}
mm5            {uint64 = 0x6d00710076007a, v2_int32 = {0x76007a, 0x6d0071},
v4_int16 = {0x7a, 0x76, 0x71, 0x6d}, 
  v8_int8 = {0x7a, 0x0, 0x76, 0x0, 0x71, 0x0, 0x6d, 0x0}}
mm6            {uint64 = 0x7a76716d6d71767a, v2_int32 = {0x6d71767a,
0x7a76716d}, v4_int16 = {0x767a, 0x6d71, 0x716d, 
    0x7a76}, v8_int8 = {0x7a, 0x76, 0x71, 0x6d, 0x6d, 0x71, 0x76, 0x7a}}
mm7            {uint64 = 0x7a00760071006d, v2_int32 = {0x71006d, 0x7a0076},
v4_int16 = {0x6d, 0x71, 0x76, 0x7a}, 
  v8_int8 = {0x6d, 0x0, 0x71, 0x0, 0x76, 0x0, 0x7a, 0x0}}


GDB information at the breakpoint immediately before the crash (the emulated_edge_mc call at vc1_mc.c:732):

Breakpoint 1, 0x084e12a1 in ff_vc1_mc_4mv_chroma4 (v=0x91c69e0, dir=0, dir2=0,
avg=0) at libavcodec/vc1_mc.c:732
732             s->vdsp.emulated_edge_mc(s->sc.edge_emu_buffer, srcU,
(gdb) bt
#0  0x084e12a1 in ff_vc1_mc_4mv_chroma4 (v=0x91c69e0, dir=0, dir2=0, avg=0) at
libavcodec/vc1_mc.c:732
#1  0x084d112a in vc1_decode_p_mb_intfr (v=v at entry=0x91c69e0) at
libavcodec/vc1_block.c:1743
#2  0x084d9869 in vc1_decode_p_blocks (v=0x91c69e0) at
libavcodec/vc1_block.c:2901
#3  ff_vc1_decode_blocks (v=0x91c69e0) at libavcodec/vc1_block.c:3049
#4  0x084e7a3f in vc1_decode_frame (avctx=0x91cc480, data=0x91caa00,
got_frame=0xbfffe898, avpkt=0x91cac20)
    at libavcodec/vc1dec.c:890
#5  0x0821b4ea in decode_simple_internal (frame=<optimized out>,
avctx=0x91cc480) at libavcodec/decode.c:335
#6  decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>)
at libavcodec/decode.c:386
#7  decode_receive_frame_internal (avctx=avctx at entry=0x91cc480,
frame=<optimized out>) at libavcodec/decode.c:404
#8  0x0821b947 in avcodec_send_packet (avctx=0x91cc480, avpkt=0xbfffeb2c) at
libavcodec/decode.c:469
#9  0x080a8da5 in decode (pkt=<optimized out>, got_frame=0xbfffeae0,
frame=<optimized out>, avctx=0x91cc480)
    at avtools/avconv.c:1309
#10 decode_video (ist=ist at entry=0x91cb200, pkt=pkt at entry=0xbfffeb2c,
got_output=got_output at entry=0xbfffeae0, 
    decode_failed=0xbfffeae4) at avtools/avconv.c:1409
#11 0x0809410d in process_input_packet (no_eof=0, pkt=0xbfffeae8,
ist=<optimized out>) at avtools/avconv.c:1528
#12 process_input () at avtools/avconv.c:2724
#13 transcode () at avtools/avconv.c:2766
#14 main (argc=6, argv=0xbffff084) at avtools/avconv.c:2940
(gdb) set disassembly-flavor att
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x84e1281 to 0x84e12c1:
   0x084e1281 <ff_vc1_mc_4mv_chroma4+1601>: enter  $0x2,$0x0
   0x084e1285 <ff_vc1_mc_4mv_chroma4+1605>: sar    %edx
   0x084e1287 <ff_vc1_mc_4mv_chroma4+1607>: push   %edx
   0x084e1288 <ff_vc1_mc_4mv_chroma4+1608>: push   %ebp
   0x084e1289 <ff_vc1_mc_4mv_chroma4+1609>: mov    0x44(%esp),%ebx
   0x084e128d <ff_vc1_mc_4mv_chroma4+1613>: push   %ebx
   0x084e128e <ff_vc1_mc_4mv_chroma4+1614>: mov    0x50(%esp),%esi
   0x084e1292 <ff_vc1_mc_4mv_chroma4+1618>: push   %esi
   0x084e1293 <ff_vc1_mc_4mv_chroma4+1619>: push   $0x5
   0x084e1295 <ff_vc1_mc_4mv_chroma4+1621>: push   %eax
   0x084e1296 <ff_vc1_mc_4mv_chroma4+1622>: push   %eax
   0x084e1297 <ff_vc1_mc_4mv_chroma4+1623>: pushl  0x38(%esp)
   0x084e129b <ff_vc1_mc_4mv_chroma4+1627>: pushl  0x654(%edi)
=> 0x084e12a1 <ff_vc1_mc_4mv_chroma4+1633>: call   *0xb80(%edi)
   0x084e12a7 <ff_vc1_mc_4mv_chroma4+1639>: add    $0x28,%esp
   0x084e12aa <ff_vc1_mc_4mv_chroma4+1642>: mov    0x2d8(%edi),%edx
   0x084e12b0 <ff_vc1_mc_4mv_chroma4+1648>: pushl  0x28(%esp)
   0x084e12b4 <ff_vc1_mc_4mv_chroma4+1652>: mov    0x2c8(%edi),%eax
   0x084e12ba <ff_vc1_mc_4mv_chroma4+1658>: sar    %eax
   0x084e12bc <ff_vc1_mc_4mv_chroma4+1660>: push   %eax
   0x084e12bd <ff_vc1_mc_4mv_chroma4+1661>: push   %ebp
   0x084e12be <ff_vc1_mc_4mv_chroma4+1662>: push   %ebx
   0x084e12bf <ff_vc1_mc_4mv_chroma4+1663>: push   %esi
   0x084e12c0 <ff_vc1_mc_4mv_chroma4+1664>: push   $0x5
End of assembler dump.
(gdb) info all-registers 
eax            0x20 32
ecx            0x1  1
edx            0x18 24
ebx            0x8  8
esp            0xbfffe4f0 0xbfffe4f0
ebp            0x100  0x100
esi            0xa  10
edi            0x91c69e0  152857056
eip            0x84e12a1  0x84e12a1 <ff_vc1_mc_4mv_chroma4+1633>
eflags         0x206  [ PF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
st0            -nan(0x7a76716d6d71767a) (raw 0xffff7a76716d6d71767a)
st1            -nan(0x7a00760071006d) (raw 0xffff007a00760071006d)
st2            -nan(0x6d71767a7a76716d) (raw 0xffff6d71767a7a76716d)
st3            -nan(0x6d00710076007a) (raw 0xffff006d00710076007a)
st4            -nan(0x6d71767a7a76716d) (raw 0xffff6d71767a7a76716d)
st5            -nan(0x6d00710076007a) (raw 0xffff006d00710076007a)
st6            -nan(0x7a76716d6d71767a) (raw 0xffff7a76716d6d71767a)
st7            -nan(0x7a00760071006d) (raw 0xffff007a00760071006d)
fctrl          0x37f  895
fstat          0x4020 16416
ftag           0xaaaa 43690
fiseg          0x0  0
fioff          0x8095ccf  134831311
foseg          0x0  0
fooff          0x0  0
fop            0x0  0
mxcsr          0x1f80 [ IM DM ZM OM UM PM ]

(gdb) si
emulated_edge_mc_sse2 (buf=0x91e6640 "", src=0x2008 <error: Cannot access
memory at address 0x2008>, buf_stride=32, 
    src_stride=32, block_w=5, block_h=10, src_x=8, src_y=256, w=24, h=263) at
libavcodec/x86/videodsp_init.c:233
233 {

Note on the arguments above: src == 0x2008 is exactly src_y * src_stride + src_x = 256 * 32 + 8, so the source plane base pointer (srcU) that ff_vc1_mc_4mv_chroma4 computed this from appears to have been NULL; the crash is then the first read through that pointer (movd (%ecx),%mm0 with ecx = 0x2008 in the register dump above). That suggests motion compensation ran against a reference picture whose chroma plane was never allocated/decoded, rather than a fault in the edge-emulation code itself.



ASAN output:

==17198==ERROR: AddressSanitizer: SEGV on unknown address 0x00001808 (pc
0xb7653012 bp 0xbfeb01f8 sp 0xbfeafd98 T0)
    #0 0xb7653011 
/build/glibc-KM3i_a/glibc-2.23/string/../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:664
    #1 0x8116e1a in __asan_memcpy
(/home/min/fuzzing/program/libav-fast/bin/avconv+0x8116e1a)
    #2 0x91e3c4f in ff_emulated_edge_mc_8
/home/min/fuzzing/src/libav-12/libavcodec/videodsp_template.c:69:9
    #3 0x91acc11 in ff_vc1_mc_4mv_chroma4
/home/min/fuzzing/src/libav-12/libavcodec/vc1_mc.c:732:13
    #4 0x91567a9 in vc1_decode_p_mb_intfr
/home/min/fuzzing/src/libav-12/libavcodec/vc1_block.c:1743:17
    #5 0x91567a9 in vc1_decode_p_blocks
/home/min/fuzzing/src/libav-12/libavcodec/vc1_block.c:2901
    #6 0x91c8be2 in vc1_decode_frame
/home/min/fuzzing/src/libav-12/libavcodec/vc1dec.c:890:13
    #7 0x90eaefd in avcodec_decode_video2
/home/min/fuzzing/src/libav-12/libavcodec/utils.c:1588:19
    #8 0x90edc31 in do_decode
/home/min/fuzzing/src/libav-12/libavcodec/utils.c:1727:15
    #9 0x90ed7f2 in avcodec_send_packet
/home/min/fuzzing/src/libav-12/libavcodec/utils.c:1804:12
    #10 0x81a6d10 in decode /home/min/fuzzing/src/libav-12/avconv.c:1295:15
    #11 0x81a6d10 in decode_video /home/min/fuzzing/src/libav-12/avconv.c:1391
    #12 0x81a6d10 in process_input_packet
/home/min/fuzzing/src/libav-12/avconv.c:1503
    #13 0x8199ea6 in process_input
/home/min/fuzzing/src/libav-12/avconv.c:2673:5
    #14 0x8199ea6 in transcode /home/min/fuzzing/src/libav-12/avconv.c:2715
    #15 0x8199ea6 in main /home/min/fuzzing/src/libav-12/avconv.c:2888
    #16 0xb7544636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x8089b17 in _start
(/home/min/fuzzing/program/libav-fast/bin/avconv+0x8089b17)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/glibc-KM3i_a/glibc-2.23/string/../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:664


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
