[FFmpeg-trac] #4879(avcodec:open): decoding ffv1 crashes ffmpeg

FFmpeg trac at avcodec.org
Thu Sep 24 23:52:11 CEST 2015 

#4879: decoding ffv1 crashes ffmpeg
-------------------------------------+-------------------------------------
             Reporter:  dericed      |                    Owner:
                 Type:  defect       |                   Status:  open
             Priority:  important    |                Component:  avcodec
              Version:  git-master   |               Resolution:
             Keywords:  ffv1 crash   |               Blocked By:
  SIGSEGV regression                 |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by cehoyos):

 * keywords:  ffv1 => ffv1 crash SIGSEGV regression
 * priority:  normal => important
 * status:  new => open
 * reproduced:  0 => 1


Comment:

 Regression since 60217b5b9cf713b1eeb7626473eac357cde25673
 {{{
 (gdb) r -i SXS00455_ffv1_crash.mkv -f null -
 Starting program: ffmpeg_g -i SXS00455_ffv1_crash.mkv -f null -
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib64/libthread_db.so.1".
 ffmpeg version N-75503-g2441842 Copyright (c) 2000-2015 the FFmpeg
 developers
   built with gcc 4.7 (SUSE Linux)
   configuration: --enable-gpl
   libavutil      55.  2.100 / 55.  2.100
   libavcodec     57.  3.100 / 57.  3.100
   libavformat    57.  2.100 / 57.  2.100
   libavdevice    57.  0.100 / 57.  0.100
   libavfilter     6.  8.100 /  6.  8.100
   libswscale      4.  0.100 /  4.  0.100
   libswresample   2.  0.100 /  2.  0.100
   libpostproc    54.  0.100 / 54.  0.100
 Guessed Channel Layout for  Input Stream #0.1 : stereo
 Input #0, matroska,webm, from 'SXS00455_ffv1_crash.mkv':
   Metadata:
     MAJOR_BRAND     : qt
     MINOR_VERSION   : 512
     COMPATIBLE_BRANDS: qt
     ENCODER         : Lavf56.40.101
   Duration: 00:00:00.30, start: 0.000000, bitrate: 54018 kb/s
     Stream #0:0(eng): Video: ffv1 (FFV1 / 0x31564646), yuv422p, 720x486,
 SAR 9:10 DAR 4:3, 29.97 fps, 29.97 tbr, 1k tbn, 1k tbc (default)
     Metadata:
       LANGUAGE        : eng
       HANDLER_NAME    : DataHandler
       ENCODER         : FFV1 version 3
       DURATION        : 00:00:00.300000000
     Stream #0:1(eng): Audio: pcm_s24le, 48000 Hz, 2 channels, s32 (24
 bit), 2304 kb/s (default)
     Metadata:
       LANGUAGE        : eng
       HANDLER_NAME    : DataHandler
       DURATION        : 00:00:00.300000000
 Output #0, null, to 'pipe:':
   Metadata:
     MAJOR_BRAND     : qt
     MINOR_VERSION   : 512
     COMPATIBLE_BRANDS: qt
     encoder         : Lavf57.2.100
     Stream #0:0(eng): Video: rawvideo (Y42B / 0x42323459), yuv422p,
 720x486 [SAR 9:10 DAR 4:3], q=2-31, 200 kb/s, 29.97 fps, 29.97 tbn, 29.97
 tbc (default)
     Metadata:
       LANGUAGE        : eng
       HANDLER_NAME    : DataHandler
       DURATION        : 00:00:00.300000000
       encoder         : Lavc57.3.100 rawvideo
     Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, stereo, s16 (24 bit),
 1536 kb/s (default)
     Metadata:
       LANGUAGE        : eng
       HANDLER_NAME    : DataHandler
       DURATION        : 00:00:00.300000000
       encoder         : Lavc57.3.100 pcm_s16le
 Stream mapping:
   Stream #0:0 -> #0:0 (ffv1 (native) -> rawvideo (native))
   Stream #0:1 -> #0:1 (pcm_s24le (native) -> pcm_s16le (native))
 Press [q] to stop, [?] for help

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7fffe54d8700 (LWP 10456)]
 read_header (f=0x1fb78a0) at libavcodec/ffv1dec.c:799
 799             fs->ac            = f->ac;
 (gdb) bt
 #0  read_header (f=0x1fb78a0) at libavcodec/ffv1dec.c:799
 #1  decode_frame (avctx=0x1fb7100, data=0x1fb75e0, got_frame=0x1ca6608,
 avpkt=0x1ca65b0)
     at libavcodec/ffv1dec.c:904
 #2  0x0000000000a4f2ad in frame_worker_thread (arg=0x1ca64b0)
     at libavcodec/pthread_frame.c:154
 #3  0x00007ffff626ee0e in start_thread () from /lib64/libpthread.so.0
 #4  0x00007ffff52592cd in clone () from /lib64/libc.so.6
 (gdb) disass $pc-32,$pc+32
 Dump of assembler code from 0x7402d9 to 0x740319:
    0x00000000007402d9 <decode_frame+2137>:      rex
    0x00000000007402da <decode_frame+2138>:      lea    0x3bc0(%rbx),%rcx
    0x00000000007402e1 <decode_frame+2145>:      mov    %rcx,%r13
    0x00000000007402e4 <decode_frame+2148>:      mov    0x40(%rsp),%rsi
    0x00000000007402e9 <decode_frame+2153>:      mov    0x1334(%rbx),%eax
    0x00000000007402ef <decode_frame+2159>:      cmpl   $0x2,0x12c0(%rbx)
    0x00000000007402f6 <decode_frame+2166>:      mov    (%rsi),%r14
 => 0x00000000007402f9 <decode_frame+2169>:      mov    %eax,0x1334(%r14)
    0x0000000000740300 <decode_frame+2176>:      mov    0x9744(%rbx),%eax
    0x0000000000740306 <decode_frame+2182>:      movl   $0x0,0x9738(%r14)
    0x0000000000740311 <decode_frame+2193>:      mov    %eax,0x9744(%r14)
    0x0000000000740318 <decode_frame+2200>:      je     0x740aaf
 <decode_frame+4143>
 End of assembler dump.
 (gdb) info register
 rax            0x0      0
 rbx            0x1fb78a0        33257632
 rcx            0x0      0
 rdx            0x4      4
 rsi            0x1fc1010        33296400
 rdi            0x202f5c0        33748416
 rbp            0x202ebc0        0x202ebc0
 rsp            0x7fffe54d7d00   0x7fffe54d7d00
 r8             0x21ec960        35572064
 r9             0x100    256
 r10            0x2002261        33563233
 r11            0xccccccc        214748364
 r12            0xffffffff       4294967295
 r13            0x1fbb460        33272928
 r14            0x0      0
 r15            0x2      2
 rip            0x7402f9 0x7402f9 <decode_frame+2169>
 eflags         0x10202  [ IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4879#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list