[FFmpeg-trac] #2921(undetermined:new): jpeg2000: invalid write 3

FFmpeg trac at avcodec.org
Sat Aug 31 12:55:19 CEST 2013


#2921: jpeg2000: invalid write 3
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:  undetermined
                Version:  unspecified|               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 http://www.datafilehost.com/d/4b8667b1

 BTW, could somebody please tell me whether I should report signal 9 (memory
 exceeded?) or ignore them?
 (I have found a few of them in various decoders while looking for
 segfaults.)

 {{{
 knoppix at Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-
 HEAD-c042684/ffmpeg_g -i jp2k_fuzz.avi -an -f null -
 ==8835== Memcheck, a memory error detector
 ==8835== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==8835== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==8835== Command: ffmpeg-HEAD-c042684/ffmpeg_g -i jp2k_fuzz.avi -an -f
 null -
 ==8835==
 ffmpeg version 2.0-c042684 Copyright (c) 2000-2013 the FFmpeg developers
   built on Aug 30 2013 20:55:53 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --disable-ffprobe --disable-ffserver
 --enable-gpl
   libavutil      52. 42.100 / 52. 42.100
   libavcodec     55. 29.100 / 55. 29.100
   libavformat    55. 15.100 / 55. 15.100
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 82.102 /  3. 82.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 ==8835== Conditional jump or move depends on uninitialised value(s)
 ==8835==    at 0x850A449: jpeg2000_decode_tile (common.h:105)
 ==8835==    by 0x850D84D: jpeg2000_decode_frame (jpeg2000dec.c:1644)
 ==8835==    by 0x867704D: avcodec_decode_video2 (utils.c:1983)
 ==8835==    by 0x8233FC7: try_decode_frame (utils.c:2475)
 ==8835==
 ==8835== Conditional jump or move depends on uninitialised value(s)
 ==8835==    at 0x850A451: jpeg2000_decode_tile (common.h:105)
 ==8835==    by 0x850D84D: jpeg2000_decode_frame (jpeg2000dec.c:1644)
 ==8835==    by 0x867704D: avcodec_decode_video2 (utils.c:1983)
 ==8835==    by 0x8233FC7: try_decode_frame (utils.c:2475)
 ==8835==
 Input #0, avi, from 'jp2k_fuzz.avi':
   Duration: 00:00:24.80, start: 0.000000, bitrate: 2637 kb/s
     Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0)
 (MJ2C / 0x43324A4D), yuv420p, 352x244, 5 tbr, 5 tbn, 5 tbc
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.15.100
     Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 352x244,
 q=2-31, 200 kb/s, 90k tbn, 5 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
 Press [q] to stop, [?] for help
 [jpeg2000 @ 0x44a7d20] error during processing marker segment ff52
 ==8835== Thread 12:
 ==8835== Conditional jump or move depends on uninitialised value(s)
 ==8835==    at 0x850A449: jpeg2000_decode_tile (common.h:105)
 ==8835==    by 0x850D84D: jpeg2000_decode_frame (jpeg2000dec.c:1644)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==    by 0x416395D: clone (clone.S:130)
 ==8835==
 ==8835== Conditional jump or move depends on uninitialised value(s)
 ==8835==    at 0x850A451: jpeg2000_decode_tile (common.h:105)
 ==8835==    by 0x850D84D: jpeg2000_decode_frame (jpeg2000dec.c:1644)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==    by 0x416395D: clone (clone.S:130)
 ==8835==
 [null @ 0x43ce160] Encoder did not produce proper pts, making some up.
 Error while decoding stream #0:0: Operation not permittedte=N/A
 ==8835== Thread 19: q=0.0 size=N/A time=00:00:02.20 bitrate=N/A dup=1
 drop=0
 ==8835== Invalid write of size 1
 ==8835==    at 0x850A45E: jpeg2000_decode_tile (jpeg2000dec.c:1288)
 ==8835==    by 0x850D84D: jpeg2000_decode_frame (jpeg2000dec.c:1644)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==    by 0x416395D: clone (clone.S:130)
 ==8835==  Address 0x107368df is 0 bytes after a block of size 27,679
 alloc'd
 ==8835==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
 ==8835==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
 ==8835==    by 0x886C657: av_malloc (mem.c:93)
 ==8835==    by 0x885F022: av_buffer_allocz (buffer.c:70)
 ==8835==    by 0x885F608: av_buffer_pool_get (buffer.c:305)
 ==8835==    by 0x8673474: video_get_buffer (utils.c:575)
 ==8835==    by 0x8674D10: get_buffer_internal (utils.c:865)
 ==8835==    by 0x86752A3: ff_get_buffer (utils.c:877)
 ==8835==    by 0x85CE0B1: ff_thread_get_buffer (pthread.c:962)
 ==8835==    by 0x850CA70: jpeg2000_decode_frame (jpeg2000dec.c:1635)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==
 ==8835== Thread 1:1 q=0.0 size=N/A time=00:00:03.40 bitrate=N/A dup=1
 drop=0
 ==8835== Invalid read of size 4
 ==8835==    at 0x885F133: av_buffer_unref (buffer.c:114)
 ==8835==    by 0x8865FAD: av_frame_unref (frame.c:347)
 ==8835==    by 0x80B4AEB: reap_filters (ffmpeg.c:1110)
 ==8835==    by 0x80A2E42: main (ffmpeg.c:3190)
 ==8835==  Address 0x80808088 is not stack'd, malloc'd or (recently) free'd
 ==8835==
 ==8835==
 ==8835== Process terminating with default action of signal 11 (SIGSEGV)
 ==8835==  Access not within mapped region at address 0x80808088
 ==8835==    at 0x885F133: av_buffer_unref (buffer.c:114)
 ==8835==    by 0x8865FAD: av_frame_unref (frame.c:347)
 ==8835==    by 0x80B4AEB: reap_filters (ffmpeg.c:1110)
 ==8835==    by 0x80A2E42: main (ffmpeg.c:3190)
 ==8835==  If you believe this happened as a result of a stack
 ==8835==  overflow in your program's main thread (unlikely but
 ==8835==  possible), you can try to increase the size of the
 ==8835==  main thread stack using the --main-stacksize= flag.
 ==8835==  The main thread stack size used in this run was 8388608.
 ==8835==
 ==8835== HEAP SUMMARY:
 ==8835==     in use at exit: 11,811,697 bytes in 445 blocks
 ==8835==   total heap usage: 2,661 allocs, 2,216 frees, 39,762,347 bytes
 allocated
 ==8835==
 ==8835== 44 (24 direct, 20 indirect) bytes in 1 blocks are definitely lost
 in loss record 59 of 126
 ==8835==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
 ==8835==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
 ==8835==    by 0x886C8C7: av_mallocz (mem.c:93)
 ==8835==    by 0x885F044: av_buffer_allocz (buffer.c:34)
 ==8835==    by 0x885F608: av_buffer_pool_get (buffer.c:305)
 ==8835==    by 0x8673474: video_get_buffer (utils.c:575)
 ==8835==    by 0x8674D10: get_buffer_internal (utils.c:865)
 ==8835==    by 0x86752A3: ff_get_buffer (utils.c:877)
 ==8835==    by 0x85CE0B1: ff_thread_get_buffer (pthread.c:962)
 ==8835==    by 0x850CA70: jpeg2000_decode_frame (jpeg2000dec.c:1635)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==
 ==8835== 44 (24 direct, 20 indirect) bytes in 1 blocks are definitely lost
 in loss record 60 of 126
 ==8835==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
 ==8835==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
 ==8835==    by 0x886C8C7: av_mallocz (mem.c:93)
 ==8835==    by 0x885F044: av_buffer_allocz (buffer.c:34)
 ==8835==    by 0x885F608: av_buffer_pool_get (buffer.c:305)
 ==8835==    by 0x86734E4: video_get_buffer (utils.c:575)
 ==8835==    by 0x8674D10: get_buffer_internal (utils.c:865)
 ==8835==    by 0x86752A3: ff_get_buffer (utils.c:877)
 ==8835==    by 0x85CE0B1: ff_thread_get_buffer (pthread.c:962)
 ==8835==    by 0x850CA70: jpeg2000_decode_frame (jpeg2000dec.c:1635)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==
 ==8835== 1,296 bytes in 9 blocks are possibly lost in loss record 104 of
 126
 ==8835==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
 ==8835==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
 ==8835==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
 ==8835==    by 0x80D9591: ff_graph_thread_init (pthread.c:180)
 ==8835==    by 0x80CD507: avfilter_graph_alloc_filter
 (avfiltergraph.c:186)
 ==8835==    by 0x80D8144: create_filter (graphparser.c:112)
 ==8835==    by 0x80D8B99: avfilter_graph_parse2 (graphparser.c:169)
 ==8835==
 ==8835== 1,296 bytes in 9 blocks are possibly lost in loss record 105 of
 126
 ==8835==    at 0x4026A68: calloc (vg_replace_malloc.c:566)
 ==8835==    by 0x40111FB: _dl_allocate_tls (dl-tls.c:300)
 ==8835==    by 0x407C2A8: pthread_create@@GLIBC_2.1 (allocatestack.c:580)
 ==8835==    by 0x85CE7BE: ff_thread_init (pthread.c:872)
 ==8835==    by 0x867B19D: avcodec_open2 (utils.c:1223)
 ==8835==    by 0x80B9F46: transcode_init (ffmpeg.c:1983)
 ==8835==    by 0x80A242F: main (ffmpeg.c:3204)
 ==8835==
 ==8835== 27,679 bytes in 1 blocks are possibly lost in loss record 117 of
 126
 ==8835==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
 ==8835==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
 ==8835==    by 0x886C657: av_malloc (mem.c:93)
 ==8835==    by 0x885F022: av_buffer_allocz (buffer.c:70)
 ==8835==    by 0x885F608: av_buffer_pool_get (buffer.c:305)
 ==8835==    by 0x8673474: video_get_buffer (utils.c:575)
 ==8835==    by 0x8674D10: get_buffer_internal (utils.c:865)
 ==8835==    by 0x86752A3: ff_get_buffer (utils.c:877)
 ==8835==    by 0x85CE0B1: ff_thread_get_buffer (pthread.c:962)
 ==8835==    by 0x850CA70: jpeg2000_decode_frame (jpeg2000dec.c:1635)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==
 ==8835== 27,679 bytes in 1 blocks are possibly lost in loss record 118 of
 126
 ==8835==    at 0x40268A4: memalign (vg_replace_malloc.c:694)
 ==8835==    by 0x402695E: posix_memalign (vg_replace_malloc.c:835)
 ==8835==    by 0x886C657: av_malloc (mem.c:93)
 ==8835==    by 0x885F022: av_buffer_allocz (buffer.c:70)
 ==8835==    by 0x885F608: av_buffer_pool_get (buffer.c:305)
 ==8835==    by 0x86734E4: video_get_buffer (utils.c:575)
 ==8835==    by 0x8674D10: get_buffer_internal (utils.c:865)
 ==8835==    by 0x86752A3: ff_get_buffer (utils.c:877)
 ==8835==    by 0x85CE0B1: ff_thread_get_buffer (pthread.c:962)
 ==8835==    by 0x850CA70: jpeg2000_decode_frame (jpeg2000dec.c:1635)
 ==8835==    by 0x85CC83D: frame_worker_thread (pthread.c:339)
 ==8835==    by 0x407B953: start_thread (pthread_create.c:304)
 ==8835==
 ==8835== LEAK SUMMARY:
 ==8835==    definitely lost: 48 bytes in 2 blocks
 ==8835==    indirectly lost: 40 bytes in 2 blocks
 ==8835==      possibly lost: 57,950 bytes in 20 blocks
 ==8835==    still reachable: 11,753,659 bytes in 421 blocks
 ==8835==         suppressed: 0 bytes in 0 blocks
 ==8835== Reachable blocks (those to which a pointer was found) are not
 shown.
 ==8835== To see them, rerun with: --leak-check=full --show-reachable=yes
 ==8835==
 ==8835== For counts of detected and suppressed errors, rerun with: -v
 ==8835== Use --track-origins=yes to see where uninitialised values come
 from
 ==8835== ERROR SUMMARY: 1020033 errors from 12 contexts (suppressed: 59
 from 6)
 Killed
 }}}

 {{{
 knoppix at Microknoppix:/media/sdb1$ gdb ffmpeg-HEAD-c042684/ffmpeg_g
 GNU gdb (GDB) 7.4.1-debian
 Copyright (C) 2012 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /media/sdb1/ffmpeg-HEAD-c042684/ffmpeg_g...done.
 (gdb) r -i jp2k_fuzz.avi -an -f null -
 Starting program: /media/sdb1/ffmpeg-HEAD-c042684/ffmpeg_g -i
 jp2k_fuzz.avi -an -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 2.0-c042684 Copyright (c) 2000-2013 the FFmpeg developers
   built on Aug 30 2013 20:55:53 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --disable-ffprobe --disable-ffserver
 --enable-gpl
   libavutil      52. 42.100 / 52. 42.100
   libavcodec     55. 29.100 / 55. 29.100
   libavformat    55. 15.100 / 55. 15.100
   libavdevice    55.  3.100 / 55.  3.100
   libavfilter     3. 82.102 /  3. 82.102
   libswscale      2.  5.100 /  2.  5.100
   libswresample   0. 17.103 /  0. 17.103
   libpostproc    52.  3.100 / 52.  3.100
 Input #0, avi, from 'jp2k_fuzz.avi':
   Duration: 00:00:24.80, start: 0.000000, bitrate: 2637 kb/s
     Stream #0:0: Video: jpeg2000 (JPEG 2000 codestream restriction 0)
 (MJ2C / 0x43324A4D), yuv420p, 352x244, 5 tbr, 5 tbn, 5 tbc
 [New Thread 0xb7df8b70 (LWP 8861)]
 [New Thread 0xb75f8b70 (LWP 8862)]
 [New Thread 0xb6df8b70 (LWP 8863)]
 [New Thread 0xb65f8b70 (LWP 8864)]
 [New Thread 0xb5df8b70 (LWP 8865)]
 [New Thread 0xb55f8b70 (LWP 8866)]
 [New Thread 0xb4df8b70 (LWP 8867)]
 [New Thread 0xb45f8b70 (LWP 8868)]
 [New Thread 0xb3df8b70 (LWP 8869)]
 [New Thread 0xb35f8b70 (LWP 8870)]
 [New Thread 0xb2df8b70 (LWP 8871)]
 [New Thread 0xb25f8b70 (LWP 8872)]
 [New Thread 0xb1df8b70 (LWP 8873)]
 [New Thread 0xb15f8b70 (LWP 8874)]
 [New Thread 0xb0df8b70 (LWP 8875)]
 [New Thread 0xb05f8b70 (LWP 8876)]
 [New Thread 0xafdf8b70 (LWP 8877)]
 [New Thread 0xaf5f8b70 (LWP 8878)]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.15.100
     Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 352x244,
 q=2-31, 200 kb/s, 90k tbn, 5 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (jpeg2000 -> rawvideo)
 Press [q] to stop, [?] for help
 [jpeg2000 @ 0x90f83c0] error during processing marker segment ff52
 [null @ 0x9106fc0] Encoder did not produce proper pts, making some up.
 Error while decoding stream #0:0: Operation not permitted

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0xaf5f8b70 (LWP 8878)]
 av_freep (arg=arg at entry=0x80808084) at libavutil/mem.c:217
 217         av_free(*ptr);
 (gdb) bt
 #0  av_freep (arg=arg at entry=0x80808084) at libavutil/mem.c:217
 #1  0x085091e8 in ff_jpeg2000_cleanup (comp=0xae6fbb60, codsty=0xae8b6a48)
     at libavcodec/jpeg2000.c:515
 #2  0x0850d95d in jpeg2000_dec_cleanup (s=<optimized out>)
     at libavcodec/jpeg2000dec.c:1366
 #3  jpeg2000_decode_frame (avctx=0x90f8a40, data=0x910c560,
     got_frame=0x910c71c, avpkt=0x910c510) at libavcodec/jpeg2000dec.c:1647
 #4  0x085cc83e in frame_worker_thread (arg=0x910c440)
     at libavcodec/pthread.c:339
 #5  0xb7f87954 in start_thread (arg=0xaf5f8b70) at pthread_create.c:304
 #6  0xb7f0895e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
 (gdb)
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2921>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
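The valgrind run above reports a 1-byte write landing 0 bytes past the end of a 27,679-byte block that came from the frame-buffer pool (the av_buffer_pool_get / ff_get_buffer chain), and the process then dies dereferencing 0x80808088, with gdb showing av_freep called on 0x80808084 from ff_jpeg2000_cleanup. One reading consistent with those two facts, offered here as an interpretation and not something the ticket itself establishes, is that decoded sample data (0x80 is the neutral value of an 8-bit YUV sample) spilled past the plane into neighbouring heap memory that held a pointer the decoder later frees. The C program below is an added illustration of that failure mode and of the bounds check that prevents it; it is not FFmpeg's code, the Plane and TileRect types, the function names, and the 8x4 plane are all hypothetical, and the "fuzzed" tile is constructed for the demonstration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for a frame plane and for a tile
 * rectangle parsed from an untrusted codestream (not FFmpeg's structures). */
typedef struct {
    int width, height, linesize;
    uint8_t *data;
} Plane;

typedef struct {
    int x0, y0, x1, y1;      /* half-open [x0,x1) x [y0,y1), attacker controlled */
} TileRect;

/* Vulnerable pattern: trusts the tile rectangle and writes wherever it says. */
static void write_tile_unchecked(Plane *p, const TileRect *t, uint8_t sample)
{
    for (int y = t->y0; y < t->y1; y++)
        for (int x = t->x0; x < t->x1; x++)
            p->data[(size_t)y * p->linesize + x] = sample;
}

/* The check a decoder needs before touching the frame buffer: the tile must
 * lie fully inside the plane; empty or inverted rectangles are rejected too. */
static int tile_fits(const Plane *p, const TileRect *t)
{
    if (t->x0 < 0 || t->y0 < 0)
        return 0;
    if (t->x1 <= t->x0 || t->y1 <= t->y0)
        return 0;
    if (t->x1 > p->width || t->y1 > p->height)
        return 0;
    return 1;
}

/* Hardened pattern: validate, then write. -1 stands in for an
 * AVERROR_INVALIDDATA style return. */
static int write_tile_checked(Plane *p, const TileRect *t, uint8_t sample)
{
    if (!tile_fits(p, t))
        return -1;
    write_tile_unchecked(p, t, sample);
    return 0;
}

/* Convenience wrapper over a fixed 8x4 plane, used for checking the rules. */
static int fits_8x4(int x0, int y0, int x1, int y1)
{
    Plane p = { 8, 4, 8, NULL };
    TileRect t = { x0, y0, x1, y1 };
    return tile_fits(&p, &t);
}

/* Deterministic model of the heap layout the valgrind trace suggests: a plane
 * immediately followed by a pointer-sized field, kept inside ONE allocation so
 * the demonstration itself stays within defined behaviour. */
#define PLANE_W 8
#define PLANE_H 4
#define PLANE_BYTES (PLANE_W * PLANE_H)
#define FAKE_PTR ((uintptr_t)0x1000)

/* Run one writer against a fuzzed tile that is one row too tall and return
 * what the pointer field next to the plane holds afterwards. */
static uintptr_t neighbor_after_write(int use_checked_writer)
{
    uint8_t *block = calloc(PLANE_BYTES + sizeof(uintptr_t), 1);
    uintptr_t neighbor = FAKE_PTR;
    if (!block)
        return 0;
    memcpy(block + PLANE_BYTES, &neighbor, sizeof neighbor);

    Plane p = { PLANE_W, PLANE_H, PLANE_W, block };
    TileRect fuzzed = { 0, 0, PLANE_W, PLANE_H + 1 };   /* constructed bad input */

    if (use_checked_writer)          /* 0x80: neutral 8-bit YUV sample value */
        write_tile_checked(&p, &fuzzed, 0x80);
    else
        write_tile_unchecked(&p, &fuzzed, 0x80);

    memcpy(&neighbor, block + PLANE_BYTES, sizeof neighbor);
    free(block);
    return neighbor;
}

/* True when every byte of the pointer has become 0x80, i.e. it now looks
 * like the 0x80808088 / 0x80808084 addresses in the crash above. */
static int pointer_is_all_0x80(uintptr_t v)
{
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xff) != 0x80)
            return 0;
    return 1;
}

int main(void)
{
    uintptr_t bad = neighbor_after_write(0), good = neighbor_after_write(1);
    printf("unchecked writer: neighbor = 0x%" PRIxPTR " (%s)\n", bad,
           pointer_is_all_0x80(bad) ? "overwritten with sample data" : "intact");
    printf("checked writer:   neighbor = 0x%" PRIxPTR " (%s)\n", good,
           good == FAKE_PTR ? "intact" : "corrupted");
    return 0;
}
```

The unchecked writer turns the neighbouring pointer into a run of 0x80 bytes, which is exactly the kind of value a later av_freep-style cleanup would dereference; the checked writer refuses the tile and leaves it untouched. Compiling the same program with -fsanitize=address and a layout of two separate allocations would report the overflow at the write itself rather than at the later free, which is the report a fuzzing harness should be set up to capture.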