Diego Biurrun wrote:
> Hi,
>
> Samuel Hocevar wrote his own fuzzer and let it loose on some multimedia
> players:
>
> http://sam.zoy.org/zzuf/
>
> ffplay shows quite a few crashes, MPlayer as well, some of which are
> related to FFmpeg. No time for details right now, but it's easy enough
> to reproduce and the samples are tiny.

More data -- using current SVN, I tried the files with ffplay to reproduce
Zoy's results and then tried ffmpeg to check whether the problem was in
FFmpeg's core libs.

=====================
lol-ffplay.ac3: my ffmpeg is not set up to decode AC3

lol-ffplay.flac: ffplay fails as the fuzz page reports; not sure how to
convert 3+channel FLAC to another format

lol-ffplay.ogg: ffplay crashes but ffmpeg just reports unsupported codec
and bails; valgrind reports no invalid memory ops

=====================
lol-ffmpeg.avi, converting with ffmpeg:

Program received signal SIGSEGV, Segmentation fault.
avi_read_header (s=0x854cf90, ap=0xafe92fac) at avidec.c:471
471         st->codec->codec_type = CODEC_TYPE_DATA;
(gdb) bt
#0  avi_read_header (s=0x854cf90, ap=0xafe92fac) at avidec.c:471
#1  0x080632f2 in av_open_input_stream (ic_ptr=0xafe92fe4, pb=0xafe92ed4,
    filename=0xafe9569e "lol-ffplay.avi", fmt=0x84dba80, ap=0xafe92fac) at utils.c:400
#2  0x0806794d in av_open_input_file (ic_ptr=0xafe92fe4,
    filename=0xafe9569e "lol-ffplay.avi", fmt=0x84dba80, buf_size=0, ap=0xafe92fac) at utils.c:513
#3  0x0805744d in opt_input_file (filename=0xafe9569e "lol-ffplay.avi") at ffmpeg.c:2586
#4  0x0805fe6c in parse_options (argc=4, argv=0xafe937a4, options=0x8449040) at cmdutils.c:105
#5  0x0805cf7a in main (argc=4, argv=0xafe937a4) at ffmpeg.c:3921

=====================
lol-ffplay.m2v, converting with ffmpeg:

Program received signal SIGSEGV, Segmentation fault.
0x081ce4c0 in mpeg_decode_mb (s=0x857e270, block=<value optimized out>) at mpeg12.c:1478
1478        s->current_picture.mb_type[ s->mb_x + s->mb_y*s->mb_stride ]= mb_type;
(gdb) bt
#0  0x081ce4c0 in mpeg_decode_mb (s=0x857e270, block=<value optimized out>) at mpeg12.c:1478
#1  0x081d0b2d in mpeg_decode_slice (s1=0x857e270, mb_y=1, buf=0xaf7edeb4, buf_size=157530) at mpeg12.c:2603
#2  0x081d29e7 in mpeg_decode_frame (avctx=0x8556080, data=0xaf80a660, data_size=0xaf80a8b8,
    buf=0xa7d4f020 "", buf_size=159930) at mpeg12.c:3198
#3  0x080be590 in avcodec_decode_video (avctx=0x8556080, picture=0xaf80a660, got_picture_ptr=0xaf80a8b8,
    buf=0xa7d4f020 "", buf_size=159930) at utils.c:904
#4  0x0806751f in av_find_stream_info (ic=0x854cf90) at utils.c:1735
#5  0x08057470 in opt_input_file (filename=0xaf80b69e "lol-ffplay.m2v") at ffmpeg.c:2596
#6  0x0805fe6c in parse_options (argc=4, argv=0xaf80b124, options=0x8449040) at cmdutils.c:105
#7  0x0805cf7a in main (argc=4, argv=0xaf80b124) at ffmpeg.c:3921

=====================
lol-ffplay.mpg, converting with ffmpeg:

Program received signal SIGSEGV, Segmentation fault.
0x081ce4c0 in mpeg_decode_mb (s=0x855c600, block=<value optimized out>) at mpeg12.c:1478
1478        s->current_picture.mb_type[ s->mb_x + s->mb_y*s->mb_stride ]= mb_type;
(gdb) bt
#0  0x081ce4c0 in mpeg_decode_mb (s=0x855c600, block=<value optimized out>) at mpeg12.c:1478
#1  0x081d0b2d in mpeg_decode_slice (s1=0x855c600, mb_y=1, buf=0xafee66e4, buf_size=10039) at mpeg12.c:2603
#2  0x081d29e7 in mpeg_decode_frame (avctx=0x8556080, data=0xaff02e90, data_size=0xaff030e8,
    buf=0x8559c30 "", buf_size=10690) at mpeg12.c:3198
#3  0x080be590 in avcodec_decode_video (avctx=0x8556080, picture=0xaff02e90, got_picture_ptr=0xaff030e8,
    buf=0x8559c30 "", buf_size=10690) at utils.c:904
#4  0x0806751f in av_find_stream_info (ic=0x854cf90) at utils.c:1735
#5  0x08057470 in opt_input_file (filename=0xaff0569e "lol-ffplay.mpg") at ffmpeg.c:2596
#6  0x0805fe6c in parse_options (argc=4, argv=0xaff03954, options=0x8449040) at cmdutils.c:105
#7  0x0805cf7a in main (argc=4, argv=0xaff03954) at ffmpeg.c:3921

=====================
lol-ffmpeg.ogm, converting with ffmpeg:

Program received signal SIGSEGV, Segmentation fault.
0x080a8b96 in ogg_read_header (s=0x854cf90, ap=0xafb756cc) at ogg2.c:452
452         if(os->codec->gptopts){
(gdb) bt
#0  0x080a8b96 in ogg_read_header (s=0x854cf90, ap=0xafb756cc) at ogg2.c:452
#1  0x080632f2 in av_open_input_stream (ic_ptr=0xafb75704, pb=0xafb755f4,
    filename=0xafb7769e "lol-ffplay.ogm", fmt=0x84dcbe0, ap=0xafb756cc) at utils.c:400
#2  0x0806794d in av_open_input_file (ic_ptr=0xafb75704,
    filename=0xafb7769e "lol-ffplay.ogm", fmt=0x84dcbe0, buf_size=0, ap=0xafb756cc) at utils.c:513
#3  0x0805744d in opt_input_file (filename=0xafb7769e "lol-ffplay.ogm") at ffmpeg.c:2586
#4  0x0805fe6c in parse_options (argc=4, argv=0xafb75ec4, options=0x8449040) at cmdutils.c:105
#5  0x0805cf7a in main (argc=4, argv=0xafb75ec4) at ffmpeg.c:3921

=====================
lol-ffplay.wmv, converting with ffmpeg:

Program received signal SIGSEGV, Segmentation fault.
0xa7e95fca in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0xa7e95fca in memcpy () from /lib/libc.so.6
#1  0x0806a12b in get_buffer (s=0x85554fb, buf=0x19a <Address 0x19a out of bounds>, size=0) at aviobuf.c:365
#2  0x0807ae9e in asf_read_packet (s=0x854cf90, pkt=0x854dea0) at asf.c:715
#3  0x08063eeb in av_read_frame_internal (s=0x854cf90, pkt=0xaffbc9c8) at utils.c:540
#4  0x08065fe0 in av_find_stream_info (ic=0x854cf90) at utils.c:1841
#5  0x08057470 in opt_input_file (filename=0xaffbd69e "lol-ffplay.wmv") at ffmpeg.c:2596
#6  0x0805fe6c in parse_options (argc=4, argv=0xaffbd2a4, options=0x8449040) at cmdutils.c:105
#7  0x0805cf7a in main (argc=4, argv=0xaffbd2a4) at ffmpeg.c:3921

-- 
-Mike Melanson
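The workflow in the mail above (mutate a small sample, feed it to the command-line tool rather than the player, and sort the outcomes into "decoder rejected it", "hang" and "died by signal, go get a backtrace") is easy to script. The following is an added example written for this page; it is not code from the thread, from FFmpeg or from zzuf. It imitates zzuf's default corruption of flipping a fraction of the input bits (0.004, the ratio zzuf documents as its default, is assumed here), and triages purely on the exit status of the target process. The `ffmpeg -v error -i {} -f null -` command in the usage comment is an assumed modern invocation that decodes a file without writing output; substitute whatever decoder you are hunting in.

```python
"""Minimal zzuf-style mutation fuzzer with crash triage (added example)."""
import random
import signal
import subprocess
import sys
from pathlib import Path


def mutate(data: bytes, ratio: float = 0.004, seed: int = 0) -> bytes:
    """Flip roughly `ratio` of the bits of `data` at distinct positions drawn
    from a seeded PRNG, so every test case is reproducible from its seed."""
    buf = bytearray(data)
    nbits = len(buf) * 8
    nflips = min(nbits, max(1, round(nbits * ratio))) if nbits else 0
    rng = random.Random(seed)
    for pos in rng.sample(range(nbits), nflips):
        buf[pos >> 3] ^= 1 << (pos & 7)
    return bytes(buf)


def bit_diff(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def classify(returncode: int, hung: bool = False) -> str:
    """Bucket one run. A demuxer or decoder that rejects garbage exits non-zero
    on purpose (what ffmpeg did for lol-ffplay.ogg); only death by signal
    (negative returncode from subprocess) or a timeout is worth a gdb session."""
    if hung:
        return "hang"
    if returncode == 0:
        return "ok"
    if returncode < 0:
        try:
            return signal.Signals(-returncode).name   # e.g. SIGSEGV, SIGABRT, SIGFPE
        except ValueError:
            return f"signal {-returncode}"
    return f"exit {returncode}"


def run_target(cmd: list[str], sample: Path, timeout: float = 10.0) -> tuple[int, bool]:
    """Run `cmd` with every '{}' argument replaced by the sample path.
    Output is discarded; triage is by exit status alone."""
    argv = [str(sample) if a == "{}" else a for a in cmd]
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 0, True
    return proc.returncode, False


def fuzz_campaign(cmd: list[str], seed_file: Path, outdir: Path,
                  iterations: int, ratio: float = 0.004) -> dict[str, int]:
    """Generate `iterations` mutants of seed_file, run each, and keep on disk
    only the samples that crashed or hung. Files are named by seed, so a
    crasher can always be regenerated and re-run under gdb or valgrind."""
    data = seed_file.read_bytes()
    outdir.mkdir(parents=True, exist_ok=True)
    buckets: dict[str, int] = {}
    for seed in range(iterations):
        sample = outdir / f"fuzz-{seed}{seed_file.suffix}"
        sample.write_bytes(mutate(data, ratio, seed))
        bucket = classify(*run_target(cmd, sample))
        buckets[bucket] = buckets.get(bucket, 0) + 1
        if bucket == "ok" or bucket.startswith("exit "):
            sample.unlink()                      # clean reject: not a finding
    return buckets


if __name__ == "__main__":
    # usage: fuzz_triage.py SEED_FILE OUTDIR ITERATIONS -- ffmpeg -v error -i {} -f null -
    if len(sys.argv) < 6 or sys.argv[4] != "--":
        sys.exit("usage: fuzz_triage.py SEED_FILE OUTDIR ITERATIONS -- CMD... (use {} for the sample)")
    seed_file, outdir, n = Path(sys.argv[1]), Path(sys.argv[2]), int(sys.argv[3])
    print(fuzz_campaign(sys.argv[5:], seed_file, outdir, n))
```

The exit-status split is the same one the mail applies by hand: a "signal" bucket is the only one that needs a backtrace, and because the mutant is a pure function of the seed, the surviving `fuzz-N` files are enough to reproduce each crash under `gdb --args` or `valgrind` without keeping every generated sample.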