Segfault with fuzzed file (mkv demuxer) #1448

Closed
tholin opened this Issue Jan 8, 2015 · 2 comments


@tholin
tholin commented Jan 8, 2015

The following file segfaults
https://www.dropbox.com/s/rctoxhkff2e005r/demux_mkv_segfault.mkv

$ gdb --args ~/repository/mpv-build_vanilla_debug/mpv/build/mpv --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null demux_mkv_segfault.mkv
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null demux_mkv_segfault.mkv
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffed4e7700 (LWP 23738)]
[New Thread 0x7fffecce6700 (LWP 23739)]
Playing: demux_mkv_segfault.mkv
[New Thread 0x7fffe7fff700 (LWP 23740)]
[Thread 0x7fffe7fff700 (LWP 23740) exited]
[New Thread 0x7fffe7fff700 (LWP 23741)]
[mkv] SeekHead position beyond end of file - incomplete file?
[mkv] Error parsing element Tracks
[mkv] Invalid EBML length at position 4477
...
[mkv] Invalid EBML length at position 5674
[Thread 0x7fffe7fff700 (LWP 23741) exited]
[stream] Video (+) --vid=1 (vp9)
[New Thread 0x7fffe7fff700 (LWP 23742)]
[ffmpeg/video] vp9: Superframe packet size too big: 10670239 > 80

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1f7ba40 in __memcpy_sse2_unaligned () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007ffff1f7ba40 in __memcpy_sse2_unaligned () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000000000981a00 in av_packet_ref (dst=0x20780b0, src=0x7fffffffce40)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/avpacket.c:548
        ret = 0
#2  0x0000000000457ed5 in new_demux_packet_from_avpacket (avpkt=0x7fffffffce40) at ../demux/packet.c:60
        dp = 0x2077fc0
        r = -1
#3  0x0000000000457fab in new_demux_packet_from (data=0xff11d510, len=32767) at ../demux/packet.c:80
        pkt = {buf = 0x0, pts = 0, dts = 0, 
          data = 0xff11d510 <error: Cannot access memory at address 0xff11d510>, size = 32767, 
          stream_index = 0, flags = 0, side_data = 0x0, side_data_elems = 0, duration = 0, 
          destruct = 0x0, priv = 0x0, pos = 0, convergence_duration = 0}
#4  0x000000000044f829 in handle_block (demuxer=0x7fffdc2032b0, block_info=0x7fffffffd390)
    at ../demux/demux_mkv.c:2444
        dp = 0x0
        raw = {start = 0x2093b04 "", len = 0}
        buffer = {start = 0xff11d510 <error: Cannot access memory at address 0xff11d510>, len = 32767}
        block = {start = 0x2093ab4 "\032\300\230\201", len = 80}
        i = 0
        p = 0
        mkv_d = 0x7fffdc2038c0
        laces = 1
        current_pts = 0.055
        data = {start = 0x2093ab4 "\032\300\230\201", len = 80}
        keyframe = false
        block_duration = 0
        tc = 55000000
        track = 0x7fffdc2039c0
        stream = 0x7fffdc203c30
        lace_size = {80, 0 <repeats 45 times>, 128, 0, 6, 0, 0, 0, 4294955104, 32767, 5411048, 0, 91, 
          0, 0, 0, 110, 0, 0, 0, 4294955152, 32767, 5411078, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4294955216, 
          32767, 5411310, 0, 0, 0, 34042768, 0, 0, 0, 34042704, 0, 4294955248, 32767, 5411048, 0, 
          4294955264, 32767, 0, 0, 4294955280, 32767, 5411048, 0, 4294955296, 32767, 0, 0, 26939232, 
          0, 0, 0, 4294955328, 32767, 768, 0, 46, 32767, 0, 0, 59, 0, 1, 0, 92, 32767, 0, 0, 1, 0, 0, 
          0, 0, 0, 119, 124, 8, 0, 768, 0, 46, 32767, 32, 0, 34158576, 0, 656, 0, 4062742048, 32767, 
          688, 0, 0, 0, 4059456702, 32767, 32, 0, 4062742048, 32767, 640, 0, 144, 0, 7, 0, 4059461492, 
          32767, 49, 32767, 0, 0, 91, 0, 0, 0, 110, 2147483648, 4915163, 0, 0, 0, 119, 84, 34159280, 
          0, 3690990112, 32767, 4294955664, 32767, 4062742048, 84, 4294955664, 32767, 4915253, 0, 
          4294957424, 32767, 4294955960, 32767, 34159364, 0, 0, 128, 0, 1, 1, 0, 4294955760, 32767, 
          4518494, 0, 4294955760, 32767, 4294955920, 32767, 6257, 0, 3693097648, 32767, 4294955760, 
          3637247, 1, 0, 3693099200, 32767, 3690990112, 32767, 84, 0, 1, 0, 4294955872, 32767, 
          4521707, 0, 4294955920, 32767, 3693097648...}
        use_this_block = true
#5  0x000000000045010d in demux_mkv_fill_buffer (demuxer=0x7fffdc2032b0) at ../demux/demux_mkv.c:2636
        res = 1
        block = {duration = 0, discardpadding = 0, simple = true, keyframe = false, 
          timecode = 55000000, track = 0x7fffdc2039c0, data = {
            start = 0x2093ab3 "\021\032\300\230\201", len = 81}, alloc = 0x2093ab0, filepos = 6173}
#6  0x000000000043f069 in read_packet (in=0x7fffdc203150) at ../demux/demux.c:398
        active = true
        read_more = true
        packs = 0
        bytes = 0
        demux = 0x7fffdc2032b0
        eof = false
#7  0x000000000043f26b in ds_get_packets (ds=0x7fffdc203ce0) at ../demux/demux.c:436
        t = 0x1354548 "video"
        in = 0x7fffdc203150
#8  0x000000000043f7ca in demux_read_packet (sh=0x7fffdc203c30) at ../demux/demux.c:553
        ds = 0x7fffdc203ce0
        pkt = 0x0
#9  0x000000000043f908 in demux_read_packet_async (sh=0x7fffdc203c30, out_pkt=0x7fffffffd520)
    at ../demux/demux.c:585
        ds = 0x7fffdc203ce0
        r = -1
#10 0x00000000004a6315 in decode_image (mpctx=0x2019050) at ../player/video.c:383
        d_video = 0x2077480
        pkt = 0x0
        hrseek = 32
        framedrop_type = 33554431
        had_packet = 220
#11 0x00000000004a6723 in video_decode_and_filter (mpctx=0x2019050) at ../player/video.c:487
        d_video = 0x2077480
        r = 1
        eof = 246
#12 0x00000000004a6d7d in video_output_image (mpctx=0x2019050, endpts=-9.2233720368547758e+18)
    at ../player/video.c:608
        img = 0x2077480
        hrseek = false
        r = 1
#13 0x00000000004a74f8 in write_video (mpctx=0x2019050, endpts=-9.2233720368547758e+18)
    at ../player/video.c:756
        opts = 0x201c2b0
        vo = 0x2076ea0
        r = 5302340
        p = {imgfmt = 4294956672, w = 32767, h = 4572244, d_w = -3, d_h = 34041504, 
          colorspace = MP_CSP_AUTO, colorlevels = 5307764, primaries = MP_CSP_PRIM_AUTO, 
          chroma_location = 4294956707, outputlevels = 10, rotate = 34041504, 
          stereo_in = MP_STEREO3D_MONO, stereo_out = -10560}
        time_frame = 6.9533558073077375e-310
        pts = 140737488344739
        duration = 140737488344672
        diff = 1.2648080533535912e-321
        vpts0 = 3.3951932655444357e-313
        vpts1 = 1.6818737659167378e-316
#14 0x000000000049dac1 in run_playloop (mpctx=0x2019050) at ../player/playloop.c:917
        opts = 0x201c2b0
        endpts = -9.2233720368547758e+18
        end_is_new_segment = false
        prevent_eof = false
#15 0x00000000004924d8 in play_current_file (mpctx=0x2019050) at ../player/loadfile.c:1182
        opts = 0x201c2b0
        tmp = 0x20525a0
        playback_start = 10.015781
        __PRETTY_FUNCTION__ = "play_current_file"
        stream_flags = 0
        startpos = -9.2233720368547758e+18
        nothing_played = false
        end_event = {reason = -10272, error = 32767}
#16 0x0000000000492bf2 in mp_play_files (mpctx=0x2019050) at ../player/loadfile.c:1339
        new_entry = 0x201c2b0
#17 0x0000000000494001 in mpv_main (argc=12, argv=0x7fffffffd978) at ../player/main.c:550
        mpctx = 0x2019050
        opts = 0x201c2b0
        verbose_env = 0x0
        r = 0
#18 0x0000000000411dcd in main (argc=12, argv=0x7fffffffd978) at ../player/main_fn.c:13
No locals.
$ valgrind ~/repository/mpv-build_vanilla_debug/mpv/build/mpv  --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null demux_mkv_segfault.mkv
...
[ffmpeg/video] vp9: Superframe packet size too big: 10670239 > 80
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0xD88F72: av_parser_parse2 (parser.c:167)
==23926==    by 0x44EFBB: mkv_parse_packet (demux_mkv.c:2277)
==23926==    by 0x44FABB: handle_block (demux_mkv.c:2443)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==    by 0x4A6D7C: video_output_image (video.c:608)
==23926==    by 0x4A74F7: write_video (video.c:756)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x44F001: mkv_parse_packet (demux_mkv.c:2283)
==23926==    by 0x44FABB: handle_block (demux_mkv.c:2443)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==    by 0x4A6D7C: video_output_image (video.c:608)
==23926==    by 0x4A74F7: write_video (video.c:756)
==23926==    by 0x49DAC0: run_playloop (playloop.c:917)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x457F70: new_demux_packet_from (packet.c:77)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==    by 0x4A6D7C: video_output_image (video.c:608)
==23926==    by 0x4A74F7: write_video (video.c:756)
==23926==    by 0x49DAC0: run_playloop (playloop.c:917)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x457DB3: new_demux_packet_from_avpacket (packet.c:43)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==    by 0x4A6D7C: video_output_image (video.c:608)
==23926==    by 0x4A74F7: write_video (video.c:756)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x457EBC: new_demux_packet_from_avpacket (packet.c:57)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==    by 0x4A6D7C: video_output_image (video.c:608)
==23926==    by 0x4A74F7: write_video (video.c:756)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x980271: packet_alloc (avpacket.c:71)
==23926==    by 0x9819CC: av_packet_ref (avpacket.c:545)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x1304871: av_realloc (mem.c:150)
==23926==    by 0x12F5A30: av_buffer_realloc (buffer.c:165)
==23926==    by 0x98028D: packet_alloc (avpacket.c:74)
==23926==    by 0x9819CC: av_packet_ref (avpacket.c:545)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C28F7D: malloc (vg_replace_malloc.c:296)
==23926==    by 0x4C2B36F: realloc (vg_replace_malloc.c:692)
==23926==    by 0x130489A: av_realloc (mem.c:166)
==23926==    by 0x12F5A30: av_buffer_realloc (buffer.c:165)
==23926==    by 0x98028D: packet_alloc (avpacket.c:74)
==23926==    by 0x9819CC: av_packet_ref (avpacket.c:545)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2F7BC: memset (vg_replace_strmem.c:1094)
==23926==    by 0x9802C0: packet_alloc (avpacket.c:78)
==23926==    by 0x9819CC: av_packet_ref (avpacket.c:545)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926== 
==23926== Use of uninitialised value of size 8
==23926==    at 0x4C2F7D5: memset (vg_replace_strmem.c:1094)
==23926==    by 0x9802C0: packet_alloc (avpacket.c:78)
==23926==    by 0x9819CC: av_packet_ref (avpacket.c:545)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DB1E: is_overlap (vg_replace_strmem.c:119)
==23926==    by 0x4C2DB1E: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DB27: is_overlap (vg_replace_strmem.c:128)
==23926==    by 0x4C2DB27: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DB2D: is_overlap (vg_replace_strmem.c:131)
==23926==    by 0x4C2DB2D: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DB3A: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DB87: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DB90: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DBA1: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DBA7: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Conditional jump or move depends on uninitialised value(s)
==23926==    at 0x4C2DBD6: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Use of uninitialised value of size 8
==23926==    at 0x4C2DBF0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926== 
==23926== Invalid read of size 8
==23926==    at 0x4C2DBF0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==  Address 0xfe11f490 is not stack'd, malloc'd or (recently) free'd
==23926== 
==23926== 
==23926== Process terminating with default action of signal 11 (SIGSEGV)
==23926==  Access not within mapped region at address 0xFE11F490
==23926==    at 0x4C2DBF0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==23926==    by 0x9819FF: av_packet_ref (avpacket.c:548)
==23926==    by 0x457ED4: new_demux_packet_from_avpacket (packet.c:60)
==23926==    by 0x457FAA: new_demux_packet_from (packet.c:80)
==23926==    by 0x44F828: handle_block (demux_mkv.c:2444)
==23926==    by 0x45010C: demux_mkv_fill_buffer (demux_mkv.c:2636)
==23926==    by 0x43F068: read_packet (demux.c:398)
==23926==    by 0x43F26A: ds_get_packets (demux.c:436)
==23926==    by 0x43F7C9: demux_read_packet (demux.c:553)
==23926==    by 0x43F907: demux_read_packet_async (demux.c:585)
==23926==    by 0x4A6314: decode_image (video.c:383)
==23926==    by 0x4A6722: video_decode_and_filter (video.c:487)
==23926==  If you believe this happened as a result of a stack
==23926==  overflow in your program's main thread (unlikely but
==23926==  possible), you can try to increase the size of the
==23926==  main thread stack using the --main-stacksize= flag.
==23926==  The main thread stack size used in this run was 8388608.
==23926== 
==23926== HEAP SUMMARY:
==23926==     in use at exit: 3,048,593 bytes in 6,863 blocks
==23926==   total heap usage: 13,937 allocs, 7,074 frees, 12,775,097 bytes allocated
==23926== 
==23926== LEAK SUMMARY:
==23926==    definitely lost: 128 bytes in 2 blocks
==23926==    indirectly lost: 80 bytes in 1 blocks
==23926==      possibly lost: 2,629,301 bytes in 2,240 blocks
==23926==    still reachable: 419,084 bytes in 4,620 blocks
==23926==         suppressed: 0 bytes in 0 blocks
==23926== Rerun with --leak-check=full to see details of leaked memory
==23926== 
==23926== For counts of detected and suppressed errors, rerun with: -v
==23926== Use --track-origins=yes to see where uninitialised values come from
==23926== ERROR SUMMARY: 21 errors from 21 contexts (suppressed: 0 from 0)
Killed
wm4 added a commit that referenced this issue Jan 9, 2015
wm4: demux_mkv: improve robustness against broken libavcodec parsers
The VP9 codec parser has a bug: it doesn't set the data/size pointers
passed to it. As I understand, it must always do this, and in fact, if
it doesn't some libavcodec generic code would be in trouble too.

This helps with #1448, but is not the full fix for it. The codec parser
must be fixed in libavcodec itself.
33dd914
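The failure mode the commit message describes, a parser that returns without storing anything in the data/size out-parameters so the caller works with whatever happened to be on the stack (the `data = 0xff11d510, size = 32767` pair in the backtrace above), as an added example in C. This is not mpv's or FFmpeg's code: the parser signature mimics the `poutbuf`/`poutbuf_size` contract of av_parser_parse2, while `good_parser`, `buggy_parser`, `feed_frames`, `run_demo` and the frame bytes are hypothetical, and the frame-marker test is a simplified stand-in for real VP9 header validation. To keep the demo within defined behaviour, the "naive" loop reuses the previous call's pointer/size instead of reading uninitialised locals; the consequence (a stale packet handed downstream) is the benign version of the crash on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parser contract modelled on av_parser_parse2: on every call the parser must
 * store an output pointer and size (NULL/0 when no packet is ready) and return
 * the number of input bytes it consumed. */
typedef int (*parse_fn)(const uint8_t *in, int in_size,
                        uint8_t **poutbuf, int *poutbuf_size);

/* Simplified stand-in for VP9 header validation: the top two bits of the first
 * byte are the frame marker and must be 0b10. Hypothetical, not libavcodec's check. */
static int frame_marker_ok(const uint8_t *in, int in_size)
{
    return in_size > 0 && (in[0] & 0xC0) == 0x80;
}

/* Well-behaved parser: sets the out-parameters on every path, including rejection. */
static int good_parser(const uint8_t *in, int in_size,
                       uint8_t **poutbuf, int *poutbuf_size)
{
    if (!frame_marker_ok(in, in_size)) {
        *poutbuf = NULL;
        *poutbuf_size = 0;
        return in_size;          /* swallow the bad frame, emit nothing */
    }
    *poutbuf = (uint8_t *)in;
    *poutbuf_size = in_size;
    return in_size;
}

/* Buggy parser (hypothetical, mirroring the bug the commit message describes):
 * on a malformed frame it returns early without touching *poutbuf/*poutbuf_size. */
static int buggy_parser(const uint8_t *in, int in_size,
                        uint8_t **poutbuf, int *poutbuf_size)
{
    if (!frame_marker_ok(in, in_size))
        return in_size;          /* out-parameters left exactly as the caller had them */
    *poutbuf = (uint8_t *)in;
    *poutbuf_size = in_size;
    return in_size;
}

typedef struct { const uint8_t *data; int size; } frame;
typedef struct { int packets; size_t bytes; int dropped; } parse_stats;

/* Demuxer-side loop. With hardened != 0 the out-parameters are reset before every
 * parser call, so a parser that forgets to set them yields a harmless "no packet"
 * instead of a stale pointer/size pair that is then fed to memcpy. */
static parse_stats feed_frames(parse_fn parse, const frame *frames, int n, int hardened)
{
    parse_stats st = {0, 0, 0};
    uint8_t packet[64];
    uint8_t *data = NULL;        /* naive mode: set once, then trusted to the parser */
    int size = 0;
    for (int i = 0; i < n; i++) {
        if (hardened) {
            data = NULL;
            size = 0;
        }
        parse(frames[i].data, frames[i].size, &data, &size);
        if (!data || size <= 0) {
            st.dropped++;
            continue;
        }
        if ((size_t)size > sizeof packet)   /* bound the copy to our own buffer */
            size = (int)sizeof packet;
        memcpy(packet, data, (size_t)size); /* the copy that crashed in av_packet_ref */
        st.packets++;
        st.bytes += (size_t)size;
    }
    return st;
}

/* Constructed sample input: two frames with a valid marker around one whose
 * leading bytes (0x1a 0xc0 0x98 0x81) are taken from the rejected block in the trace. */
static const uint8_t FRAME_A[] = {0x82, 0x49, 0x83, 0x42};
static const uint8_t FRAME_B[] = {0x1a, 0xc0, 0x98, 0x81, 0x00};
static const uint8_t FRAME_C[] = {0x9f, 0x00, 0x11, 0x22, 0x33, 0x44};

static parse_stats run_demo(parse_fn parse, int hardened)
{
    const frame frames[] = {
        {FRAME_A, (int)sizeof FRAME_A},
        {FRAME_B, (int)sizeof FRAME_B},
        {FRAME_C, (int)sizeof FRAME_C},
    };
    return feed_frames(parse, frames, 3, hardened);
}

int main(void)
{
    parse_stats h = run_demo(buggy_parser, 1);
    parse_stats n = run_demo(buggy_parser, 0);
    printf("buggy parser, hardened caller: %d packets, %zu bytes, %d dropped\n",
           h.packets, h.bytes, h.dropped);
    printf("buggy parser, naive caller:    %d packets, %zu bytes, %d dropped\n",
           n.packets, n.bytes, n.dropped);
    return 0;
}
```

With the hardened loop both parsers produce the same result (two packets, one dropped frame); with the naive loop the buggy parser makes the caller re-emit the previous frame as a third packet, and in the real crash the leftovers were arbitrary stack contents rather than a previous frame. Resetting the out-parameters is a belt-and-braces measure on the caller side, not a substitute for fixing the parser, as the commit message says.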
@wm4
Member
wm4 commented Jan 9, 2015

This is not mpv's fault. Patch to ffmpeg sent. I painted it over anyway with the commit above.

@wm4
Member
wm4 commented Jan 9, 2015

Oh well may as well close this.

@wm4 wm4 closed this Jan 9, 2015
wm4 added a commit that referenced this issue Jan 25, 2015
wm4 + Kovensky: demux_mkv: improve robustness against broken libavcodec parsers
The VP9 codec parser has a bug: it doesn't set the data/size pointers
passed to it. As I understand, it must always do this, and in fact, if
it doesn't some libavcodec generic code would be in trouble too.

This helps with #1448, but is not the full fix for it. The codec parser
must be fixed in libavcodec itself.
ac06ba0