[Ffmpeg-devel] [BUG] Segfault in error_resilience.c when using specific MPEG file

Panagiotis Issaris takis.issaris
Thu Feb 1 14:03:23 CET 2007


Hi,

When using a specific MPEG file with current FFmpeg a segmentation fault
occurs in ff_er_add_slice(). The file was based on lol-ffplay.mpg, but
further fuzzed with zzuf.

./ffmpeg -y -i lol-ffplay2.mpg /tmp/konijn.mpg
FFmpeg version SVN-r7796, Copyright (c) 2000-2006 Fabrice Bellard, et
al.
  configuration:  --enable-gpl --enable-x11grab 
  libavutil version: 49.3.0
  libavcodec version: 51.29.0
  libavformat version: 51.8.0
  built on Feb  1 2007 11:19:54, gcc: 4.1.2 20060928 (prerelease)
(Ubuntu 4.1.1-13ubuntu5)
[mpeg1video @ 0x84d42e0]sequence header damaged
[mpeg1video @ 0x84d42e0]current_picture not initalized
Input #0, mpegvideo, from 'lol-ffplay2.mpg':
  Duration: 00:00:04.0, start: 0.000000, bitrate: 578 kb/s
  Stream #0.0: Video: mpeg1video, yuv420p, 320x256, 579 kb/s, 25.00
fps(r)
Output #0, mpeg, to '/tmp/konijn.mpg':
  Stream #0.0: Video: mpeg1video, yuv420p, 320x256, q=2-31, 200 kb/s,
25.00 fps(c)
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding
[mpeg1video @ 0x84d42e0]sequence header damaged
[mpeg1video @ 0x84d42e0]current_picture not initalized
Error while decoding stream #0.0
[mpeg1video @ 0x84d42e0]warning: first frame is no keyframe
[mpeg1video @ 0x84d42e0]invalid mb type in P Frame at 4 0
[mpeg1video @ 0x84d42e0]ac-tex damaged at 2 4
[mpeg1video @ 0x84d42e0]00 motion_type at 0 7
[mpeg1video @ 0x84d42e0]invalid mb type in P Frame at 9 9
[mpeg1video @ 0x84d42e0]Warning MVs not available
[mpeg1video @ 0x84d42e0]concealing 320 DC, 320 AC, 320 MV errors
[mpeg1video @ 0x84d42e0]ac-tex damaged at 10 3
...
[mpeg1video @ 0x84d42e0]invalid mb type in I Frame at 0 15
[mpeg1video @ 0x84d42e0]skipped MB in I frame at 1 1
[mpeg1video @ 0x84d42e0]skipped MB in I frame at 2 2
[mpeg1video @ 0x84d42e0]invalid mb type in I Frame at 0 4
[mpeg1video @ 0x84d42e0]slice below image (133 >= 16)
[mpeg1video @ 0x84d42e0]slice below image (70 >= 16)
[mpeg1video @ 0x84d42e0]invalid mb type in I Frame at 0 7
[mpeg1video @ 0x84d42e0]skipped MB in I frame at 1 8
[mpeg1video @ 0x84d42e0]invalid mb type in I Frame at 0 9
[mpeg1video @ 0x84d42e0]slice below image (138 >= 16)
[mpeg1video @ 0x84d42e0]invalid mb type in I Frame at 0 11
[mpeg1video @ 0x84d42e0]ac-tex damaged at 0 12
[mpeg1video @ 0x84d42e0]skipped MB in I frame at 0 14
Segmentation fault (core dumped)

Sample uploaded to:
samples.mplayerhq.hu/MPlayer/incoming/mpeg_segfault

GDB backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xb7d0cea7 in memset () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7d0cea7 in memset () from /lib/tls/i686/cmov/libc.so.6
#1  0x081e7ab2 in ff_er_add_slice (s=0x859a080, startx=23, starty=13,
endx=0, endy=14, status=<value optimized out>) at error_resilience.c:640
#2  0x081d1057 in mpeg_decode_frame (avctx=0x854d080, data=0xbfdd4310,
data_size=0xbfdd4474, buf=0x86b1b18 "", buf_size=15516) at mpeg12.c:3224
#3  0x080c1042 in avcodec_decode_video (avctx=0x854d080,
picture=0xbfdd4310, got_picture_ptr=0xbfdd4474, buf=0x86b1b18 "",
buf_size=15516) at utils.c:910
#4  0x0805de51 in output_packet (ist=0x8554a20, ist_index=0,
ost_table=0x8554a70, nb_ostreams=1, pkt=0xbfdd4690) at ffmpeg.c:1093
#5  0x08060290 in main (argc=Cannot access memory at address 0x3ffb7b15
) at ffmpeg.c:1937

(gdb) frame 1
#1  0x081e7ab2 in ff_er_add_slice (s=0x859a080, startx=23, starty=13,
endx=0, endy=14, status=<value optimized out>) at error_resilience.c:640
640             memset(&s->error_status_table[start_xy], 0, (end_xy -
start_xy) * sizeof(uint8_t));

(gdb) list
635         }
636
637         if(status & (AC_ERROR|DC_ERROR|MV_ERROR)) s->error_count=
INT_MAX;
638
639         if(mask == ~0x7F){
640             memset(&s->error_status_table[start_xy], 0, (end_xy -
start_xy) * sizeof(uint8_t));
641         }else{
642             int i;
643             for(i=start_xy; i<end_xy; i++){
644                 s->error_status_table[ i ] &= mask;
 
(gdb) print end_xy
$1 = 294
(gdb) print start_xy
$2 = 297
(gdb) 

So, it appears the memset gets a negative length parameter and
segfaults.


With friendly regards,
Takis

-- 
vCard: http://www.issaris.org/pi.vcf
Public key: http://www.issaris.org/pi.key
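Added example, not code from the original mail or from FFmpeg's source tree: a small C program that reconstructs the index arithmetic behind the values gdb printed above (start_xy=297, end_xy=294) and puts a bounds check in front of the memset. The geometry is derived from the log (320x256 means 20x16 macroblocks; a stride of 21 with one padding column per row is assumed), and the names clip_int, mb_index2xy, clear_slice_checked and run_case are this example's own. Whatever fix FFmpeg actually applied may differ; the point shown is that startx=23 lies beyond a 20-macroblock row, so the linear index spills into row 14, start_xy lands past end_xy, and the negative int difference becomes a huge size_t length.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed macroblock geometry for a 320x256 MPEG-1 stream: 20x16
 * macroblocks, with one padding column per row (stride 21). These are
 * assumptions derived from the log, not values read from FFmpeg. */
#define MB_WIDTH  20
#define MB_HEIGHT 16
#define MB_STRIDE (MB_WIDTH + 1)
#define MB_NUM    (MB_WIDTH * MB_HEIGHT)
/* One extra row so that the "one past the last macroblock" end index fits. */
#define TABLE_SIZE (MB_STRIDE * (MB_HEIGHT + 1))

typedef struct {
    uint8_t error_status_table[TABLE_SIZE];
} ErrCtx;

static ErrCtx g_ctx;   /* shared context for the demo cases below */

static int clip_int(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Linear macroblock index -> stride-based table offset (hypothetical
 * stand-in for a mb_index2xy lookup table). */
static int mb_index2xy(int i)
{
    return (i / MB_WIDTH) * MB_STRIDE + (i % MB_WIDTH);
}

/* Reconstruction of the arithmetic that yields the gdb values: startx=23
 * is past the 20-macroblock row, so the linear index spills into row 14
 * and start_xy (297) ends up beyond end_xy (294). */
static int slice_start_xy(int startx, int starty)
{
    return mb_index2xy(clip_int(startx + starty * MB_WIDTH, 0, MB_NUM - 1));
}

static int slice_end_xy(int endx, int endy)
{
    return mb_index2xy(clip_int(endx + endy * MB_WIDTH, 0, MB_NUM));
}

/* The length expression from the crash site, evaluated but never passed
 * to memset: a negative int difference converts to size_t and becomes huge. */
static size_t unsafe_memset_len(int start_xy, int end_xy)
{
    return (size_t)((end_xy - start_xy) * sizeof(uint8_t));
}

/* Hardened clear: reject a slice whose start lies outside the picture,
 * whose end precedes its start, or whose end runs off the table.
 * Returns the number of bytes cleared, or -1 if the slice was rejected. */
static int clear_slice_checked(ErrCtx *c, int startx, int starty,
                               int endx, int endy)
{
    int start_xy, end_xy;

    if (startx < 0 || startx >= MB_WIDTH || starty < 0 || starty >= MB_HEIGHT)
        return -1;
    start_xy = slice_start_xy(startx, starty);
    end_xy   = slice_end_xy(endx, endy);
    if (end_xy < start_xy || end_xy > TABLE_SIZE)
        return -1;
    memset(&c->error_status_table[start_xy], 0, (size_t)(end_xy - start_xy));
    return end_xy - start_xy;
}

/* Fill the table with a marker byte, run one slice, report bytes cleared. */
static int run_case(int startx, int starty, int endx, int endy)
{
    memset(&g_ctx, 0xFF, sizeof g_ctx);
    return clear_slice_checked(&g_ctx, startx, starty, endx, endy);
}

/* Count table entries the last run_case() actually zeroed. */
static int cleared_count(void)
{
    int n = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        n += g_ctx.error_status_table[i] == 0;
    return n;
}

int main(void)
{
    int s = slice_start_xy(23, 13), e = slice_end_xy(0, 14);
    printf("crash slice: start_xy=%d end_xy=%d memset len=%zu\n",
           s, e, unsafe_memset_len(s, e));
    printf("checked clear of crash slice: %d\n", run_case(23, 13, 0, 14));
    printf("checked clear of sane slice (3,13)-(0,14): %d bytes\n",
           run_case(3, 13, 0, 14));
    return 0;
}
```

With the crash parameters the checked version refuses the slice and nothing is written; with an in-range start column (3,13) the same end position clears the expected 18 bytes. The check on startx against MB_WIDTH catches the bad input at its source, and the end_xy < start_xy comparison is the last line of defence before a signed difference is handed to memset.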