Issue 73026: dereference poisoned value in avcodec_52!ff_thread_decode_frame
Project Member Reported by taviso, Feb 15, 2011
What steps will reproduce the problem?
1. Open http://flyingmeat.com/free/flygesture-open-safari.mp4
2. AV
3.

What is the expected output? What do you see instead?


2:018> .lastevent
Last event: c2c.c24: Access violation - code c0000005 (first chance)
  debugger time: Tue Feb 15 17:23:38.291 2011 (GMT+1)
2:018> r
eax=02530b4b ebx=01439ac0 ecx=baadf00d edx=01439ac0 esi=0143dce0 edi=01439ac0
eip=6addc244 esp=0197fba0 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
avcodec_52!ff_thread_decode_frame+0x44:
6addc244 898100010000    mov     dword ptr [ecx+100h],eax ds:0023:baadf10d=????????
2:018> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 avcodec_52!ff_thread_decode_frame+0x44

Please use labels and text to provide additional information.

Testcase attached in case it disappears.

Attachment: flygesture-open-safari.mp4 (1.5 MB)
Feb 15, 2011
#1 taviso
Here's another one from the crash logs http://file.wukangrui.com/safe/cssgaga.mp4
Feb 15, 2011
#2 suna...@chromium.org
Stack Trace with Google Chrome 9.0.597.98
-------------------------------------------
Thread 6 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_WRITE @ 0x00000100 )

0x6e6ec244	 [avcodec-52.dll	 + 0x0009c244]	
0x5d55c820	 [chrome.dll	 - message_loop.cc:388]	MessageLoop::PostTask_Helper(tracked_objects::Location const &,Task *,__int64,bool)
0x5dd85714	 [chrome.dll	 - ffmpeg_demuxer.cc:160]	media::FFmpegDemuxerStream::Read(CallbackRunner<Tuple1<media::Buffer *> > *)
0x5d4a8567	 [chrome.dll	 - allocator_shim.cc:110]	malloc
0x6e6f1117	 [avcodec-52.dll	 + 0x000a1117]	
0x5dd8e410	 [chrome.dll	 - ffmpeg_video_decode_engine.cc:219]	media::FFmpegVideoDecodeEngine::DecodeFrame(scoped_refptr<media::Buffer>)
0x5dd8e410	 [chrome.dll	 - ffmpeg_video_decode_engine.cc:219]	media::FFmpegVideoDecodeEngine::DecodeFrame(scoped_refptr<media::Buffer>)
0x5d4a7286	 [chrome.dll	 - thread_cache.h:386]	tcmalloc::ThreadCache::GetCache()
0x5d4aea6d	 [chrome.dll	 - central_freelist.cc:55]	tcmalloc::CentralFreeList::ReleaseListToSpans(void *)
0x5d4aea6d	 [chrome.dll	 - central_freelist.cc:55]	tcmalloc::CentralFreeList::ReleaseListToSpans(void *)
0x5d4aecae	 [chrome.dll	 - central_freelist.cc:193]	tcmalloc::CentralFreeList::InsertRange(void *,void *,int)
0x5d4ae5e3	 [chrome.dll	 - thread_cache.cc:219]	tcmalloc::ThreadCache::ReleaseToCentralCache(tcmalloc::ThreadCache::FreeList *,unsigned int,int)
0x5d4ae514	 [chrome.dll	 - thread_cache.cc:180]	tcmalloc::ThreadCache::ListTooLong(tcmalloc::ThreadCache::FreeList *,unsigned int)
0x5d56532c	 [chrome.dll	 - ref_counted.cc:71]	base::subtle::RefCountedThreadSafeBase::AddRef()
0x5dd8e2f9	 [chrome.dll	 - ffmpeg_video_decode_engine.cc:167]	media::FFmpegVideoDecodeEngine::ConsumeVideoSample(scoped_refptr<media::Buffer>)
0x5dd88164	 [chrome.dll	 - ffmpeg_video_decoder.cc:295]	media::FFmpegVideoDecoder::OnReadCompleteTask(scoped_refptr<media::Buffer>)
0x5dd880c8	 [chrome.dll	 - ffmpeg_video_decoder.cc:247]	media::FFmpegVideoDecoder::OnReadComplete(media::Buffer *)
0x5d90b422	 [chrome.dll	 - task.h:330]	RunnableMethod<GpuVideoDecoderHost,void ( GpuVideoDecoderHost::*)(scoped_refptr<media::VideoFrame>),Tuple1<scoped_refptr<media::VideoFrame> > >::Run()
0x5d55c8bd	 [chrome.dll	 - message_loop.cc:418]	MessageLoop::RunTask(Task *)
0x5d55c944	 [chrome.dll	 - message_loop.cc:427]	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x5d55cade	 [chrome.dll	 - message_loop.cc:534]	MessageLoop::DoWork()
0x5d64d000	 [chrome.dll	 - ref_counted.h:141]	base::RefCountedThreadSafe<PersonalDataManager,base::DefaultRefCountedThreadSafeTraits<PersonalDataManager> >::Release()
0x5d574765	 [chrome.dll	 - message_pump_default.cc:50]	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x5d55c50b	 [chrome.dll	 - message_loop.cc:195]	MessageLoop::AddDestructionObserver(MessageLoop::DestructionObserver *)
0x5d55c665	 [chrome.dll	 - message_loop.cc:266]	MessageLoop::RunInternal()
0x5d55c5ea	 [chrome.dll	 - message_loop.cc:238]	MessageLoop::RunHandler()
0x5d55c598	 [chrome.dll	 - message_loop.cc:216]	MessageLoop::Run()
0x5dfc7feb	 [chrome.dll	 - thread.cc:140]	base::Thread::Run(MessageLoop *)
0x5dfc8097	 [chrome.dll	 - thread.cc:164]	base::Thread::ThreadMain()

Full report @ http://crash/reportdetail?reportid=10992109f4cc70c5

Stack Trace with Google Chrome 11.0.671.0
------------------------------------------
Thread 8 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_WRITE @ 0x00000100 )

0x6f40bf77	 [avcodec-52.dll	 + 0x0008bf77]	
0x7fffffff			
0x77742ff9	 [ntdll.dll	 + 0x00032ff9]	RtlpFreeHeap
0x77742bf1	 [ntdll.dll	 + 0x00032bf1]	RtlpCoalesceFreeBlocks
0x61c1fa9a	 [chrome.dll	 - central_freelist.cc:55]	tcmalloc::CentralFreeList::ReleaseListToSpans(void *)
0x62fd7a17	 [chrome.dll	 + 0x013d7a17]	
0x61c1fcdb	 [chrome.dll	 - central_freelist.cc:193]	tcmalloc::CentralFreeList::InsertRange(void *,void *,int)
0x61c1f610	 [chrome.dll	 - thread_cache.cc:219]	tcmalloc::ThreadCache::ReleaseToCentralCache(tcmalloc::ThreadCache::FreeList *,unsigned int,int)
0x61c1f541	 [chrome.dll	 - thread_cache.cc:180]	tcmalloc::ThreadCache::ListTooLong(tcmalloc::ThreadCache::FreeList *,unsigned int)
0x61cd9d5f	 [chrome.dll	 - ref_counted.cc:76]	base::subtle::RefCountedThreadSafeBase::AddRef()
0x625af493	 [chrome.dll	 - ffmpeg_video_decode_engine.cc:167]	media::FFmpegVideoDecodeEngine::ConsumeVideoSample(scoped_refptr<media::Buffer>)
0x625a9515	 [chrome.dll	 - ffmpeg_video_decoder.cc:297]	media::FFmpegVideoDecoder::OnReadCompleteTask(scoped_refptr<media::Buffer>)
0x625a9479	 [chrome.dll	 - ffmpeg_video_decoder.cc:249]	media::FFmpegVideoDecoder::OnReadComplete(media::Buffer *)
0x620b3bd7	 [chrome.dll	 - task.h:331]	RunnableMethod<GpuVideoDecoderHost,void ( GpuVideoDecoderHost::*)(scoped_refptr<media::VideoFrame>),Tuple1<scoped_refptr<media::VideoFrame> > >::Run()
0x61cd2bf0	 [chrome.dll	 - message_loop.cc:362]	MessageLoop::RunTask(Task *)
0x61cd2c77	 [chrome.dll	 - message_loop.cc:371]	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x61cd3024	 [chrome.dll	 - message_loop.cc:564]	MessageLoop::DoWork()
0x61e16500	 [chrome.dll	 + 0x00216500]	RunnableMethod<LoginHandler,void ( LoginHandler::*)(void),Tuple0>::`scalar deleting destructor'(unsigned int)
0x61ce7f64	 [chrome.dll	 - message_pump_default.cc:50]	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x61cd298c	 [chrome.dll	 - message_loop.cc:203]	MessageLoop::AddDestructionObserver(MessageLoop::DestructionObserver *)
0x61cd2b71	 [chrome.dll	 - message_loop.cc:337]	MessageLoop::RunInternal()
0x61cd2af6	 [chrome.dll	 - message_loop.cc:310]	MessageLoop::RunHandler()
0x61cd29ea	 [chrome.dll	 - message_loop.cc:234]	MessageLoop::Run()
0x627f02c6	 [chrome.dll	 - thread.cc:128]	base::Thread::Run(MessageLoop *)
0x627f03d9	 [chrome.dll	 - thread.cc:164]	base::Thread::ThreadMain()

Full report @ http://crash/reportdetail?reportid=8aefe4283183f027
Status: Untriaged
Owner: ---
Cc: secur...@chromium.org lafo...@chromium.org anan...@chromium.org
Labels: -Restrict-View-SecurityTeam -Security -Pri-0 -Area-Undefined Crash OS-All Pri-1 Area-Internals Feature-Media
Feb 15, 2011
#3 infe...@chromium.org
This is definitely security 
Labels: Restrict-View-SecurityTeam Security
Feb 16, 2011
#4 jsc...@chromium.org
(No comment was entered for this change.)
Labels: SecSeverity-High
Feb 16, 2011
#5 scherkus@chromium.org
(No comment was entered for this change.)
Status: Assigned
Owner: scher...@chromium.org
Labels: Mstone-11
Feb 16, 2011
#6 infe...@chromium.org
Sorry, we cannot wait till m11 for a high severity bug.
Labels: -Mstone-11 Mstone-9
Feb 23, 2011
#7 jsc...@chromium.org
We're reaching the cutoff for m9 stable at the end of this week. Ideally we need this fixed by Friday.
Feb 24, 2011
#8 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Mstone-9 Mstone-10
Feb 25, 2011
#9 scarybea...@gmail.com
I'm assuming that no-one started this yet, because the status isn't started. Sorry if this duplicates any work, but I'm looking into it because it reproduces on Linux.
I have a good handle on it already.
Status: Started
Owner: cev...@chromium.org
Feb 25, 2011
#10 bugdro...@chromium.org
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=76138

------------------------------------------------------------------------
r76138 | cevans@chromium.org | Fri Feb 25 18:09:08 PST 2011

Changed paths:
 A http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/24_thread_index.patch?r1=76138&r2=76137&pathrev=76138
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/source/patched-ffmpeg-mt/libavcodec/pthread.c?r1=76138&r2=76137&pathrev=76138
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/README.chromium?r1=76138&r2=76137&pathrev=76138

Properly account the thread index on all exit paths from the function. Prevents
a crash with certain mp4 files.

BUG=73026
TEST=see bug

Review URL: http://codereview.chromium.org/6597005
------------------------------------------------------------------------
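Added example, not Chromium's or FFmpeg's code: a small model of the bug class that r76138 describes (a per-thread ring index accounted only on the success path, so an early return leaves it pointing at a slot that was never set up) next to the single-exit shape that accounts it on every path. The struct layout, function names, the submit_packet stub and the use of 0xbaadf00d as the uninitialised-memory marker are assumptions; the real pthread.c is not reproduced.

```c
#include <stdint.h>

#define MAX_THREADS 4
/* Windows debug-heap fill for uninitialised memory: the value in ecx in the report. */
#define POISON ((void *)(uintptr_t)0xbaadf00d)

struct frame_ctx { void *avctx[MAX_THREADS]; int thread_count; int next_decoding; };
/* Hypothetical submission step; fails (returns <0) when the packet is unusable. */
static int submit_packet(void *ctx, int pkt_ok) { (void)ctx; return pkt_ok ? 0 : -1; }
/* Buggy shape: the index is bumped but only wrapped on the success path, so an
 * early return leaves it one past the last initialised slot. */
int decode_frame_buggy(struct frame_ctx *f, int pkt_ok) {
    int err = submit_packet(f->avctx[f->next_decoding++], pkt_ok);
    if (err < 0) return err;                 /* exit path that skips the wrap */
    f->next_decoding %= f->thread_count;
    return 0;
}
/* Fixed shape: one exit, and the index is advanced and wrapped on every path. */
int decode_frame_fixed(struct frame_ctx *f, int pkt_ok) {
    int err = submit_packet(f->avctx[f->next_decoding], pkt_ok);
    f->next_decoding = (f->next_decoding + 1) % f->thread_count;
    return err;
}

/* Nonzero if the next call would hand out a slot whose context pointer is poison
 * (the condition behind the faulting write to [ecx+100h] in the report). */
int next_slot_poisoned(const struct frame_ctx *f) {
    if (f->next_decoding < 0 || f->next_decoding >= MAX_THREADS) return 1;
    return f->avctx[f->next_decoding] == POISON;
}
/* thread_count slots get real contexts; the rest keep the uninitialised fill. */
static void init_ctx(struct frame_ctx *f, int thread_count) {
    static int real_ctx[MAX_THREADS];        /* stand-ins for allocated contexts */
    f->thread_count = thread_count;
    f->next_decoding = 0;
    for (int i = 0; i < MAX_THREADS; i++)
        f->avctx[i] = i < thread_count ? (void *)&real_ctx[i] : POISON;
}

/* Constructed scenario: one good packet, then one rejected packet, on 2 threads. */
int demo(int fixed) {
    struct frame_ctx f;
    int (*decode)(struct frame_ctx *, int) = fixed ? decode_frame_fixed : decode_frame_buggy;
    init_ctx(&f, 2);
    decode(&f, 1);                           /* accepted: slot 0 used */
    decode(&f, 0);                           /* rejected at slot 1: early exit */
    return next_slot_poisoned(&f);           /* buggy: 1, fixed: 0 */
}
```

With the buggy shape the rejected packet leaves next_decoding at 2, so the following frame would write through the poison pointer; the fixed shape wraps it back to 0.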
Feb 25, 2011
#11 bugdro...@chromium.org
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=76145

------------------------------------------------------------------------
r76145 | scherkus@chromium.org | Fri Feb 25 18:39:54 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/648/source/patched-ffmpeg-mt/libavcodec/pthread.c?r1=76145&r2=76144&pathrev=76145
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/648/README.chromium?r1=76145&r2=76144&pathrev=76145
 A http://src.chromium.org/viewvc/chrome/branches/ffmpeg/648/patches/to_upstream/24_thread_index.patch?r1=76145&r2=76144&pathrev=76145 (from /trunk/deps/third_party/ffmpeg/patches/to_upstream/24_thread_index.patch revision 76138)

Merge 76138 - Properly account the thread index on all exit paths from the function. Prevents
a crash with certain mp4 files.

BUG=73026
TEST=see bug

Review URL: http://codereview.chromium.org/6597005

TBR=cevans@chromium.org
Review URL: http://codereview.chromium.org/6588036
------------------------------------------------------------------------
Feb 25, 2011
#12 bugdro...@chromium.org
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=76153

------------------------------------------------------------------------
r76153 | cevans@chromium.org | Fri Feb 25 21:08:02 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=76153&r2=76152&pathrev=76153

Update ffmpeg.

BUG=71788,73026
TEST=see bugs
TBR=scherkus

Review URL: http://codereview.chromium.org/6588033
------------------------------------------------------------------------
Feb 25, 2011
#13 scarybea...@gmail.com
Still a bit of merging to do.
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Feb 28, 2011
#14 scherkus@chromium.org
.......and we've merged!  please, please verify on 648 and trunk!
Status: Fixed
Feb 28, 2011
#15 scarybea...@gmail.com
(No comment was entered for this change.)
Status: FixUnreleased
Mar 10, 2011
#16 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2011-1198
Mar 18, 2011
#17 lafo...@chromium.org
Labels: -Crash bulkmove Stability-Crash
Mar 21, 2011
#18 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Jun 29, 2011
#19 scarybea...@gmail.com
(No comment was entered for this change.)
Cc: fbarch...@chromium.org
Jun 29, 2011
#20 scarybea...@gmail.com
(No comment was entered for this change.)
Status: Fixed
Labels: -Restrict-View-SecurityNotify
Oct 4, 2011
#21 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
Oct 13, 2012
#22 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#23 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-Internals -Feature-Media -SecSeverity-High -Mstone-10 -Type-Security -SecImpacts-Stable Security-Impact-Stable Cr-Internals Cr-Internals-Media Security-Severity-High M-10 Type-Bug-Security
Mar 13, 2013
#24 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#25 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#26 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable