search

acidburn0zzz / webm

Automatically exported from code.google.com/p/webm
1 stars 0 forks source link

sample: mkvparser.cpp:8340: const mkvparser::Block::Frame& mkvparser::Block::GetFrame(int) const: Assertion `f.len > 0' failed. #950

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl). 

I cloned https://chromium.googlesource.com/webm/libwebm and compiled this with 
afl-g++ and used AFL_HARDEN=1 make. I then fed afl a valid webm video file and 
let it go to work. Here are the results:

gdb output:
gdb-peda$ file ~/libwebm/sample
gdb-peda$ set args test01.webm
gdb-peda$ r
         libmkv verison: 1.0.0.29
                EBML Header
        EBML Version        : 1
        EBML MaxIDLength    : 4
        EBML MaxSizeLength  : 8
        Doc Type        : webm
        Pos         : 43

               Segment Info
        TimeCodeScale       : 1000000 
        Duration        : 5568000000
        Duration(secs)      :   5.568
        Track Name      : NULL
        Muxing App      : Lavf53.17.0
        Writing App     : Lavf53.17.0
        Position(Segment)   : 55
        Size(Segment)       : 229400

               Track Info
        Track Type      : 1
        Track Number        : 1
        Track Uid       : 1
        Track Name      : NULL
        Codec Id        : V_VP8
        Codec Name      : NULL
        Video Width     : 560
        Video Height        : 320
        Video Rate      : 0.000000
        Track Type      : 2
        Track Number        : 2
        Track Uid       : 2
        Track Name      : NULL
        Codec Id        : A_VORBIS
        Codec Name      : NULL
        Audio Channels      : 1
        Audio BitDepth      : 16
        Addio Sample Rate   : 48000.000
        Audio Codec Delay       : 0
        Audio Seek Pre Roll     : 0

               Cluster Info
        Cluster Count   : 2

        Cluster Time Code   : 0
        Cluster Time (ns)   : 0
            Block       :V,I,              0,0
                          77,           12dd
                           1,           132a
                         157,           132b
                           1,           13c8
                          42,           13c9
                          48,           13f3
                           2,           1423
                          64,           1425
                           1,           1465
sample: mkvparser.cpp:8340: const mkvparser::Block::Frame& 
mkvparser::Block::GetFrame(int) const: Assertion `f.len > 0' failed.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffffffe618 --> 0x6900656c706d6173 ('sample')
RCX: 0xffffffffffffffff 
RDX: 0x6 
RSI: 0x76ee 
RDI: 0x76ee 
RBP: 0x7ffff73fea07 --> 0x257325732500203a (': ')
RSP: 0x7fffffffdfe8 --> 0x7ffff72e73e0 (<*__GI_abort+384>:  mov    rdx,QWORD PTR 
fs:0x10)
RIP: 0x7ffff72e4165 (<*__GI_raise+53>:  cmp    rax,0xfffffffffffff000)
R8 : 0x7ffff7fdd720 (0x00007ffff7fdd720)
R9 : 0x202730203e206e65 ("en > 0' ")
R10: 0x8 
R11: 0x246 
R12: 0x478f55 ("f.len > 0")
R13: 0x479380 ("const mkvparser::Block::Frame& mkvparser::Block::GetFrame(int) 
const")
R14: 0x7ffff73fea07 --> 0x257325732500203a (': ')
R15: 0x2094
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff72e415b <*__GI_raise+43>: movsxd rdi,eax
   0x7ffff72e415e <*__GI_raise+46>: mov    eax,0xea
   0x7ffff72e4163 <*__GI_raise+51>: syscall 
=> 0x7ffff72e4165 <*__GI_raise+53>: cmp    rax,0xfffffffffffff000
   0x7ffff72e416b <*__GI_raise+59>: ja     0x7ffff72e4182 <*__GI_raise+82>
   0x7ffff72e416d <*__GI_raise+61>: repz ret 
   0x7ffff72e416f <*__GI_raise+63>: nop
   0x7ffff72e4170 <*__GI_raise+64>: test   eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfe8 --> 0x7ffff72e73e0 (<*__GI_abort+384>: mov    rdx,QWORD 
PTR fs:0x10)
0008| 0x7fffffffdff0 --> 0x478f55 ("f.len > 0")
0016| 0x7fffffffdff8 --> 0x7ffff74009c1 --> 0x706c6568007325 ('%s')
0024| 0x7fffffffe000 --> 0x7fffffffe020 --> 0x3000000018 
0032| 0x7fffffffe008 --> 0x2094 
0040| 0x7fffffffe010 --> 0x7fffffffe110 --> 0x7fffffffe618 --> 
0x6900656c706d6173 ('sample')
0048| 0x7fffffffe018 --> 0x7ffff7318fe6 (<__fxprintf+310>:  lea    
rsp,[rbp-0x20])
0056| 0x7fffffffe020 --> 0x3000000018 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff72e4165 in *__GI_raise (sig=<optimized out>) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Debian 7, kernel v3.2.63-2+deb7u2 x86_64, libc6 v2.13-38+deb7u7, GCC 4.9.2

Test case and core are attached to this report.

Original issue reported on code.google.com by brian.carpenter on 10 Feb 2015 at 8:53

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by fgalli...@google.com on 12 Feb 2015 at 10:54