<html>
    <head>
      <base href="https://bugzilla.libav.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - avconv crashes -- SEGFAULT -- invalid read of size 4 in h264_slice.c"
   href="https://bugzilla.libav.org/show_bug.cgi?id=1122">1122</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>avconv crashes -- SEGFAULT -- invalid read of size 4 in h264_slice.c
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Libav
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git HEAD
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugzilla@libav.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>thuanpv@comp.nus.edu.sg
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=712" name="attach_712" title="crash-inducing sample file">attachment 712</a> <a href="attachment.cgi?id=712&action=edit" title="crash-inducing sample file">[details]</a></span>
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit & libav revision 39f3b6 (HEAD)

To reproduce:
Download the attached file - libav_crash2.wav
avconv -i libav_crash2.wav -f null -

Error message:

avconv version v13_dev0-1538-g39f3b6f, Copyright (c) 2000-2018 the Libav
developers
  built on Apr 21 2018 14:32:15 with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
20160609
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] reference overflow (pps)
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x3de8820] error while decoding MB 1 0, bytestream 24
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] reference overflow (pps)
[h264 @ 0x3de8820] top block unavailable for requested intra4x4 mode -1
[h264 @ 0x3de8820] error while decoding MB 0 1, bytestream 2
[h264 @ 0x3de8820] FMO not supported
[h264 @ 0x3de8820] top block unavailable for requested intra4x4 mode -1
[h264 @ 0x3de8820] error while decoding MB 1 0, bytestream 18
[h264 @ 0x3de8820] A non-intra slice in an IDR NAL unit.
[h264 @ 0x3de8820] decode_slice_header error
[h264 @ 0x3de8820] no frame!
[h264 @ 0x3dd7060] Estimating duration from bitrate, this may be inaccurate
Input #0, h264, from 'libav_crash_2.wav':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264
      yuv420p, 32x128
      25 fps, 25 tbn
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> wrapped_avframe (native))
Press ctrl-c to stop encoding
[h264 @ 0x3deb700] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x3deb700] error while decoding MB 1 0, bytestream 24
[h264 @ 0x3e53d00] FMO not supported
[h264 @ 0x3e53d00] reference overflow (pps)
[h264 @ 0x3e53d00] top block unavailable for requested intra4x4 mode -1
[h264 @ 0x3e53d00] error while decoding MB 0 1, bytestream 2
[h264 @ 0x3de4bc0] FMO not supported
Segmentation fault (core dumped)

Valgrind says:

==5215== Thread 4:
==5215== Invalid read of size 4
==5215==    at 0x1C7DBDF: ff_h264_queue_decode_slice (h264_slice.c:1784)
==5215==    by 0xDFAAB6: h264_decode_frame (h264dec.c:579)
==5215==    by 0x141AA10: frame_worker_thread (pthread_frame.c:180)
==5215==    by 0x53646B9: start_thread (pthread_create.c:333)
==5215==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==5215== 
==5215== 
==5215== Process terminating with default action of signal 11 (SIGSEGV)
==5215==  Access not within mapped region at address 0x20
==5215==    at 0x1C7DBDF: ff_h264_queue_decode_slice (h264_slice.c:1784)
==5215==    by 0xDFAAB6: h264_decode_frame (h264dec.c:579)
==5215==    by 0x141AA10: frame_worker_thread (pthread_frame.c:180)
==5215==    by 0x53646B9: start_thread (pthread_create.c:333)


ASAN says:

ASAN:DEADLYSIGNAL
=================================================================
==19972==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc
0x000001395cd5 bp 0x62e00002aa28 sp 0x7fa71def3af0 T3)
[h264 @ 0x61900001db80] A non-intra slice in an IDR NAL unit.
[h264 @ 0x61900001db80] decode_slice_header error
    #0 0x1395cd4  (/home/thuan/experiments/libav-asan/avconv+0x1395cd4)
    #1 0x9f20d4  (/home/thuan/experiments/libav-asan/avconv+0x9f20d4)
    #2 0xd917e9  (/home/thuan/experiments/libav-asan/avconv+0xd917e9)
    #3 0x7fa721fd76b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #4 0x7fa721d0d41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
(/home/thuan/experiments/libav-asan/avconv+0x1395cd4) 
Thread T3 created by T0 here:
    #0 0x7fa722741598  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x31598)
    #1 0xd94a39  (/home/thuan/experiments/libav-asan/avconv+0xd94a39)

==19972==ABORTING

Regards,

Thuan</pre>
        </div>
      </p>
    </body>
</html>