[Ffmpeg-devel] h.264 decoder segfault

Benoit Fouet benoit.fouet
Tue Jan 23 14:10:19 CET 2007


Hi,

While playing with zzuf, I created a file which causes ffmpeg to crash
in the h264 decoder (or at least that's what I think).

Here is the command line and the output:

$ valgrind -v --tool=memcheck ./ffmpeg_g -y -i
http://darkkben.free.fr/corrupted_h264.mp4 out_test.mp4
==19037== Memcheck, a memory error detector.
==19037== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==19037== Using LibVEX rev 1606, a library for dynamic binary translation.
==19037== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==19037== Using valgrind-3.2.0, a dynamic binary instrumentation framework.
==19037== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==19037==
--19037-- Command line
--19037--    ./ffmpeg_g
--19037--    -y
--19037--    -i
--19037--    http://darkkben.free.fr/corrupted_h264.mp4
--19037--    out_test.mp4
--19037-- Startup, with flags:
--19037--    -v
--19037--    --tool=memcheck
--19037-- Contents of /proc/version:
--19037--   Linux version 2.6.16-suspend2-r8 (root at it_sample) (gcc
version 3.4.6 (Gentoo 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9)) #8 SMP
PREEMPT Mon Oct 16 15:25:21 CEST 2006
--19037-- Arch and hwcaps: X86, x86-sse1-sse2
--19037-- Valgrind library directory: /usr/lib/valgrind
--19037-- Reading syms from /lib/ld-2.3.6.so (0x4000000)
--19037-- Reading syms from
/home/bfouet/env/open_sources/ffmpeg/ffmpeg_g (0x8048000)
--19037-- Reading syms from /usr/lib/valgrind/x86-linux/memcheck
(0x38000000)
--19037--    object doesn't have a symbol table
--19037--    object doesn't have a dynamic symbol table
--19037-- Reading suppressions file: /usr/lib/valgrind/default.supp
--19037-- REDIR: 0x4010C80 (index) redirected to 0x38028A03 (???)
--19037-- Reading syms from
/usr/lib/valgrind/x86-linux/vgpreload_core.so (0x4017000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so (0x401A000)
--19037--    object doesn't have a symbol table
==19037== WARNING: new redirection conflicts with existing -- ignoring it
--19037--     new: 0x04010C80 (index     ) R-> 0x0401D3E0 index
--19037-- REDIR: 0x4010E20 (strlen) redirected to 0x401D680 (strlen)
--19037-- Reading syms from /lib/tls/libm.so (0x4040000)
--19037-- Reading syms from /lib/libz.so.1.2.3 (0x4063000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/lib/libmp3lame.so.0.0.0 (0x4074000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/lib/libogg.so.0.5.2 (0x4109000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/lib/libxvidcore.so.4.1 (0x410E000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/local/lib/libx264.so.54 (0x4224000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/lib/libfaac.so.0.0.0 (0x42AF000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/lib/libfaad.so.0.0.0 (0x42BF000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /lib/tls/libc.so (0x42FA000)
--19037-- Reading syms from /lib/libdl-2.3.6.so (0x4415000)
--19037-- Reading syms from /lib/tls/libpthread.so (0x441A000)
--19037-- Reading syms from
/usr/lib/gcc/i686-pc-linux-gnu/3.4.6/libstdc++.so.6.0.3 (0x442C000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from /usr/lib/libmp4v2.so.0.0.0 (0x44FC000)
--19037--    object doesn't have a symbol table
--19037-- Reading syms from
/usr/lib/gcc/i686-pc-linux-gnu/3.4.6/libgcc_s.so.1 (0x45A9000)
--19037--    object doesn't have a symbol table
--19037-- REDIR: 0x4363450 (memset) redirected to 0x401DED0 (memset)
--19037-- REDIR: 0x4363970 (memcpy) redirected to 0x401DA20 (memcpy)
--19037-- REDIR: 0x4362660 (rindex) redirected to 0x401D2C0 (rindex)
--19037-- REDIR: 0x43622B0 (strlen) redirected to 0x401D660 (strlen)
--19037-- REDIR: 0x435EA00 (memalign) redirected to 0x401CE30 (memalign)
--19037-- REDIR: 0x435ED50 (realloc) redirected to 0x401CD20 (realloc)
--19037-- REDIR: 0x4361D60 (strcmp) redirected to 0x401D930 (strcmp)
FFmpeg version SVN-r7661, Copyright (c) 2000-2006 Fabrice Bellard, et al.
  configuration:  --enable-gpl --enable-mp3lame --enable-a52
--enable-xvid --enable-libogg --enable-vorbis --enable-x264
--enable-faad --enable-faac --enable-amr_nb --enable-amr_wb --enable-pp
--disable-strip --prefix=/usr --mandir=/usr/share/man --arch=amd64
  libavutil version: 49.2.0
  libavcodec version: 51.29.0
  libavformat version: 51.8.0
  built on Jan 23 2007 13:55:33, gcc: 3.4.6 (Gentoo 3.4.6-r1,
ssp-3.4.5-1.0, pie-8.7.9)
--19037-- REDIR: 0x4361DD0 (strcpy) redirected to 0x401D6C0 (strcpy)
--19037-- REDIR: 0x4361BF0 (index) redirected to 0x401D3B0 (index)
--19037-- REDIR: 0x435E790 (malloc) redirected to 0x401B4C0 (malloc)
--19037-- REDIR: 0x43624A0 (strncmp) redirected to 0x401D8D0 (strncmp)
--19037-- REDIR: 0x4362F50 (memchr) redirected to 0x401D9F0 (memchr)
--19037-- REDIR: 0x43625B0 (strncpy) redirected to 0x401D790 (strncpy)
--19037-- REDIR: 0x435CB40 (free) redirected to 0x401C2D0 (free)
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from
'http://darkkben.free.fr/corrupted_h264.mp4':
  Duration: 00:00:24.0, start: 0.000000, bitrate: 247 kb/s
  Stream #0.0(und): Video: h264, yuv420p, 320x240, 30.00 fps(r)
  Stream #0.1(und): Data: mp4s / 0x7334706D
  Stream #0.2(und): Data: mp4s / 0x7334706D
Output #0, mp4, to 'out_test.mp4':
  Stream #0.0: Video: mpeg4, yuv420p, 320x240, q=2-31, 200 kb/s, 30.00
fps(c)
Stream mapping:
  Stream #0.0 -> #0.0
[mpeg4 @ 0x83c8ca0]removing common factors from framerate
Press [q] to stop encoding
--19037-- REDIR: 0x43641D0 (rawmemchr) redirected to 0x401DF70 (rawmemchr)
--19037-- REDIR: 0x43633E0 (memmove) redirected to 0x401DEF0 (memmove)
[h264 @ 0x83c8ca0]corrupted macroblock 12 5 (total_coeff<0)its/s
[h264 @ 0x83c8ca0]error while decoding MB 12 5
[h264 @ 0x83c8ca0]concealing 237 DC, 237 AC, 237 MV errors
[h264 @ 0x83c8ca0]out of range intra chroma pred mode at 6 12s/s
[h264 @ 0x83c8ca0]error while decoding MB 6 12
[h264 @ 0x83c8ca0]concealing 103 DC, 103 AC, 103 MV errors
[h264 @ 0x83c8ca0]corrupted macroblock 17 7 (total_coeff<0)its/s
[h264 @ 0x83c8ca0]error while decoding MB 17 7
[h264 @ 0x83c8ca0]concealing 192 DC, 192 AC, 192 MV errors
[h264 @ 0x83c8ca0]concealing 8 DC, 8 AC, 8 MV errors298.4kbits/s
==19037== Conditional jump or move depends on uninitialised value(s)
==19037==    at 0x821B385: get_se_golomb (golomb.h:137)
==19037==
==19037== Conditional jump or move depends on uninitialised value(s)
==19037==    at 0x821B296: get_ue_golomb (golomb.h:54)
[h264 @ 0x83c8ca0]cbp too large (107) at 16 6trate= 406.1kbits/s
[h264 @ 0x83c8ca0]error while decoding MB 16 6
[h264 @ 0x83c8ca0]concealing 213 DC, 213 AC, 213 MV errors
[h264 @ 0x83c8ca0]P sub_mb_type 31 out of range at 12 8.8kbits/s
[h264 @ 0x83c8ca0]error while decoding MB 12 8
[h264 @ 0x83c8ca0]concealing 177 DC, 177 AC, 177 MV errors
[h264 @ 0x83c8ca0]out of range intra chroma pred mode at 16 11/s
[h264 @ 0x83c8ca0]error while decoding MB 16 11
[h264 @ 0x83c8ca0]concealing 113 DC, 113 AC, 113 MV errors
[h264 @ 0x83c8ca0]cbp too large (51) at 11 6bitrate= 382.9kbits/s
[h264 @ 0x83c8ca0]error while decoding MB 11 6
[h264 @ 0x83c8ca0]concealing 218 DC, 218 AC, 218 MV errors
[h264 @ 0x83c8ca0]out of range intra chroma pred mode at 14 8s/s
[h264 @ 0x83c8ca0]error while decoding MB 14 8
[h264 @ 0x83c8ca0]concealing 175 DC, 175 AC, 175 MV errors
==19037== 0 q=3.0 size=     201kB time=4.7 bitrate= 353.0kbits/s
==19037== Invalid read of size 2
==19037==    at 0x8228682: decode_residual (bitstream.h:888)
==19037==  Address 0xE0 is not stack'd, malloc'd or (recently) free'd
==19037==
==19037== Process terminating with default action of signal 11 (SIGSEGV)
==19037==  Access not within mapped region at address 0xE0
==19037==    at 0x8228682: decode_residual (bitstream.h:888)
==19037==    by 0x38018F5F: (within /usr/lib/valgrind/x86-linux/memcheck)
==19037==
==19037== ERROR SUMMARY: 5 errors from 3 contexts (suppressed: 39 from 1)
==19037==
==19037== 1 errors in context 1 of 3:
==19037== Invalid read of size 2
==19037==    at 0x8228682: decode_residual (bitstream.h:888)
==19037==  Address 0xE0 is not stack'd, malloc'd or (recently) free'd
==19037==
==19037== 2 errors in context 2 of 3:
==19037== Conditional jump or move depends on uninitialised value(s)
==19037==    at 0x821B296: get_ue_golomb (golomb.h:54)
==19037==
==19037== 2 errors in context 3 of 3:
==19037== Conditional jump or move depends on uninitialised value(s)
==19037==    at 0x821B385: get_se_golomb (golomb.h:137)
--19037--
--19037-- supp:   39 Ubuntu-stripped-ld.so
==19037==
==19037== IN SUMMARY: 5 errors from 3 contexts (suppressed: 39 from 1)
==19037==
==19037== malloc/free: in use at exit: 2,978,168 bytes in 247 blocks.
==19037== malloc/free: 787 allocs, 540 frees, 3,860,918 bytes allocated.
==19037==
==19037== searching for pointers to 247 not-freed blocks.
==19037== checked 3,452,136 bytes.
==19037==
==19037== LEAK SUMMARY:
==19037==    definitely lost: 0 bytes in 0 blocks.
==19037==      possibly lost: 0 bytes in 0 blocks.
==19037==    still reachable: 2,978,168 bytes in 247 blocks.
==19037==         suppressed: 0 bytes in 0 blocks.
==19037== Reachable blocks (those to which a pointer was found) are not
shown.
==19037== To see them, rerun with: --show-reachable=yes
--19037--  memcheck: sanity checks: 1245 cheap, 50 expensive
--19037--  memcheck: auxmaps: 0 auxmap entries (0k, 0M) in use
--19037--  memcheck: auxmaps: 0 searches, 0 comparisons
--19037--  memcheck: SMs: n_issued      = 78 (1248k, 1M)
--19037--  memcheck: SMs: n_deissued    = 3 (48k, 0M)
--19037--  memcheck: SMs: max_noaccess  = 65535 (1048560k, 1023M)
--19037--  memcheck: SMs: max_undefined = 15 (240k, 0M)
--19037--  memcheck: SMs: max_defined   = 139 (2224k, 2M)
--19037--  memcheck: SMs: max_non_DSM   = 75 (1200k, 1M)
--19037--  memcheck: max sec V bit nodes:    723 (36k, 0M)
--19037--  memcheck: set_sec_vbits8 calls: 723 (new: 723, updates: 0)
--19037--  memcheck: max shadow mem size:   1540k, 1M
--19037-- translate:            fast SP updates identified: 8,874 ( 88.0%)
--19037-- translate:   generic_known SP updates identified: 965 (  9.5%)
--19037-- translate: generic_unknown SP updates identified: 244 (  2.4%)
--19037--     tt/tc: 156,818 tt lookups requiring 203,304 probes
--19037--     tt/tc: 156,818 fast-cache updates, 3 flushes
--19037--  transtab: new        10,246 (317,920 -> 4,627,912; ratio
145:10) [0 scs]
--19037--  transtab: dumped     0 (0 -> ??)
--19037--  transtab: discarded  8 (194 -> ??)
--19037-- scheduler: 124,538,911 jumps (bb entries).
--19037-- scheduler: 1,245/150,110 major/minor sched events.
--19037--    sanity: 1246 cheap, 50 expensive checks.
--19037--    exectx: 30,011 lists, 55 contexts (avg 0 per list)
--19037--    exectx: 1,371 searches, 1,316 full compares (959 per 1000)
--19037--    exectx: 0 cmp2, 114 cmp4, 0 cmpAll
Segmentation fault

If you need anything else from me, please ask.
And if this belongs to ffmpeg-user, I'll move it too, if you ask...

Ben
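As an added example (not part of the original post or of FFmpeg), a small triage helper for memcheck output like the log above: it counts the uninitialised-value warnings from the Golomb readers separately from the invalid access and records the frame and address the process actually died on. The sample log is constructed from the lines in the report, and the 0x1000 near-null threshold is an assumption, not a valgrind rule.

```python
import re
# Constructed sample modelled on the report above (PID, frames and addresses copied from it).
SAMPLE_LOG = """\
==19037== Conditional jump or move depends on uninitialised value(s)
==19037==    at 0x821B385: get_se_golomb (golomb.h:137)
==19037== Conditional jump or move depends on uninitialised value(s)
==19037==    at 0x821B296: get_ue_golomb (golomb.h:54)
==19037== Invalid read of size 2
==19037==    at 0x8228682: decode_residual (bitstream.h:888)
==19037==  Address 0xE0 is not stack'd, malloc'd or (recently) free'd
==19037== Process terminating with default action of signal 11 (SIGSEGV)
==19037==  Access not within mapped region at address 0xE0
==19037==    at 0x8228682: decode_residual (bitstream.h:888)
"""

# One regex per memcheck line type we care about ("==PID==" prefix included).
HEADER_RE = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+|"
                       r"(?:Conditional jump or move depends on|Use of) uninitialised value.*|"
                       r"Process terminating with default action of signal (\d+))")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDR_RE = re.compile(r"^==\d+==\s+(?:Address|Access not within mapped region at address) "
                     r"(0x[0-9A-Fa-f]+)")

def classify_address(addr):
    """Assumed rule: tiny addresses are NULL plus a field/array offset, the rest wild pointers."""
    return "near-null" if addr < 0x1000 else "wild"

def triage(text):
    """Count warnings vs. invalid accesses and report where and on what address it died."""
    summary = {"uninitialised": 0, "invalid_access": 0, "crash": None}
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and m.group(2):              # fatal signal block: track its frame and address
            cur = summary["crash"] = {"signal": int(m.group(2)), "frame": None,
                                      "address": None, "class": None}
        elif m:                           # ordinary error: count it, do not track frames
            cur = None
            summary["uninitialised" if "uninitialised" in m.group(1) else "invalid_access"] += 1
        elif cur is not None:
            f = FRAME_RE.match(line)
            if f and cur["frame"] is None:   # innermost frame only
                cur["frame"] = f.group(1)
            a = ADDR_RE.match(line)
            if a:
                cur["address"] = int(a.group(1), 16)
                cur["class"] = classify_address(cur["address"])
    return summary
```

The uninitialised-value reads in get_ue_golomb/get_se_golomb are the bitstream reader running off the end of valid data; the near-null fault in decode_residual is what the fuzzed file turns that into.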
