Opened 13 years ago
Closed 13 years ago
#316 closed defect (fixed)
Double free with ogg files
| Reported by: | Carl Eugen Hoyos | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
Apart from the double free, the file also triggers an FPE if I remove the av_freeps in oggdec.c
```
$ valgrind ./ffmpeg_g -i multi2.ogg -f null -
==17417== Memcheck, a memory error detector
==17417== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==17417== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==17417== Command: ./ffmpeg_g -i multi2.ogg -f null -
==17417==
ffmpeg version N-31042-g94e59cb, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jun 28 2011 09:49:35 with gcc 4.5.3
  configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32' --disable-optimizations
  libavutil    51. 10. 0 / 51. 10. 0
  libavcodec   53.  7. 0 / 53.  7. 0
  libavformat  53.  4. 0 / 53.  4. 0
  libavdevice  53.  2. 0 / 53.  2. 0
  libavfilter   2. 24. 0 /  2. 24. 0
  libswscale    2.  0. 0 /  2.  0. 0
==17417== Invalid read of size 4
==17417==    at 0x8108AC1: theora_gptopts (oggparsetheora.c:132)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AE0: theora_gptopts (oggparsetheora.c:133)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085604 is 4 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AFB: theora_gptopts (oggparsetheora.c:135)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085608 is 8 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
[theora @ 0x50851a0] 7 bits left in packet 82
==17417== Invalid read of size 4
==17417==    at 0x8108AC1: theora_gptopts (oggparsetheora.c:132)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AE0: theora_gptopts (oggparsetheora.c:133)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085604 is 4 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AFB: theora_gptopts (oggparsetheora.c:135)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085608 is 8 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
Input #0, ogg, from 'multi2.ogg':
  Duration: 00:00:00.-40, start: 0.000000, bitrate: -3494 kb/s
    Stream #0.0: Video: theora, yuv420p, 320x240, 5 tbr, 5 tbn, 5 tbc
[buffer @ 0x5363040] w:320 h:240 pixfmt:yuv420p tb:1/1000000 sar:0/1 sws_param:
[theora @ 0x50851a0] 7 bits left in packet 82
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf53.4.0
    Stream #0.0: Video: rawvideo, yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 5 tbc
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop, [?] for help
==17417== Invalid free() / delete / delete[]
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x81014C8: ogg_packet (oggdec.c:323)
==17417==    by 0x8101EDC: ogg_read_packet (oggdec.c:560)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x8147869: av_read_frame (utils.c:1302)
==17417==    by 0x80543BB: transcode (ffmpeg.c:2708)
==17417==    by 0x8059531: main (ffmpeg.c:4576)
==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
[theora @ 0x50851a0] Header packet passed to frame decoder, skipping
Error while decoding stream #0.0
Error while decoding stream #0.0
Error while decoding stream #0.0
Error while decoding stream #0.0
    Last message repeated 3 times
[theora @ 0x50851a0] Invalid partially coded superblock run length
[theora @ 0x50851a0] error in unpack_superblocks
Error while decoding stream #0.0
[theora @ 0x50851a0] Invalid fully coded superblock run length
[theora @ 0x50851a0] error in unpack_superblocks
Error while decoding stream #0.0
[theora @ 0x50851a0] Warning, unsupported keyframe coding type?!
[theora @ 0x50851a0] error in unpack_block_qpis
Error while decoding stream #0.0
[theora @ 0x50851a0] Header packet passed to frame decoder, skipping
Error while decoding stream #0.0
[theora @ 0x50851a0] error in unpack_block_qpis
Error while decoding stream #0.0
[theora @ 0x50851a0] Invalid partially coded superblock run length
[theora @ 0x50851a0] error in unpack_superblocks
Error while decoding stream #0.0
[theora @ 0x50851a0] Header packet passed to frame decoder, skipping
Error while decoding stream #0.0
Error while decoding stream #0.0
Error while decoding stream #0.0
    Last message repeated 2 times
[theora @ 0x50851a0] Warning, unsupported keyframe coding type?!
==17417==
==17417== Process terminating with default action of signal 8 (SIGFPE)
==17417==  Integer divide by zero at address 0x976B505
==17417==    at 0x85B2C2C: __divdi3 (libgcc2.c:895)
==17417==    by 0x804FF64: output_packet (ffmpeg.c:1599)
==17417==    by 0x8054C84: transcode (ffmpeg.c:2778)
==17417==    by 0x8059531: main (ffmpeg.c:4576)
==17417==
==17417== HEAP SUMMARY:
==17417==     in use at exit: 2,918,795 bytes in 173 blocks
==17417==   total heap usage: 718 allocs, 546 frees, 6,699,559 bytes allocated
==17417==
==17417== LEAK SUMMARY:
==17417==    definitely lost: 2,743 bytes in 1 blocks
==17417==    indirectly lost: 0 bytes in 0 blocks
==17417==      possibly lost: 0 bytes in 0 blocks
==17417==    still reachable: 2,916,052 bytes in 172 blocks
==17417==         suppressed: 0 bytes in 0 blocks
==17417== Rerun with --leak-check=full to see details of leaked memory
==17417==
==17417== For counts of detected and suppressed errors, rerun with: -v
==17417== ERROR SUMMARY: 13 errors from 7 contexts (suppressed: 3 from 3)
Floating point exception
```
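The stacks in the report show one 12-byte block released through av_freep() in ogg_read_page, then read again in theora_gptopts and finally freed a second time from ogg_packet. The C program below is an added illustration of that ownership mistake and is not FFmpeg's oggdec code; every name in it (stream, parser_buggy, parser_fixed, freep, demo) is hypothetical. It shows why a free-and-NULL helper protects only the one pointer it is handed, and how giving the buffer a single owner removes both the stale read and the second free.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class, not FFmpeg's code: a demuxer
 * stream owns a small per-stream buffer, and a codec parser keeps its
 * own copy of that pointer. */
struct stream {
    unsigned char *priv;   /* the single owning pointer */
    size_t priv_size;
};

/* Free *pp and clear it, in the style of av_freep(). Only the pointer
 * handed in is cleared; any other copy of the address is left dangling. */
static void freep(unsigned char **pp)
{
    free(*pp);
    *pp = NULL;
}

static int stream_alloc_priv(struct stream *st, size_t n)
{
    st->priv = malloc(n);
    if (!st->priv)
        return -1;
    memset(st->priv, 0, n);
    st->priv_size = n;
    return 0;
}

/* --- Buggy layout: a second struct caches the raw buffer pointer. --- */
struct parser_buggy {
    unsigned char *cached;  /* alias of st->priv */
};

/* After the owner frees the buffer the cached alias is non-NULL but
 * invalid. Returns 1 if the alias is dangling; only the pointer value is
 * compared here, since dereferencing or freeing it would be the bug. */
static int buggy_reset_leaves_dangling(struct stream *st, struct parser_buggy *p)
{
    freep(&st->priv);
    return p->cached != NULL;
}

/* --- Fixed layout: the parser refers to the owner, never the buffer. --- */
struct parser_fixed {
    struct stream *st;
};

static unsigned char *parser_fixed_priv(const struct parser_fixed *p)
{
    return p->st->priv;   /* NULL once the owner has released it */
}

/* Resetting twice is harmless: freep() on a NULL pointer is a no-op. */
static int fixed_reset_twice(struct stream *st, struct parser_fixed *p)
{
    freep(&st->priv);
    freep(&st->priv);
    return parser_fixed_priv(p) == NULL;
}

/* Demo driver; returns 0 when both observations hold. */
int demo(void)
{
    struct stream st = {0};
    struct parser_buggy pb;
    struct parser_fixed pf = { &st };
    int dangling, safe;

    if (stream_alloc_priv(&st, 12) < 0)   /* 12 bytes, as in the report */
        return -1;
    pb.cached = st.priv;
    dangling = buggy_reset_leaves_dangling(&st, &pb);  /* 1 */
    pb.cached = NULL;  /* drop the stale alias without touching it */

    if (stream_alloc_priv(&st, 12) < 0)
        return -1;
    safe = fixed_reset_twice(&st, &pf);   /* 1 */
    return (dangling && safe) ? 0 : -1;
}
```

In the hardened layout the only path to the buffer runs through its owner, so every reader sees NULL after release and a repeated release is a no-op; the worst remaining failure is a NULL dereference, which crashes deterministically instead of reading or freeing memory that has been reused.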
Attachments (1)
Change History (2)
by , 13 years ago

| Attachment: | multi2.ogg added |
|---|---|

comment:1 by , 13 years ago

| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed by Ronald.