[libav-bugs] [Bug 1100] Heap buffer overflow on vc1_decode_i_blocks_adv.

bugzilla at libav.org bugzilla at libav.org
Wed Jan 17 02:17:04 CET 2018


https://bugzilla.libav.org/show_bug.cgi?id=1100

--- Comment #2 from Sean McGovern <gseanmcg at gmail.com> ---
valgrind's interpretation:

$ valgrind /build/libav/avconv -i /build/libav/bz1100/heap_vc1_decode_i_blocks_adv.aac -f null -
==23748== Memcheck, a memory error detector
==23748== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23748== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==23748== Command: /build/libav/avconv -i /build/libav/bz1100/heap_vc1_decode_i_blocks_adv.aac -f null -
==23748== 
--23748-- WARNING: Serious error when reading debug info
--23748-- When reading debug info from /build/libav/avconv:
--23748-- get_Form_contents: DW_FORM_strp points outside .debug_str
avconv version v13_dev0-1442-g85e10c0, Copyright (c) 2000-2018 the Libav developers
  built on Jan 16 2018 17:59:25 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.5) 20160609
[mpeg @ 0x742b0c0] Format detected only with low score of 25, misdetection possible!
[mpeg @ 0x742b0c0] Invalid timestamps stream=0, pts=4004220339, dts=4008364198, size=2448
Input #0, mpeg, from '/build/libav/bz1100/heap_vc1_decode_i_blocks_adv.aac':
  Duration: N/A, start: 44491.337100, bitrate: N/A
    Stream #0:0[0xfd5f]: Video: vc1 (Advanced)
      yuv420p, 34x516
      90k tbn
Stream mapping:
  Stream #0:0 -> #0:0 (vc1 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[mpeg @ 0x742b0c0] Invalid timestamps stream=0, pts=4004220339, dts=4008364198, size=2448
[vc1 @ 0x7478b20] warning: first frame is no keyframe
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.1.0
    Stream #0:0: Video: wrapped_avframe
      yuv420p, 34x516, q=2-31, 200 kb/s
      90k tbn
    Metadata:
      encoder         : Lavc58.8.0 wrapped_avframe
[vc1 @ 0x7478b20] Field header damaged
==23748== Invalid write of size 4
==23748==    at 0x864DEA: vc1_decode_i_blocks_adv (vc1_block.c:2778)
==23748==    by 0x871694: ff_vc1_decode_blocks (vc1_block.c:3041)
==23748==    by 0x8800CD: vc1_decode_frame (vc1dec.c:891)
==23748==    by 0x5C7EFA: decode_receive_frame_internal (decode.c:336)
==23748==    by 0x5C82C7: avcodec_send_packet (decode.c:470)
==23748==    by 0x463C7F: decode (avconv.c:1309)
==23748==    by 0x463C7F: decode_video (avconv.c:1409)
==23748==    by 0x44F966: process_input_packet (avconv.c:1528)
==23748==    by 0x44F966: process_input (avconv.c:2756)
==23748==    by 0x44F966: transcode (avconv.c:2798)
==23748==    by 0x44F966: main (avconv.c:2972)
==23748==  Address 0x75239d4 is 0 bytes after a block of size 564 alloc'd
==23748==    at 0x4C2FFC6: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23748==    by 0x4C300D1: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23748==    by 0xB9E66A: av_malloc (mem.c:71)
==23748==    by 0xB8DA35: av_buffer_make_writable (buffer.c:72)
==23748==    by 0x75379A: ff_alloc_picture (mpegpicture.c:46)
==23748==    by 0x756E38: ff_mpv_frame_start (mpegvideo.c:319)
==23748==    by 0x87EA48: vc1_decode_frame (vc1dec.c:796)
==23748==    by 0x5C7EFA: decode_receive_frame_internal (decode.c:336)
==23748==    by 0x5C82C7: avcodec_send_packet (decode.c:470)
==23748==    by 0x463C7F: decode (avconv.c:1309)
==23748==    by 0x463C7F: decode_video (avconv.c:1409)
==23748==    by 0x44F966: process_input_packet (avconv.c:1528)
==23748==    by 0x44F966: process_input (avconv.c:2756)
==23748==    by 0x44F966: transcode (avconv.c:2798)
==23748==    by 0x44F966: main (avconv.c:2972)
==23748== 
frame=    3 fps=  0 q=-0.0 Lsize=       0kB time=46.04 bitrate=   0.0kbits/s    
video:1kB audio:0kB other streams:0kB global headers:0kB muxing overhead: unknown
==23748== 
==23748== HEAP SUMMARY:
==23748==     in use at exit: 0 bytes in 0 blocks
==23748==   total heap usage: 1,329 allocs, 1,329 frees, 1,047,771 bytes allocated
==23748== 
==23748== All heap blocks were freed -- no leaks are possible
==23748== 
==23748== For counts of detected and suppressed errors, rerun with: -v
==23748== ERROR SUMMARY: 3 errors from 1 contexts (suppressed: 0 from 0)
