[FFmpeg-devel] ffplay segfaults on invalid h264 stream

Michael Niedermayer michaelni
Thu May 3 18:13:56 CEST 2007


Hi

On Thu, May 03, 2007 at 05:53:47PM +0200, Panagiotis Issaris wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> ffplay segfaults on a specific stream I'm trying to decode. I'm
> using revision 8880.
> 
> takis at issaris:~/stream$ gdb /usr/local/src/ffmpeg-pi/ffplay_g
> GNU gdb 6.6-debian
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i486-linux-gnu"...
> Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
> (gdb) r pi-20070503T132200-capturedgrandstream.xml.h264
> Starting program: /usr/local/src/ffmpeg-pi/ffplay_g
> pi-20070503T132200-capturedgrandstream.xml.h264
> [Thread debugging using libthread_db enabled]
> [New Thread -1213413696 (LWP 12749)]
> [New Thread -1213588592 (LWP 12752)]
> [New Thread -1222751344 (LWP 12753)]
> [h264 @ 0x8522448]reference picture missing during reorder
> [h264 @ 0x8522448]reference count overflow
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]concealing 123 DC, 123 AC, 123 MV errors
> [New Thread -1231385712 (LWP 12754)]
> [h264 @ 0x8522448]reference picture missing during reorder
> [h264 @ 0x8522448]reference count overflow
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]concealing 123 DC, 123 AC, 123 MV errors
> [h264 @ 0x8522448]slice type too large (1) at 7 3
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]slice type too large (1) at 7 3
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]non existing PPS referenced
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]non existing PPS referenced
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]concealing 233 DC, 233 AC, 233 MV errors
> [h264 @ 0x8522448]slice type too large (1) at 17 4
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]top block unavailable for requested intra mode at 7 0
> [h264 @ 0x8522448]error while decoding MB 7 0
> [h264 @ 0x8522448]deblocking_filter_idc 7 out of range
> [h264 @ 0x8522448]decode_slice_header error
> [h264 @ 0x8522448]concealing 300 DC, 300 AC, 300 MV errors
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1231385712 (LWP 12754)]
> decode_slice_header (h=0x8690500) at h264.c:4402
> 4402                    h->mmco[0].short_frame_num= h->short_ref[
> h->short_ref_count - 1 ]->frame_num;
> 
> 
> (gdb) bt
> #0  decode_slice_header (h=0x8690500) at h264.c:4402
> #1  0x083061fd in decode_nal_units (h=0x8690500, buf=0x86740e0 "",
> buf_size=637) at h264.c:8175
> #2  0x083073eb in decode_frame (avctx=0x8668760, data=0x870ae80,
> data_size=0xb69a8384, buf=0x86740e0 "", buf_size=637) at h264.c:8357
> #3  0x080c46e2 in avcodec_decode_video (avctx=0x8668760,
> picture=0x870ae80, got_picture_ptr=0xb69a8384, buf=0x86740e0 "",
> buf_size=637) at utils.c:906
> #4  0x0805fa2c in video_thread (arg=0xb71e5020) at ffplay.c:1372
> #5  0xb7d5cceb in ?? () from /usr/lib/libSDL-1.2.so.0
> #6  0xb71e5020 in ?? ()
> #7  0x0805f990 in ?? () at ffplay.c:1474
> #8  0x08668aa0 in ?? ()
> #9  0xb7db2820 in ?? () from /usr/lib/libSDL-1.2.so.0
> #10 0x00000000 in ?? ()
> (gdb)
[...]
> 
> 
> A simple fix for this is attached. I am far from sure that this is the
> correct way to fix it, but it might help illustrating the problem.
> 
> I can also provide the sample which causes the crash, although the
> previous times I haven't been successful in getting these samples where
> they belong.
[...]
> diff --git a/libavcodec/h264.c b/libavcodec/h264.c
> index f8f61d3..c7a96b4 100644
> --- a/libavcodec/h264.c
> +++ b/libavcodec/h264.c
> @@ -4397,6 +4397,7 @@ static int decode_ref_pic_marking(H264Context *h){
>          }else{
>              assert(h->long_ref_count + h->short_ref_count <= h->sps.ref_frame_count);
>  
> +            if((h->short_ref_count>0) && h->short_ref[h->short_ref_count-1] && (h->long_ref_count + h->short_ref_count == h->sps.ref_frame_count)){ //FIXME fields
>              if(h->long_ref_count + h->short_ref_count == h->sps.ref_frame_count){ //FIXME fields
>                  h->mmco[0].opcode= MMCO_SHORT2UNUSED;
>                  h->mmco[0].short_frame_num= h->short_ref[ h->short_ref_count - 1 ]->frame_num;
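Review bot: the added `+ if((h->short_ref_count>0) && ... ){` opens a new block while the original `if(h->long_ref_count + h->short_ref_count == h->sps.ref_frame_count){` on the next line is left in place, so the hunk nests two `if`s and adds no matching `}`; as shown the braces do not balance. Replace the condition of the existing `if` rather than adding a second one. Separately, a `short_ref_count` of 0 when the reference slots are full is not a state to skip silently: with sliding-window marking there must be a short-term picture to unmark, so the stream is broken and the function should fail (return an error as the other `decode_slice_header` failures do) instead of leaving `mmco[0]` untouched. The `h->short_ref[h->short_ref_count-1]` NULL test is redundant if `short_ref_count` counts populated entries, which the `assert` two lines above already relies on.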

mismatching {

h.264 spec says:
----
adaptive_ref_pic_marking_mode_flag selects the reference picture marking mode of the currently decoded picture as
specified in Table 7-8. adaptive_ref_pic_marking_mode_flag shall be equal to 1 when the number of frames,
complementary field pairs, and non-paired fields that are currently marked as "used for long-term reference" is equal to
Max( num_ref_frames, 1 ).
----

so the h->short_ref_count>0 seems wrong, it's an error condition if it's false,
not a no-op condition

the h->short_ref[h->short_ref_count-1] check also seems wrong, as
h->short_ref_count of X implies that there are X entries in h->short_ref

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato 
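The point made above, that an empty short-term list while the reference slots are full is an error rather than a no-op, as an added C illustration (mine, not FFmpeg's code): a cut-down model of the implied sliding-window marking with the validation the crash line lacks. `RefState`, `sliding_window_mmco` and the `demo_*` builders are hypothetical simplifications of the real H264Context fields and of decode_ref_pic_marking(); the three reference states are constructed here, not taken from the reported stream.

```c
#include <stdio.h>

#define MAX_SHORT_REFS 32   /* hypothetical bound for the fixed short_ref[] array */

typedef struct {
    int frame_num;
} Picture;

/* Hypothetical cut-down reference state; the real H264Context holds far more. */
typedef struct {
    int ref_frame_count;                 /* Max(num_ref_frames, 1) from the SPS */
    int short_ref_count;                 /* number of populated entries in short_ref[] */
    int long_ref_count;
    Picture *short_ref[MAX_SHORT_REFS];  /* [short_ref_count - 1] is the oldest */
} RefState;

enum { MMCO_NONE = 0, MMCO_SHORT2UNUSED = 1 };

typedef struct {
    int opcode;
    int short_frame_num;
} MMCO;

/* Implied sliding-window marking (adaptive_ref_pic_marking_mode_flag == 0).
 * Returns 1 with *out filled when the oldest short-term picture must be
 * unmarked, 0 when there is still a free slot, and -1 when the state cannot
 * legally occur with sliding-window marking: every slot full and none of
 * them short-term, which a conforming stream would have signalled with
 * adaptive marking.  Indexing short_ref[-1] in that case is the bug. */
int sliding_window_mmco(const RefState *h, MMCO *out)
{
    int total = h->long_ref_count + h->short_ref_count;

    out->opcode = MMCO_NONE;
    out->short_frame_num = -1;

    if (h->short_ref_count < 0 || h->long_ref_count < 0 ||
        h->short_ref_count > MAX_SHORT_REFS || total > h->ref_frame_count)
        return -1;                        /* bookkeeping already corrupt */

    if (total < h->ref_frame_count)
        return 0;                         /* nothing to evict yet */

    if (h->short_ref_count == 0)
        return -1;                        /* error, not a no-op: no picture to unmark */

    out->opcode = MMCO_SHORT2UNUSED;
    out->short_frame_num = h->short_ref[h->short_ref_count - 1]->frame_num;
    return 1;
}

/* Constructed scenario: two short-term refs, one long-term, three slots. */
int demo_eviction_frame_num(void)
{
    static Picture p[2] = {{5}, {4}};     /* frame_num 4 is the oldest */
    RefState h = {.ref_frame_count = 3, .short_ref_count = 2, .long_ref_count = 1};
    MMCO m;
    h.short_ref[0] = &p[0];
    h.short_ref[1] = &p[1];
    if (sliding_window_mmco(&h, &m) != 1 || m.opcode != MMCO_SHORT2UNUSED)
        return -1;
    return m.short_frame_num;
}

/* Constructed scenario: the state that makes the crash line read short_ref[-1]. */
int demo_all_long_term(void)
{
    RefState h = {.ref_frame_count = 3, .short_ref_count = 0, .long_ref_count = 3};
    MMCO m;
    return sliding_window_mmco(&h, &m);
}

/* Constructed scenario: a slot is still free, so no marking is implied. */
int demo_room_left(void)
{
    static Picture p = {7};
    RefState h = {.ref_frame_count = 3, .short_ref_count = 1, .long_ref_count = 0};
    MMCO m;
    h.short_ref[0] = &p;
    return sliding_window_mmco(&h, &m);
}

int main(void)
{
    printf("evict frame_num: %d\n", demo_eviction_frame_num());
    printf("all long-term:   %d (error, decoder must reject the slice)\n", demo_all_long_term());
    printf("room left:       %d (no MMCO)\n", demo_room_left());
    return 0;
}
```

The -1 path is the one the posted patch turned into a silent skip; in a real decoder that return should propagate to decode_slice_header so the slice is dropped like the other malformed-header cases in the log.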