FFMPEG Issue1240

1. FFMPEG Issue1240
2.  
3. Title Multiple crashing bugs in processing of malformed files
4. Type bug
5. Priority important Status closed invalid
6. Superseder Nosy List
7. Depends On Crash in Indeo3 decoder, Invalid reads in VP3 decoder
8. View: 1482, 1483
9. Assigned To Topics
10.  
11. Created on 2009-06-30.18:28:54 by WD, last changed 2010-01-09.23:39:29 by cehoyos.
12. Files
13. File name Uploaded Type Edit Remove
14. crashdetails_noopt.zip WD, 2009-07-01.20:08:38 application/zip
15. ffmpeg_crashers.zip WD, 2009-06-30.18:28:54 application/x-zip
16.  
17. Please provide full uncut output from "ffmpeg -i" if you are reporting issues with unplayable files.
18.  
19. Messages
20. msg6282 (view) Author: WD Date: 2009-06-30.18:28:54
21.  
22. Attached is a zip file with multiple (73) files that cause ffmpeg to crash. The
23. crashers are in a subset of various codecs. Included with each codec/directory are:
24. 1) The seed/good file
25. 2) Variations of the file that cause crashes (basename.x.y)
26. 3) GDB output for the crashing testcases
27. 4) Valgrind output for the crashing testcases
28. 5) tabriffdump output for the crashing testcases
29. 6) A diff summary of what is different between the crashing testcase and the
30. original file, RIFF-header-wise.
31.  
32. About half of the crashers are something that is in a RIFF header for the file
33. (e.g. ImageHeight, ImageWidth, dsScale, etc.) The other half appear to be
34. something specific decoding of the codec.
35.  
36. msg6287 (view) Author: Vitor1001 Date: 2009-06-30.19:53:09
37.  
38. Ideally one would open an issue for each file that crashes in a different way,
39. but since it is a lot of work I'd say to open at least a different issue for the
40. division-by-zero crash in AVI demuxer.
41.  
42. msg6288 (view) Author: WD Date: 2009-06-30.21:02:46
43.  
44. This is a pretty detailed report and it would be impractical for me to create
45. separate bug reports for each flaw. You should have all the info that you need
46. right here. If creating a separate report for each flaw helps you in tracking
47. the bugs and the fixes, then go right ahead.
48.  
49. msg6292 (view) Author: cehoyos Date: 2009-06-30.23:39:12
50.  
51. This issue is simply invalid.
52.  
53. Since somebody should test those 73 files, I mark it as important.
54.  
55. msg6306 (view) Author: Vitor1001 Date: 2009-07-01.18:06:47
56.  
57. Opened issue 1245 for the division by zero in av_rescale_rnd().
58.  
59. msg6310 (view) Author: michaelni Date: 2009-07-01.19:26:53
60.  
61. On Tue, Jun 30, 2009 at 06:28:54PM +0000, WD wrote:
62. > Attached is a zip file with multiple (73) files that cause ffmpeg to crash. The
63. > crashers are in a subset of various codecs. Included with each codec/directory are:
64. > 1) The seed/good file
65. > 2) Variations of the file that cause crashes (basename.x.y)
66. > 3) GDB output for the crashing testcases
67.  
68. stuff like
69. decode_frame (avctx=0x8a25700, data=0xbfffe138,
70. data_size=0xbfffe318, avpkt=0xbfffe240) at /usr/include/bits/string3.h:52
71.  
72. yeah it surely is in /usr/include/bits/string3.h
73.  
74. or
75. #1 0x084acdd9 in av_rescale_rnd (a=0, b=0, c=0, rnd=AV_ROUND_NEAR_INF)
76. #2 0x084ace2f in av_rescale (a=1, b=1, c=1) at libavutil/mathematics.c:111
77. they obviously match and 1 != 0
78.  
79. or
80. i = <value optimized out>
81.  
82. IMHO, if you do such large scale testing, it would be nice if it was actually
83. producing correct and useable output, as is, for some cases i cant even guess
84. what happened, like:
85. smclockmpeg1.avi.1.0
86. it doesnt point to any file from ffmpeg and valgrinds backtraces are pretty
87. terse ...
88.  
89. maybe you should recompile without -fomit-frame-pointer and without any
90. inlining and minimum optimizations and rerun these tests (x86 directory
91. might need more agressive flags to compile)
92.  
93. [...]
94. --
95. Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
96.  
97. The bravest are surely those who have the clearest vision
98. of what is before them, glory and danger alike, and yet
99. notwithstanding go out to meet it. -- Thucydides
100.  
101. msg6311 (view) Author: michaelni Date: 2009-07-01.20:01:32
102.  
103. On Wed, Jul 01, 2009 at 07:26:53PM +0000, Michael Niedermayer wrote:
104. > On Tue, Jun 30, 2009 at 06:28:54PM +0000, WD wrote:
105. > > Attached is a zip file with multiple (73) files that cause ffmpeg to crash. The
106. > > crashers are in a subset of various codecs. Included with each codec/directory are:
107. > > 1) The seed/good file
108. > > 2) Variations of the file that cause crashes (basename.x.y)
109. > > 3) GDB output for the crashing testcases
110. >
111. > stuff like
112. > decode_frame (avctx=0x8a25700, data=0xbfffe138,
113. > data_size=0xbfffe318, avpkt=0xbfffe240) at /usr/include/bits/string3.h:52
114. >
115. > yeah it surely is in /usr/include/bits/string3.h
116.  
117. ive tried ~10 files and none of them crashes for me, also the gdb and
118. valgrind files are just not decipherable as they are
119.  
120. if someone has a reproduceable crash left a full bugreport about it is very
121. welcome or having these gdb/valgrind dumps regenerated with sensible compiler
122. flags used is welcome as well.
123.  
124. Except that i can just close this because i cant to anything when i cant
125. reproduce the problem and the information provided is junk.
126.  
127. [...]
128. --
129. Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
130.  
131. When the tyrant has disposed of foreign enemies by conquest or treaty, and
132. there is nothing more to fear from them, then he is always stirring up
133. some war or other, in order that the people may require a leader. -- Plato
134.  
135. msg6312 (view) Author: WD Date: 2009-07-01.20:08:38
136.  
137. Sorry about the compiler optimization. ffmpeg wouldn't compile by default,
138. complaining about impossible register constraints. I was able to build it with
139. the --disable-mmx flag added, though.
140.  
141. Attached is a zip of the gdb and valgrind output with this build. Should be
142. able to just unzip this over top of the first zip to get a valid set of files.
143.  
144. msg6333 (view) Author: reimar Date: 2009-07-03.11:55:02
145.  
146. On Tue, Jun 30, 2009 at 06:28:54PM +0000, WD wrote:
147. > Attached is a zip file with multiple (73) files that cause ffmpeg to crash.
148.  
149. A lot of these file crash no longer with SVN, please get rid of those
150. that work now, 73 files are simply too much to handle.
151.  
152. msg6375 (view) Author: WD Date: 2009-07-07.20:33:33
153.  
154. ffmpeg SVN-r19367 crashes with these still:
155.  
156. ./h261/smclockh261.avi.1.0
157. ./h261/smclockh261.avi.2.0
158. ./h263/smclockh263.avi.1.0
159. ./h263/smclockh263.avi.2.0
160. ./h264/smclockh264.avi.1.0
161. ./h264/smclockh264.avi.1.12
162. ./h264/smclockh264.avi.2.0
163. ./huffyuv/smclockhuffyuv.avi.1.205
164. ./i32/smclocki32.avi.1.1
165. ./i32/smclocki32.avi.1.201
166. ./i32/smclocki32.avi.1.209
167. ./i32/smclocki32.avi.1.213
168. ./i32/smclocki32.avi.1.219
169. ./i32/smclocki32.avi.3.1000
170. ./i32/smclocki32.avi.3.173
171. ./mjpeg/smclockmjpeg.avi.1.552
172. ./mpeg1/smclockmpeg1.avi.2.1
173. ./mpeg1/smclockmpeg1.avi.3.100
174. ./mpeg1/smclockmpeg1.avi.3.54
175. ./mpeg2/smclockmpeg2.avi.2.1
176. ./mpeg2/smclockmpeg2.avi.3.54
177. ./ogv/smclock.ogv.1.1.ogv
178. ./ogv/smclock.ogv.1.1001.ogv
179. ./ogv/smclock.ogv.1.101.ogv
180. ./ogv/smclock.ogv.1.181.ogv
181. ./ogv/smclock.ogv.2.164.ogv
182. ./vp62/smclockvp62hsp.avi.1.0
183. ./vp62/smclockvp62hsp.avi.3.118
184. ./xvid/smclockxvid.avi.1.172
185.  
186. msg6393 (view) Author: WD Date: 2009-07-08.14:05:49
187.  
188. re-opening
189.  
190. msg6396 (view) Author: cehoyos Date: 2009-07-08.16:11:30
191.  
192. Since it obviously describes more than one problem, this issue is (still)
193. invalid. Please do not reopen, but open one new issue per crash if you care.