Abrt in mov_seek_stream
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5950038094905344
Fuzzer: inferno_flicker
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Abrt
Crash Address: 0x7fff900bdf06
Crash State:
  mov_seek_stream
  base::CreateThread
  base::internal::SchedulerWorker::Thread::Create
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=543529:543549
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5950038094905344
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Mar 16 2018
Automatically adding ccs based on suspected regression changelists:
avformat/mov: Fix integer overflow in mov_get_stsc_samples() by michael@niedermayer.cc - https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/367929bed9def1ccdd9a0f4ac5b7b98d1993782d
If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Yes, I just confirmed it's failing locally exactly at the same point. I'll unduplicate this one just to ensure that clusterfuzz eventually verifies the fix.
Mar 16 2018
Today, I've sent this case along with bug 822547 upstream to Michael to get a fix to eventually cherry-pick into our downstream.
Mar 19 2018
I've confirmed locally that Michael's patch for 823009 and 822547 also fixes this issue. I'll cherry-pick into Chromium once the fix lands upstream.
Mar 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/5baad932589a94969782df630db02ec0293d920f

commit 5baad932589a94969782df630db02ec0293d920f
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Tue Mar 20 20:35:11 2018

avformat/mov: Check STSC and remove invalid entries

Fixes assertion failure. Applied from upstream patch currently in review at https://patchwork.ffmpeg.org/patch/8051/, authored by michael@niedermayer.cc.

BUG=822547,822666, 823009
Change-Id: Id9ab21dfe96c916d53b3c596d5cbaa3da27202fa
Reviewed-on: https://chromium-review.googlesource.com/971356
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>

[modify] https://crrev.com/5baad932589a94969782df630db02ec0293d920f/libavformat/mov.c
[modify] https://crrev.com/5baad932589a94969782df630db02ec0293d920f/chromium/patches/README
Mar 20 2018
See https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9e67447a4ffacf28af8bace33faf3ea432ddc43e for the upstream version of #10 that just now landed upstream.
Mar 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/53f2cab46eacdcc6a17ed01e62acd813cca5ff44

commit 53f2cab46eacdcc6a17ed01e62acd813cca5ff44
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Tue Mar 20 23:15:04 2018

Roll src/third_party/ffmpeg/ 02ec9ce5a..5baad9325 (1 commit)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/02ec9ce5a9bc..5baad932589a

$ git log 02ec9ce5a..5baad9325 --date=short --no-merges --format='%ad %ae %s'
2018-03-20 wolenetz avformat/mov: Check STSC and remove invalid entries

Created with:
  roll-dep src/third_party/ffmpeg

BUG= 803898 ,822547,822666, 823009
TBR=xhwang@chromium.org
Change-Id: Ia530bd05a622911055e7e79f3cd37aa8c5186350
Reviewed-on: https://chromium-review.googlesource.com/971767
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544581}

[modify] https://crrev.com/53f2cab46eacdcc6a17ed01e62acd813cca5ff44/DEPS
Mar 21 2018
ClusterFuzz has detected this issue as fixed in range 544553:544583.

Detailed report: https://clusterfuzz.com/testcase?key=5950038094905344
Fuzzer: inferno_flicker
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Abrt
Crash Address: 0x7fff900bdf06
Crash State:
  mov_seek_stream
  base::CreateThread
  base::internal::SchedulerWorker::Thread::Create
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=543529:543549
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=544553:544583
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5950038094905344
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 14 2018
Hello! The commit to fix this: https://github.com/FFmpeg/FFmpeg/commit/9e67447a4ffacf28af8bace33faf3ea432ddc43e Seems to cause some m4a files to fail. For example episodes of this podcast: https://guiltyfeminist.libsyn.com/97-repeal-the-eighth-with-helen-linehan

FFmpeg n4.0:
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f26523de600] stream 1, contradictionary STSC and STCO
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f26523de600] error reading header
GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a: Invalid data found when processing input

FFmpeg 3.3.4 (this version for no particular reason, macosx brew ffmpeg):
ffprobe version 3.3.4 Copyright (c) 2007-2017 the FFmpeg developers
  built with Apple LLVM version 8.1.0 (clang-802.0.42)
  configuration: --prefix=/usr/local/Cellar/ffmpeg/3.3.4 --enable-shared --enable-pthreads --enable-gpl --enable-version3 --enable-hardcoded-tables --enable-avresample --cc=clang --host-cflags= --host-ldflags= --enable-libmp3lame --enable-libx264 --enable-libxvid --enable-opencl --enable-videotoolbox --enable-openssl --disable-lzma --enable-nonfree --enable-vda
  libavutil      55. 58.100 / 55. 58.100
  libavcodec     57. 89.100 / 57. 89.100
  libavformat    57. 71.100 / 57. 71.100
  libavdevice    57.  6.100 / 57.  6.100
  libavfilter     6. 82.100 /  6. 82.100
  libavresample   3.  5.  0 /  3.  5.  0
  libswscale      4.  6.100 /  4.  6.100
  libswresample   2.  7.100 /  2.  7.100
  libpostproc    54.  5.100 / 54.  5.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7ff04e802a00] stream 0, timescale not set
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a':
  Metadata:
    major_brand     : M4A
    minor_version   : 1
    compatible_brands: M4A mp42isom
    creation_time   : 2018-05-07T09:48:25.000000Z
    artist          : Deborah Frances-White
    album           : The Guilty Feminist
    date            : 2018
    title           : The Guilty Feminist 97. Repeal the Eighth with Helen Linehan
    encoder         : GarageBand 4.1.2
    composer        :
  Duration: 00:46:24.68, start: -1.000000, bitrate: 197 kb/s
    Chapter #0:0: start 0.000000, end 300.000000
    Metadata:
      title           : I am a Feminist But...
    Chapter #0:1: start 300.000000, end 324.000000
    Metadata:
      title           : Opening titles
    Chapter #0:2: start 324.000000, end 1015.000000
    Metadata:
      title           : Introduction
    Chapter #0:3: start 1015.000000, end 1917.000000
    Metadata:
      title           : Helen Linehan
    Chapter #0:4: start 1917.000000, end 2386.000000
    Metadata:
      title           : Deborah Frances-White
    Chapter #0:5: start 2386.000000, end 2720.000000
    Metadata:
      title           : Plugs and announcements
    Chapter #0:6: start 2720.000000, end 2784.676281
    Metadata:
      title           : Closing titles
    Stream #0:0(eng): Data: bin_data (tx3g / 0x67337874)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Text Media Handler
    Stream #0:1(eng): Data: bin_data (tx3g / 0x67337874) (default)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Text Media Handler
    Stream #0:2(eng): Audio: aac (LC) (mp4a / 0x6134706D), 44100 Hz, stereo, fltp, 195 kb/s (default)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Sound Media Handler
    Stream #0:3(eng): Video: mjpeg (jpeg / 0x6765706A), yuvj420p(pc, bt470bg/unknown/unknown), 640x640 [SAR 120:120 DAR 1:1], 0 kb/s, 0.0018 fps, 1 tbr, 44100 tbn, 44100 tbc (default)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Video Media Handler
    Stream #0:4: Video: mjpeg, yuvj420p(pc, bt470bg/unknown/unknown), 640x640 [SAR 120:120 DAR 1:1], 90k tbr, 90k tbn, 90k tbc
Unsupported codec with id 100359 for input stream 0
Unsupported codec with id 100359 for input stream 1

Looking at the sample table boxes for stream 1 they look empty. Should be ignored for this stream as it does not look like audio or?
May 14 2018
It should say "should it be ignored for this stream as it does not look like audio assuming it's safe"
May 15 2018
The following 2 patches should fix this, if they look ok then ill post them to ffmpeg-devel also what should i put in Reportedby/Foundby, your full name is not displayed in the report ... commit d25ba8cb968b1a5eff737d90c859d15df1fbecc3 (HEAD -> master) Author: Michael Niedermayer <michael@niedermayer.cc> Date: Mon May 14 23:10:15 2018 +0200 avformat/mov: Only fail for STCO/STSC contradictions if both exist Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a See: crbug 822666 Reported-by: mattias....@gmail.com Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> diff --git a/libavformat/mov.c b/libavformat/mov.c index 4848a106f2..a078bf4712 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4148,7 +4148,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } - if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; commit 9b831260dad13cfa0afa998e6ef0253453fef47f Author: Michael Niedermayer <michael@niedermayer.cc> Date: Mon May 14 23:07:56 2018 +0200 avformat/mov: Break out early if chunk_count is 0 in mov_build_index() Without this some operations might overflow (undefined behavior) even though the index adding loop would never execute No testcase known Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> diff --git a/libavformat/mov.c b/libavformat/mov.c index 1975011741..4848a106f2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3900,6 +3900,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; + if (!sc->chunk_count) + return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count;
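Review bot: With the added `sc->chunk_count &&` guard in mov_read_trak, an STSC whose last entry starts beyond the chunk table is no longer rejected when STCO is absent or empty, so every later user of stsc_data must now cope with chunk_count == 0 alongside stsc_count > 0; the commit message should state that this relaxation is only safe together with the mov_build_index early return in the companion patch, so the two are not cherry-picked separately. The unchanged error string `"stream %d, contradictionary STSC and STCO\n"` on the next line misspells "contradictory"; since that text is what people search for (it is quoted verbatim in the report above), correcting it while this line is being touched is worthwhile.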
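Review bot: The early `return` added to mov_build_index sits inside the `else` branch directly after `unsigned chunk_samples, total = 0;`, so it only skips that branch's index construction, but nothing at the site says why; a one-line comment such as `/* no chunks: the chunk-count arithmetic below would wrap even though the index loop never runs */` would spare the next reader a trip to the commit message. Given "No testcase known", a minimal fixture with a non-empty STSC and an empty STCO (the shape of the m4a reported above) run under an undefined-behaviour sanitizer would turn this from a precautionary change into a regression test.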
May 15 2018
Hello, thanks for the fast response. You can use "Mattias Wadman <mattias.wadman@gmail.com>" as Reportedby/Foundby. The patches seem to work. Log from ffprobe using master of today with the two patches:

./ffprobe -i /bla/GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a
ffprobe version git-2018-05-15-e351882 Copyright (c) 2007-2018 the FFmpeg developers
  built with gcc 6.4.0 (Alpine 6.4.0)
  configuration: --toolchain=hardened --disable-shared --enable-static --pkg-config-flags=--static --extra-ldflags=-static --enable-gpl --enable-nonfree --enable-openssl --enable-iconv --disable-doc --disable-ffplay --enable-libmp3lame --enable-libfdk-aac --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvpx --enable-libx264 --enable-libx265 --enable-libwebp --enable-libwavpack --enable-libspeex
  libavutil      56. 18.102 / 56. 18.102
  libavcodec     58. 19.101 / 58. 19.101
  libavformat    58. 13.102 / 58. 13.102
  libavdevice    58.  4.100 / 58.  4.100
  libavfilter     7. 22.100 /  7. 22.100
  libswscale      5.  2.100 /  5.  2.100
  libswresample   3.  2.100 /  3.  2.100
  libpostproc    55.  2.100 / 55.  2.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f496f0d8500] stream 0, timescale not set
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from '/bla/GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a':
  Metadata:
    major_brand     : M4A
    minor_version   : 1
    compatible_brands: M4A mp42isom
    creation_time   : 2018-05-07T09:48:25.000000Z
    artist          : Deborah Frances-White
    album           : The Guilty Feminist
    date            : 2018
    title           : The Guilty Feminist 97. Repeal the Eighth with Helen Linehan
    encoder         : GarageBand 4.1.2
    composer        :
  Duration: 00:46:24.68, start: -1.000000, bitrate: 197 kb/s
    Chapter #0:0: start 0.000000, end 300.000000
    Metadata:
      title           : I am a Feminist But...
    Chapter #0:1: start 300.000000, end 324.000000
    Metadata:
      title           : Opening titles
    Chapter #0:2: start 324.000000, end 1015.000000
    Metadata:
      title           : Introduction
    Chapter #0:3: start 1015.000000, end 1917.000000
    Metadata:
      title           : Helen Linehan
    Chapter #0:4: start 1917.000000, end 2386.000000
    Metadata:
      title           : Deborah Frances-White
    Chapter #0:5: start 2386.000000, end 2720.000000
    Metadata:
      title           : Plugs and announcements
    Chapter #0:6: start 2720.000000, end 2784.676281
    Metadata:
      title           : Closing titles
    Stream #0:0(eng): Data: bin_data (tx3g / 0x67337874)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Text Media Handler
    Stream #0:1(eng): Data: bin_data (tx3g / 0x67337874) (default)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Text Media Handler
    Stream #0:2(eng): Audio: aac (LC) (mp4a / 0x6134706D), 44100 Hz, stereo, fltp, 195 kb/s (default)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Sound Media Handler
    Stream #0:3(eng): Video: mjpeg (jpeg / 0x6765706A), yuvj420p(pc, bt470bg/unknown/unknown), 640x640 [SAR 120:120 DAR 1:1], 0 kb/s, 0.0018 fps, 1 tbr, 44100 tbn, 44100 tbc (default)
    Metadata:
      creation_time   : 2018-05-07T09:48:25.000000Z
      handler_name    : Apple Video Media Handler
    Stream #0:4: Video: mjpeg, yuvj420p(pc, bt470bg/unknown/unknown), 640x640 [SAR 120:120 DAR 1:1], 90k tbr, 90k tbn, 90k tbc
Unsupported codec with id 100359 for input stream 0
Unsupported codec with id 100359 for input stream 1
bash-4.4#
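As an added illustration, not FFmpeg's code, the C below models the STSC-versus-STCO check as it stood before and after the first of the two patches posted above, plus the chunk_count == 0 guard from the second, and runs both over constructed sample tables. The struct and function names are assumptions, and the per-run sample arithmetic follows the ISO BMFF sample-to-chunk semantics rather than mov.c's own loop.

```c
#include <stdint.h>

/* One 'stsc' entry: chunks from 'first' (1-based) up to the next entry's
 * first chunk each hold 'count' samples.  Names are assumptions, not mov.c. */
typedef struct { unsigned first; unsigned count; } StscEntry;
typedef struct {
    const StscEntry *stsc_data;
    unsigned stsc_count;
    unsigned chunk_count;   /* number of 'stco'/'co64' chunk offsets */
} SampleTable;

/* Pre-patch check: rejects any STSC whose last run starts past the chunk
 * count, which includes the chunk_count == 0 shape of the m4a regression. */
int stsc_contradicts_stco_old(const SampleTable *sc)
{
    return sc->stsc_count &&
           sc->stsc_data[sc->stsc_count - 1].first > sc->chunk_count;
}
/* Patched check: a contradiction only when both tables actually exist. */
int stsc_contradicts_stco_new(const SampleTable *sc)
{
    return sc->chunk_count && sc->stsc_count &&
           sc->stsc_data[sc->stsc_count - 1].first > sc->chunk_count;
}

/* Samples implied by STSC plus the chunk count.  With chunk_count == 0 the
 * last run length (chunk_count - first + 1) would wrap, which is what the
 * second patch's early return avoids.  Returns -1 on a contradiction. */
int64_t total_samples(const SampleTable *sc)
{
    uint64_t total = 0;
    if (!sc->chunk_count)
        return 0;                           /* nothing to index */
    if (stsc_contradicts_stco_new(sc))
        return -1;
    for (unsigned i = 0; i < sc->stsc_count; i++) {
        unsigned first = sc->stsc_data[i].first;
        unsigned last  = i + 1 < sc->stsc_count ? sc->stsc_data[i + 1].first - 1
                                                : sc->chunk_count;
        if (last < first)
            return -1;                      /* first_chunk not increasing */
        total += (uint64_t)(last - first + 1) * sc->stsc_data[i].count;
    }
    return (int64_t)total;
}
/* Constructed tables (not taken from the file in the bug report). */
static const StscEntry two_runs[] = { { 1, 2 }, { 3, 5 } };
const SampleTable normal_stream = { two_runs, 2, 4 }; /* 2*2 + 2*5 = 14 samples */
const SampleTable empty_stco    = { two_runs, 2, 0 }; /* STSC present, no chunks */
const SampleTable contradiction = { two_runs, 2, 2 }; /* last run starts at chunk 3 of 2 */
```

The empty_stco table is rejected by the old check and accepted by the new one, while a genuine contradiction is rejected by both.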
May 15 2018
Thanks folks! +liberato to ensure we pick up the patches in c#17 for the M68 ffmpeg update.
May 15 2018
Frank, please see #19.
Jul 19
This bug has a stale milestone. Please close appropriately, update the milestone and set P1/P2, or drop the milestone and set as P3. I'll automatically punt these issues to M70 next week otherwise.
Jul 27
These issues have seen no update and have stale milestones, dropping priority and removing milestone.