[issue2584] VLC stack overflow in libavcodec with vc1 file

Sat, 19 Feb 2011 04:27:40 -0800 

Reinhard Tartler <[email protected]> added the comment:

patch in https://roundup.ffmpeg.org/msg13620 committed as 
http://git.ffmpeg.org/?
p=ffmpeg.git;a=commit;h=2bbec1eda46d907605772a8b6e8263caa4bc4c82

Patch results in the following valgrind issues fixed:
--- vc1-overread-old.log        2011-02-19 13:03:29.000000000 +0100
+++ vc1-overread.log    2011-02-19 12:57:50.000000000 +0100
@@ -2,13 +2,12 @@
 Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
 Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright 
info
 Command: ./ffplay_g guess_mv_stack_overflow.vc1
-Parent PID: 17119
+Parent PID: 10311
 
 Thread 4:
 Invalid read of size 4
-   at 0x83BF935: vc1_decode_ac_coeff (bswap.h:42)
-   by 0x83C36E3: vc1_decode_i_blocks_adv (vc1dec.c:1693)
-   by 0x83CE2AB: vc1_decode_frame (vc1dec.c:2989)
+   at 0x83C3A21: vc1_decode_i_blocks_adv (bswap.h:42)
+   by 0x83CE2FB: vc1_decode_frame (vc1dec.c:2989)
    by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
    by 0x807BDAC: input_request_frame (ffplay.c:1539)
    by 0x808945E: avfilter_request_frame (avfilter.c:369)
@@ -18,11 +17,11 @@
    by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
    by 0x421696D: start_thread (pthread_create.c:300)
    by 0x42F7A4D: clone (clone.S:130)
- Address 0x48bcc87 is 1,687 bytes inside a block of size 1,690 alloc'd
+ Address 0x628cfec is 3,436 bytes inside a block of size 3,439 alloc'd
    at 0x4024106: memalign (vg_replace_malloc.c:581)
    by 0x4024163: posix_memalign (vg_replace_malloc.c:709)
-   by 0x859C157: av_mallocz (mem.c:83)
-   by 0x83CDB0A: vc1_decode_frame (vc1dec.c:3187)
+   by 0x859C1D7: av_mallocz (mem.c:83)
+   by 0x83CDB5A: vc1_decode_frame (vc1dec.c:3187)
    by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
    by 0x807BDAC: input_request_frame (ffplay.c:1539)
    by 0x808945E: avfilter_request_frame (avfilter.c:369)
@@ -33,8 +32,9 @@
    by 0x421696D: start_thread (pthread_create.c:300)
 
 Invalid read of size 4
-   at 0x83C39D1: vc1_decode_i_blocks_adv (bswap.h:42)
-   by 0x83CE2AB: vc1_decode_frame (vc1dec.c:2989)
+   at 0x83BF933: vc1_decode_ac_coeff (bswap.h:42)
+   by 0x83C3733: vc1_decode_i_blocks_adv (vc1dec.c:1693)
+   by 0x83CE2FB: vc1_decode_frame (vc1dec.c:2989)
    by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
    by 0x807BDAC: input_request_frame (ffplay.c:1539)
    by 0x808945E: avfilter_request_frame (avfilter.c:369)
@@ -44,90 +44,11 @@
    by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
    by 0x421696D: start_thread (pthread_create.c:300)
    by 0x42F7A4D: clone (clone.S:130)
- Address 0x48bcc88 is 1,688 bytes inside a block of size 1,690 alloc'd
+ Address 0x628cfec is 3,436 bytes inside a block of size 3,439 alloc'd
    at 0x4024106: memalign (vg_replace_malloc.c:581)
    by 0x4024163: posix_memalign (vg_replace_malloc.c:709)
-   by 0x859C157: av_mallocz (mem.c:83)
-   by 0x83CDB0A: vc1_decode_frame (vc1dec.c:3187)
-   by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
-   by 0x807BDAC: input_request_frame (ffplay.c:1539)
-   by 0x808945E: avfilter_request_frame (avfilter.c:369)
-   by 0x808063F: get_filtered_video_frame (cmdutils.c:853)
-   by 0x807C59E: video_thread (ffplay.c:1828)
-   by 0x418F9CD: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x421696D: start_thread (pthread_create.c:300)
-
-Invalid read of size 1
-   at 0x83BF9B3: vc1_decode_ac_coeff (get_bits.h:319)
-   by 0x83C36E3: vc1_decode_i_blocks_adv (vc1dec.c:1693)
-   by 0x83CE2AB: vc1_decode_frame (vc1dec.c:2989)
-   by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
-   by 0x807BDAC: input_request_frame (ffplay.c:1539)
-   by 0x808945E: avfilter_request_frame (avfilter.c:369)
-   by 0x808063F: get_filtered_video_frame (cmdutils.c:853)
-   by 0x807C59E: video_thread (ffplay.c:1828)
-   by 0x418F9CD: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x421696D: start_thread (pthread_create.c:300)
-   by 0x42F7A4D: clone (clone.S:130)
- Address 0x48bcc8a is 0 bytes after a block of size 1,690 alloc'd
-   at 0x4024106: memalign (vg_replace_malloc.c:581)
-   by 0x4024163: posix_memalign (vg_replace_malloc.c:709)
-   by 0x859C157: av_mallocz (mem.c:83)
-   by 0x83CDB0A: vc1_decode_frame (vc1dec.c:3187)
-   by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
-   by 0x807BDAC: input_request_frame (ffplay.c:1539)
-   by 0x808945E: avfilter_request_frame (avfilter.c:369)
-   by 0x808063F: get_filtered_video_frame (cmdutils.c:853)
-   by 0x807C59E: video_thread (ffplay.c:1828)
-   by 0x418F9CD: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x421696D: start_thread (pthread_create.c:300)
-
-Invalid read of size 4
-   at 0x83C330A: vc1_decode_i_blocks_adv (bswap.h:42)
-   by 0x83CE2AB: vc1_decode_frame (vc1dec.c:2989)
-   by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
-   by 0x807BDAC: input_request_frame (ffplay.c:1539)
-   by 0x808945E: avfilter_request_frame (avfilter.c:369)
-   by 0x808063F: get_filtered_video_frame (cmdutils.c:853)
-   by 0x807C59E: video_thread (ffplay.c:1828)
-   by 0x418F9CD: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x421696D: start_thread (pthread_create.c:300)
-   by 0x42F7A4D: clone (clone.S:130)
- Address 0x4a9944d is 3 bytes after a block of size 2,730 alloc'd
-   at 0x4024106: memalign (vg_replace_malloc.c:581)
-   by 0x4024163: posix_memalign (vg_replace_malloc.c:709)
-   by 0x859C157: av_mallocz (mem.c:83)
-   by 0x83CDB0A: vc1_decode_frame (vc1dec.c:3187)
-   by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
-   by 0x807BDAC: input_request_frame (ffplay.c:1539)
-   by 0x808945E: avfilter_request_frame (avfilter.c:369)
-   by 0x808063F: get_filtered_video_frame (cmdutils.c:853)
-   by 0x807C59E: video_thread (ffplay.c:1828)
-   by 0x418F9CD: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x421696D: start_thread (pthread_create.c:300)
-
-Invalid read of size 1
-   at 0x83C3A9D: vc1_decode_i_blocks_adv (get_bits.h:319)
-   by 0x83CE2AB: vc1_decode_frame (vc1dec.c:2989)
-   by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
-   by 0x807BDAC: input_request_frame (ffplay.c:1539)
-   by 0x808945E: avfilter_request_frame (avfilter.c:369)
-   by 0x808063F: get_filtered_video_frame (cmdutils.c:853)
-   by 0x807C59E: video_thread (ffplay.c:1828)
-   by 0x418F9CD: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
-   by 0x421696D: start_thread (pthread_create.c:300)
-   by 0x42F7A4D: clone (clone.S:130)
- Address 0x4a9944d is 3 bytes after a block of size 2,730 alloc'd
-   at 0x4024106: memalign (vg_replace_malloc.c:581)
-   by 0x4024163: posix_memalign (vg_replace_malloc.c:709)
-   by 0x859C157: av_mallocz (mem.c:83)
-   by 0x83CDB0A: vc1_decode_frame (vc1dec.c:3187)
+   by 0x859C1D7: av_mallocz (mem.c:83)
+   by 0x83CDB5A: vc1_decode_frame (vc1dec.c:3187)
    by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
    by 0x807BDAC: input_request_frame (ffplay.c:1539)
    by 0x808945E: avfilter_request_frame (avfilter.c:369)
@@ -138,9 +59,9 @@
    by 0x421696D: start_thread (pthread_create.c:300)
 
 Invalid read of size 4
-   at 0x83BFBAA: vc1_decode_ac_coeff (bswap.h:42)
-   by 0x83C36E3: vc1_decode_i_blocks_adv (vc1dec.c:1693)
-   by 0x83CE2AB: vc1_decode_frame (vc1dec.c:2989)
+   at 0x83BFBC2: vc1_decode_ac_coeff (bswap.h:42)
+   by 0x83C3733: vc1_decode_i_blocks_adv (vc1dec.c:1693)
+   by 0x83CE2FB: vc1_decode_frame (vc1dec.c:2989)
    by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
    by 0x807BDAC: input_request_frame (ffplay.c:1539)
    by 0x808945E: avfilter_request_frame (avfilter.c:369)
@@ -150,11 +71,11 @@
    by 0x41DA25C: ??? (in /usr/lib/libSDL-1.2.so.0.11.3)
    by 0x421696D: start_thread (pthread_create.c:300)
    by 0x42F7A4D: clone (clone.S:130)
- Address 0x4a9944f is 5 bytes after a block of size 2,730 alloc'd
+ Address 0x4a99447 is 2,727 bytes inside a block of size 2,730 alloc'd
    at 0x4024106: memalign (vg_replace_malloc.c:581)
    by 0x4024163: posix_memalign (vg_replace_malloc.c:709)
-   by 0x859C157: av_mallocz (mem.c:83)
-   by 0x83CDB0A: vc1_decode_frame (vc1dec.c:3187)
+   by 0x859C1D7: av_mallocz (mem.c:83)
+   by 0x83CDB5A: vc1_decode_frame (vc1dec.c:3187)
    by 0x83B63AD: avcodec_decode_video2 (utils.c:667)
    by 0x807BDAC: input_request_frame (ffplay.c:1539)
    by 0x808945E: avfilter_request_frame (avfilter.c:369)
@@ -167,7 +88,7 @@
 
 HEAP SUMMARY:
     in use at exit: 93,520 bytes in 1,365 blocks
-  total heap usage: 28,510 allocs, 27,145 frees, 133,755,349 bytes 
allocated
+  total heap usage: 39,235 allocs, 37,870 frees, 134,441,153 bytes 
allocated
 
 LEAK SUMMARY:
    definitely lost: 26 bytes in 3 blocks
@@ -178,4 +99,4 @@
 Rerun with --leak-check=full to see details of leaked memory
 
 For counts of detected and suppressed errors, rerun with: -v
-ERROR SUMMARY: 474 errors from 6 contexts (suppressed: 91 from 10)
+ERROR SUMMARY: 10 errors from 3 contexts (suppressed: 91 from 10)

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2584>
________________________________________________

Reply via email to