reproducible crash on some subtitles in ff_ass_split_override_codes()

[julian]

ffmpeg crashes reproducibly when converting files with some subtitles.
i've seen the crash with self-compiled ffmpeg 1.0 as well as the Mac OS X binary (linked to from the hompage) for 1.0.1.

download the sample file:
​https://dl.dropbox.com/u/7221986/ffmpeg-bug.mkv

% ffmpeg -i ffmpeg-bug.mkv -map 0:2 -map 0:0 -map 0:1 -scodec mov_text -vcodec copy out.mp4

ffmpeg version 1.0.1-tessus Copyright (c) 2000-2012 the FFmpeg developers
  built on Dec  3 2012 23:31:08 with llvm-gcc 4.2.1 (LLVM build 2336.1.00)
  configuration: --prefix=/Users/tessus/data/ext/ffmpeg/sw --as=yasm --extra-version=tessus --disable-shared --enable-static --disable-ffplay --disable-ffserver --enable-gpl --enable-pthreads --enable-postproc --enable-libmp3lame --enable-libtheora --enable-libvorbis --enable-libx264 --enable-libxvid --enable-libspeex --enable-bzlib --enable-zlib --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libxavs --enable-version3 --enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libvpx --enable-libgsm --enable-libopus --enable-fontconfig --enable-libfreetype --enable-libass --enable-filters --enable-runtime-cpudetect
  libavutil      51. 73.101 / 51. 73.101
  libavcodec     54. 59.100 / 54. 59.100
  libavformat    54. 29.104 / 54. 29.104
  libavdevice    54.  2.101 / 54.  2.101
  libavfilter     3. 17.100 /  3. 17.100
  libswscale      2.  1.101 /  2.  1.101
  libswresample   0. 15.100 /  0. 15.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, matroska,webm, from 'ffmpeg-bug.mkv':
  Metadata:
    ENCODER         : Lavf54.29.104
  Duration: 00:24:27.06, start: 0.000000, bitrate: 8 kb/s
    Stream #0:0: Subtitle: ssa (default)
    Metadata:
      title           : 简体中文
    Stream #0:1: Video: h264 (High), yuv420p, 640x360 [SAR 1:1 DAR 16:9], 23.81 fps, 23.81 tbr, 1k tbn, 47.62 tbc (default)
    Stream #0:2: Subtitle: ssa (default)
    Metadata:
      title           : 繁体中文
File 'out.mp4' already exists. Overwrite ? [y/N] y
Output #0, mp4, to 'out.mp4':
  Metadata:
    encoder         : Lavf54.29.104
    Stream #0:0: Subtitle: mov_text ([8][0][0][0] / 0x0008) (default)
    Metadata:
      title           : 繁体中文
    Stream #0:1: Subtitle: mov_text ([8][0][0][0] / 0x0008) (default)
    Metadata:
      title           : 简体中文
    Stream #0:2: Video: h264 ([33][0][0][0] / 0x0021), yuv420p, 640x360 [SAR 1:1 DAR 16:9], q=2-31, 23.81 fps, 1k tbn, 1k tbc (default)
Stream mapping:
  Stream #0:2 -> #0:0 (ass -> mov_text)
  Stream #0:0 -> #0:1 (ass -> mov_text)
  Stream #0:1 -> #0:2 (copy)
Press [q] to stop, [?] for help

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00000001002b1d06 in ff_ass_split_override_codes ()

[Carl Eugen Hoyos]

(gdb) r -i ffmpeg-bug.mkv -map 0:0 -scodec mov_text out.mp4
Starting program: ffmpeg_g -i ffmpeg-bug.mkv -map 0:0 -scodec mov_text out.mp4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-48034-g174c483 Copyright (c) 2000-2012 the FFmpeg developers
  built on Dec 20 2012 10:05:56 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 12.100 / 52. 12.100
  libavcodec     54. 81.100 / 54. 81.100
  libavformat    54. 49.102 / 54. 49.102
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 28.102 /  3. 28.102
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
Input #0, matroska,webm, from 'ffmpeg-bug.mkv':
  Metadata:
    ENCODER         : Lavf54.29.104
  Duration: 00:24:27.06, start: 0.000000, bitrate: 8 kb/s
    Stream #0:0: Subtitle: ssa (default)
    Metadata:
      title           : 简体中文
    Stream #0:1: Video: h264 (High), yuv420p, 640x360 [SAR 1:1 DAR 16:9], 23.81 fps, 23.81 tbr, 1k tbn, 47.62 tbc (default)
    Stream #0:2: Subtitle: ssa (default)
    Metadata:
      title           : 繁体中文
Output #0, mp4, to 'out.mp4':
  Metadata:
    encoder         : Lavf54.49.102
    Stream #0:0: Subtitle: mov_text ([8][0][0][0] / 0x0008) (default)
    Metadata:
      title           : 简体中文
Stream mapping:
  Stream #0:0 -> #0:0 (ass -> mov_text)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
ff_ass_split_override_codes (callbacks=callbacks@entry=0xc79ee0 <mov_text_callbacks>,
    priv=priv@entry=0x15ef840, buf=0x0) at libavcodec/ass_split.c:372
372         while (*buf) {
(gdb) bt
#0  ff_ass_split_override_codes (callbacks=callbacks@entry=0xc79ee0 <mov_text_callbacks>,
    priv=priv@entry=0x15ef840, buf=0x0) at libavcodec/ass_split.c:372
#1  0x000000000086b5e1 in mov_text_encode_frame (avctx=0x15f5b00, buf=0x7ffff6463040 "",
    bufsize=1048576, sub=0x7fffffffd6f0) at libavcodec/movtextenc.c:125
#2  0x00000000009a1238 in avcodec_encode_subtitle (avctx=avctx@entry=0x15f5b00,
    buf=<optimized out>, buf_size=buf_size@entry=1048576, sub=sub@entry=0x7fffffffd6f0)
    at libavcodec/utils.c:1485
#3  0x0000000000460011 in do_subtitle_out (sub=0x7fffffffd6f0, ost=0x15eb3e0, s=0x15ec9c0,
    ist=<optimized out>) at ffmpeg.c:753
#4  transcode_subtitles (ist=ist@entry=0x15e9de0, pkt=pkt@entry=0x7fffffffdac0,
    got_output=got_output@entry=0x7fffffffd85c) at ffmpeg.c:1728
#5  0x000000000046138a in output_packet (pkt=0x7fffffffda60, ist=0x15e9de0) at ffmpeg.c:1812
#6  process_input (file_index=<optimized out>) at ffmpeg.c:2886
#7  0x00000000004515d0 in transcode_step () at ffmpeg.c:2982
#8  transcode () at ffmpeg.c:3034
#9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3209
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xaae210 to 0xaae250:
   0x0000000000aae210 <ff_ass_split_override_codes+16>: push   %rsp
   0x0000000000aae211 <ff_ass_split_override_codes+17>: mov    %rdi,%r12
   0x0000000000aae214 <ff_ass_split_override_codes+20>: push   %rbp
   0x0000000000aae215 <ff_ass_split_override_codes+21>: push   %rbx
   0x0000000000aae216 <ff_ass_split_override_codes+22>: sub    $0x128,%rsp
   0x0000000000aae21d <ff_ass_split_override_codes+29>: lea    0xa0(%rsp),%rbp
   0x0000000000aae225 <ff_ass_split_override_codes+37>: movl   $0x0,0x2c(%rsp)
   0x0000000000aae22d <ff_ass_split_override_codes+45>: nopl   (%rax)
=> 0x0000000000aae230 <ff_ass_split_override_codes+48>: cmpb   $0x0,(%r15)
   0x0000000000aae234 <ff_ass_split_override_codes+52>: je     0xaae42c <ff_ass_split_override_codes+556>
   0x0000000000aae23a <ff_ass_split_override_codes+58>: test   %r14,%r14
   0x0000000000aae23d <ff_ass_split_override_codes+61>: je     0xaae281 <ff_ass_split_override_codes+129>
   0x0000000000aae23f <ff_ass_split_override_codes+63>: cmpq   $0x0,(%r12)
   0x0000000000aae244 <ff_ass_split_override_codes+68>: je     0xaae281 <ff_ass_split_override_codes+129>
   0x0000000000aae246 <ff_ass_split_override_codes+70>: lea    0x30(%rsp),%rdx
   0x0000000000aae24b <ff_ass_split_override_codes+75>: xor    %eax,%eax
   0x0000000000aae24d <ff_ass_split_override_codes+77>: mov    $0xd4b500,%esi
End of assembler dump.
(gdb) info register
rax            0x1      1
rbx            0x15ef840        23001152
rcx            0x0      0
rdx            0x0      0
rsi            0x15ef840        23001152
rdi            0xc79ee0 13082336
rbp            0x7fffffffd570   0x7fffffffd570
rsp            0x7fffffffd4d0   0x7fffffffd4d0
r8             0x0      0
r9             0x7      7
r10            0x0      0
r11            0x7ffff68d1d60   140737329831264
r12            0xc79ee0 13082336
r13            0x15ef840        23001152
r14            0x0      0
r15            0x0      0
rip            0xaae230 0xaae230 <ff_ass_split_override_codes+48>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

[julian]

seems this crash does not only occur in "obscure" asiatic subtitles but also in german ones, e.g. in this file:

"Star-Trek-German-720p-BluRay-x264-EmpireHD" / "empire-st11-720p.mkv".

[Carl Eugen Hoyos]

Did you provide the file?

[julian]

no its the same crash. one sample should be enough and i can't upload a 7GB copyrighted file.

[Carl Eugen Hoyos]

Replying to julian:

no its the same crash. one sample should be enough

I completely agree (if it is the same crash which I don't know), I only wonder why you mentioned a second file? (A crash does not get less important if it is difficult to trigger as long as there is a sample that triggers the crash.)

[julian]

(if it is the same crash which I don't know)

i'm quite sure, its also in ff_ass_split_override_codes(). will test with this file too once a fix is available to confirm.

(A crash does not get less important if it is difficult to trigger as long as there is a sample that triggers the crash.)

ok thanks. i believed so, thats why i mentioned it. i guessed if the crash occurred /only/ in some obscure asiatic subtitles which are hard to come by it would be low priority ...

at least we know its not related to a specific language now.

[Clément Bœsch]

Thanks for the report, working on it.

[Clément Bœsch]

Should be fixed in c83002a4.

[julian]

thanks i can confirm the bug to be fixed.