[FFmpeg-trac] #316(avformat:new): Double free with ogg files

FFmpeg trac at avcodec.org
Tue Jun 28 10:06:57 CEST 2011


#316: Double free with ogg files
-------------------------+----------------------
  Reporter:  cehoyos     |      Owner:
      Type:  defect      |     Status:  new
  Priority:  important   |  Component:  avformat
   Version:  git-master  |   Keywords:
Blocked By:              |   Blocking:
Reproduced:  1           |   Analyzed:  0
-------------------------+----------------------
 Apart from the double free, the file also triggers an FPE if I remove the av_freeps in oggdec.c
 {{{
 $ valgrind ./ffmpeg_g -i multi2.ogg -f null -
 ==17417== Memcheck, a memory error detector
 ==17417== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
 ==17417== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
 ==17417== Command: ./ffmpeg_g -i multi2.ogg -f null -
 ==17417==
 ffmpeg version N-31042-g94e59cb, Copyright (c) 2000-2011 the FFmpeg developers
   built on Jun 28 2011 09:49:35 with gcc 4.5.3
   configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32' --disable-optimizations
   libavutil    51. 10. 0 / 51. 10. 0
   libavcodec   53.  7. 0 / 53.  7. 0
   libavformat  53.  4. 0 / 53.  4. 0
   libavdevice  53.  2. 0 / 53.  2. 0
   libavfilter   2. 24. 0 /  2. 24. 0
   libswscale    2.  0. 0 /  2.  0. 0
 ==17417== Invalid read of size 4
 ==17417==    at 0x8108AC1: theora_gptopts (oggparsetheora.c:132)
 ==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
 ==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 ==17417== Invalid read of size 4
 ==17417==    at 0x8108AE0: theora_gptopts (oggparsetheora.c:133)
 ==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
 ==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==  Address 0x5085604 is 4 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 ==17417== Invalid read of size 4
 ==17417==    at 0x8108AFB: theora_gptopts (oggparsetheora.c:135)
 ==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
 ==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==  Address 0x5085608 is 8 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 [theora @ 0x50851a0] 7 bits left in packet 82
 ==17417== Invalid read of size 4
 ==17417==    at 0x8108AC1: theora_gptopts (oggparsetheora.c:132)
 ==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
 ==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
 ==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
 ==17417==    by 0x81455EF: av_read_packet (utils.c:723)
 ==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
 ==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
 ==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 ==17417== Invalid read of size 4
 ==17417==    at 0x8108AE0: theora_gptopts (oggparsetheora.c:133)
 ==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
 ==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
 ==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
 ==17417==    by 0x81455EF: av_read_packet (utils.c:723)
 ==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
 ==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
 ==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==  Address 0x5085604 is 4 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 ==17417== Invalid read of size 4
 ==17417==    at 0x8108AFB: theora_gptopts (oggparsetheora.c:135)
 ==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
 ==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
 ==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
 ==17417==    by 0x81455EF: av_read_packet (utils.c:723)
 ==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
 ==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
 ==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==  Address 0x5085608 is 8 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 Input #0, ogg, from 'multi2.ogg':
   Duration: 00:00:00.-40, start: 0.000000, bitrate: -3494 kb/s
     Stream #0.0: Video: theora, yuv420p, 320x240, 5 tbr, 5 tbn, 5 tbc
 [buffer @ 0x5363040] w:320 h:240 pixfmt:yuv420p tb:1/1000000 sar:0/1 sws_param:
 [theora @ 0x50851a0] 7 bits left in packet 82
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf53.4.0
     Stream #0.0: Video: rawvideo, yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 5 tbc
 Stream mapping:
   Stream #0.0 -> #0.0
 Press [q] to stop, [?] for help
 ==17417== Invalid free() / delete / delete[]
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x81014C8: ogg_packet (oggdec.c:323)
 ==17417==    by 0x8101EDC: ogg_read_packet (oggdec.c:560)
 ==17417==    by 0x81455EF: av_read_packet (utils.c:723)
 ==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
 ==17417==    by 0x8147869: av_read_frame (utils.c:1302)
 ==17417==    by 0x80543BB: transcode (ffmpeg.c:2708)
 ==17417==    by 0x8059531: main (ffmpeg.c:4576)
 ==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
 ==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
 ==17417==    by 0x85AAAB0: av_free (mem.c:152)
 ==17417==    by 0x85AAACB: av_freep (mem.c:159)
 ==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
 ==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
 ==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
 ==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
 ==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
 ==17417==    by 0x805A004: parse_options (cmdutils.c:283)
 ==17417==    by 0x805941C: main (ffmpeg.c:4556)
 ==17417==
 [theora @ 0x50851a0] Header packet passed to frame decoder, skipping
 Error while decoding stream #0.0
 Error while decoding stream #0.0
 Error while decoding stream #0.0
 Error while decoding stream #0.0
     Last message repeated 3 times
 [theora @ 0x50851a0] Invalid partially coded superblock run length
 [theora @ 0x50851a0] error in unpack_superblocks
 Error while decoding stream #0.0
 [theora @ 0x50851a0] Invalid fully coded superblock run length
 [theora @ 0x50851a0] error in unpack_superblocks
 Error while decoding stream #0.0
 [theora @ 0x50851a0] Warning, unsupported keyframe coding type?!
 [theora @ 0x50851a0] error in unpack_block_qpis
 Error while decoding stream #0.0
 [theora @ 0x50851a0] Header packet passed to frame decoder, skipping
 Error while decoding stream #0.0
 [theora @ 0x50851a0] error in unpack_block_qpis
 Error while decoding stream #0.0
 [theora @ 0x50851a0] Invalid partially coded superblock run length
 [theora @ 0x50851a0] error in unpack_superblocks
 Error while decoding stream #0.0
 [theora @ 0x50851a0] Header packet passed to frame decoder, skipping
 Error while decoding stream #0.0
 Error while decoding stream #0.0
 Error while decoding stream #0.0
     Last message repeated 2 times
 [theora @ 0x50851a0] Warning, unsupported keyframe coding type?!
 ==17417==
 ==17417== Process terminating with default action of signal 8 (SIGFPE)
 ==17417==  Integer divide by zero at address 0x976B505
 ==17417==    at 0x85B2C2C: __divdi3 (libgcc2.c:895)
 ==17417==    by 0x804FF64: output_packet (ffmpeg.c:1599)
 ==17417==    by 0x8054C84: transcode (ffmpeg.c:2778)
 ==17417==    by 0x8059531: main (ffmpeg.c:4576)
 ==17417==
 ==17417== HEAP SUMMARY:
 ==17417==     in use at exit: 2,918,795 bytes in 173 blocks
 ==17417==   total heap usage: 718 allocs, 546 frees, 6,699,559 bytes allocated
 ==17417==
 ==17417== LEAK SUMMARY:
 ==17417==    definitely lost: 2,743 bytes in 1 blocks
 ==17417==    indirectly lost: 0 bytes in 0 blocks
 ==17417==      possibly lost: 0 bytes in 0 blocks
 ==17417==    still reachable: 2,916,052 bytes in 172 blocks
 ==17417==         suppressed: 0 bytes in 0 blocks
 ==17417== Rerun with --leak-check=full to see details of leaked memory
 ==17417==
 ==17417== For counts of detected and suppressed errors, rerun with: -v
 ==17417== ERROR SUMMARY: 13 errors from 7 contexts (suppressed: 3 from 3)
 Floating point exception
 }}}

-- 
Ticket URL: <https://avcodec.org/trac/ffmpeg/ticket/316>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
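
Editor's note on the trace above. Memcheck reports one 12-byte block freed through av_freep in ogg_read_page (oggdec.c:243), read again in theora_gptopts while already dead, and then handed to free a second time from ogg_read_page via ogg_packet. av_freep only NULLs the one pointer it is given; any other copy of that address keeps pointing at the freed block, which is exactly the shape this trace has. The C program below is an added illustration, not code from the ticket or from FFmpeg, and it does not claim to be the actual cause in oggdec.c. It uses hypothetical names (struct stream, struct priv, gptopts, read_page_reset, tracked_alloc/tracked_free/tracked_freep) and a small tracked heap that counts invalid reads and invalid frees, in the spirit of Memcheck's "Invalid read" and "Invalid free()" lines, instead of corrupting the real allocator. The buggy path keeps a stale alias of the per-stream private block; the fixed path leaves the stream as the single owner. Because the trace also ends in an integer divide by zero once the bogus timestamps reach ffmpeg.c, the codec hook guards its divisor as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracked heap (illustration only): remembers whether each block is live so
 * that a read of a freed block or a second free is counted, the way Memcheck
 * reports "Invalid read" / "Invalid free()", instead of corrupting libc's heap. */
#define MAX_BLOCKS 64
static struct { void *addr; int live; } g_blocks[MAX_BLOCKS];
static int g_nblocks;
static int g_errors;   /* invalid reads + invalid frees since the last reset */

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p && g_nblocks < MAX_BLOCKS) {
        g_blocks[g_nblocks].addr = p;
        g_blocks[g_nblocks].live = 1;
        g_nblocks++;
    }
    return p;
}

/* Newest record wins: libc may hand a freed address out again later. */
static int find_block(const void *p) {
    for (int i = g_nblocks - 1; i >= 0; i--)
        if (g_blocks[i].addr == p) return i;
    return -1;
}

static void tracked_free(void *p) {
    if (!p) return;                       /* free(NULL) is a legal no-op */
    int i = find_block(p);
    if (i < 0 || !g_blocks[i].live) { g_errors++; return; }   /* double free */
    g_blocks[i].live = 0;
    free(p);
}

/* Stand-in for av_freep: free the block and NULL the pointer it was reached
 * through. It cannot NULL any other copy of the same address. */
static void tracked_freep(void *ptr) {
    void **p = (void **)ptr;
    tracked_free(*p);
    *p = NULL;
}

/* Hypothetical per-stream state; 'private' mirrors the 12-byte block in the
 * trace (three 32-bit fields read by a codec-specific hook). */
struct priv   { int32_t gps; int32_t fps_num; int32_t fps_den; };
struct stream { struct priv *private; };

/* Codec hook that dereferences the private block (the theora_gptopts role).
 * A dead block is counted as an invalid read and yields 0 rather than being
 * touched; the divisor is guarded too, since the trace ends in SIGFPE. */
static int32_t gptopts(const struct priv *p) {
    int i = find_block(p);
    if (i < 0 || !g_blocks[i].live) { g_errors++; return 0; }
    if (p->fps_den == 0) return 0;
    return p->gps * p->fps_num / p->fps_den;
}

/* Demuxer routine that tears down the per-stream private data (the
 * ogg_read_page role in the trace). */
static void read_page_reset(struct stream *os) {
    tracked_freep(&os->private);
}

/* BUGGY: a second copy of the private pointer is taken before the page
 * reader runs, used after the block is gone, then freed once more on the
 * caller's own cleanup path. Returns the number of invalid operations. */
static int scan_buggy(void) {
    g_errors = 0;
    struct stream os = { tracked_alloc(sizeof(struct priv)) };
    if (!os.private) return -1;
    struct priv *alias = os.private;      /* the copy av_freep cannot reach */
    alias->gps = 10; alias->fps_num = 5; alias->fps_den = 1;

    read_page_reset(&os);                 /* os.private is now NULL ... */
    (void)gptopts(alias);                 /* ... alias is not: invalid read */
    tracked_free(alias);                  /* invalid free: double free */
    return g_errors;
}

/* FIXED: the stream is the single owner. Consumers re-read the owner's slot
 * and skip work when it is NULL, and only that slot is ever freed, through
 * freep, so nothing is left dangling. */
static int scan_fixed(void) {
    g_errors = 0;
    struct stream os = { tracked_alloc(sizeof(struct priv)) };
    if (!os.private) return -1;
    os.private->gps = 10; os.private->fps_num = 5; os.private->fps_den = 1;

    read_page_reset(&os);
    if (os.private)                       /* go through the owner every time */
        (void)gptopts(os.private);
    tracked_freep(&os.private);           /* tracked_free(NULL) is a no-op */
    return g_errors;
}

int main(void) {
    printf("buggy path: %d invalid operations\n", scan_buggy());
    printf("fixed path: %d invalid operations\n", scan_fixed());
    return 0;
}
```

The point of the tracked heap is that it makes the two Memcheck findings from the ticket (a read of a freed block, then a second free of it) deterministic and countable without undefined behaviour; on a real build the same sequence is what produces the "Invalid read of size 4" and "Invalid free()" lines above.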

