
Segfault with fuzzed file (vobsub) #1420

@tholin

Description

The file:
https://www.dropbox.com/s/f57xz612bn2pvw6/vobsub_crash.mkv

It's an ffmpeg bug, but I'm not able to trigger the crash with ffmpeg's own tools. I'll let you handle it instead.

$ gdb --args ~/repository/mpv-build_vanilla_debug/mpv/build/mpv vobsub_crash.mkv
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv vobsub_crash.mkv
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffed4e7700 (LWP 9110)]
[New Thread 0x7fffecce6700 (LWP 9111)]
[New Thread 0x7fffe7fff700 (LWP 9112)]
Playing: vobsub_crash.mkv
[New Thread 0x7fffe77fe700 (LWP 9113)]
[Thread 0x7fffe77fe700 (LWP 9113) exited]
[New Thread 0x7fffe77fe700 (LWP 9114)]
[New Thread 0x7fffe6ffd700 (LWP 9115)]
[ffmpeg/demuxer] matroska,webm: Unknown EBML doctype 'matro@ka'
[ffmpeg] ?: Truncating packet of size 106212971 to 1889
[ffmpeg] ?: Truncating packet of size 11581 to 1507
[ffmpeg/video] h264: missing picture in access unit with size 84
[ffmpeg/video] h264: no frame!
[ffmpeg/video] h264: missing picture in access unit with size 186
[ffmpeg/video] h264: no frame!
[ffmpeg/video] h264: missing picture in access unit with size 130
[ffmpeg/video] h264: no frame!
[ffmpeg/video] h264: missing picture in access unit with size 384
[ffmpeg/video] h264: no frame!
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1235 (0x4d3)
[ffmpeg] ?: Truncating packet of size 1056768 to 542
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1758 (0x6de)
[ffmpeg/demuxer] matroska,webm: Read error at pos. 2024 (0x7e8)
[ffmpeg/demuxer] matroska,webm: Could not find codec parameters for stream 0 (Video: h264 (h264 / 0x34363268), none, 720x432): unspecified pixel format
[ffmpeg/demuxer] Consider increasing the value for the 'analyzeduration' and 'probesize' options
[Thread 0x7fffe6ffd700 (LWP 9115) exited]
[stream] Video (+) --vid=1 (*) (h264)
[stream] Subs  (+) --sid=1 --slang=eng (*) (dvd_subtitle)
[New Thread 0x7fffe6ffd700 (LWP 9116)]
[New Thread 0x7fffe67fc700 (LWP 9117)]
[New Thread 0x7fffdf990700 (LWP 9118)]
[New Thread 0x7fffdef8a700 (LWP 9119)]
[New Thread 0x7fffde789700 (LWP 9120)]
[New Thread 0x7fffddf88700 (LWP 9121)]
[New Thread 0x7fffdd787700 (LWP 9122)]
[New Thread 0x7fffdcf86700 (LWP 9123)]
[New Thread 0x7fffd7fff700 (LWP 9124)]
[New Thread 0x7fffd77fe700 (LWP 9125)]
[New Thread 0x7fffd6ffd700 (LWP 9126)]
[sub/lavc] Subtitle with unknown start time.
[ffmpeg/video] h264: no frame!
[sub/lavc] Subtitle with unknown start time.

Program received signal SIGSEGV, Segmentation fault.
0x00000000009da4a8 in get_bits (s=0x7fffffffd290, n=4)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/get_bits.h:265
265         UPDATE_CACHE(re, s);
(gdb) bt full
#0  0x00000000009da4a8 in get_bits (s=0x7fffffffd290, n=4)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/get_bits.h:265
        tmp = 0
        re_index = 0
        re_cache = 4059456702
        re_size_plus8 = 1878814992
#1  0x00000000009da842 in decode_run_2bit (gb=0x7fffffffd290, color=0x7fffffffd274)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:73
        v = 0
        t = 1
#2  0x00000000009da9f7 in decode_rle (bitmap=0x2a8cb80 "", linesize=2, w=1, h=1, buf=0x2a8c9b0 "", 
    start=302019492, buf_size=453, is_8bit=0)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:123
        gb = {buffer = 0x14a93d54 <error: Cannot access memory at address 0x14a93d54>, 
          buffer_end = 0x22a8cb75 <error: Cannot access memory at address 0x22a8cb75>, index = 0, 
          size_in_bits = 1878814984, size_in_bits_plus8 = 1878814992}
        bit_len = 1878814984
        x = 0
        y = 0
        len = -11600
        color = 0
        d = 0x2a8cb80 ""
#3  0x00000000009db85e in decode_dvd_subtitles (ctx=0x228bda0, sub_header=0x7fffffffd5a0, 
    buf=0x2a8c9b0 "", buf_size=453)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:362
        w = 1
        h = 1
        bitmap = 0x2a8cb80 ""
        cmd_pos = 245
        pos = 264
        cmd = 35
        x1 = 0
        y1 = 0
        x2 = 0
        y2 = 0
        offset1 = 302019492
        offset2 = -2147426757
        next_cmd_pos = 24968
        big_offsets = 0
        offset_size = 2
        is_8bit = 0
        yuv_palette = 0x0
        colormap = 0x228bdfc ""
        alpha = 0x228be00 ""
        date = 68
        i = 0
        is_menu = 0
#4  0x00000000009dc1dc in dvdsub_decode (avctx=0x228b8e0, data=0x7fffffffd5a0, 
    data_size=0x7fffffffd534, avpkt=0x7fffffffd450)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:538
        ctx = 0x228bda0
        buf = 0x2a8c9b0 ""
        buf_size = 453
        sub = 0x7fffffffd5a0
        is_menu = -11
#5  0x0000000000e86904 in avcodec_decode_subtitle2 (avctx=0x228b8e0, sub=0x7fffffffd5a0, 
    got_sub_ptr=0x7fffffffd534, avpkt=0x7fffffffd5c0)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/utils.c:2751
        pkt_recoded = {buf = 0x0, pts = -9223372036854775808, dts = -9223372036854775808, 
          data = 0x7fffd833a290 "", size = 226, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 0, destruct = 0x0, priv = 0x7fffffffd610, pos = -1, 
          convergence_duration = 0}
        tmp = {buf = 0x0, pts = -9223372036854775808, dts = -9223372036854775808, 
          data = 0x7fffd833a290 "", size = 226, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 0, destruct = 0x0, priv = 0x7fffffffd610, pos = -1, 
          convergence_duration = 0}
        did_split = 0
        i = 0
        ret = 0
#6  0x00000000004d83b4 in decode (sd=0x228b460, packet=0x7fffd0001350) at ../sub/sd_lavc.c:208
        opts = 0x20182a0
        priv = 0x228b720
        ctx = 0x228b8e0
        pts = -9.2233720368547758e+18
        duration = -1
        sub = {format = 0, start_display_time = 0, end_display_time = 0, num_rects = 1, 
          rects = 0x2290140, pts = -9223372036854775808}
        pkt = {buf = 0x0, pts = -9223372036854775808, dts = -9223372036854775808, 
          data = 0x7fffd833a290 "", size = 226, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 0, destruct = 0x0, priv = 0x7fffffffd610, pos = -1, 
          convergence_duration = 0}
        got_sub = 0
        res = 0
        endpts = 6.9533558072966704e-310
        current = 0x100000000
        __PRETTY_FUNCTION__ = "decode"
#7  0x00000000004cd8d1 in decode_chain (sd=0x22972d0, num_sd=1, packet=0x7fffd0001350)
    at ../sub/dec_sub.c:255
        dec = 0x228b460
#8  0x00000000004cdab0 in decode_chain_recode (sub=0x2297200, sd=0x22972d0, num_sd=1, 
    packet=0x7fffd0001350) at ../sub/dec_sub.c:294
        recoded = 0x0
#9  0x00000000004cdaff in sub_decode (sub=0x2297200, packet=0x7fffd0001350) at ../sub/dec_sub.c:302
No locals.
#10 0x00000000004a0814 in update_subtitle (mpctx=0x2015050, order=0) at ../player/sub.c:271
        subpts_s = -9.2233720368547758e+18
        pkt = 0x7fffd0001350
        sh_stream = 0x7fffd8339f00
        interleaved = true
        opts = 0x20182a0
        track = 0x2274c40
        dec_sub = 0x2297200
        obj = 0
        state = {dec_sub = 0x2297200, video_offset = 0, render_bitmap_subs = true}
        refpts_s = -9.2233720368547758e+18
        curpts_s = -9.2233720368547758e+18
        __PRETTY_FUNCTION__ = "update_subtitle"
#11 0x00000000004a08e7 in update_subtitles (mpctx=0x2015050) at ../player/sub.c:287
No locals.
#12 0x000000000049dcd4 in run_playloop (mpctx=0x2015050) at ../player/playloop.c:963
        opts = 0x20182a0
        endpts = -9.2233720368547758e+18
        end_is_new_segment = false
        prevent_eof = false
#13 0x00000000004924ca in play_current_file (mpctx=0x2015050) at ../player/loadfile.c:1182
        opts = 0x20182a0
        tmp = 0x204e840
        playback_start = 10.312787999999999
        __PRETTY_FUNCTION__ = "play_current_file"
        stream_flags = 0
        startpos = -9.2233720368547758e+18
        nothing_played = false
        end_event = {reason = -10048, error = 32767}
#14 0x0000000000492be4 in mp_play_files (mpctx=0x2015050) at ../player/loadfile.c:1339
        new_entry = 0x20182a0
#15 0x0000000000493ff3 in mpv_main (argc=2, argv=0x7fffffffda58) at ../player/main.c:550
        mpctx = 0x2015050
        opts = 0x20182a0
        verbose_env = 0x0
        r = 0
#16 0x0000000000411e6d in main (argc=2, argv=0x7fffffffda58) at ../player/main_fn.c:13
No locals.
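Added example, not part of the original report and not ffmpeg's or mpv's code: it reproduces the arithmetic visible in the backtrace and shows the bounds check the RLE entry point needs. Two things can be verified directly from the trace. In frame #2, gb.buffer (0x14a93d54) is exactly buf (0x2a8c9b0) plus start (302019492), so the bit reader was pointed 302019492 bytes past the beginning of a 453-byte packet. In the same frame, size_in_bits is 1878814984, which is (453 - 302019492) * 8 wrapped to 32 bits: the negative difference times 8 overflows into a large positive length, so the reader believes it has roughly 235 MB to consume and faults on the first UPDATE_CACHE. The decoder therefore has to reject start offsets outside the packet before computing a length from them. The function shapes, the constructed 453-byte packet and the in-range offset 264 are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from frame #2 of the backtrace above. */
#define TRACE_START    302019492
#define TRACE_BUF_SIZE 453
#define TRACE_BIT_LEN  1878814984u

/*
 * The unchecked prologue: bit_len = (buf_size - start) * 8.  Done here in
 * 32-bit unsigned arithmetic so the wraparound is well defined; with a plain
 * signed int the same bit pattern comes out on mainstream compilers, but it
 * is formally undefined behaviour, which is one more reason to check first.
 */
uint32_t unchecked_bit_len(int start, int buf_size)
{
    return (uint32_t)(buf_size - start) * 8u;
}

/*
 * Hardened prologue for a decode_rle-style function (assumed shape, not the
 * real ffmpeg signature): refuse any start offset that is not strictly inside
 * the packet and any length that would not fit the decoder's int counters.
 * Returns the bit length to hand to the bit reader, or -1 on bad input; the
 * caller must then drop the rectangle instead of decoding it.
 */
int checked_bit_len(int start, int buf_size)
{
    if (buf_size <= 0 || start < 0 || start >= buf_size)
        return -1;
    if ((int64_t)(buf_size - start) * 8 > INT32_MAX)
        return -1;
    return (buf_size - start) * 8;
}

/*
 * Toy RLE setup mirroring the call in frame #3: given the packet and the
 * start offset taken from the subtitle command data, return a pointer to the
 * first RLE byte and store its bit length, or return NULL (length 0) when the
 * offset is rejected.  Only the setup is modelled, not the bitmap decoding.
 */
const uint8_t *rle_setup(const uint8_t *buf, int buf_size, int start,
                         int *bit_len_out)
{
    int bit_len = checked_bit_len(start, buf_size);
    if (bit_len < 0) {
        *bit_len_out = 0;
        return NULL;
    }
    *bit_len_out = bit_len;
    return buf + start;
}

int main(void)
{
    uint8_t packet[TRACE_BUF_SIZE] = {0};   /* constructed 453-byte packet */
    int bits;

    printf("wrapped bit_len for start=%d buf_size=%d: %u (trace shows %u)\n",
           TRACE_START, TRACE_BUF_SIZE,
           unchecked_bit_len(TRACE_START, TRACE_BUF_SIZE), TRACE_BIT_LEN);

    if (rle_setup(packet, TRACE_BUF_SIZE, TRACE_START, &bits) == NULL)
        printf("hardened setup rejects start=%d\n", TRACE_START);

    if (rle_setup(packet, TRACE_BUF_SIZE, 264, &bits) != NULL)
        printf("hardened setup accepts start=264: %d bits remain\n", bits);

    return 0;
}
```

The check belongs at the point where the offset is first turned into a pointer or a length, because everything downstream (the GetBitContext, the run-length loop, the bitmap writes) trusts those two values; a fuzzer will find any path that reaches init_get_bits with an offset that was never validated against buf_size.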
