Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#3889 closed defect (fixed)

h264: crash in low mem situation

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: h264 crash
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

I first spotted it on windows.

It crashes here with -Sv between 200000 and 800000.

http://www.datafilehost.com/d/e6b9258d

knoppix@Microknoppix:/media/sdb1$ ulimit -Sv 300000 -c unlimited
knoppix@Microknoppix:/media/sdb1$ ffmpeg_g -vcodec h264 -i dvvideo.avi -an -f null -
ffmpeg-snapshot/ffmpeg -vcodec h264 -i dvvideo.avi -an -f null -
ffmpeg version 2.3.git Copyright (c) 2000-2014 the FFmpeg developers
  built on Aug 24 2014 12:13:59 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-ffserver
  libavutil      54.  7.100 / 54.  7.100
  libavcodec     56.  0.101 / 56.  0.101
  libavformat    56.  2.100 / 56.  2.100
  libavdevice    56.  0.100 / 56.  0.100
  libavfilter     5.  0.103 /  5.  0.103
  libswscale      3.  0.100 /  3.  0.100
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  0.100 / 53.  0.100
[h264 @ 0x93b8900] no frame!
    Last message repeated 6 times
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] sps_id 32 out of range
    Last message repeated 1 times
[h264 @ 0x93b8900] no frame!
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] sps_id 32 out of range
    Last message repeated 1 times
[h264 @ 0x93b8900] illegal POC type 32
[h264 @ 0x93b8900] sps_id 32 out of range
[h264 @ 0x93b8900] no frame!
[h264 @ 0x93b8900] SEI type 127 size 1192 truncated at 5
[h264 @ 0x93b8900] illegal aspect ratio
[h264 @ 0x93b8900] too many reference frames 32
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] illegal aspect ratio
[h264 @ 0x93b8900] sps_id 32 out of range
[h264 @ 0x93b8900] illegal aspect ratio
[h264 @ 0x93b8900] sps_id 32 out of range
[h264 @ 0x93b8900] SEI type 132 size 1680 truncated at 1
[h264 @ 0x93b8900] no frame!
[h264 @ 0x93b8900] sps_id 32 out of range
    Last message repeated 1 times
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] slice type 32 too large at 0 0
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] no frame!
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] slice type 32 too large at 0 0
[h264 @ 0x93b8900] decode_slice_header error
[h264 @ 0x93b8900] sps_id 0 out of range
[h264 @ 0x93b8900] SEI type 52 size 1232 truncated at 4
[h264 @ 0x93b8900] SEI type 93 size 496 truncated at 7
[h264 @ 0x93b8900] Partitioned H.264 support is incomplete
[h264 @ 0x93b8900] non-existing PPS 126 referenced
[h264 @ 0x93b8900] decode_slice_header error
[...]
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] Missing reference picture, default is 0
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] QP 4294967217 out of range
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] reference overflow 246 > 15 or 0 > 15
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] reference overflow 24647 > 31 or 0 > 31
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] Missing reference picture, default is 0
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] Missing reference picture, default is 0
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] Partitioned H.264 support is incomplete
[h264 @ 0x96740a0] Missing reference picture, default is 0
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x96740a0] decode_slice_header error
[h264 @ 0x96740a0] QP 3109 out of range
[h264 @ 0x96740a0] decode_slice_header error
Input stream #0:0 frame changed from size:96x16 fmt:yuvj420p to size:32x16 fmt:yuvj420p
[h264 @ 0x93b0ba0] slice type 32 too large at 0 0
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] cabac_init_idc 32 overflow
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] reference picture missing during reorder
[h264 @ 0x93b0ba0] reference count overflow
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] FMO not supported
[h264 @ 0x93b0ba0] reference overflow (pps)
[h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] FMO not supported
[h264 @ 0x93b0ba0] sps_id 9 out of range
[h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] slice type 13 too large at 0 1
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] Partitioned H.264 support is incomplete
[h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] non-existing PPS 14 referenced
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] sps_id 3 out of range
[h264 @ 0x93b0ba0] first_mb_in_slice overflow
[h264 @ 0x93b0ba0] decode_slice_header error
[swscaler @ 0xade87c00] deprecated pixel format used, make sure you did set range correctly
[h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] Missing reference picture, default is 0
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] Reinit context to 32x64, pix_fmt: yuvj420p
[h264 @ 0x93b0ba0] Missing reference picture, default is 2147483647
    Last message repeated 3 times
[h264 @ 0x93b0ba0] deblocking_filter_idc 6 out of range
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] Partitioned H.264 support is incomplete
[h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] non-existing PPS 21 referenced
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x93b0ba0] Reinit context to 16x256, pix_fmt: yuvj420p
[h264 @ 0x93b0ba0] QP 3109 out of range
[h264 @ 0x93b0ba0] decode_slice_header error
[h264 @ 0x9811b80] FMO not supported
[h264 @ 0x9811b80] Reinit context to 32x64, pix_fmt: yuvj420p
[h264 @ 0x9811b80] first_mb_in_slice overflow
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] This stream was generated by a broken encoder, invalid 8x8 inference
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] FMO not supported
[h264 @ 0x9811b80] slice type 19 too large at 0 1
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] Partitioned H.264 support is incomplete
[h264 @ 0x9811b80] Reinit context to 131056x2016, pix_fmt: yuvj420p
[h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is invalid
[h264 @ 0x9811b80] video_get_buffer: image parameters invalid
[h264 @ 0x9811b80] get_buffer() failed
[h264 @ 0x9811b80] thread_get_buffer() failed
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is invalid
[h264 @ 0x9811b80] video_get_buffer: image parameters invalid
[h264 @ 0x9811b80] get_buffer() failed
[h264 @ 0x9811b80] thread_get_buffer() failed
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is invalid
[h264 @ 0x9811b80] video_get_buffer: image parameters invalid
[h264 @ 0x9811b80] get_buffer() failed
[h264 @ 0x9811b80] thread_get_buffer() failed
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] illegal aspect ratio
[h264 @ 0x9811b80] sps_id 32 out of range
[h264 @ 0x9811b80] slice type 23 too large at 0 1
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is invalid
[h264 @ 0x9811b80] video_get_buffer: image parameters invalid
[h264 @ 0x9811b80] get_buffer() failed
[h264 @ 0x9811b80] thread_get_buffer() failed
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] Partitioned H.264 support is incomplete
[h264 @ 0x9811b80] sps_id 32 out of range
    Last message repeated 1 times
[h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is invalid
[h264 @ 0x9811b80] video_get_buffer: image parameters invalid
[h264 @ 0x9811b80] get_buffer() failed
[h264 @ 0x9811b80] thread_get_buffer() failed
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is invalid
[h264 @ 0x9811b80] video_get_buffer: image parameters invalid
[h264 @ 0x9811b80] get_buffer() failed
[h264 @ 0x9811b80] thread_get_buffer() failed
[h264 @ 0x9811b80] decode_slice_header error
[h264 @ 0x9811b80] Partitioned H.264 support is incomplete
[h264 @ 0x9811b80] FMO not supported
[h264 @ 0x9811b80] no frame!
[h264 @ 0x966bb60] Cannot allocate memory.
[h264 @ 0x966bb60] Could not allocate memory
[h264 @ 0x966bb60] h264_slice_header_init() failedError while decoding stream #0:0: Cannot allocate memory
[h264 @ 0x966bb60] Cannot allocate memory.:00:07.24 bitrate=N/A    
[h264 @ 0x966bb60] Could not allocate memory
Error while decoding stream #0:0: Cannot allocate memory
[h264 @ 0x966bb60] Cannot allocate memory.
Segmentation fault (core dumped)

knoppix@Microknoppix:/media/sdb1$ ulimit -Sv 250000000 -c unlimited
knoppix@Microknoppix:/media/sdb1$ gdb -c core ffmpeg_g
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /media/sdb1/ffmpeg_g...done.
[New LWP 14117]
[New LWP 14197]
[New LWP 14196]
[New LWP 14195]
[New LWP 14199]
[New LWP 14133]
[New LWP 14192]
[New LWP 14127]
[New LWP 14194]
[New LWP 14134]
[New LWP 14198]
[New LWP 14193]
[New LWP 14200]
[New LWP 14128]
[New LWP 14131]
[New LWP 14135]
[New LWP 14132]
[New LWP 14129]
[New LWP 14130]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Failed to read a valid object file image from memory.
Core was generated by `./ffmpeg_g -vcodec h264 -i dvvideo.avi -an -f null -'.
Program terminated with signal 11, Segmentation fault.
#0  *__GI___libc_free (mem=0xadd01020) at malloc.c:3709
3709	malloc.c: No such file or directory.
(gdb) bt
#0  *__GI___libc_free (mem=0xadd01020) at malloc.c:3709
#1  0x089f3ce2 in av_free (ptr=<optimized out>) at libavutil/mem.c:232
#2  av_freep (arg=arg@entry=0xb1af11d0) at libavutil/mem.c:239
#3  0x0837fc65 in ff_h264_free_tables (h=h@entry=0xb1a8b020, free_rbsp=1)
    at libavcodec/h264.c:373
#4  0x08381cd5 in ff_h264_alloc_tables (h=h@entry=0xb1a8b020)
    at libavcodec/h264.c:485
#5  0x083c0e3c in ff_h264_update_thread_context (dst=0x966bb60, src=0x9811b80)
    at libavcodec/h264_slice.c:600
#6  0x086601c3 in update_context_from_thread (dst=0x966bb60, 
    src=<optimized out>, for_user=<optimized out>)
    at libavcodec/pthread_frame.c:246
#7  0x086606bc in submit_packet (avpkt=0xbfa04348, p=0x9811288)
    at libavcodec/pthread_frame.c:346
#8  ff_thread_decode_frame (avctx=avctx@entry=0x969c480, 
    picture=picture@entry=0x9732780, 
    got_picture_ptr=got_picture_ptr@entry=0xbfa045ac, 
    avpkt=avpkt@entry=0xbfa04348) at libavcodec/pthread_frame.c:421
#9  0x08740e82 in avcodec_decode_video2 (avctx=0x969c480, 
    picture=picture@entry=0x9732780, 
    got_picture_ptr=got_picture_ptr@entry=0xbfa045ac, 
    avpkt=avpkt@entry=0xbfa04818) at libavcodec/utils.c:2261
#10 0x080c9694 in decode_video (ist=ist@entry=0x9633980, 
---Type <return> to continue, or q <return> to quit---
    pkt=pkt@entry=0xbfa04818, got_output=got_output@entry=0xbfa045ac)
    at ffmpeg.c:1888
#11 0x080cdb9b in process_input_packet (pkt=0xbfa047d0, ist=0x9633980)
    at ffmpeg.c:2122
#12 process_input (file_index=-1080014824) at ffmpeg.c:3529
#13 0x080afd42 in transcode_step () at ffmpeg.c:3623
#14 transcode () at ffmpeg.c:3675
#15 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3851
(gdb)

Change History (3)

comment:1 by Carl Eugen Hoyos, 10 years ago

Component: undeterminedavcodec
Keywords: h264 crash added
Priority: normalimportant
Reproduced by developer: set
Status: newopen
Version: unspecifiedgit-master

I can reproduce the race condition with a sufficiently high value for -threads.
ff_h264_update_thread_context() calls ff_h264_alloc_tables() with h->chroma_pred_mode_table set to freed memory. A double free happens when allocations in ff_h264_alloc_tables() fail and ff_h264_free_tables() is called.

comment:2 by Carl Eugen Hoyos, 10 years ago

Resolution: fixed
Status: openclosed

For the given sample, this ticket is not reproducible since 033a5334
It is reproducible with current git head - 5aaf5df0 - if I revert the first hunk of 033a5334:
With ulimit -Sv 385000, the double free happens with -threads 2, with ulimit -Sv 2000000 -threads 16 is needed.

comment:3 by Carl Eugen Hoyos, 10 years ago

Fixed by Michael in 547fce95

Note: See TracTickets for help on using tickets.