Opened 10 years ago
Closed 10 years ago
#3721 closed defect (fixed)
crash on a valid rtp mpegts stream
Reported by: | Alexander V. Lukyanov | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avformat |
Version: | git-master | Keywords: | mpegts crash SIGSEGV |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
ffmpeg crashes on certain valid iptv rtp streams. It does not crash under valgrind, but produces errors from valgrind (below).
How to reproduce:
```
$ /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy file.avi -y
ffmpeg version N-63863-g2351ea8 Copyright (c) 2000-2014 the FFmpeg developers
  built on Jun 10 2014 11:41:03 with gcc 4.8.2 (GCC) 20131212 (Red Hat 4.8.2-7)
  configuration:
  libavutil 52. 89.100 / 52. 89.100
  libavcodec 55. 66.100 / 55. 66.100
  libavformat 55. 42.101 / 55. 42.101
  libavdevice 55. 13.101 / 55. 13.101
  libavfilter 4. 7.100 / 4. 7.100
  libswscale 2. 6.100 / 2. 6.100
  libswresample 0. 19.100 / 0. 19.100
[mpeg2video @ 0x202a420] Invalid frame dimensions 0x0.
Segmentation fault (core dumped)
```
```
(gdb) bt
#0 0x00000000005935e4 in rtp_parse_one_packet (len=1328, bufptr=0x20268c0, pkt=0x7fffcce06d20, s=0x20269e0) at libavformat/rtpdec.c:771
#1 ff_rtp_parse_packet (s=0x20269e0, pkt=pkt@entry=0x7fffcce06d20, bufptr=bufptr@entry=0x20268c0, len=len@entry=1328) at libavformat/rtpdec.c:822
#2 0x00000000005a4a1a in ff_rtsp_fetch_packet (s=0x2024c20, pkt=0x7fffcce06d20) at libavformat/rtsp.c:2042
#3 0x00000000005c4436 in ff_read_packet (s=s@entry=0x2024c20, pkt=pkt@entry=0x7fffcce06d20) at libavformat/utils.c:791
#4 0x00000000005c71f0 in read_frame_internal (s=s@entry=0x2024c20, pkt=pkt@entry=0x7fffcce06e60) at libavformat/utils.c:1454
#5 0x00000000005cab1f in avformat_find_stream_info (ic=0x2024c20, options=0x0) at libavformat/utils.c:3240
#6 0x000000000046fdc1 in open_input_file (o=o@entry=0x7fffcce071e0, filename=<optimized out>) at ffmpeg_opt.c:888
#7 0x00000000004740df in open_files (inout=0xcc1a1f "input", open_file=0x46fa00 <open_input_file>, l=<optimized out>, l=<optimized out>) at ffmpeg_opt.c:2645
#8 ffmpeg_parse_options (argc=argc@entry=11, argv=argv@entry=0x7fffcce07a38) at ffmpeg_opt.c:2682
#9 0x0000000000463ef8 in main (argc=11, argv=0x7fffcce07a38) at ffmpeg.c:3787
```
```
$ valgrind /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy file.avi -y
==34163== Memcheck, a memory error detector
==34163== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==34163== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==34163== Command: /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy file.avi -y
==34163==
ffmpeg version N-63863-g2351ea8 Copyright (c) 2000-2014 the FFmpeg developers
  built on Jun 10 2014 11:41:03 with gcc 4.8.2 (GCC) 20131212 (Red Hat 4.8.2-7)
  configuration:
  libavutil 52. 89.100 / 52. 89.100
  libavcodec 55. 66.100 / 55. 66.100
  libavformat 55. 42.101 / 55. 42.101
  libavdevice 55. 13.101 / 55. 13.101
  libavfilter 4. 7.100 / 4. 7.100
  libswscale 2. 6.100 / 2. 6.100
  libswresample 0. 19.100 / 0. 19.100
[mpeg2video @ 0x59b7a40] Invalid frame dimensions 0x0.
==34163== Invalid write of size 1s
==34163==    at 0x5540C8: write_section_data.isra.13 (mpegts.c:398)
==34163==    by 0x554793: handle_packet (mpegts.c:2095)
==34163==    by 0x5596CE: ff_mpegts_parse_packet (mpegts.c:2646)
==34163==    by 0x598994: mpegts_handle_packet (rtpdec_mpegts.c:86)
==34163==    by 0x592796: rtp_parse_packet_internal (rtpdec.c:645)
==34163==    by 0x593920: ff_rtp_parse_packet (rtpdec.c:792)
==34163==    by 0x5A4A19: ff_rtsp_fetch_packet (rtsp.c:2042)
==34163==    by 0x5C4435: ff_read_packet (utils.c:791)
==34163==    by 0x5C71EF: read_frame_internal (utils.c:1454)
==34163==    by 0x5CAB1E: avformat_find_stream_info (utils.c:3240)
==34163==    by 0x46FDC0: open_input_file (ffmpeg_opt.c:888)
==34163==    by 0x4740DE: ffmpeg_parse_options (ffmpeg_opt.c:2645)
==34163==  Address 0x5945828 is 40 bytes inside a block of size 96 free'd
==34163==    at 0x4C294C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==34163==    by 0xC41EDB: av_freep (mem.c:232)
==34163==    by 0x4EAE5F: ffurl_close (avio.c:383)
==34163==    by 0x5A3109: rtp_read_header (rtsp.c:2299)
==34163==    by 0x5CDAE6: avformat_open_input (utils.c:594)
==34163==    by 0x46FCB8: open_input_file (ffmpeg_opt.c:871)
==34163==    by 0x4740DE: ffmpeg_parse_options (ffmpeg_opt.c:2645)
==34163==    by 0x463EF7: main (ffmpeg.c:3787)
==34163==
    Last message repeated 13 times
RTP: missed 177 packets
[rtp @ 0x5943940] PES packet size mismatch
    Last message repeated 1 times
RTP: missed 107 packets
[rtp @ 0x5943940] PES packet size mismatch
    Last message repeated 1 times
rtp://@224.0.91.78:1234: could not seek to position 93742.111
Input #0, rtp, from 'rtp://@224.0.91.78:1234':
  Duration: N/A, start: 93741.111167, bitrate: 371 kb/s
  Program 6490
    Stream #0:0: Video: mpeg2video (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], max. 15000 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
    Stream #0:2(rus): Audio: mp2, 48000 Hz, stereo, s16p, 185 kb/s
    Stream #0:1(eng): Audio: mp2, 48000 Hz, stereo, s16p, 185 kb/s
Output #0, avi, to 'file.avi':
  Metadata:
    ISFT : Lavf55.42.101
    Stream #0:0: Video: mpeg2video (mpg2 / 0x3267706D), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, max. 15000 kb/s, 25 fps, 50 tbn, 50 tbc
    Stream #0:1(eng): Audio: mp2 (P[0][0][0] / 0x0050), 48000 Hz, stereo, 185 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (copy)
  Stream #0:1 -> #0:1 (copy)
Press [q] to stop, [?] for help
RTP: missed 48 packets
[rtp @ 0x5943940] PES packet size mismatch
frame= 0 fps=0.0 q=-1.0 size= 10kB time=00:00:01.20 bitrate= 67.2kbits/
frame= 12 fps= 11 q=-1.0 size= 232kB time=00:00:01.80 bitrate=1054.2kbits/
frame= 26 fps= 16 q=-1.0 size= 495kB time=00:00:02.36 bitrate=1717.5kbits/
frame= 38 fps= 18 q=-1.0 size= 716kB time=00:00:02.84 bitrate=2066.6kbits/
frame= 52 fps= 20 q=-1.0 size= 1002kB time=00:00:03.40 bitrate=2414.4kbits/
frame= 65 fps= 21 q=-1.0 size= 1301kB time=00:00:03.92 bitrate=2719.4kbits/
frame= 77 fps= 21 q=-1.0 size= 1505kB time=00:00:04.40 bitrate=2801.5kbits/
==34163== Invalid write of size 1
==34163==    at 0x5540C8: write_section_data.isra.13 (mpegts.c:398)
==34163==    by 0x554793: handle_packet (mpegts.c:2095)
==34163==    by 0x5596CE: ff_mpegts_parse_packet (mpegts.c:2646)
==34163==    by 0x598A06: mpegts_handle_packet (rtpdec_mpegts.c:75)
==34163==    by 0x593861: ff_rtp_parse_packet (rtpdec.c:752)
==34163==    by 0x5A4D63: ff_rtsp_fetch_packet (rtsp.c:1956)
==34163==    by 0x5C4435: ff_read_packet (utils.c:791)
==34163==    by 0x5C71EF: read_frame_internal (utils.c:1454)
==34163==    by 0x5C807C: av_read_frame (utils.c:1594)
==34163==    by 0x464D1E: main (ffmpeg.c:3256)
==34163==  Address 0x5945828 is 0 bytes after a block of size 40 free'd
==34163==    at 0x4C294C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==34163==    by 0xC41EDB: av_freep (mem.c:232)
==34163==    by 0xC33948: av_buffer_unref (buffer.c:116)
==34163==    by 0x605D26: av_free_packet (avpacket.c:285)
==34163==    by 0x464236: main (ffmpeg.c:3496)
==34163==
frame= 91 fps= 22 q=-1.0 size= 1794kB time=00:00:04.96 bitrate=2962.4kbits/
frame= 105 fps= 22 q=-1.0 size= 2077kB time=00:00:05.52 bitrate=3082.1kbits/
frame= 116 fps= 22 q=-1.0 size= 2320kB time=00:00:05.96 bitrate=3188.6kbits/
frame= 131 fps= 23 q=-1.0 size= 2568kB time=00:00:06.56 bitrate=3207.2kbits/
frame= 145 fps= 23 q=-1.0 size= 2852kB time=00:00:07.12 bitrate=3281.0kbits/
frame= 159 fps= 23 q=-1.0 size= 3056kB time=00:00:07.68 bitrate=3259.9kbits/
frame= 171 fps= 23 q=-1.0 size= 3298kB time=00:00:08.16 bitrate=3310.9kbits/
frame= 181 fps= 23 q=-1.0 size= 3455kB time=00:00:08.56 bitrate=3306.7kbits/
frame= 196 fps= 23 q=-1.0 size= 3671kB time=00:00:09.16 bitrate=3283.4kbits/
frame= 211 fps= 24 q=-1.0 size= 3881kB time=00:00:09.76 bitrate=3257.9kbits/
frame= 226 fps= 24 q=-1.0 size= 4034kB time=00:00:10.36 bitrate=3190.1kbits/
frame= 239 fps= 24 q=-1.0 size= 4211kB time=00:00:10.88 bitrate=3170.9kbits/
frame= 250 fps= 24 q=-1.0 size= 4478kB time=00:00:11.32 bitrate=3240.7kbits/
frame= 265 fps= 24 q=-1.0 size= 4765kB time=00:00:11.92 bitrate=3274.9kbits/
frame= 279 fps= 24 q=-1.0 size= 5019kB time=00:00:12.48 bitrate=3294.6kbits/
frame= 291 fps= 24 q=-1.0 size= 5245kB time=00:00:12.96 bitrate=3315.4kbits/
frame= 304 fps= 24 q=-1.0 size= 5531kB time=00:00:13.48 bitrate=3361.3kbits/
frame= 318 fps= 24 q=-1.0 size= 5769kB time=00:00:14.04 bitrate=3366.2kbits/
frame= 330 fps= 24 q=-1.0 size= 5985kB time=00:00:14.52 bitrate=3376.5kbits/
frame= 346 fps= 24 q=-1.0 size= 6218kB time=00:00:15.16 bitrate=3360.1kbits/
frame= 358 fps= 24 q=-1.0 size= 6537kB time=00:00:15.64 bitrate=3423.7kbits/
frame= 368 fps= 24 q=-1.0 size= 6770kB time=00:00:16.04 bitrate=3457.7kbits/
frame= 383 fps= 24 q=-1.0 size= 7034kB time=00:00:16.64 bitrate=3462.8kbits/
frame= 395 fps= 24 q=-1.0 size= 7235kB time=00:00:17.12 bitrate=3462.0kbits/
frame= 409 fps= 24 q=-1.0 size= 7545kB time=00:00:17.68 bitrate=3496.0kbits/
frame= 422 fps= 24 q=-1.0 size= 7831kB time=00:00:18.20 bitrate=3525.0kbits/
frame= 434 fps= 24 q=-1.0 size= 8059kB time=00:00:18.68 bitrate=3534.4kbits/
frame= 449 fps= 24 q=-1.0 size= 8343kB time=00:00:19.28 bitrate=3544.7kbits/
frame= 461 fps= 24 q=-1.0 size= 8538kB time=00:00:19.76 bitrate=3539.7kbits/
frame= 473 fps= 24 q=-1.0 size= 8728kB time=00:00:20.24 bitrate=3532.6kbits/
frame= 488 fps= 24 q=-1.0 size= 8923kB time=00:00:20.84 bitrate=3507.5kbits/
frame= 502 fps= 24 q=-1.0 size= 9164kB time=00:00:21.40 bitrate=3508.0kbits/
frame= 514 fps= 24 q=-1.0 size= 9365kB time=00:00:21.88 bitrate=3506.3kbits/
frame= 526 fps= 24 q=-1.0 size= 9656kB time=00:00:22.36 bitrate=3537.7kbits/
frame= 539 fps= 24 q=-1.0 size= 9882kB time=00:00:22.88 bitrate=3538.3kbits/
frame= 554 fps= 24 q=-1.0 size= 10146kB time=00:00:23.48 bitrate=3539.9kbits/
frame= 568 fps= 24 q=-1.0 size= 10385kB time=00:00:24.04 bitrate=3538.7kbits/
frame= 580 fps= 24 q=-1.0 size= 10663kB time=00:00:24.52 bitrate=3562.3kbits/
frame= 592 fps= 24 q=-1.0 size= 10869kB time=00:00:25.00 bitrate=3561.4kbits/
frame= 607 fps= 24 q=-1.0 size= 11134kB time=00:00:25.60 bitrate=3562.9kbits/
frame= 618 fps= 24 q=-1.0 size= 11299kB time=00:00:26.04 bitrate=3554.7kbits/
frame= 636 fps= 25 q=-1.0 size= 11506kB time=00:00:26.76 bitrate=3522.3kbits/
frame= 648 fps= 25 q=-1.0 size= 11670kB time=00:00:27.24 bitrate=3509.4kbits/
frame= 659 fps= 25 q=-1.0 size= 11912kB time=00:00:27.68 bitrate=3525.5kbits/
frame= 671 fps= 24 q=-1.0 size= 12209kB time=00:00:28.16 bitrate=3551.8kbits/
frame= 685 fps= 25 q=-1.0 size= 12509kB time=00:00:28.72 bitrate=3567.9kbits/
frame= 701 fps= 25 q=-1.0 size= 12726kB time=00:00:29.36 bitrate=3550.7kbits/
frame= 717 fps= 25 q=-1.0 size= 12910kB time=00:00:30.00 bitrate=3525.2kbits/
frame= 717 fps= 24 q=-1.0 Lsize= 13067kB time=00:00:30.00 bitrate=3568.2kbits/s
video:12303kB audio:690kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.571913%
==34163==
==34163== HEAP SUMMARY:
==34163==     in use at exit: 80 bytes in 2 blocks
==34163==   total heap usage: 32,159 allocs, 32,157 frees, 194,097,256 bytes allocated
==34163==
==34163== LEAK SUMMARY:
==34163==    definitely lost: 0 bytes in 0 blocks
==34163==    indirectly lost: 0 bytes in 0 blocks
==34163==      possibly lost: 0 bytes in 0 blocks
==34163==    still reachable: 80 bytes in 2 blocks
==34163==         suppressed: 0 bytes in 0 blocks
==34163== Rerun with --leak-check=full to see details of leaked memory
==34163==
==34163== For counts of detected and suppressed errors, rerun with: -v
==34163== ERROR SUMMARY: 61 errors from 2 contexts (suppressed: 2 from 2)
```
Attachments (1)
Change History (10)
comment:1 by , 10 years ago
Keywords: | mpegts added |
---|
follow-up: 3 comment:2 by , 10 years ago
I attach a pcap file; I think it is possible to replay it to the network.
Yes, valgrind output looks similar.
comment:3 by , 10 years ago
Replying to lavv17:
> I attach a pcap file; I think it is possible to replay it to the network.

Did you try? Does the pcap file allow reproducing the crash?
comment:4 by , 10 years ago
It looks like a problem with format auto-detection. s->priv_data is not correctly allocated at util.c:577 (with priv_data_size=5912, iformat=&ff_rtp_demuxer), but later it is assumed to be MpegTSContext and sizeof(MpegTSContext) = 73848, thus it overwrites memory past allocated buffer.
When I run ffmpeg with explicit "-f mpegts" it correctly allocates priv_data_size=73848 and does not crash.
comment:7 by , 10 years ago
`write_section_data` assumes `s->priv_data` to be `MpegTSContext`. But `s->iformat` is still `ff_rtp_demuxer` and `s->priv_data` is allocated as an `RTSPState`.

```
(gdb) fr 1
#1 0x00000000005589b4 in handle_packet (ts=ts@entry=0x7fd42c52bf80, packet=packet@entry=0x7fd42c528168 "GWx\031") at libavformat/mpegts.c:2095
2095 write_section_data(s, tss,
(gdb) p s->iformat
$4 = (struct AVInputFormat *) 0x1191060 <ff_rtp_demuxer>
```

BTW, `-f mpegts` prevents the crash, but the resulting file is not correct, so it is not the solution.
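The size mismatch described in comment:4 and comment:7, as an added C sketch that is neither FFmpeg code nor the fix in 86359543. The struct and function names (`struct demuxer`, `struct fmt_ctx`, `ctx_open`, `overrun_bytes`, `priv_as`) are hypothetical stand-ins; only the two sizes are taken from the ticket.

```c
/* Added illustration; simplified stand-ins, not FFmpeg's real structures. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct demuxer { const char *name; size_t priv_data_size; };
struct fmt_ctx { const struct demuxer *iformat; void *priv_data; };

/* Sizes quoted in comment:4 of this ticket. */
static const struct demuxer rtp_demuxer    = { "rtp",    5912  };
static const struct demuxer mpegts_demuxer = { "mpegts", 73848 };

/* Allocate private data sized by the selected input format. */
static int ctx_open(struct fmt_ctx *s, const struct demuxer *fmt)
{
    s->iformat = fmt;
    s->priv_data = calloc(1, fmt->priv_data_size);
    return s->priv_data ? 0 : -1;
}

/* How many bytes of a write [offset, offset+len) fall past the allocation. */
static size_t overrun_bytes(const struct fmt_ctx *s, size_t offset, size_t len)
{
    size_t end = offset + len;
    size_t cap = s->iformat->priv_data_size;
    return end > cap ? end - cap : 0;
}

/* Checked accessor: hand out priv_data only to the format that owns it. */
static void *priv_as(const struct fmt_ctx *s, const struct demuxer *expected)
{
    return s->iformat == expected ? s->priv_data : NULL;
}

int main(void)
{
    struct fmt_ctx s;
    if (ctx_open(&s, &rtp_demuxer) < 0)
        return 1;
    /* Treating the RTP-sized block as the larger MPEG-TS context. */
    printf("bytes past the block when the last mpegts field is written: %zu\n",
           overrun_bytes(&s, mpegts_demuxer.priv_data_size - 1, 1));
    printf("checked access as mpegts: %p\n", priv_as(&s, &mpegts_demuxer));
    printf("checked access as rtp:    %p\n", priv_as(&s, &rtp_demuxer));
    free(s.priv_data);
    return 0;
}
```

A check of this kind turns the silent heap overwrite into a NULL that the caller has to handle.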
comment:8 by , 10 years ago
Priority: | normal → important |
---|
comment:9 by , 10 years ago
Keywords: | crash SIGSEGV added |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Fixed in 86359543
Thank you for the report and the fix!
How can I reproduce this crash?
Don't you agree that the valgrind output indicates a similarity to ticket #3713?