crash reading M3U8 audio files playlist

[Stefano Sabatini]

Summary of the bug:
How to reproduce:

ffmpeg -f lavfi -i "aevalsrc=cos(2*PI*t)*sin(2*PI*(440+4*t)*t)::d=20" -f segment -segment_time 10 -map 0 -strict -2 -codec:a aac -segment_list list.m3u8 out-%03d.mp4

-f lavfi was used to generate the input, but any audio file will do.

The individual mp4 files generated are playable.

Then if you try to read the generated file with ffmpeg -i list.m3u8 it crashes (same with ffprobe/ffplay):

 ffmpeg -i list.m3u8 
ffmpeg version N-48948-gcb9d290 Copyright (c) 2000-2013 the FFmpeg developers
  built on Jan 16 2013 23:24:42 with gcc 4.6 (Ubuntu/Linaro 4.6.3-1ubuntu5)
  configuration: --enable-pic --enable-fontconfig --enable-libschroedinger --enable-libass --enable-version3 --prefix=/home/stefano --enable-libx264 --enable-libfaac --disable-shared --enable-static --enable-debug=3 --enable-pthreads --enable-libvorbis --enable-gpl --enable-nonfree --enable-libmp3lame --enable-libtheora --enable-gpl --enable-x11grab --enable-frei0r --enable-libspeex --enable-libcaca --enable-libflite --enable-libfreetype --enable-libopencv --enable-libopencore-amrnb --enable-libopencore-amrnb --disable-optimizations --disable-mmx
  libavutil      52. 15.100 / 52. 15.100
  libavcodec     54. 89.100 / 54. 89.100
  libavformat    54. 60.101 / 54. 60.101
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 32.100 /  3. 32.100
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x24173e0] stream 0, offset 0x2c: partial file
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x24173e0] Could not find codec parameters for stream 0 (Audio: mp3 (mp4a / 0x6134706D), 22050 Hz, 2 channels, s16p, 31 kb/s): unspecified frame size
Consider increasing the value for the 'analyzeduration' and 'probesize' options
*** glibc detected *** ffmpeg: corrupted double-linked list: 0x0000000002455390 ***

Backtrace:

#0  0x00007ffff104e425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff1051b8b in __GI_abort () at abort.c:91
#2  0x00007ffff108c39e in __libc_message (do_abort=2, fmt=0x7ffff1196008 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3  0x00007ffff1096b96 in malloc_printerr (action=3, str=0x7ffff1196118 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:5007
#4  0x0000000000d0d970 in av_free (ptr=0x18ae160) at libavutil/mem.c:185
#5  0x0000000000d0d995 in av_freep (arg=0x18970d0) at libavutil/mem.c:192
#6  0x00000000004f1ee8 in avio_close (s=0x18970c8) at libavformat/aviobuf.c:829
#7  0x0000000000545a59 in mov_read_close (s=0x189c2d0) at libavformat/mov.c:3075
#8  0x00000000005f4632 in avformat_close_input (ps=0x18971a0) at libavformat/utils.c:3244
#9  0x0000000000515de0 in free_variant_list (c=0x1896070) at libavformat/hls.c:137
#10 0x0000000000517e6e in hls_close (s=0x1895ab0) at libavformat/hls.c:709
#11 0x00000000005f4632 in avformat_close_input (ps=0x189de00) at libavformat/utils.c:3244
#12 0x000000000043e92a in exit_program () at ffmpeg.c:452
#13 0x00007ffff1053901 in __run_exit_handlers (status=1, listp=0x7ffff13d0688, run_list_atexit=true) at exit.c:78
#14 0x00007ffff1053985 in __GI_exit (status=<optimized out>) at exit.c:100
#15 0x000000000044aef9 in main (argc=3, argv=0x7fffffffe618) at ffmpeg.c:3235

exactly in mov_read_close(), when calling avio_close().

[Carl Eugen Hoyos]

$ valgrind ./ffmpeg_g -i list.m3u8
==18841== Memcheck, a memory error detector
==18841== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==18841== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==18841== Command: ./ffmpeg_g -i list.m3u8
==18841==
ffmpeg version N-48971-g641bbd9 Copyright (c) 2000-2013 the FFmpeg developers
  built on Jan 17 2013 00:19:43 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 15.100 / 52. 15.100
  libavcodec     54. 89.100 / 54. 89.100
  libavformat    54. 60.101 / 54. 60.101
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 32.100 /  3. 32.100
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x66d6e40] stream 0, offset 0x2c: partial file
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x66d6e40] stream 0, offset 0x196: partial file
Input #0, hls,applehttp, from 'list.m3u8':
  Duration: 00:00:20.00, bitrate: 0 kb/s
  Program 0
    Metadata:
      variant_bitrate : 0
    Stream #0:0: Audio: aac (mp4a / 0x6134706D), 44100 Hz, mono, fltp, 60 kb/s
At least one output file must be specified
==18841== Invalid free() / delete / delete[] / realloc()
==18841==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18841==    by 0xBBDFCB: av_freep (mem.c:185)
==18841==    by 0x4DEA66: avio_close (aviobuf.c:829)
==18841==    by 0x518DEE: mov_read_close (mov.c:3075)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x4F8358: free_variant_list (hls.c:137)
==18841==    by 0x4F83AC: hls_close (hls.c:709)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x459542: exit_program (ffmpeg.c:445)
==18841==    by 0x61368B0: __run_exit_handlers (in /lib64/libc-2.15.so)
==18841==    by 0x6136934: exit (in /lib64/libc-2.15.so)
==18841==    by 0x44FEDB: main (ffmpeg.c:3200)
==18841==  Address 0x66e02a0 is 0 bytes inside a block of size 32,768 free'd
==18841==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18841==    by 0x4F8324: free_variant_list (hls.c:132)
==18841==    by 0x4F83AC: hls_close (hls.c:709)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x459542: exit_program (ffmpeg.c:445)
==18841==    by 0x61368B0: __run_exit_handlers (in /lib64/libc-2.15.so)
==18841==    by 0x6136934: exit (in /lib64/libc-2.15.so)
==18841==    by 0x44FEDB: main (ffmpeg.c:3200)
==18841==
==18841== Invalid free() / delete / delete[] / realloc()
==18841==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18841==    by 0x4DEA75: avio_close (aviobuf.c:832)
==18841==    by 0x518DEE: mov_read_close (mov.c:3075)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x4F8358: free_variant_list (hls.c:137)
==18841==    by 0x4F83AC: hls_close (hls.c:709)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x459542: exit_program (ffmpeg.c:445)
==18841==    by 0x61368B0: __run_exit_handlers (in /lib64/libc-2.15.so)
==18841==    by 0x6136934: exit (in /lib64/libc-2.15.so)
==18841==    by 0x44FEDB: main (ffmpeg.c:3200)
==18841==  Address 0x66d1aa8 is 4,104 bytes inside a block of size 8,584 alloc'd
==18841==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18841==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18841==    by 0xBBE041: av_mallocz (mem.c:92)
==18841==    by 0x4F8868: parse_playlist (hls.c:158)
==18841==    by 0x4F8BA1: hls_read_header (hls.c:469)
==18841==    by 0x5A049F: avformat_open_input (utils.c:624)
==18841==    by 0x452D50: open_input_file (ffmpeg_opt.c:777)
==18841==    by 0x45165F: open_files.isra.6 (ffmpeg_opt.c:2293)
==18841==    by 0x457018: ffmpeg_parse_options (ffmpeg_opt.c:2330)
==18841==    by 0x44F537: main (ffmpeg.c:3187)
==18841==
==18841== Invalid read of size 1
==18841==    at 0x4DA132: ffurl_close (avio.c:335)
==18841==    by 0x518DEE: mov_read_close (mov.c:3075)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x4F8358: free_variant_list (hls.c:137)
==18841==    by 0x4F83AC: hls_close (hls.c:709)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x459542: exit_program (ffmpeg.c:445)
==18841==    by 0x61368B0: __run_exit_handlers (in /lib64/libc-2.15.so)
==18841==    by 0x6136934: exit (in /lib64/libc-2.15.so)
==18841==    by 0x44FEDB: main (ffmpeg.c:3200)
==18841==  Address 0x3875336da6 is not stack'd, malloc'd or (recently) free'd
==18841==
==18841==
==18841== Process terminating with default action of signal 11 (SIGSEGV)
==18841==  Access not within mapped region at address 0x3875336DA6
==18841==    at 0x4DA132: ffurl_close (avio.c:335)
==18841==    by 0x518DEE: mov_read_close (mov.c:3075)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x4F8358: free_variant_list (hls.c:137)
==18841==    by 0x4F83AC: hls_close (hls.c:709)
==18841==    by 0x59F844: avformat_close_input (utils.c:3242)
==18841==    by 0x459542: exit_program (ffmpeg.c:445)
==18841==    by 0x61368B0: __run_exit_handlers (in /lib64/libc-2.15.so)
==18841==    by 0x6136934: exit (in /lib64/libc-2.15.so)
==18841==    by 0x44FEDB: main (ffmpeg.c:3200)
==18841==  If you believe this happened as a result of a stack
==18841==  overflow in your program's main thread (unlikely but
==18841==  possible), you can try to increase the size of the
==18841==  main thread stack using the --main-stacksize= flag.
==18841==  The main thread stack size used in this run was 8388608.
==18841==
==18841== HEAP SUMMARY:
==18841==     in use at exit: 61,145 bytes in 51 blocks
==18841==   total heap usage: 236 allocs, 187 frees, 1,027,127 bytes allocated
==18841==
==18841== LEAK SUMMARY:
==18841==    definitely lost: 0 bytes in 0 blocks
==18841==    indirectly lost: 0 bytes in 0 blocks
==18841==      possibly lost: 0 bytes in 0 blocks
==18841==    still reachable: 61,145 bytes in 51 blocks
==18841==         suppressed: 0 bytes in 0 blocks
==18841== Rerun with --leak-check=full to see details of leaked memory
==18841==
==18841== For counts of detected and suppressed errors, rerun with: -v
==18841== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 2 from 2)
Segmentation fault