Open techno-disaster opened 3 years ago
Opening file: /mnt/c/Downloads/73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
VBI/teletext stream ID 272 (0x110) for SID 1 (0x1)
==549== Invalid read of size 1
==549== at 0x17A399: set_tlt_delta (telxcc.c:1261)
==549== by 0x1814F8: general_loop (general_loop.c:1024)
==549== by 0x141EE8: api_start (ccextractor.c:204)
==549== by 0x142C3E: main (ccextractor.c:462)
==549== Address 0x7ea5339 is 5,273 bytes inside a block of size 17,023 free'd
==549== at 0x483D74F: operator delete[](void*) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==549== by 0x4B99B74: tesseract::LSTMRecognizer::RecognizeLine(tesseract::ImageData const&, bool, bool, double, TBOX const&, tesseract::PointerVector<WERD_RES>*, int) (in /usr/lib/x86_64-linux-gnu/libtesseract.so.4.0.1)
==549== by 0x4A60CD7: tesseract::Tesseract::LSTMRecognizeWord(BLOCK const&, ROW*, WERD_RES*, tesseract::PointerVector<WERD_RES>*) (in /usr/lib/x86_64-linux-gnu/libtesseract.so.4.0.1)
There's a lot more. Clearly when we do clean up we're deallocating stuff we later need (and keeping a pointer to it too).
Update: Bugs still happening
=================================================================
==1550755==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000017c9 at pc 0x55cfb6bb60e7 bp 0x7ffe73d39980 sp 0x7ffe73d39970
READ of size 1 at 0x6070000017c9 thread T0
#0 0x55cfb6bb60e6 in set_tlt_delta ../src/lib_ccx/telxcc.c:1261
#1 0x55cfb6bd2f40 in process_non_multiprogram_general_loop ../src/lib_ccx/general_loop.c:967
#2 0x55cfb6bd3bf3 in general_loop ../src/lib_ccx/general_loop.c:1062
#3 0x55cfb6ad1986 in api_start ../src/ccextractor.c:205
#4 0x55cfb6ad3cdb in main ../src/ccextractor.c:463
#5 0x7f79b822350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f79b82235c8 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x55cfb6ad0cc4 in _start (/home/cfsmp3/codebase/ccex/ccextractor/linux/ccextractor+0x17acc4)
0x6070000017c9 is located 1057 bytes to the right of 72-byte region [0x607000001360,0x6070000013a8)
freed by thread T0 here:
#0 0x7f79b8ec1530 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164
#1 0x7f79b8c19327 in tesseract::ELIST::internal_clear(void (*)(void*)) (/lib/x86_64-linux-gnu/libtesseract.so.5+0x219327)
previously allocated by thread T0 here:
#0 0x7f79b8ec0488 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
#1 0x7f79b8ba35fa in tesseract::complete_edge(tesseract::CRACKEDGE*, tesseract::C_OUTLINE_IT*) (/lib/x86_64-linux-gnu/libtesseract.so.5+0x1a35fa)
#2 0x7ffe73d38247 ([stack]+0x1c247)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/lib_ccx/telxcc.c:1261 in set_tlt_delta
Shadow bytes around the buggy address:
0x0c0e7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff82f0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
0x0c0e7fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==1550755==ABORTING
CCExtractor version: 0.93
Necessary information
Video links
Additional information
Happened with several other files when ccx runs together on them. All were from the sample platform.
Logs -