[Ffmpeg-devel] [BUG] [PATCH] RV10 crash

Diego Biurrun diego
Fri Apr 14 23:30:27 CEST 2006

A peculiar bug report arrived in Bugzilla yesterday:


It's a RM file with RV10/RV13 video that crashes MPlayer (even with
libavformat demuxer) and xine, but not ffplay.  Roberto moved it to our
samples collection already:


The bug report came with a patch to libavcodec/rv10.c that makes the
crash go away.  I've attached the patch to this mail.

I have verified the crash on PPC, Roberto on x86.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 805494784 (LWP 15449)]
ff_er_frame_end (s=0x10716d70) at error_resilience.c:688
688             if(pic->ref_index[i])
(gdb) bt
#0  ff_er_frame_end (s=0x10716d70) at error_resilience.c:688
#1  0x1030165c in rv10_decode_frame (avctx=0x10716a00, data=0x10716920, 
    buf=0x10837b70 "??7\217?\212??A?'8\236??r\022e?\r??G\031???\v???<d~e??7\225\022$?\215D?oWx\216`CKN#Fb??\\\002??@d?\224??<?*\036?;??\002?.3H\030????W\215\\3\n?Bj\020???c?&<?Y?\215cEsCV0???\235\004\227Qt?#?0?M?O\025\203\026\0040&K\207\201pbn?\b\031?\017??J??=?p\211.?.\234<?S\215\016\005 FFB\213\001\221?hV\001\200?y\204\020`B?\200P\202\025\037?='&???\f????"..., buf_size=391) at rv10.c:741
#2  0x101c457c in avcodec_decode_video (avctx=0x10716a00, picture=0x0, 
    got_picture_ptr=0x20004482, buf=0x10 <Address 0x10 out of bounds>, 
    buf_size=391) at utils.c:946
#3  0x100d470c in decode (sh=0x106f0b40, data=0x10716920, len=391, 
    flags=277052272) at vd_ffmpeg.c:819
#4  0x100cdf88 in decode_video (sh_video=0x106f0b40, start=0x10837b60 "", 
    in_size=415, drop_frame=0, pts=-9.2233720368547758e+18) at dec_video.c:316
#5  0x1004dfa8 in main (argc=<value optimized out>, argv=<value optimized out>)
    at mplayer.c:3556

Let me know if you need more information.

-------------- next part --------------
--- libavcodec/rv10.c	2006-04-13 01:46:22.000000000 +0200
+++ libavcodec/rv10.c	2006-04-13 14:13:36.000000000 +0200
@@ -737,7 +737,7 @@
         rv10_decode_packet(avctx, buf, buf_size);
-    if(s->mb_y>=s->mb_height){
+    if(s->current_picture_ptr != NULL && s->mb_y>=s->mb_height){

More information about the ffmpeg-devel mailing list