[Ffmpeg-devel] [ BUG ] seg fault in libavcodec/error_resilience.c ff_er_add_slice()

Dieter freebsd
Fri Mar 3 22:52:31 CET 2006

Recent CVS of ffmpeg
FreeBSD 6.0
converting mpeg2ts to DV

The debugger says:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000693a0e in L1 ()
[New LWP 100108]
(gdb) bt
#0  0x0000000000693a0e in L1 ()
#1  0x000000000051b1b0 in ff_er_add_slice (s=0xb9a010, startx=0, starty=0, endx=-36259729, endy=-1269859056, status=14)
    at /rw/src/ffmpeg/libavcodec/error_resilience.c:649
#2  0x0000000000507fd9 in mpeg_decode_frame (avctx=0x8dd010, data=0x7fffffffe190, data_size=0x7fffffffdf98, 
    buf=0x210e010 "", buf_size=13169) at /rw/src/ffmpeg/libavcodec/mpeg12.c:3182
#3  0x000000000044b7ea in avcodec_decode_video (avctx=0x8dd010, picture=0x7fffffffe190, got_picture_ptr=0x7fffffffdf98, 
    buf=0x210e010 "", buf_size=13169) at /rw/src/ffmpeg/libavcodec/utils.c:944
#4  0x0000000000402aca in output_packet (ist=0x8c6c90, ist_index=2, ost_table=0x8c3190, nb_ostreams=2, pkt=0x7fffffffe490)
    at /rw/src/ffmpeg/ffmpeg.c:1283
#5  0x0000000000408c2c in main (argc=1245280544, argv=0x8c6c90) at /rw/src/ffmpeg/ffmpeg.c:2121

The last few debugging printfs:

DEBUG error_resilience.c ff_er_add_slice() s=0xb9a010 startx=0 starty=13 endx=5 endy=13 status=14
[mpeg2video @ 0x81b7f0]ac-tex damaged at 0 14

DEBUG error_resilience.c ff_er_add_slice() s=0xb9a010 startx=0 starty=14 endx=0 endy=14 status=14
[mpeg2video @ 0x81b7f0]00 motion_type at 5 2

DEBUG mpeg12.c mpeg_decode_frame() A s2=0xb9a010 s2->resync_mb_x=80 s2->resync_mb_y=1 s2->mb_x=5 s2->mb_y=2 AC_ERROR|DC_ERROR|MV_ERROR=14 s2->mb_num =1320 

DEBUG error_resilience.c ff_er_add_slice() s=0xb9a010 startx=80 starty=1 endx=5 endy=2 status=14

DEBUG error_resilience.c ff_er_add_slice() end_xy=95 start_xy=126 (end_xy - start_xy) * sizeof(uint8_t)=-31

The code:

 if(mask == ~0x7F){
       if ( start_xy > end_xy)
           fprintf(stderr, "\nDEBUG error_resilience.c ff_er_add_slice() end_xy=%d start_xy=%d (end_xy - start_xy) * sizeof(uint8_t)=%ld\n", end_xy, start_xy, (end_xy - start_xy) * sizeof(uint8_t));
line 649->       memset(&s->error_status_table[start_xy], 0, (end_xy - start_xy) * sizeof(uint8_t));
        int i;

I'm thinking that memset() probably doesn't enjoy being fed a negative number for length.
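An added example, not part of the original post and not ffmpeg's code: it evaluates the length expression from the report with the logged values start_xy=126 and end_xy=95, and shows a bounds-checked clear that refuses the reversed range. The -31 in the debug line is a size_t printed with %ld. The helper names and the 1350-byte table size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The length expression from the report, evaluated without calling memset().
 * The int difference is converted to size_t for the multiply (cast written
 * out here), so a negative difference wraps to a value near SIZE_MAX. */
static size_t unchecked_len(int start_xy, int end_xy)
{
    return (size_t)(end_xy - start_xy) * sizeof(uint8_t);
}

/* Hypothetical guard: returns 0 and sets *len only when [start_xy, end_xy)
 * is in order and lies inside a table of table_len bytes. */
static int checked_len(int start_xy, int end_xy, size_t table_len, size_t *len)
{
    if (start_xy < 0 || end_xy < start_xy)
        return -1;                      /* reversed or negative range */
    if ((size_t)end_xy > table_len)
        return -1;                      /* would run past the table */
    *len = (size_t)(end_xy - start_xy);
    return 0;
}

/* Hypothetical wrapper: clears the range only after the guard accepts it. */
static int clear_status_range(uint8_t *table, size_t table_len,
                              int start_xy, int end_xy)
{
    size_t len;

    if (checked_len(start_xy, end_xy, table_len, &len) != 0)
        return -1;
    memset(&table[start_xy], 0, len);
    return 0;
}

int main(void)
{
    uint8_t table[1350];                /* constructed table size */

    memset(table, 0x7f, sizeof table);
    printf("unchecked length: %zu\n", unchecked_len(126, 95));
    printf("reversed range:   %d\n",
           clear_status_range(table, sizeof table, 126, 95));
    printf("in-order range:   %d\n",
           clear_status_range(table, sizeof table, 95, 126));
    return 0;
}
```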
