[FFmpeg-trac] #455(avcodec:new): Crash in ff_mspel_motion
FFmpeg
trac at avcodec.org
Sun Sep 11 00:09:14 CEST 2011
#455: Crash in ff_mspel_motion
--------------------------------------+---------------------------------
Reporter: cehoyos | Owner:
Type: defect | Status: new
Priority: important | Component: avcodec
Version: git-master | Keywords:
Blocked By: | Blocking:
Reproduced by developer: 1 | Analyzed by developer: 0
--------------------------------------+---------------------------------
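Found using fenrir's text file.
Only happens on ia32.
In the gdb output below, the fault is on the load of the function pointer for put_mspel_pixels_tab[dxy] (mov 0x8(%eax,%edx,4),%edx, with eax equal to s and edx = 0x84a1b39), not on the indirect call that follows. This suggests the table index used at wmv2.c:112 is far out of range.
The instructions listed before 0x08455652 appear to be mis-decoded, because the dump starts at $pc-32, which is presumably not an instruction boundary. Only the lines from 0x08455652 onward should be relied on.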
{{{
(gdb) r -i audio-switch-z14.m2ts -f null -
Starting program: ffmpeg_g -i audio-switch-z14.m2ts -f null -
[Thread debugging using libthread_db enabled]
ffmpeg version N-32449-g8fd1da5, Copyright (c) 2000-2011 the FFmpeg
developers
built on Sep 10 2011 23:48:36 with gcc 4.5.3
configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32' --disable-
optimizations
libavutil 51. 16. 0 / 51. 16. 0
libavcodec 53. 13. 0 / 53. 13. 0
libavformat 53. 12. 0 / 53. 12. 0
libavdevice 53. 3. 0 / 53. 3. 0
libavfilter 2. 39. 0 / 2. 39. 0
libswscale 2. 1. 0 / 2. 1. 0
...
...
Program received signal SIGSEGV, Segmentation fault.
0x08455652 in ff_mspel_motion (s=0x8e1acc0, dest_y=0xf6d16420 "",
dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P'
<repeats 200 times>...,
ref_picture=0x8e1b024, pix_op=0x8e1bd38, motion_x=128, motion_y=0,
h=16) at libavcodec/wmv2.c:112
112 s->dsp.put_mspel_pixels_tab[dxy](dest_y , ptr
, linesize);
(gdb) bt
#0 0x08455652 in ff_mspel_motion (s=0x8e1acc0, dest_y=0xf6d16420 "",
dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P'
<repeats 200 times>...,
ref_picture=0x8e1b024, pix_op=0x8e1bd38, motion_x=128, motion_y=0,
h=16) at libavcodec/wmv2.c:112
#1 0x0833a6cd in MPV_motion_internal (s=0x8e1acc0, dest_y=0xf6d16420 "",
dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P'
<repeats 200 times>..., dir=0,
ref_picture=0x8e1b024, pix_op=0x8e1bd38, qpix_op=0x8e1be98,
is_mpeg12=0)
at libavcodec/mpegvideo_common.h:729
#2 0x0833b2ac in MPV_motion (s=0x8e1acc0, dest_y=0xf6d16420 "",
dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P'
<repeats 200 times>..., dir=0,
ref_picture=0x8e1b024, pix_op=0x8e1bd38, qpix_op=0x8e1be98) at
libavcodec/mpegvideo_common.h:896
#3 0x083433f6 in MPV_decode_mb_internal (s=0x8e1acc0, block=0x8d0a9c0,
lowres_flag=0, is_mpeg12=0)
at libavcodec/mpegvideo.c:2161
#4 0x08344196 in MPV_decode_mb (s=0x8e1acc0, block=0x8d0a9c0) at
libavcodec/mpegvideo.c:2298
#5 0x08507bd1 in decode_mb (s=0x8e1acc0, ref=0) at
libavcodec/error_resilience.c:62
#6 0x08509e5b in guess_mv (s=0x8e1acc0) at
libavcodec/error_resilience.c:584
#7 0x0850ba43 in ff_er_frame_end (s=0x8e1acc0) at
libavcodec/error_resilience.c:1066
#8 0x0840f0ed in vc1_decode_frame (avctx=0x8ca1da0, data=0xffffb8f4,
data_size=0xffffb9fc,
avpkt=0xffffb890) at libavcodec/vc1dec.c:4009
#9 0x083f6a10 in avcodec_decode_video2 (avctx=0x8ca1da0,
picture=0xffffb8f4, got_picture_ptr=0xffffb9fc,
avpkt=0xffffb890) at libavcodec/utils.c:769
#10 0x080503d8 in output_packet (ist=0x8cbdda8, ist_index=0,
ost_table=0x8d62308, nb_ostreams=2,
pkt=0xffffcd18) at ffmpeg.c:1707
#11 0x0805384e in transcode (output_files=0x8ca4ff0, nb_output_files=1,
input_files=0x8c9ca78,
nb_input_files=1) at ffmpeg.c:2572
#12 0x08058eeb in main (argc=6, argv=0xffffd004) at ffmpeg.c:4489
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8455632 to 0x8455672:
0x08455632 <ff_mspel_motion+496>: cwtl
0x08455633 <ff_mspel_motion+497>: add %al,(%eax)
0x08455635 <ff_mspel_motion+499>: add %al,0x48d01c0(%ebx)
0x0845563b <ff_mspel_motion+505>: add 0x45c7e445(%ecx),%cl
0x08455641 <ff_mspel_motion+511>: aam $0x1
0x08455643 <ff_mspel_motion+513>: add %al,(%eax)
0x08455645 <ff_mspel_motion+515>: add %cl,0x558b0845(%ebx)
0x0845564b <ff_mspel_motion+521>: loopne 0x84555ce
<ff_mspel_motion+396>
0x0845564d <ff_mspel_motion+523>: ret $0x4f4
0x08455650 <ff_mspel_motion+526>: add %al,(%eax)
0x08455652 <ff_mspel_motion+528>: mov 0x8(%eax,%edx,4),%edx
0x08455656 <ff_mspel_motion+532>: mov -0x40(%ebp),%eax
0x08455659 <ff_mspel_motion+535>: mov %eax,0x8(%esp)
0x0845565d <ff_mspel_motion+539>: mov -0x1c(%ebp),%eax
0x08455660 <ff_mspel_motion+542>: mov %eax,0x4(%esp)
0x08455664 <ff_mspel_motion+546>: mov 0xc(%ebp),%eax
0x08455667 <ff_mspel_motion+549>: mov %eax,(%esp)
0x0845566a <ff_mspel_motion+552>: call *%edx
0x0845566c <ff_mspel_motion+554>: mov 0x8(%ebp),%eax
0x0845566f <ff_mspel_motion+557>: mov -0x20(%ebp),%edx
End of assembler dump.
(gdb) info registers
eax 0x8e1acc0 149007552
ecx 0xf000 61440
edx 0x84a1b39 139074361
ebx 0x780 1920
esp 0xffff8fe0 0xffff8fe0
ebp 0xffff9068 0xffff9068
esi 0x40 64
edi 0x8 8
eip 0x8455652 0x8455652 <ff_mspel_motion+528>
eflags 0x210206 [ PF IF RF ID ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
}}}
--
Ticket URL: <https://avcodec.org/trac/ffmpeg/ticket/455>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker