Opened 10 years ago
Closed 10 years ago
#4299 closed defect (fixed)
mpeg2: crash with fuzzed file
Reported by: | tholin | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | avcodec |
Version: | git-master | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
The attached file segfaults.
It will not segfault in valgrind or in any program that links against ffmpeg. It only segfaults with ffmpeg when -f null is used.
```
$ gdb --args ./ffmpeg -v 9 -loglevel 99 -i ~/fuzz/ffmpeg_mpeg2_crash.mpg -f null -
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -v 9 -loglevel 99 -i /home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg -f null -
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-69570-g7801a54 Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
configuration: --prefix=/home/cocobo/repository/mpv-build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
libavutil 54. 18.100 / 54. 18.100
libavcodec 56. 21.102 / 56. 21.102
libavformat 56. 19.100 / 56. 19.100
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 9.103 / 5. 9.103
libavresample 2. 1. 0 / 2. 1. 0
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument '/home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg'.
Reading option '-f' ... matched as option 'f' (force format) with argument 'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file /home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg.
Successfully parsed a group of options.
Opening an input file: /home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg.
[mpegvideo @ 0x1e90140] Format mpegvideo probed with size=2048 and score=51
[mpegvideo @ 0x1e90140] Before avformat_find_stream_info() pos: 0 bytes read:64 seeks:0
[mpeg1video @ 0x1e90b60] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpegvideo @ 0x1e90140] Estimating duration from bitrate, this may be inaccurate
[mpegvideo @ 0x1e90140] After avformat_find_stream_info() pos: 64 bytes read:64 seeks:0 frames:2
Input #0, mpegvideo, from '/home/cocobo/fuzz/ffmpeg_mpeg2_crash.mpg':
  Duration: 00:00:00.00, bitrate: 19692 kb/s
    Stream #0:0, 2, 1/1200000: Video: mpeg2video (Main), yuv420p(tv, center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/24000, 19737 kb/s, 11.99 tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
detected 8 logical cores
[New Thread 0x7ffff4de9700 (LWP 24824)]
[New Thread 0x7ffff45e8700 (LWP 24825)]
[New Thread 0x7ffff3de7700 (LWP 24826)]
[New Thread 0x7ffff35e6700 (LWP 24827)]
[New Thread 0x7ffff2de5700 (LWP 24828)]
[New Thread 0x7ffff25e4700 (LWP 24829)]
[New Thread 0x7ffff1de3700 (LWP 24830)]
[New Thread 0x7ffff15e2700 (LWP 24831)]
[New Thread 0x7ffff0de1700 (LWP 24832)]
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'video_size' to value '4099x12'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'pixel_aspect' to value '64/12297'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x1e85440] Setting 'frame_rate' to value '24000/2002'
[graph 0 input from stream 0:0 @ 0x1e85440] w:4099 h:12 pixfmt:yuv420p tb:1/1200000 fr:24000/2002 sar:64/12297 sws_param:flags=2
[AVFilterGraph @ 0x1e85b60] query_formats: 3 queried, 2 merged, 0 already done, 0 delayed
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.19.100
    Stream #0:0, 0, 1001/12000: Video: rawvideo (I420 / 0x30323449), yuv420p(center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/12000, q=2-31, 200 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
    Metadata:
      encoder : Lavc56.21.102 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[mpeg2video @ 0x1e912a0] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg2video @ 0x1e912a0] Missing picture start code, guessing missing values
[mpeg2video @ 0x1e912a0] Missing picture start code
[mpeg2video @ 0x1e912a0] warning: first frame is no keyframe

Program received signal SIGSEGV, Segmentation fault.
0x0000000001054171 in ff_put_pixels16_y2_sse2.loop () at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
263         PUT_PIXELS8_Y2
(gdb) bt
#0  0x0000000001054171 in ff_put_pixels16_y2_sse2.loop () at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
#1  0x0000000000af2657 in mpeg_motion_internal (mb_y=0, is_mpeg12=1, h=16, motion_y=1, motion_x=0, pix_op=0x1e94ae0, ref_picture=0x1e7c940, field_select=1, bottom_field=0, field_based=0, dest_cr=0x1e728e0 "", dest_cb=0x1e86980 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e93fc0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:357
#2  mpeg_motion (s=0x1e93fc0, dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, dest_cb=0x1e86980 "", dest_cr=0x1e728e0 "", field_select=1, ref_picture=0x1e7c940, pix_op=0x1e94ae0, motion_x=0, motion_y=1, h=16, mb_y=0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:379
#3  0x0000000000af8221 in mpv_motion_internal (is_mpeg12=1, qpix_op=0x0, pix_op=0x1e94ae0, ref_picture=0x1e7c940, dir=0, dest_cr=0x1e728e0 "", dest_cb=0x1e86980 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e93fc0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:951
#4  ff_mpv_motion (s=0x1e93fc0, dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, dest_cb=0x1e86980 "", dest_cr=0x1e728e0 "", dir=0, ref_picture=0x1e7c940, pix_op=0x1e94ae0, qpix_op=0x0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:981
#5  0x0000000000acfbb3 in mpv_decode_mb_internal (is_mpeg12=1, lowres_flag=0, block=0x1e7ffa0, s=0x1e93fc0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo.c:3153
#6  ff_mpv_decode_mb (s=0x1e93fc0, block=0x1e7ffa0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo.c:3287
#7  0x0000000000a821f3 in mpeg_decode_slice (s=0x1e93fc0, mb_y=1, buf=0x7fffffffcec8, buf_size=4) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpeg12dec.c:1879
#8  0x0000000000a84f49 in decode_chunks (avctx=0x1e912a0, picture=0x1e93460, got_output=0x7fffffffd208, buf=0x1ea8ef0 "", buf_size=37) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpeg12dec.c:2710
#9  0x0000000000a852ec in mpeg_decode_frame (avctx=0x1e912a0, data=0x1e93460, got_output=0x7fffffffd208, avpkt=0x7fffffffcfe0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpeg12dec.c:2787
#10 0x0000000000c29938 in avcodec_decode_video2 (avctx=0x1e912a0, picture=0x1e93460, got_picture_ptr=0x7fffffffd208, avpkt=0x7fffffffd2a0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/utils.c:2372
#11 0x0000000000424bc3 in decode_video (ist=0x1e910a0, pkt=0x7fffffffd2a0, got_output=0x7fffffffd208) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:1958
#12 0x0000000000425d29 in process_input_packet (ist=0x1e910a0, pkt=0x7fffffffd530) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:2206
#13 0x000000000042c5d6 in process_input (file_index=0) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3696
#14 0x000000000042c95f in transcode_step () at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3790
#15 0x000000000042ca6f in transcode () at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:3842
#16 0x000000000042cf6b in main (argc=10, argv=0x7fffffffd998) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/ffmpeg.c:4020
```
Attachments (5)
Change History (10)
by , 10 years ago
Attachment: | ffmpeg_mpeg2_crash.mpg added |
---|
comment:1 by , 10 years ago
comment:2 by , 10 years ago
More info as requested.
```
$ gdb --args ~/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i ffmpeg_mpeg2_crash.mpg -f null -
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg_build/ffmpeg -i ffmpeg_mpeg2_crash.mpg -f null -
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-69570-g7801a54 Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
configuration: --prefix=/home/cocobo/repository/mpv-build_ffmpeg_vanilla/build_libs --enable-static --disable-shared --enable-gpl --enable-avresample --enable-debug=gdb --disable-doc --disable-optimizations --disable-stripping
libavutil 54. 18.100 / 54. 18.100
libavcodec 56. 21.102 / 56. 21.102
libavformat 56. 19.100 / 56. 19.100
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 9.103 / 5. 9.103
libavresample 2. 1. 0 / 2. 1. 0
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
[mpeg1video @ 0x1e90be0] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpegvideo @ 0x1e901c0] Estimating duration from bitrate, this may be inaccurate
Input #0, mpegvideo, from 'ffmpeg_mpeg2_crash.mpg':
  Duration: 00:00:00.00, bitrate: 19692 kb/s
    Stream #0:0: Video: mpeg2video (Main), yuv420p(tv), 4099x12 [SAR 64:12297 DAR 16:9], 19737 kb/s, 11.99 tbr, 1200k tbn, 23.98 tbc
[New Thread 0x7ffff4de9700 (LWP 17633)]
[New Thread 0x7ffff45e8700 (LWP 17634)]
[New Thread 0x7ffff3de7700 (LWP 17635)]
[New Thread 0x7ffff35e6700 (LWP 17636)]
[New Thread 0x7ffff2de5700 (LWP 17637)]
[New Thread 0x7ffff25e4700 (LWP 17638)]
[New Thread 0x7ffff1de3700 (LWP 17639)]
[New Thread 0x7ffff15e2700 (LWP 17640)]
[New Thread 0x7ffff0de1700 (LWP 17641)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.19.100
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 4099x12 [SAR 64:12297 DAR 16:9], q=2-31, 200 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
    Metadata:
      encoder : Lavc56.21.102 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[mpeg2video @ 0x1e913c0] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg2video @ 0x1e913c0] Missing picture start code, guessing missing values
[mpeg2video @ 0x1e913c0] Missing picture start code
[mpeg2video @ 0x1e913c0] warning: first frame is no keyframe

Program received signal SIGSEGV, Segmentation fault.
0x0000000001054171 in ff_put_pixels16_y2_sse2.loop () at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/x86/hpeldsp.asm:263
263         PUT_PIXELS8_Y2
(gdb) info register
rax            0x1054140        17121600
rbx            0x0      0
rcx            0x4      4
rdx            0x2080   8320
rsi            0x7ffff05dd780   140737226069888
rdi            0x7ffff7fed600   140737354061312
rbp            0x7fffffffc990   0x7fffffffc990
rsp            0x7fffffffc7d8   0x7fffffffc7d8
r8             0x4100   16640
r9             0x1e7c660        31966816
r10            0x1      1
r11            0x0      0
r12            0x407320 4223776
r13            0x7fffffffd9e0   140737488345568
r14            0x0      0
r15            0x0      0
rip            0x1054171        0x1054171 <ff_put_pixels16_y2_sse2.loop+38>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) up
#1  0x0000000000af2657 in mpeg_motion_internal (mb_y=0, is_mpeg12=1, h=16, motion_y=1, motion_x=0, pix_op=0x1e923a0, ref_picture=0x1e7c660, field_select=1, bottom_field=0, field_based=0, dest_cr=0x1e728e0 "", dest_cb=0x1e86a20 "", dest_y=0x7ffff7fd7080 '\200' <repeats 16 times>, s=0x1e91880) at /home/cocobo/repository/mpv-build_ffmpeg_vanilla/ffmpeg/libavcodec/mpegvideo_motion.c:357
357         pix_op[0][dxy](dest_y, ptr_y, linesize, h);
(gdb) print dest_y
$1 = (uint8_t *) 0x7ffff7fd7080 '\200' <repeats 16 times>
(gdb) print ptr_y
$2 = (uint8_t *) 0x7ffff05c1080 '\200' <repeats 200 times>...
(gdb) print linesize
$3 = 8320
(gdb) info args
mb_y = 0
is_mpeg12 = 1
h = 16
motion_y = 1
motion_x = 0
pix_op = 0x1e923a0
ref_picture = 0x1e7c660
field_select = 1
bottom_field = 0
field_based = 0
dest_cr = 0x1e728e0 ""
dest_cb = 0x1e86a20 ""
dest_y = 0x7ffff7fd7080 '\200' <repeats 16 times>
s = 0x1e91880
(gdb) info locals
ptr_y = 0x7ffff05c1080 '\200' <repeats 200 times>...
ptr_cr = 0x1eb19c0 '\200' <repeats 200 times>...
dxy = 2
src_y = 0
mx = 0
uvsrc_x = 0
uvlinesize = 4160
linesize = 8320
ptr_cb = 0x1ea9780 '\200' <repeats 200 times>...
uvdxy = 0
my = 0
src_x = 0
uvsrc_y = 0
v_edge_pos = 16
```
comment:3 by , 10 years ago
Thank you.
The pointers and strides have the expected alignment, look valid, and seem to be within bounds (i.e. rsi/rdi are between dest_y/ptr_y and dest_y/ptr_y + 16 * linesize). Might then be an allocation problem (buffers actually not that big?).
Unfortunately, I can't reproduce the crash under Win64 or Win32.
comment:4 by , 10 years ago
I can trigger the crash on several of my systems, but if I build with ASan or without pthreads it won't crash. The crashes seem to be random and I guess it's dependent on the precise layout of the address space. I did some more fuzzing with the previous file as input and got some files with valgrind warnings. I have added them too.
```
$ valgrind ./ffmpeg -v 9 -loglevel 99 -i ~/fuzz/ffmpeg_mpeg2_crash2.mpg -f null -
==27304== Memcheck, a memory error detector
==27304== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==27304== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==27304== Command: ./ffmpeg -v 9 -loglevel 99 -i /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg -f null -
==27304==
ffmpeg version N-69683-g8b77c4d Copyright (c) 2000-2015 the FFmpeg developers
built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
configuration: --enable-debug=gdb --disable-optimizations --disable-stripping
libavutil 54. 18.100 / 54. 18.100
libavcodec 56. 21.102 / 56. 21.102
libavformat 56. 19.100 / 56. 19.100
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 9.104 / 5. 9.104
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument '/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg'.
Reading option '-f' ... matched as option 'f' (force format) with argument 'null'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg.
Successfully parsed a group of options.
Opening an input file: /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg.
[mpegvideo @ 0x7e48da0] Format mpegvideo probed with size=2048 and score=51
[mpegvideo @ 0x7e48da0] Before avformat_find_stream_info() pos: 0 bytes read:122 seeks:0
[mpeg1video @ 0x7e5af40] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpegvideo @ 0x7e48da0] Estimating duration from bitrate, this may be inaccurate
[mpegvideo @ 0x7e48da0] After avformat_find_stream_info() pos: 122 bytes read:122 seeks:0 frames:2
Input #0, mpegvideo, from '/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg':
  Duration: 00:00:00.00, bitrate: 19918 kb/s
    Stream #0:0, 2, 1/1200000: Video: mpeg2video (Main), yuv420p(tv, center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/24000, 19737 kb/s, 11.99 tbr, 1200k tbn, 23.98 tbc
Successfully opened the file.
Parsing a group of options: output file -.
Applying option f (force format) with argument null.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
detected 8 logical cores
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'video_size' to value '4099x12'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'time_base' to value '1/1200000'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'pixel_aspect' to value '64/12297'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'frame_rate' to value '24000/2002'
[graph 0 input from stream 0:0 @ 0x7e76ec0] w:4099 h:12 pixfmt:yuv420p tb:1/1200000 fr:24000/2002 sar:64/12297 sws_param:flags=2
[AVFilterGraph @ 0x7e75000] query_formats: 3 queried, 2 merged, 0 already done, 0 delayed
Output #0, null, to 'pipe:':
  Metadata:
    encoder : Lavf56.19.100
    Stream #0:0, 0, 1001/12000: Video: rawvideo (I420 / 0x30323449), yuv420p(center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/12000, q=2-31, 200 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
    Metadata:
      encoder : Lavc56.21.102 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[mpeg2video @ 0x7e6ffe0] frame_rate_index 0 is invalid
    Last message repeated 1 times
[mpeg2video @ 0x7e6ffe0] Missing picture start code, guessing missing values
[mpeg2video @ 0x7e6ffe0] Missing picture start code
[mpeg2video @ 0x7e6ffe0] warning: first frame is no keyframe
==27304== Invalid read of size 16
==27304==    at 0x1036F9C: ??? (hpeldsp.asm:480)
==27304==    by 0xACDBA4: mpv_motion_internal (mpegvideo_motion.c:951)
==27304==    by 0xACDBA4: ff_mpv_motion (mpegvideo_motion.c:981)
==27304==    by 0xAA5536: mpv_decode_mb_internal (mpegvideo.c:3153)
==27304==    by 0xAA5536: ff_mpv_decode_mb (mpegvideo.c:3287)
==27304==    by 0xA57B76: mpeg_decode_slice (mpeg12dec.c:1879)
==27304==    by 0xA5A8CC: decode_chunks (mpeg12dec.c:2710)
==27304==    by 0xA5AC6F: mpeg_decode_frame (mpeg12dec.c:2787)
==27304==    by 0xBFF2F9: avcodec_decode_video2 (utils.c:2372)
==27304==    by 0x4248A3: decode_video (ffmpeg.c:1958)
==27304==    by 0x425A09: process_input_packet (ffmpeg.c:2206)
==27304==    by 0x42C2B6: process_input (ffmpeg.c:3696)
==27304==    by 0x42C63F: transcode_step (ffmpeg.c:3790)
==27304==    by 0x42C74F: transcode (ffmpeg.c:3842)
==27304==  Address 0x80ae6d0 is 1 bytes after a block of size 133,167 alloc'd
==27304==    at 0x4C2B560: memalign (vg_replace_malloc.c:760)
==27304==    by 0x4C2B677: posix_memalign (vg_replace_malloc.c:913)
==27304==    by 0x11BBAFB: av_malloc (mem.c:95)
==27304==    by 0x11AC9FC: av_buffer_alloc (buffer.c:71)
==27304==    by 0x11ACA61: av_buffer_allocz (buffer.c:84)
==27304==    by 0x11AD099: pool_alloc_buffer (buffer.c:330)
==27304==    by 0x11AD1C7: av_buffer_pool_get (buffer.c:394)
==27304==    by 0xBFA098: video_get_buffer (utils.c:670)
==27304==    by 0xBFA3F2: avcodec_default_get_buffer2 (utils.c:730)
==27304==    by 0x42648F: get_buffer (ffmpeg.c:2380)
==27304==    by 0xBFB012: get_buffer_internal (utils.c:1019)
==27304==    by 0xBFB07E: ff_get_buffer (utils.c:1032)
==27304==
[mpeg2video @ 0x7e6ffe0] invalid cbp -1 at 58 1
[output stream 0:0 @ 0x7e78d40] EOF on sink link output stream 0:0:default.
No more output streams to write to, finishing.
frame=    1 fps=0.0 q=0.0 Lsize=N/A time=00:00:00.16 bitrate=N/A
video:0kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
Input file #0 (/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg):
  Input stream #0:0 (video): 2 packets read (122 bytes); 1 frames decoded;
  Total: 2 packets (122 bytes) demuxed
Output file #0 (pipe:):
  Output stream #0:0 (video): 0 frames encoded; 1 packets muxed (96 bytes);
  Total: 1 packets (96 bytes) muxed
3 frames successfully decoded, 0 decoding errors
[AVIOContext @ 0x7e51ae0] Statistics: 122 bytes read, 0 seeks
==27304==
==27304== HEAP SUMMARY:
==27304==     in use at exit: 80 bytes in 2 blocks
==27304==   total heap usage: 1,171 allocs, 1,169 frees, 2,624,803 bytes allocated
==27304==
==27304== LEAK SUMMARY:
==27304==    definitely lost: 0 bytes in 0 blocks
==27304==    indirectly lost: 0 bytes in 0 blocks
==27304==      possibly lost: 0 bytes in 0 blocks
==27304==    still reachable: 80 bytes in 2 blocks
==27304==         suppressed: 0 bytes in 0 blocks
==27304== Rerun with --leak-check=full to see details of leaked memory
==27304==
==27304== For counts of detected and suppressed errors, rerun with: -v
==27304== ERROR SUMMARY: 15 errors from 1 contexts (suppressed: 0 from 0)
```
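Added triage example (not code from this ticket or from FFmpeg): the bounds check the developer describes in comment:3, "rsi/rdi are between dest_y/ptr_y and dest_y/ptr_y + 16 * linesize", written as a function and applied to the `info register` and `info locals` output posted in comment:2, plus the row arithmetic for the 133,167-byte block in the valgrind report of comment:4. It assumes the x86-64 SysV argument mapping for the call `pix_op[0][dxy](dest_y, ptr_y, linesize, h)` shown in frame #1 (rdi = dest_y, rsi = ptr_y, rdx = linesize; rdx == linesize in the dump is used to sanity-check that assumption) and, for the valgrind block, that the second fuzzed file has the same linesize of 8320 as the first, since both decode as 4099x12.

```python
"""Register/pointer triage for the SIGSEGV in ff_put_pixels16_y2_sse2.

Added example; not code from the ticket or from FFmpeg. It reproduces the
bounds reasoning of comment:3 on the gdb dump of comment:2.

Assumption (not stated on the page): with pix_op called as
pix_op[0][dxy](dest_y, ptr_y, linesize, h), the x86-64 SysV convention puts
dest_y in rdi, ptr_y in rsi and linesize in rdx at entry to the routine.
"""
import re

# Excerpt of `info register` from comment:2 (values copied from the ticket).
GDB_REGISTERS = r"""
rcx            0x4      4
rdx            0x2080   8320
rsi            0x7ffff05dd780   140737226069888
rdi            0x7ffff7fed600   140737354061312
rip            0x1054171        0x1054171 <ff_put_pixels16_y2_sse2.loop+38>
"""

# Excerpt of `info args` / `info locals` in frame #1 (mpeg_motion_internal).
GDB_FRAME = r"""
h = 16
dest_y = 0x7ffff7fd7080 '\200' <repeats 16 times>
ptr_y = 0x7ffff05c1080 '\200' <repeats 200 times>...
linesize = 8320
v_edge_pos = 16
"""


def parse_registers(text):
    """Map register name -> integer value from `info register` output."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(\w+)\s+(0x[0-9a-fA-F]+)", text, re.M)}


def parse_frame_values(text):
    """Map variable name -> integer value from `info args` / `info locals`."""
    return {m.group(1): int(m.group(2), 0)
            for m in re.finditer(r"^(\w+) = (0x[0-9a-fA-F]+|\d+)", text, re.M)}


def locate(addr, base, linesize, rows, access=16):
    """Place addr inside a window of `rows` rows of `linesize` bytes at base.

    Returns (row, column, inside); inside is True only when the whole
    `access`-byte load/store starting at addr stays within the window.
    """
    off = addr - base
    if off < 0:
        return (None, None, False)
    row, col = divmod(off, linesize)
    return (row, col, row < rows and col + access <= linesize)


def triage(regs_text=GDB_REGISTERS, frame_text=GDB_FRAME):
    """Apply the comment:3 check: are rdi/rsi inside the h-row windows?"""
    regs = parse_registers(regs_text)
    fv = parse_frame_values(frame_text)
    h, ls = fv["h"], fv["linesize"]
    return {
        "rdx_is_linesize": regs["rdx"] == ls,            # argument mapping holds
        "dst": locate(regs["rdi"], fv["dest_y"], ls, h),  # store side
        "src": locate(regs["rsi"], fv["ptr_y"], ls, h),   # load side
    }


def rows_in_block(block_size, linesize):
    """Full rows of `linesize` bytes in an allocation, and the slack after them.

    Used on the valgrind report of comment:4: a 133,167-byte block, with the
    8320-byte linesize from comment:2 (assumed equal; same 4099x12 picture).
    """
    return divmod(block_size, linesize)


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
    print("rows in 133,167-byte block:", rows_in_block(133167, 8320))
```

Run stand-alone it reports rdi at row 11 and rsi at row 14 of their respective planes, both inside the 16-row window and at column 0, which is the "within bounds" observation of comment:3, and that the valgrind block holds exactly 16 full rows of 8320 bytes plus 47 bytes of slack. `locate` also flags a pointer below the base or one whose 16-byte access would cross the row end, so the same function can be reused on other register dumps.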
by , 10 years ago
Attachment: | ffmpeg_mpeg2_crash2.mpg added |
---|
by , 10 years ago
Attachment: | ffmpeg_mpeg2_crash3.mpg added |
---|
by , 10 years ago
Attachment: | ffmpeg_mpeg2_crash4.mpg added |
---|
by , 10 years ago
Attachment: | ffmpeg_mpeg2_crash5.mpg added |
---|
comment:5 by , 10 years ago
Reproduced by developer: | set |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Could you relaunch, and type info register? Then 'up' (to get back into mpeg_motion_internal) and then 'print dest_y', ptr_y and linesize?
The issue is most probably an unaligned address, but I'd like to see more.
This is by the way what you would have done, if you had followed:
https://www.ffmpeg.org/bugreports.html
It's not crashing here, though.