[libav-bugs] Bug Report when using avconv (Version libav-12.3)

mijeff bit_wen at 163.com
Sun Nov 24 10:29:41 CET 2019


I built libav-12.3 with the clang-asan option, and when I ran the command “avconv -i input_file”, avconv crashed.

The crashing input file is the mail attachment.

The full, uncut console output provided by “avconv -v 9 -loglevel 99 -i” is as follows:

avconv version v0.2-93-ge26a9ab, Copyright (c) 2000-2018 the Libav developers

  built on Nov 22 2019 10:34:17 with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)

  configuration: --toolchain=clang-asan

  libavutil     55. 20. 0 / 55. 20. 0

  libavcodec    57. 25. 0 / 57. 25. 0

  libavformat   57.  7. 2 / 57.  7. 2

  libavdevice   56.  1. 0 / 56.  1. 0

  libavfilter    6.  7. 0 /  6.  7. 0

  libavresample  3.  0. 0 /  3.  0. 0

  libswscale     4.  0. 0 /  4.  0. 0

Splitting the commandline.

Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.

Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.

Reading option '-i' ... matched as input file with argument 'input_file'.

Finished splitting the commandline.

Parsing a group of options: global .

Applying option v (set libav* logging level) with argument 9.

Successfully parsed a group of options.

Parsing a group of options: input file input_file.

Successfully parsed a group of options.

Opening an input file: input_file.

score: 1, dvhs_score: 1, fec_score: 1 

nsv_probe(), buf_size 2048

[h264 @ 0x61a00001f280] Probed with size=2048 and score=51

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] sps_id 0 out of range

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] sps_id 0 out of range

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] nal_unit_type: 5, nal_ref_idc: 2

[h264 @ 0x61900001ea80] A non-intra slice in an IDR NAL unit.

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] no frame!

[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 2

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

[h264 @ 0x61900001ea80] sps_id 0 out of range

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] no frame!

[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 2

    Last message repeated 1 times

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] sps_id 0 out of range

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] no frame!

[h264 @ 0x61900001ea80] nal_unit_type: 5, nal_ref_idc: 2

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

[h264 @ 0x61900001ea80] A non-intra slice in an IDR NAL unit.

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] non-existing PPS 0 referenced

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] no frame!

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 2

[h264 @ 0x61900001ea80] nal_unit_type: 16, nal_ref_idc: 0

[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 2

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

[h264 @ 0x61900001ea80] Unknown NAL code: 16 (143 bits)

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] non-existing PPS 2 referenced

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] no frame!

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] sps_id 23 out of range

[h264 @ 0x61900001ea80] sps_id 25 out of range

    Last message repeated 1 times

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 2

    Last message repeated 4 times

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

    Last message repeated 1 times

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] sps_id 23 out of range

[h264 @ 0x61900001ea80] sps_id 25 out of range

    Last message repeated 1 times

[h264 @ 0x61900001ea80] Reinit context to 192x2064, pix_fmt: 13

[h264 @ 0x61900001ea80] Frame num gap 14 11

[h264 @ 0x61900001ea80] Frame num gap 14 12

[h264 @ 0x61900001ea80] no picture

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] sps_id 23 out of range

[h264 @ 0x61900001ea80] sps_id 25 out of range

IN delayed:1 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:1/2 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 2

    Last message repeated 3 times

[h264 @ 0x61900001ea80] nal_unit_type: 5, nal_ref_idc: 2

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] sps_id 23 out of range

[h264 @ 0x61900001ea80] sps_id 25 out of range

[h264 @ 0x61900001ea80] A non-intra slice in an IDR NAL unit.

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] non-existing PPS 0 referenced

[h264 @ 0x61900001ea80] decode_slice_header error

[h264 @ 0x61900001ea80] no frame!

[h264 @ 0x61900001ea80] Reducing left cropping to 0 chroma samples to preserve alignment.

[h264 @ 0x61900001ea80] sps_id 25 out of range

    Last message repeated 2 times

IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:0/2 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

IN delayed:1 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00

OUTdelayed:1/2 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0

[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 2

[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 2

    Last message repeated 3 times

[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 0

    Last message repeated 1 times

[h264 @ 0x61900001ea80] Reducing left cropping to 0 chroma samples to preserve alignment.

[h264 @ 0x61900001ea80] sps_id 25 out of range

    Last message repeated 2 times

[h264 @ 0x61900001ea80] Reinit context to 256x1024, pix_fmt: 13

[h264 @ 0x61900001ea80] Frame num gap 14 11

[h264 @ 0x61900001ea80] Frame num gap 14 12

[h264 @ 0x61900001ea80] no picture

[h264 @ 0x61900001ea80] Missing reference picture

=================================================================

==32452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8f8a835770 at pc 0x0000018ec53c bp 0x7ffd2907c8e0 sp 0x7ffd2907c8d8

READ of size 1 at 0x7f8f8a835770 thread T0

    #0 0x18ec53b  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x18ec53b)

    #1 0x18ec952  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x18ec952)

    #2 0x1822198  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1822198)

    #3 0x1876676  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1876676)

    #4 0x18752ae  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x18752ae)

    #5 0xabd70f  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0xabd70f)

    #6 0x1302d1a  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1302d1a)

    #7 0x1304dd1  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1304dd1)

    #8 0x7d3e16  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x7d3e16)

    #9 0x7cf410  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x7cf410)

    #10 0x4f6d70  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x4f6d70)

    #11 0x4f5f77  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x4f5f77)

    #12 0x4f59f0  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x4f59f0)

    #13 0x51160d  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x51160d)

    #14 0x7f8f8d03382f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    #15 0x41a708  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x41a708)

0x7f8f8a835770 is located 144 bytes to the left of 131344-byte region [0x7f8f8a835800,0x7f8f8a855910)

allocated by thread T0 here:

    #0 0x4bb110  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x4bb110)

    #1 0x1e490ae  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1e490ae)

    #2 0x1e22312  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1e22312)

    #3 0x1e23f51  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1e23f51)

    #4 0x12faaa1  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x12faaa1)

    #5 0x12fd0c8  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x12fd0c8)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x18ec53b) 

Shadow bytes around the buggy address:

  0x0ff2714fea90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0ff2714feaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0ff2714feab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0ff2714feac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0ff2714fead0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0ff2714feae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa

  0x0ff2714feaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0ff2714feb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0ff2714feb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0ff2714feb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0ff2714feb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Heap right redzone:      fb

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack partial redzone:   f4

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==32452==ABORTING


-------------- next part --------------
A non-text attachment was scrubbed...
Name: input_file
Type: application/octet-stream
Size: 21971 bytes
Desc: not available
URL: <http://lists.libav.org/pipermail/libav-bugs/attachments/20191124/e1022031/attachment-0001.obj>
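The ASan report above has no symbols (the frames are bare `avconv+0x...` offsets), so the first thing a triager needs is to check what the report actually says and turn the frame offsets into source locations. The script below is an added triage helper, not part of the bug report or of libav. It parses a constructed excerpt of the report (the numbers are copied from the mail above), computes where the faulting address sits relative to the 131344-byte allocation, recomputes the x86-64 shadow address with the default ASan mapping (shadow = (addr >> 3) + 0x7fff8000) and checks that it lands on the exact byte ASan bracketed in the shadow dump, and finally emits `addr2line` commands for the frames. The `addr2line` route assumes the `avconv` binary was built with debug info and not stripped; rerunning with `ASAN_OPTIONS=symbolize=1` and `ASAN_SYMBOLIZER_PATH` pointing at `llvm-symbolizer` is the alternative when the binary is still at hand.

```python
"""Triage helper for an unsymbolized AddressSanitizer report (added example).

Not code from the original report or from libav. REPORT is a constructed
excerpt of the mail above; SHADOW_* are the default x86-64 ASan constants.
"""
import re

# Constructed excerpt: only the lines this script needs, values copied from
# the report in the mail above.
REPORT = """\
==32452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8f8a835770 at pc 0x0000018ec53c bp 0x7ffd2907c8e0 sp 0x7ffd2907c8d8
READ of size 1 at 0x7f8f8a835770 thread T0
    #0 0x18ec53b  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x18ec53b)
    #1 0x18ec952  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x18ec952)
    #2 0x1822198  (/home/mijeff/Desktop/libav/libav-12.3/mybuild/avconv+0x1822198)
0x7f8f8a835770 is located 144 bytes to the left of 131344-byte region [0x7f8f8a835800,0x7f8f8a855910)
=>0x0ff2714feae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
"""

# Default ASan shadow mapping on x86-64 Linux: shadow = (addr >> 3) + 0x7fff8000.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

# Subset of the shadow-byte legend ASan prints at the end of every report.
SHADOW_LEGEND = {
    "00": "addressable",
    "fa": "heap left redzone",
    "fb": "heap right redzone",
    "fd": "freed heap region",
}


def parse_fault(report):
    """Bug class, faulting address, access type and size from the header."""
    head = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    return {"kind": head.group(1), "addr": int(head.group(2), 16),
            "access": acc.group(1), "size": int(acc.group(2))}


def parse_region(report):
    """(start, end) of the heap region ASan relates the address to."""
    m = re.search(r"\d+-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    return int(m.group(1), 16), int(m.group(2), 16)


def offset_from_region(addr, region):
    """Negative: bytes before the allocation (underflow); positive: past its end."""
    lo, hi = region
    if addr < lo:
        return addr - lo
    if addr >= hi:
        return addr - hi
    return 0


def shadow_row_and_column(addr):
    """Shadow-dump row (16 shadow bytes per row) and column for an address."""
    shadow = (addr >> SHADOW_SCALE) + SHADOW_OFFSET
    return shadow & ~0xF, shadow & 0xF


def parse_marked_shadow(report):
    """Row address, the 16 shadow bytes, and the index ASan bracketed."""
    m = re.search(r"^=>(0x[0-9a-f]+): (.*)$", report, re.M)
    tokens = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
    cells = [t.strip("[]") for t in tokens]
    marked = next(i for i, t in enumerate(tokens) if t.startswith("["))
    return int(m.group(1), 16), cells, marked


def parse_frames(report):
    """[(frame number, module path, module offset)] for every stack frame."""
    return re.findall(r"#(\d+) 0x[0-9a-f]+\s+\((\S+)\+(0x[0-9a-f]+)\)", report)


def addr2line_commands(frames):
    """Shell commands that map each module offset to function/file:line."""
    return ["addr2line -e %s -f -C -i %s" % (path, off) for _, path, off in frames]


def triage(report):
    """Cross-check the report and describe the faulting shadow byte."""
    fault = parse_fault(report)
    region = parse_region(report)
    row, col = shadow_row_and_column(fault["addr"])
    dump_row, cells, marked = parse_marked_shadow(report)
    consistent = (row == dump_row and col == marked)
    return {"offset": offset_from_region(fault["addr"], region),
            "shadow_consistent": consistent,
            "shadow_byte": cells[marked],
            "meaning": SHADOW_LEGEND.get(cells[marked], "other"),
            "symbolize": addr2line_commands(parse_frames(report))}


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(key, value)
```

For this report the helper confirms a one-byte read 144 bytes before the start of a 131344-byte heap block, that the bracketed shadow byte is exactly the one the default mapping predicts for 0x7f8f8a835770, and that it is `fa` (heap left redzone), i.e. an under-read rather than an overrun past the end. Which libav function performs that read is not determinable from the unsymbolized trace; run the printed `addr2line` commands against the same `mybuild/avconv` binary to find out.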
