Context Navigation

#2668 closed defect (fixed)

h264 444 file crashes 32bit ffplay

Reported by:	Carl Eugen Hoyos	Owned by:
Priority:	important	Component:	avcodec
Version:	git-master	Keywords:	h264 crash SIGSEGV regression
Cc:		Blocked By:
Blocking:		Reproduced by developer:	no
Analyzed by developer:	no

Description (last modified by Carl Eugen Hoyos)

http://thread.gmane.org/gmane.comp.video.ffmpeg.user/46189
A user uploaded a h264 444 sample that crashes current ffplay (with both -threads 1 and -threads 2, identical backtrace) if it was compiled for x86_32, regression since 32fdfdf for -threads 2, -threads 1 already crashed before with a different backtrace since 80e9e63 / 759001c

(gdb) r -threads 2 444.h264
Starting program: ffplay_g -threads 2 444.h264
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffplay version N-54024-g147adf2 Copyright (c) 2003-2013 the FFmpeg developers
  built on Jun 14 2013 11:15:12 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack --cc='gcc -m32'
  libavutil      52. 35.101 / 52. 35.101
  libavcodec     55. 16.100 / 55. 16.100
  libavformat    55.  8.102 / 55.  8.102
  libavdevice    55.  2.100 / 55.  2.100
  libavfilter     3. 77.101 /  3. 77.101
  libswscale      2.  3.100 /  2.  3.100
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  3.100 / 52.  3.100
[New Thread 0xf7a85b40 (LWP 18286)]
[New Thread 0xf7015b40 (LWP 18287)]
[New Thread 0xf6713b40 (LWP 18288)]
Input #0, h264, from '444.h264':   0KB vq=    0KB sq=    0B f=0/0
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264 (High 4:4:4 Predictive), yuv444p, 1550x480, 20 fps, 20 tbr, 1200k tbn, 40 tbc
[New Thread 0xf57ffb40 (LWP 18289)]
[New Thread 0xf4ffeb40 (LWP 18290)]
[New Thread 0xf47fdb40 (LWP 18291)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf57ffb40 (LWP 18289)]
0x083753a8 in xchg_mb_border (pixel_shift=0, simple=0, chroma444=1, xchg=1,
    uvlinesize=1552, linesize=1552,
    src_cr=0xf5a48a0f <Address 0xf5a48a0f out of bounds>,
    src_cb=0xf5c91a0f <Address 0xf5c91a0f out of bounds>, src_y=0xf5d48a0f "",
    h=0xf5e10b40) at libavcodec/h264.c:2240
2240                XCHG(top_border + (16 << pixel_shift), src_cb + (1 << pixel_shift), xchg);
(gdb) bt
#0  0x083753a8 in xchg_mb_border (pixel_shift=0, simple=0, chroma444=1, xchg=1,
    uvlinesize=1552, linesize=1552,
    src_cr=0xf5a48a0f <Address 0xf5a48a0f out of bounds>,
    src_cb=0xf5c91a0f <Address 0xf5c91a0f out of bounds>, src_y=0xf5d48a0f "",
    h=0xf5e10b40) at libavcodec/h264.c:2240
#1  hl_decode_mb_444_complex (h=h@entry=0xf5e10b40) at libavcodec/h264_mb_template.c:341
#2  0x08383bd2 in ff_h264_hl_decode_mb (h=0xf5e10b40) at libavcodec/h264.c:2484
#3  decode_slice (avctx=avctx@entry=0xf5e011c0, arg=arg@entry=0xf57ff24c)
    at libavcodec/h264.c:4318
#4  0x0838410f in execute_decode_slices (h=h@entry=0xf5e10b40,
    context_count=<optimized out>) at libavcodec/h264.c:4468
#5  0x0838b92f in decode_nal_units (parse_extradata=0, buf_size=297559,
    buf=0xf5c17008 "", h=0xf5e10b40) at libavcodec/h264.c:4812
#6  decode_frame (avctx=0xf5e011c0, data=0xf5e01b80, got_frame=0xf5e01d34,
    avpkt=0xf5e01b30) at libavcodec/h264.c:4947
#7  0x085c1f3e in frame_worker_thread (arg=0xf5e01a60) at libavcodec/pthread.c:338
#8  0xf7cbde32 in start_thread () from /lib/libpthread.so.0
#9  0xf7b9e7ee in clone () from /lib/libc.so.6
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x8375388 to 0x83753c8:
   0x08375388 <hl_decode_mb_444_complex+13928>: add    %eax,(%eax)
   0x0837538a <hl_decode_mb_444_complex+13930>: add    %cl,-0x4374d3a9(%ecx)
   0x08375390 <hl_decode_mb_444_complex+13936>: and    $0x68,%al
   0x08375392 <hl_decode_mb_444_complex+13938>: add    %eax,(%eax)
   0x08375394 <hl_decode_mb_444_complex+13940>: add    %cl,0x1842494(%ebx)
   0x0837539a <hl_decode_mb_444_complex+13946>: add    %al,(%eax)
   0x0837539c <hl_decode_mb_444_complex+13948>: mov    %eax,-0x7(%edi)
   0x0837539f <hl_decode_mb_444_complex+13951>: mov    %edx,-0x3(%edi)
   0x083753a2 <hl_decode_mb_444_complex+13954>: mov    0x14(%ebx),%edx
   0x083753a5 <hl_decode_mb_444_complex+13957>: mov    0x10(%ebx),%eax
=> 0x083753a8 <hl_decode_mb_444_complex+13960>: mov    0x5(%esi),%ecx
   0x083753ab <hl_decode_mb_444_complex+13963>: mov    0x168(%esp),%edi
   0x083753b2 <hl_decode_mb_444_complex+13970>: mov    %edx,0x174(%esp)
   0x083753b9 <hl_decode_mb_444_complex+13977>: mov    0x1(%esi),%edx
   0x083753bc <hl_decode_mb_444_complex+13980>: mov    %eax,0x170(%esp)
   0x083753c3 <hl_decode_mb_444_complex+13987>: mov    0x170(%esp),%eax
End of assembler dump.
(gdb) info register
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0xf59d3140       -174247616
esp            0xf57fefa0       0xf57fefa0
ebp            0xf5e10b40       0xf5e10b40
esi            0xf5c91a0f       -171369969
edi            0xfffff9ef       -1553
eip            0x83753a8        0x83753a8 <hl_decode_mb_444_complex+13960>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Attachments (1)

444.h264 (422.7 KB ) - added by Carl Eugen Hoyos 11 years ago.

Download all attachments as: .zip

Change History (3)

by Carl Eugen Hoyos, 11 years ago

Attachment:	444.h264 added

comment:1 by Michael Niedermayer, 11 years ago

Resolution:	→ fixed
Status:	new → closed

Fixed in f27b22b4974c740f4c7b4140a793cac196179266

comment:2 by Carl Eugen Hoyos, 11 years ago

Description:	modified (diff)

Note: See TracTickets for help on using tickets.

Download in other formats: