Opened 8 years ago
Last modified 8 months ago
#6354 open defect
segfault using signature filter on some videos
Reported by: | Stephen Marquard | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avfilter |
Version: | git-master | Keywords: | signature crash SIGSEGV |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
The attached videos produce a segfault when using the signature filter.
Using the x64 binary build for ffmpeg 3.3:
https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-64bit-static.tar.xz
How to reproduce:
```
ffmpeg -i v1.avi -i v2.avi -filter_complex "[0:v][1:v] signature=nb_inputs=2:detectmode=full" -map :v -f null -
```
Most videos work fine, but these particular ones cause a segfault and core dump, though the static build does not contain debugging symbols, so I was not able to get a backtrace.
```
ffmpeg version 3.3-static http://johnvansickle.com/ffmpeg/ Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 5.4.1 (Debian 5.4.1-8) 20170304
  configuration: --enable-gpl --enable-version3 --enable-static --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio --cc=gcc-5 --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gray --enable-libass --enable-libfreetype --enable-libfribidi --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-libopus --enable-librtmp --enable-libsoxr --enable-libspeex --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxvid --enable-libzimg
  libavutil      55. 58.100 / 55. 58.100
  libavcodec     57. 89.100 / 57. 89.100
  libavformat    57. 71.100 / 57. 71.100
  libavdevice    57.  6.100 / 57.  6.100
  libavfilter     6. 82.100 /  6. 82.100
  libswscale      4.  6.100 /  4.  6.100
  libswresample   2.  7.100 /  2.  7.100
  libpostproc    54.  5.100 / 54.  5.100
```
Attachments (3)
Change History (8)
by , 8 years ago
comment:1 by , 8 years ago
This is the feature added here:
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/5e3a418b6047acd848698c4bb4bf0c1b73526744
by Gerion Entrup <gerion.entrup@flump.de>
comment:3 by , 8 years ago
The crash is still present with ffmpeg-git-20170417-64bit-static (https://johnvansickle.com/ffmpeg/builds/ffmpeg-git-64bit-static.tar.xz)
I don't have a source build available for testing at the moment.
comment:4 by , 8 years ago
Keywords: | signature crash SIGSEGV added |
---|---|
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
Version: | unspecified → git-master |
Depending on compiler, this is a regression since 4cf1f68903cebcf6a6bede970f1b8f1509edf710 for the original samples, but I will upload a sample for which the crash is reproducible with 5e3a418b6047acd848698c4bb4bf0c1b73526744.
```
$ valgrind ffmpeg_g -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
==1012== Memcheck, a memory error detector
==1012== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==1012== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==1012== Command: ffmpeg_g -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
==1012==
ffmpeg version N-85646-g550a9c5 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (GCC)
  configuration: --enable-gpl
  libavutil      55. 61.100 / 55. 61.100
  libavcodec     57. 93.100 / 57. 93.100
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 87.100 /  6. 87.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
Input #0, avi, from 'in.avi':
  Metadata:
    encoder         : Lavf57.56.100
  Duration: 00:03:18.00, start: 0.000000, bitrate: 6 kb/s
    Stream #0:0: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
    Stream #0:1: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
Stream mapping:
  Stream #0:0 (ffv1) -> signature:in0
  Stream #0:1 (ffv1) -> signature:in1
  signature -> Stream #0:0 (wrapped_avframe)
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.72.101
    Stream #0:0: Video: wrapped_avframe, yuv420p, 160x90 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 1 fps, 1 tbn, 1 tbc (default)
    Metadata:
      encoder         : Lavc57.93.100 wrapped_avframe
==1012== Conditional jump or move depends on uninitialised value(s)eed=48.1x
==1012==    at 0x5584CA: get_matching_parameters (signature_lookup.c:258)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x5583DD: get_matching_parameters (signature_lookup.c:252)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x558530: get_matching_parameters (signature_lookup.c:277)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x558536: get_matching_parameters (signature_lookup.c:278)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x558625: get_matching_parameters (signature_lookup.c:281)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Use of uninitialised value of size 8
==1012==    at 0x55C2B4: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Use of uninitialised value of size 8
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Invalid read of size 4
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==  Address 0xffffffff00000018 is not stack'd, malloc'd or (recently) free'd
==1012==
==1012==
==1012== Process terminating with default action of signal 11 (SIGSEGV)
==1012==  Access not within mapped region at address 0xFFFFFFFF00000018
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==  If you believe this happened as a result of a stack
==1012==  overflow in your program's main thread (unlikely but
==1012==  possible), you can try to increase the size of the
==1012==  main thread stack using the --main-stacksize= flag.
==1012==  The main thread stack size used in this run was 8388608.
==1012==
==1012== HEAP SUMMARY:
==1012==     in use at exit: 7,978,654 bytes in 3,643 blocks
==1012==   total heap usage: 24,584 allocs, 20,941 frees, 16,751,810 bytes allocated
==1012==
==1012== LEAK SUMMARY:
==1012==    definitely lost: 97,720 bytes in 199 blocks
==1012==    indirectly lost: 5,311,665 bytes in 2,292 blocks
==1012==      possibly lost: 7,776 bytes in 27 blocks
==1012==    still reachable: 2,561,493 bytes in 1,125 blocks
==1012==         suppressed: 0 bytes in 0 blocks
==1012== Rerun with --leak-check=full to see details of leaked memory
==1012==
==1012== For counts of detected and suppressed errors, rerun with: -v
==1012== Use --track-origins=yes to see where uninitialised values come from
==1012== ERROR SUMMARY: 50006 errors from 8 contexts (suppressed: 2 from 2)
Killed
```
```
(gdb) r -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
Starting program: ffmpeg_g -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-85646-g550a9c5 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (GCC)
  configuration: --enable-gpl
  libavutil      55. 61.100 / 55. 61.100
  libavcodec     57. 93.100 / 57. 93.100
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 87.100 /  6. 87.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
Input #0, avi, from 'in.avi':
  Metadata:
    encoder         : Lavf57.56.100
  Duration: 00:03:18.00, start: 0.000000, bitrate: 6 kb/s
    Stream #0:0: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
    Stream #0:1: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
[New Thread 0x7ffff49f6700 (LWP 1107)]
[New Thread 0x7ffff41f5700 (LWP 1108)]
[New Thread 0x7ffff39f4700 (LWP 1109)]
[New Thread 0x7ffff31f3700 (LWP 1110)]
[New Thread 0x7ffff29f2700 (LWP 1111)]
[New Thread 0x7ffff21f1700 (LWP 1112)]
[New Thread 0x7ffff19f0700 (LWP 1113)]
[New Thread 0x7ffff11ef700 (LWP 1114)]
[New Thread 0x7ffff09ee700 (LWP 1115)]
[Thread 0x7ffff11ef700 (LWP 1114) exited]
[Thread 0x7ffff09ee700 (LWP 1115) exited]
[Thread 0x7ffff19f0700 (LWP 1113) exited]
[Thread 0x7ffff31f3700 (LWP 1110) exited]
[Thread 0x7ffff21f1700 (LWP 1112) exited]
[Thread 0x7ffff29f2700 (LWP 1111) exited]
[Thread 0x7ffff49f6700 (LWP 1107) exited]
[Thread 0x7ffff39f4700 (LWP 1109) exited]
[Thread 0x7ffff41f5700 (LWP 1108) exited]
[New Thread 0x7ffff09ee700 (LWP 1116)]
[New Thread 0x7ffff11ef700 (LWP 1117)]
[New Thread 0x7ffff19f0700 (LWP 1118)]
[New Thread 0x7ffff21f1700 (LWP 1119)]
[New Thread 0x7ffff49f6700 (LWP 1120)]
[New Thread 0x7ffff41f5700 (LWP 1121)]
[New Thread 0x7ffff39f4700 (LWP 1122)]
[New Thread 0x7ffff31f3700 (LWP 1123)]
[New Thread 0x7ffff29f2700 (LWP 1124)]
[New Thread 0x7ffff01ed700 (LWP 1125)]
[New Thread 0x7fffef9ec700 (LWP 1126)]
[New Thread 0x7fffef1eb700 (LWP 1127)]
[New Thread 0x7fffee9ea700 (LWP 1128)]
[New Thread 0x7fffee1e9700 (LWP 1129)]
[New Thread 0x7fffed9e8700 (LWP 1130)]
[New Thread 0x7fffed1e7700 (LWP 1131)]
[New Thread 0x7fffec9e6700 (LWP 1132)]
[New Thread 0x7fffec1e5700 (LWP 1133)]
Stream mapping:
  Stream #0:0 (ffv1) -> signature:in0
  Stream #0:1 (ffv1) -> signature:in1
  signature -> Stream #0:0 (wrapped_avframe)
Press [q] to stop, [?] for help
[New Thread 0x7fffabfff700 (LWP 1134)]
[New Thread 0x7fffab7fe700 (LWP 1135)]
[New Thread 0x7fffaaffd700 (LWP 1136)]
[New Thread 0x7fffaa7fc700 (LWP 1137)]
[New Thread 0x7fffa9ffb700 (LWP 1138)]
[New Thread 0x7fffa97fa700 (LWP 1139)]
[New Thread 0x7fffa8ff9700 (LWP 1140)]
[New Thread 0x7fffa3fff700 (LWP 1141)]
[New Thread 0x7fffa37fe700 (LWP 1142)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.72.101
    Stream #0:0: Video: wrapped_avframe, yuv420p, 160x90 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 1 fps, 1 tbn, 1 tbc (default)
    Metadata:
      encoder         : Lavc57.93.100 wrapped_avframe

Program received signal SIGSEGV, Segmentation fault.
0x000000000055c2e3 in lookup_signatures (first=0x21d19a0, second=0x21d19f8, mode=1, sc=0x21d3540, ctx=0x21d3440) at libavfilter/signature_lookup.c:571
571	        av_log(ctx, AV_LOG_DEBUG, "Stage 3: best matching pair at %"PRIu32" and %"PRIu32", "
(gdb) bt
#0  0x000000000055c2e3 in lookup_signatures (first=0x21d19a0, second=0x21d19f8, mode=1, sc=0x21d3540, ctx=0x21d3440) at libavfilter/signature_lookup.c:571
#1  request_frame (outlink=<optimized out>) at libavfilter/vf_signature.c:623
#2  0x00000000004b971f in ff_request_frame_to_filter (link=0x21cf520) at libavfilter/avfilter.c:438
#3  0x00000000004bc53f in forward_status_change (in=0x21cfbc0, filter=0x21d3440) at libavfilter/avfilter.c:1288
#4  ff_filter_activate_default (filter=<optimized out>) at libavfilter/avfilter.c:1321
#5  ff_filter_activate (filter=0x21d3440) at libavfilter/avfilter.c:1476
#6  0x00000000004bfbcc in ff_filter_graph_run_once (graph=graph@entry=0x21d2660) at libavfilter/avfiltergraph.c:1446
#7  0x00000000004c0c38 in push_frame (graph=0x21d2660) at libavfilter/buffersrc.c:181
#8  av_buffersrc_add_frame_internal (ctx=ctx@entry=0x2062600, frame=frame@entry=0x0, flags=flags@entry=4) at libavfilter/buffersrc.c:203
#9  0x00000000004c10ed in av_buffersrc_add_frame_flags (ctx=0x2062600, frame=frame@entry=0x0, flags=flags@entry=4) at libavfilter/buffersrc.c:164
#10 0x0000000000495aa4 in ifilter_send_eof (ifilter=<optimized out>) at ffmpeg.c:2231
#11 send_filter_eof (ist=<optimized out>, ist=<optimized out>) at ffmpeg.c:2582
#12 0x000000000049ef61 in process_input_packet (ist=0x2013a80, no_eof=no_eof@entry=0, pkt=0x0) at ffmpeg.c:2715
#13 0x000000000047e8c7 in process_input (file_index=0) at ffmpeg.c:4199
#14 transcode_step () at ffmpeg.c:4510
#15 transcode () at ffmpeg.c:4564
#16 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4769
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x55c2c3 to 0x55c303:
   0x000000000055c2c3 <request_frame+2211>:	xor    %al,(%rax)
   0x000000000055c2c5 <request_frame+2213>:	add    %al,(%rax)
   0x000000000055c2c7 <request_frame+2215>:	push   %rax
   0x000000000055c2c8 <request_frame+2216>:	mov    0x30(%rsp),%rax
   0x000000000055c2cd <request_frame+2221>:	mov    0xb4(%rsp),%r9d
   0x000000000055c2d5 <request_frame+2229>:	mov    0x40(%rsp),%rdi
   0x000000000055c2da <request_frame+2234>:	movsd  0xa8(%rsp),%xmm0
=> 0x000000000055c2e3 <request_frame+2243>:	mov    0x18(%rax),%r8d
   0x000000000055c2e7 <request_frame+2247>:	mov    $0x1,%eax
   0x000000000055c2ec <request_frame+2252>:	callq  0x10260d0 <av_log>
   0x000000000055c2f1 <request_frame+2257>:	pop    %rdx
   0x000000000055c2f2 <request_frame+2258>:	pop    %rcx
   0x000000000055c2f3 <request_frame+2259>:	mov    0x50(%rsp),%rbp
   0x000000000055c2f8 <request_frame+2264>:	mov    %rbp,0xc8(%rsp)
   0x000000000055c300 <request_frame+2272>:	mov    0x30(%rbp),%rbp
End of assembler dump.
(gdb) info register
rax            0xffffffff00000000	-4294967296
rbx            0x0	0
rcx            0x48f9f748	1224341320
rdx            0x109f728	17430312
rsi            0x30	48
rdi            0x21d3440	35468352
rbp            0x0	0x0
rsp            0x7fffffffd130	0x7fffffffd130
r8             0x10	16
r9             0x0	0
r10            0x21dc6a2	35505826
r11            0xf2	242
r12            0x21dc680	35505792
r13            0xa2	162
r14            0x0	0
r15            0x21d3540	35468608
rip            0x55c2e3	0x55c2e3 <request_frame+2243>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
```
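A small triage script, added here as an example and not part of the ticket or of FFmpeg, that works over a constructed excerpt of the valgrind and gdb output above: it groups the reports by kind, recovers the base register value from the faulting address and the `0x18(%rax)` operand, and checks that the invalid read at signature_lookup.c:571 lands on the same source line where valgrind already flagged an uninitialised 8-byte value. The excerpt, the instruction string and the rax value are copied from the session above; the function names are my own.

```python
import re
from collections import Counter
# Constructed excerpt of the valgrind and gdb output quoted in this ticket (not the full trace).
VALGRIND_LOG = """\
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x5584CA: get_matching_parameters (signature_lookup.c:258)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x5583DD: get_matching_parameters (signature_lookup.c:252)
==1012== Use of uninitialised value of size 8
==1012==    at 0x55C2B4: request_frame (signature_lookup.c:571)
==1012== Invalid read of size 4
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==  Address 0xffffffff00000018 is not stack'd, malloc'd or (recently) free'd
==1012== Process terminating with default action of signal 11 (SIGSEGV)
==1012==  Access not within mapped region at address 0xFFFFFFFF00000018
"""
FAULT_INSN = "mov 0x18(%rax),%r8d"   # gdb: faulting instruction at $pc
GDB_RAX = 0xffffffff00000000         # gdb: info register rax
ERROR_RE = re.compile(r"^==\d+== (Conditional jump|Use of uninitialised|Invalid (?:read|write))")
FRAME_RE = re.compile(r"^==\d+==\s+at 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
FAULT_RE = re.compile(r"Access not within mapped region at address 0x([0-9A-Fa-f]+)")
DISP_RE = re.compile(r"(-?0x[0-9a-f]+)\((%\w+)\)")
def parse_errors(log):
    # One (kind, function, file:line) per report, taken from its innermost 'at' frame.
    errors, kind = [], None
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            kind = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m and kind is not None:
            errors.append((kind, m.group(1), m.group(2)))
            kind = None              # outer 'by' frames are ignored
    return errors
def base_from_fault(fault_addr, insn):
    # Undo the operand displacement: 0x...18 reached via 0x18(%rax) means %rax held 0x...00.
    disp, reg = DISP_RE.search(insn).groups()
    return reg, (fault_addr - int(disp, 16)) & 0xffffffffffffffff

def triage(log=VALGRIND_LOG, insn=FAULT_INSN, reg_value=GDB_RAX):
    # Tie the SIGSEGV to the uninitialised value valgrind reported on the same source line.
    errors = parse_errors(log)
    fault = int(FAULT_RE.search(log).group(1), 16)
    reg, base = base_from_fault(fault, insn)
    crash_site = next(loc for k, _, loc in errors if k.startswith("Invalid"))
    uninit_sites = {loc for k, _, loc in errors if "uninitialised" in k}
    return {
        "error_counts": dict(Counter(k for k, _, _ in errors)),
        "crash_site": crash_site,
        "base_register": reg,
        "base_matches_gdb": base == reg_value,
        "uninit_value_at_crash_site": crash_site in uninit_sites,
    }
```

On the full trace the same correlation holds: the `Use of uninitialised value of size 8` at 0x55C2E3 and the `Invalid read of size 4` at 0x55C2E3 are the same `mov 0x18(%rax),%r8d`, so the segfault is a field load through a pointer valgrind had already marked as uninitialised.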
video1