[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Michael Niedermayer michael at niedermayer.cc
Fri Apr 2 01:53:14 EEST 2021 

On Fri, Apr 02, 2021 at 12:49:26AM +0200, Michael Niedermayer wrote:
> On Fri, Apr 02, 2021 at 12:25:53AM +0200, Michael Niedermayer wrote:
> > On Thu, Apr 01, 2021 at 09:22:23PM +0200, Paul B Mahol wrote:
> > > Try this attached patch. I have not looked at all samples, as some allocate
> > > too much memory for my system.
> > 
> > > But this patch points where real bugs are, unlike yours patch which hides
> > > real bugs even more.
> > 
> > I would appreciate if cfhd wouldnt have so many real bugs.
> > Your approach seems to be to fix what the fuzzer finds. What my patch was
> > moving toward is to make the code more secure and robust not to fix individual
> > bugs. My patch was never intended to be the end of such improvment, but with
> > the first stage being rejected iam of course not putting time in the next ...
> > 
> > but thats not so importrant now, whats important is the bugs here
> > and your patch eliminates all of the current group but one. Thats good!
> > Heres what remains:
> > ffmpeg -threads 1 -i dec_fuzzer-30739.nut -f null -
> 
> correction, the fuzzer found an alternative sample for 29754 which still crashes
> this seems to also use less memory than the other remaining sample
> will send the sample privatly
> 
> [cfhd @ 0x16d92180] Invalid lowpass height
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
> ==24087==    by 0x860064: decode_simple_internal (decode.c:327)
> ==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> ==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> ==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
> ==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
> ==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> ==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> Error while decoding stream #0:0: Invalid argument
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> [cfhd @ 0x16d92180] Invalid lowpass height
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
> ==24087==    by 0x860064: decode_simple_internal (decode.c:327)
> ==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> ==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> ==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
> ==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
> ==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> ==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> Error while decoding stream #0:0: Invalid argument
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> [cfhd @ 0x16d92180] Sample format of 1039 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
> Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> [cfhd @ 0x16d92180] Invalid lowpass height
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
> ==24087==    by 0x860064: decode_simple_internal (decode.c:327)
> ==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> ==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> ==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
> ==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
> ==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> ==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> Error while decoding stream #0:0: Invalid argument
> ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> ==24087==    by 0x1234092: av_vlog (log.c:432)
> ==24087==    by 0x1233EF1: av_log (log.c:411)
> ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)

> ==24087== Invalid read of size 16
> ==24087==    at 0x10A1385: ??? (libavcodec/x86/cfhddsp.asm:384)
> ==24087==    by 0x1FFEFFF74F: ???
> ==24087==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

without asm:
==24138== Invalid read of size 2
==24138==    at 0x835536: filter (cfhddsp.c:36)
==24138==    by 0x835A68: vert_filter (cfhddsp.c:74)
==24138==    by 0x8333AE: cfhd_decode (cfhd.c:1172)
==24138==    by 0x860064: decode_simple_internal (decode.c:327)
==24138==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
==24138==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
==24138==    by 0x861019: avcodec_send_packet (decode.c:608)
==24138==    by 0x2525A7: decode (ffmpeg.c:2285)
==24138==    by 0x252DC7: decode_video (ffmpeg.c:2425)
==24138==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
==24138==    by 0x25BB79: process_input (ffmpeg.c:4606)
==24138==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
==24138==    by 0x25C1D5: transcode (ffmpeg.c:4800)
==24138==    by 0x25CB3F: main (ffmpeg.c:5005)
==24138==  Address 0x0 is not stack'd, malloc'd or (recently) free'd


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20210402/0afb112f/attachment.sig>

More information about the ffmpeg-devel mailing list