[libav-bugs] [Bug 1122] New: avconv crashes -- SEGFAULT -- invalid read of size 4 in h264_slice.c

bugzilla at libav.org bugzilla at libav.org
Sun Apr 22 16:49:54 CEST 2018


https://bugzilla.libav.org/show_bug.cgi?id=1122

            Bug ID: 1122
           Summary: avconv crashes -- SEGFAULT -- invalid read of size 4
                    in h264_slice.c
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: general
          Assignee: bugzilla at libav.org
          Reporter: thuanpv at comp.nus.edu.sg

Created attachment 712
  --> https://bugzilla.libav.org/attachment.cgi?id=712&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit & libav revision 39f3b6 (HEAD).

To reproduce:
Download the attached file - libav_crash2.wav
avconv -i libav_crash2.wav -f null -

Error message:

avconv version v13_dev0-1538-g39f3b6f, Copyright (c) 2000-2018 the Libav developers
  built on Apr 21 2018 14:32:15 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.9) 20160609
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] reference overflow (pps)
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x3de8820] error while decoding MB 1 0, bytestream 24
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] reference overflow (pps)
[h264 @ 0x3de8820] top block unavailable for requested intra4x4 mode -1
[h264 @ 0x3de8820] error while decoding MB 0 1, bytestream 2
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] top block unavailable for requested intra4x4 mode -1
[h264 @ 0x3de8820] error while decoding MB 1 0, bytestream 18
[h264 @ 0x3de8820] A non-intra slice in an IDR NAL unit.
[h264 @ 0x3de8820] decode_slice_header error
[h264 @ 0x3de8820] no frame!
[h264 @ 0x3dd7060] Estimating duration from bitrate, this may be inaccurate
Input #0, h264, from 'libav_crash_2.wav':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264
      yuv420p, 32x128
      25 fps, 25 tbn
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[h264 @ 0x3deb700] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x3deb700] error while decoding MB 1 0, bytestream 24
[h264 @ 0x3e53d00] FMO not supported
[h264 @ 0x3e53d00] reference overflow (pps)
[h264 @ 0x3e53d00] top block unavailable for requested intra4x4 mode -1
[h264 @ 0x3e53d00] error while decoding MB 0 1, bytestream 2
[h264 @ 0x3de4bc0] FMO not supported
Segmentation fault (core dumped)

Valgrind says:

==5215== Thread 4:
==5215== Invalid read of size 4
==5215==    at 0x1C7DBDF: ff_h264_queue_decode_slice (h264_slice.c:1784)
==5215==    by 0xDFAAB6: h264_decode_frame (h264dec.c:579)
==5215==    by 0x141AA10: frame_worker_thread (pthread_frame.c:180)
==5215==    by 0x53646B9: start_thread (pthread_create.c:333)
==5215==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==5215== 
==5215== 
==5215== Process terminating with default action of signal 11 (SIGSEGV)
==5215==  Access not within mapped region at address 0x20
==5215==    at 0x1C7DBDF: ff_h264_queue_decode_slice (h264_slice.c:1784)
==5215==    by 0xDFAAB6: h264_decode_frame (h264dec.c:579)
==5215==    by 0x141AA10: frame_worker_thread (pthread_frame.c:180)
==5215==    by 0x53646B9: start_thread (pthread_create.c:333)


ASAN says:

ASAN:DEADLYSIGNAL
=================================================================
==19972==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000001395cd5 bp 0x62e00002aa28 sp 0x7fa71def3af0 T3)
[h264 @ 0x61900001db80] A non-intra slice in an IDR NAL unit.
[h264 @ 0x61900001db80] decode_slice_header error
    #0 0x1395cd4  (/home/thuan/experiments/libav-asan/avconv+0x1395cd4)
    #1 0x9f20d4  (/home/thuan/experiments/libav-asan/avconv+0x9f20d4)
    #2 0xd917e9  (/home/thuan/experiments/libav-asan/avconv+0xd917e9)
    #3 0x7fa721fd76b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #4 0x7fa721d0d41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/thuan/experiments/libav-asan/avconv+0x1395cd4)
Thread T3 created by T0 here:
    #0 0x7fa722741598  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x31598)
    #1 0xd94a39  (/home/thuan/experiments/libav-asan/avconv+0xd94a39)

==19972==ABORTING

Regards,

Thuan
