Bug#783616: /usr/bin/avconv: image2pipe ppm input corrupt when header spans fifo blocks

Claude Heiland-Allen claude at mathr.co.uk
Tue Apr 28 12:37:40 UTC 2015


Package: libav-tools
Version: 6:11.3-2
Severity: normal
File: /usr/bin/avconv

Dear Maintainer,

piping PPM streams to avconv can cause image corruption in the
(unlikely but possible) case that a frame header overlaps the fifo
block size in such a way that the partial header is almost valid.

almost valid means that width and at least one (but not all)
digits of the height are parsed, and then the fifo block size
boundary occurs.  somehow the output frames remain the correct
size, but with garbled image data.

avconv does sometimes output bold red messages stating "picture
size ... is invalid" or "invalid maxval ..." when this occurs,
but some can be false-positives (i.e., the output is not always
garbled when the messages occur).

here is a test case that reliably reproduces the bug on my
system:

====8<====
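#!/bin/sh
input="$(mktemp 'bug.XXXXXX.ppm')"
outdir="$(mktemp -d 'bug.XXXXXX.out')"
# build one PPM frame: 14-byte P6 header plus 192 * 26 = 4992 bytes of
# filler pixel data (16 * 104 * 3 bytes), 5006 bytes in total
(
   cat << EOF
P6
16 104
255
EOF
   for i in $(seq 1 192)
   do
     echo -n "26 bytes to put in the PPM"
   done
) > "${input}"
# pipe 50 copies of the frame through avconv, re-encoding each to PPM
for i in $(seq 1 50)
do
   cat "${input}"
done |
avconv -f image2pipe -codec ppm -pix_fmt rgb24 -i - \
        -f image2     -codec ppm -pix_fmt rgb24 "${outdir}/%d.ppm"
# every output frame should be byte-identical to the input frame
for output in "${outdir}"/*.ppm
do
   diff -q "${input}" "${output}"
done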
====8<====

and here is its output:

====8<====
avconv version 11.3-6:11.3-2, Copyright (c) 2000-2014 the Libav developers
   built on Apr 26 2015 11:19:40 with gcc 4.9.2 (Debian 4.9.2-10)
[ppm @ 0xebae80] [IMGUTILS @ 0x7ffe7aeffd70] Picture size 16x0 is invalid
     Last message repeated 1 times
[ppm @ 0xebae80] Invalid maxval: 0
     Last message repeated 5 times
[image2pipe @ 0xea17e0] Estimating duration from bitrate, this may be inaccurate
Input #0, image2pipe, from 'pipe:':
   Duration: N/A, bitrate: N/A
     Stream #0.0: Video: ppm, rgb24, 16x104, 25 fps, 25 tbn
Output #0, image2, to 'bug.qe9Tcp.out/%d.ppm':
   Metadata:
     encoder         : Lavf56.1.0
     Stream #0.0: Video: ppm, rgb24, 16x104, q=2-31, 200 kb/s, 25 tbn, 25 tbc
     Metadata:
       encoder         : Lavc56.1.0 ppm
Stream mapping:
   Stream #0:0 -> #0:0 (ppm (native) -> ppm (native))
Press ctrl-c to stop encoding
Error while decoding stream #0:0
[ppm @ 0xebb620] Invalid maxval: 0
pipe:: Input/output error
frame=   49 fps=  0 q=0.0 Lsize=       0kB time=1.96 bitrate= 0.0kbits/s
video:240kB audio:0kB other streams:0kB global headers:0kB muxing overhead: unknown
Files bug.vve493.ppm and bug.qe9Tcp.out/37.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/38.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/39.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/40.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/41.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/42.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/43.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/44.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/45.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/46.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/47.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/48.ppm differ
Files bug.vve493.ppm and bug.qe9Tcp.out/49.ppm differ
====8<====

the input file is 5006 bytes, and after 36 frames, the total
length modulo 4096 (the fifo block size) is -8, which means
the next block boundary occurs 8 bytes into the header, in
between the 0 and 4 of the height 104.  the 37th frame is
garbled from about 1/3 the way down (looks like 8 bytes are
missing, with the remaining data shifted).

thanks for your attention,


Claude


-- System Information:
Debian Release: 7.8
   APT prefers oldstable
   APT policy: (900, 'oldstable'), (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libav-tools depends on:
ii  dpkg                 1.16.15
ii  libavcodec-extra-56  6:11.3-2
ii  libavdevice55        6:11.3-2
ii  libavfilter5         6:11.3-2
ii  libavformat56        6:11.3-2
ii  libavresample2       6:11.3-2
ii  libavutil54          6:11.3-2
ii  libc6                2.19-15
ii  libsdl1.2debian      1.2.15-5
ii  libswscale3          6:11.3-2
ii  libvdpau1            0.4.1-7
ii  libx11-6             2:1.5.0-1+deb7u1

libav-tools recommends no packages.

Versions of packages libav-tools suggests:
pn  frei0r-plugins  <none>
pn  x264            <none>

-- no debconf information
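
The block-boundary arithmetic from the report, as an added example that is not part of the original message and not libav code: it lists every frame of the 50-frame test stream whose header straddles a 4096-byte boundary and flags the case the report calls "almost valid" (the split falls inside the height digits). The names `height_truncated` and `header_splits` are made up for this sketch; it models only the offsets, not the decoder.

```python
import re

BLOCK = 4096                     # fifo block size stated in the report
HEADER = b"P6\n16 104\n255\n"    # header written by the report's test script
PAYLOAD_LEN = 192 * 26           # 192 copies of the 26-byte filler string

PPM_HEADER = re.compile(rb"P6\s+(\d+)\s+(\d+)\s+(\d+)\s")


def height_truncated(header: bytes, cut: int) -> bool:
    """True if header[:cut] ends after at least one, but not all, height digits."""
    match = PPM_HEADER.match(header)
    if match is None:
        raise ValueError("not a P6 header")
    start, end = match.span(2)   # byte span of the height field
    return start < cut < end


def header_splits(header: bytes, payload_len: int, frames: int, block: int = BLOCK):
    """List (frame_no, cut, partial_header, height_truncated) for every frame
    whose header straddles a block boundary in the concatenated stream."""
    frame_len = len(header) + payload_len
    hits = []
    for frame_no in range(1, frames + 1):
        start = (frame_no - 1) * frame_len   # stream offset of this frame
        cut = (-start) % block               # frame bytes before the next boundary
        if 0 < cut < len(header):
            hits.append((frame_no, cut, header[:cut], height_truncated(header, cut)))
    return hits


if __name__ == "__main__":
    for frame_no, cut, partial, risky in header_splits(HEADER, PAYLOAD_LEN, 50):
        note = "height digits truncated" if risky else "split outside the height digits"
        print(f"frame {frame_no}: boundary after {cut} bytes, {partial!r}: {note}")
```

For the report's stream, five headers are split, but only frame 37 is split inside the height digits, which is the first frame the diff output shows as differing. Changing `PAYLOAD_LEN` or `BLOCK` gives the frame numbers to check when building a regression test for a different frame size.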


