Date: Tue, 18 Jun 2024 01:52:51 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
Message-ID: <20240617235251.GF4991@pb2>
References: <20240616230831.912377-1-michael@niedermayer.cc> <20240616230831.912377-8-michael@niedermayer.cc>

On Mon, Jun 17, 2024 at 09:50:18AM +0200, Paul B Mahol wrote:
> On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer wrote:
>
> > Fixes: out of array read
> > Fixes: 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavcodec/smcenc.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
> > index 789aef4f770..d70cce900ec 100644
> > --- a/libavcodec/smcenc.c
> > +++ b/libavcodec/smcenc.c
> > @@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
> >      uint8_t *pal;
> >      int ret;
> >
> > +    if (avctx->width < 4)
> > +        return AVERROR_PATCHWELCOME;
> > +
> >
>
> I just enabled address sanitizer for smc encoder and I do not get any
> errors.
> Where is the log of where the overread happens?

log is below:

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
Time ran: 0.04435396194458008
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 267861690
INFO: Loaded 1 modules (65950 inline 8-bit counters): 65950 [0x8b8e570, 0x8b9e70e),
INFO: Loaded 1 PC tables (65950 PCs): 65950 [0x8a2d0d0,0x8aaddc0),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
=================================================================
==23375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf76af7fe at pc 0x08141703 bp 0xffb541a8 sp 0xffb53d80
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x8141702 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
    #1 0x8141c31 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
    #2 0x822ccab in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
    #3 0x822ccab in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
    #4 0x820f5cc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
    #5 0x82114db in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
    #6 0x82114db in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
    #7 0x82114db in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
    #8 0x821082f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
    #9 0x81ef067 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
    #10 0x81ef067 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
    #11 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7c6aed4 in __libc_start_main
    #16 0x8091075 in _start

0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
    #0 0x81ab67a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x884f02f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x880036a in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x8821c97 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
    #4 0x8821c97 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
    #5 0x81eed9f in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
    #6 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0xf7c6aed4 in __libc_start_main

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
Shadow bytes around the buggy address:
  0x3eed5ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eed5ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x3eed5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23375==ABORTING

+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x8141702 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
    #1 0x8141c31 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141c31)
    #2 0x822ccab (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x822ccab)
    #3 0x820f5cc (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x820f5cc)
    #4 0x82114db (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x82114db)
    #5 0x821082f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x821082f)
    #6 0x81ef067 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ef067)
    #7 0x80aefce (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aefce)
    #8 0x8099f2e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099f2e)
    #9 0x809fb30 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809fb30)
    #10 0x80c9717 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9717)
    #11 0xf7c6aed4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
    #12 0x8091075 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8091075)

0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
    #0 0x81ab67a (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ab67a)
    #1 0x884f02f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x884f02f)
    #2 0x880036a (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x880036a)
    #3 0x8821c97 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8821c97)
    #4 0x81eed9f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eed9f)
    #5 0x80aefce (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aefce)
    #6 0x8099f2e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099f2e)
    #7 0x809fb30 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809fb30)
    #8 0x80c9717 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9717)
    #9 0xf7c6aed4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)

ORIGINAL STACKTRACE ON REVISION 9C6C4F3D476D7A8D423EC3B954254C6A67EBC792 (110 LINES)

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/e3430abcedf901dbb1adbcd2478114b79cdd58a7ef107605832b8beb5821004e
Time ran: 0.05047249794006348
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2836813750
INFO: Loaded 1 modules (65781 inline 8-bit counters): 65781 [0x8b7f310, 0x8b8f405),
INFO: Loaded 1 PC tables (65781 PCs): 65781 [0x8a20d40,0x8aa14e8),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/e3430abcedf901dbb1adbcd2478114b79cdd58a7ef107605832b8beb5821004e
=================================================================
==1182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf791b7fe at pc 0x08141413 bp 0xffafff08 sp 0xffaffae0
READ of size 1 at 0xf791b7fe thread T0
    #0 0x8141412 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
    #1 0x8141941 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
    #2 0x822c60b in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
    #3 0x822c60b in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
    #4 0x820efcc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
    #5 0x8210edb in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
    #6 0x8210edb in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
    #7 0x8210edb in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
    #8 0x821022f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
    #9 0x81eed77 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
    #10 0x81eed77 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
    #11 0x80aecde in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x8099c3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809f840 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80c9427 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7bdced4 in __libc_start_main
    #16 0x8090d85 in _start

0xf791b7fe is located 2 bytes to the left of 296064-byte region [0xf791b800,0xf7963c80)
allocated by thread T0 here:
    #0 0x81ab38a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x885246f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x88037ca in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x88250d7 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
    #4 0x88250d7 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
    #5 0x81eeaaf in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
    #6 0x80aecde in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x8099c3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x809f840 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x80c9427 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0xf7bdced4 in __libc_start_main

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141412)
Shadow bytes around the buggy address:
  0x3ef236a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ef236f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x3ef23700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1182==ABORTING

+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
==1182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf791b7fe at pc 0x08141413 bp 0xffafff08 sp 0xffaffae0
READ of size 1 at 0xf791b7fe thread T0
    #0 0x8141412 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141412)
    #1 0x8141941 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141941)
    #2 0x822c60b (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x822c60b)
    #3 0x820efcc (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x820efcc)
    #4 0x8210edb (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8210edb)
    #5 0x821022f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x821022f)
    #6 0x81eed77 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eed77)
    #7 0x80aecde (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aecde)
    #8 0x8099c3e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099c3e)
    #9 0x809f840 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809f840)
    #10 0x80c9427 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9427)
    #11 0xf7bdced4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
    #12 0x8090d85 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8090d85)

0xf791b7fe is located 2 bytes to the left of 296064-byte region [0xf791b800,0xf7963c80)
allocated by thread T0 here:
    #0 0x81ab38a (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ab38a)
    #1 0x885246f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x885246f)
    #2 0x88037ca (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x88037ca)
    #3 0x88250d7 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x88250d7)
    #4 0x81eeaaf (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eeaaf)
    #5 0x80aecde (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aecde)
    #6 0x8099c3e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099c3e)
    #7 0x809f840 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809f840)
    #8 0x80c9427 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9427)
    #9 0xf7bdced4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
[...]
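Review bot: the new guard sits in smc_encode_frame (per the hunk header), so a width < 4 stream is only rejected when the first frame is submitted, not when the encoder is opened; consider placing the check in the encoder's init function instead (or as well), so that opening the encoder fails early and callers never get as far as avcodec_send_frame. A short comment next to `if (avctx->width < 4)` stating why 4 is the minimum would also help, since the constant is otherwise unexplained in the hunk. The hunk guards width only; whether height needs the same minimum is worth confirming, and if it does the check should cover both.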
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Democracy is the form of government in which you can choose your dictator
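As an added example (not code from this mail, from FFmpeg, or from ClusterFuzz), the following Python helper pulls the facts a reviewer needs out of an AddressSanitizer report like the one quoted above: the error class, the access kind and size, where the faulting address lies relative to the heap region, the first frame outside the sanitizer runtime, and the allocation site of that region. The embedded sample is an excerpt of the report in this mail; the `/src/llvm-project/` prefix used to recognise sanitizer runtime frames is an assumption that matches the paths in that report, and the parser assumes one report per input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Frames under this prefix belong to the sanitizer runtime (interceptors, allocator
# hooks, libFuzzer) and are skipped when picking the frame to blame.
# Assumption: matches the /src/llvm-project/ layout seen in the quoted report.
SANITIZER_PREFIX = "/src/llvm-project/"

# Excerpt of the report quoted in the mail above (first symbolized trace, trimmed).
SAMPLE_REPORT = """\
==23375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf76af7fe at pc 0x08141703 bp 0xffb541a8 sp 0xffb53d80
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x8141702 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
    #1 0x8141c31 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
    #2 0x822ccab in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
    #3 0x822ccab in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
    #4 0x820f5cc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11

0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
    #0 0x81ab67a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x884f02f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x880036a in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x8821c97 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
    #4 0x8821c97 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
"""


@dataclass
class Frame:
    index: int
    function: str
    file: str
    line: int


def first_project_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame that is not inside the sanitizer runtime."""
    for f in frames:
        if not f.file.startswith(SANITIZER_PREFIX):
            return f
    return None


@dataclass
class AsanTriage:
    kind: str                  # e.g. "heap-buffer-overflow"
    access: str                # "READ" or "WRITE"
    size: int                  # bytes accessed
    address: int               # faulting address
    crash_frames: List[Frame]
    alloc_frames: List[Frame]
    region_start: Optional[int] = None
    region_end: Optional[int] = None

    @property
    def region_size(self) -> Optional[int]:
        return None if self.region_start is None else self.region_end - self.region_start

    @property
    def offset(self) -> Optional[int]:
        """Signed distance from the region start; negative means the access landed before it."""
        return None if self.region_start is None else self.address - self.region_start

    @property
    def blame(self) -> Optional[Frame]:
        return first_project_frame(self.crash_frames)

    @property
    def allocator(self) -> Optional[Frame]:
        return first_project_frame(self.alloc_frames)


_ERROR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread T\d+")
_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (/\S+?):(\d+)(?::\d+)?$")
_REGION = re.compile(r"^0x[0-9a-f]+ is located \d+ bytes (?:to the left of|to the right of|inside of) \d+-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_ALLOC = re.compile(r"^allocated by thread T\d+ here:")


def parse_asan_report(text: str) -> AsanTriage:
    """Parse one ASan report; frames without a source path (libc, unsymbolized) are ignored."""
    kind = access = None
    size = address = 0
    crash: List[Frame] = []
    alloc: List[Frame] = []
    region_start = region_end = None
    target = None  # frame list currently being filled, None between sections
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            target = None  # a blank line ends a stack trace
            continue
        if m := _ERROR.match(line):
            kind, address = m.group(1), int(m.group(2), 16)
        elif m := _ACCESS.match(line):
            access, size = m.group(1), int(m.group(2))
            target = crash
        elif m := _REGION.match(line):
            region_start, region_end = int(m.group(1), 16), int(m.group(2), 16)
        elif _ALLOC.match(line):
            target = alloc
        elif (m := _FRAME.match(line)) and target is not None:
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    if kind is None or access is None:
        raise ValueError("not an AddressSanitizer report")
    return AsanTriage(kind, access, size, address, crash, alloc, region_start, region_end)


def triage_summary(t: AsanTriage) -> str:
    """One-line summary of the kind a reviewer wants to see first."""
    where = "unknown frame" if t.blame is None else f"{t.blame.function} ({t.blame.file}:{t.blame.line})"
    parts = [f"{t.kind}: {t.access} of {t.size} byte(s) in {where}"]
    if t.offset is not None:
        parts.append(f"{t.offset:+d} bytes from the start of a {t.region_size}-byte heap region")
    if t.allocator is not None:
        parts.append(f"region allocated via {t.allocator.function} ({t.allocator.file}:{t.allocator.line})")
    return "; ".join(parts)


if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

On the sample the summary reads: the 1-byte read in smc_encode_stream (smcenc.c:193) lands 2 bytes before a 264320-byte region obtained through av_malloc, which is the frame buffer handed to the encoder; that is the concrete form of the "out of array read" the commit message names, and is the first thing to check against the `width < 4` condition when reproducing Paul's negative result.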