[FFmpeg-trac] #1563(FFmpeg:new): ffmpeg crashes (segmentation violation) when copying time-delimited portion of .wmv file

FFmpeg trac at avcodec.org
Fri Jul 20 21:12:40 CEST 2012


#1563: ffmpeg crashes (segmentation violation) when copying time-delimited portion
of .wmv file
-------------------------------------+-------------------------------------
             Reporter:  GreyBeard    |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  FFmpeg       |                  Version:  0.10.4
             Keywords:  segmentation |               Blocked By:
  violation, .wmv                    |  Reproduced by developer:  0
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:

 ffmpeg gets a segmentation violation when I try to trim off the start of
 some .wmv files (not all).  I am using time to trim off some number of
 seconds worth of the video.  It outputs a small amount of the output
 before it crashes.  The time doesn't seem to be important.  Some .wmv
 files crash and others succeed.  Here are the particulars for the test case
 (cat flushing a toilet repeatedly).  I'm sorry the stack trace-back
 doesn't help much.  My bet is that some bug outside of malloc overwrote a
 malloc data structure with trash causing malloc to fail.  It's the usual
 problem of a bug laying a landmine for malloc to step on.  I don't have
 valgrind on my system either.  Sorry.

 The input file name is  water_leak_found.wmv; I will attempt to upload it
 by that name.  The file is 3.2 megs, larger than you allow as an
 attachment, so I will try to upload it to upload.ffmpeg.org/incoming.  I
 tried to truncate it with a DD command so I could attach it here, but that
 yielded a different error altogether.  If I cannot upload it feel free to
 contact me and I'll get it to you by other means.

 Thanks,
 Jeff Barry


 How to reproduce:
 {{{
 atomik $?=0> uname -a
 Linux atomik 2.6.37.6-smp #1 SMP Sat Apr 9 14:01:14 CDT 2011 i686 Intel(R) Atom(TM) CPU D510   @ 1.66GHz GenuineIntel GNU/Linux

 atomik $?=0> cat /etc/slackware-version
 Slackware 13.37.0

 atomik $?=0> rm -f water_leak_found.TRIMMED.wmv

 atomik $?=0> cksum water_leak_found.wmv
 2892790208 3255612 water_leak_found.wmv

 atomik $?=0> rm -f water_leak_found.TRIMMED.wmv

 atomik $?=0> valgrind ffmpeg -ss 1 -i water_leak_found.wmv -acodec copy -vcodec copy  water_leak_found.TRIMMED.wmv
 -bash: valgrind: command not found

 atomik $?=0> gdb ffmpeg
 GNU gdb (GDB) 7.2
 Copyright (C) 2010 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-slackware-linux".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /usr/bin/ffmpeg...(no debugging symbols found)...done.
 (gdb) run -ss 1 -i water_leak_found.wmv -acodec copy -vcodec copy water_leak_found.TRIMMED.wmv
 Starting program: /usr/bin/ffmpeg -ss 1 -i water_leak_found.wmv -acodec copy -vcodec copy  water_leak_found.TRIMMED.wmv
 [Thread debugging using libthread_db enabled]
 ffmpeg version 0.10.4 Copyright (c) 2000-2012 the FFmpeg developers
   built on Jul 17 2012 01:40:04 with gcc 4.5.2
   configuration: --prefix=/usr
   libavutil      51. 35.100 / 51. 35.100
   libavcodec     53. 61.100 / 53. 61.100
   libavformat    53. 32.100 / 53. 32.100
   libavdevice    53.  4.100 / 53.  4.100
   libavfilter     2. 61.100 /  2. 61.100
   libswscale      2.  1.100 /  2.  1.100
   libswresample   0.  6.100 /  0.  6.100
 Input #0, asf, from 'water_leak_found.wmv':
   Metadata:
     Application     : Windows Movie Maker 2.1.4026.0
     WMFSDKVersion   : 10.00.00.3646
     WMFSDKNeeded    : 0.0.0.0000
     IsVBR           : 0
     artist          : Will F. Whittle
   Duration: 00:02:47.73, start: 0.000000, bitrate: 155 kb/s
     Stream #0:0: Audio: wmav2 (a[1][0][0] / 0x0161), 16000 Hz, 1 channels, s16, 16 kb/s
     Stream #0:1: Video: wmv3 (Main) (WMV3 / 0x33564D57), yuv420p, 320x240, 134 kb/s, 15 tbr, 1k tbn, 1k tbc
 Output #0, asf, to 'water_leak_found.TRIMMED.wmv':
   Metadata:
     Application     : Windows Movie Maker 2.1.4026.0
     WMFSDKVersion   : 10.00.00.3646
     WMFSDKNeeded    : 0.0.0.0000
     IsVBR           : 0
     Author          : Will F. Whittle
     WM/EncodingSettings: Lavf53.32.100
     Stream #0:0: Video: wmv3 (WMV3 / 0x33564D57), yuv420p, 320x240, q=2-31, 134 kb/s, 1k tbn, 1k tbc
     Stream #0:1: Audio: wmav2 (a[1][0][0] / 0x0161), 16000 Hz, 1 channels, 16 kb/s
 Stream mapping:
   Stream #0:1 -> #0:0 (copy)
   Stream #0:0 -> #0:1 (copy)
 Press [q] to stop, [?] for help

 Program received signal SIGSEGV, Segmentation fault.
 0xb7cba6d6 in malloc_consolidate () from /lib/libc.so.6
 (gdb) bt
 #0  0xb7cba6d6 in malloc_consolidate () from /lib/libc.so.6
 #1  0xb7cbbe47 in _int_malloc () from /lib/libc.so.6
 #2  0xb7cbd336 in _int_memalign () from /lib/libc.so.6
 #3  0xb7cbf5b4 in memalign () from /lib/libc.so.6
 #4  0xb7cc078f in posix_memalign () from /lib/libc.so.6
 #5  0x08720b1e in ?? ()
 Backtrace stopped: previous frame inner to this frame (corrupt stack?)
 (gdb) disass $pc-32,$pc+32
 Dump of assembler code from 0xb7cba6b6 to 0xb7cba6f6:
    0xb7cba6b6 <malloc_consolidate+118>: (bad)
    0xb7cba6b7 <malloc_consolidate+119>: je     0xb7cba808 <malloc_consolidate+456>
    0xb7cba6bd <malloc_consolidate+125>: movl   $0x0,(%eax)
    0xb7cba6c3 <malloc_consolidate+131>: jmp    0xb7cba749 <malloc_consolidate+265>
    0xb7cba6c8 <malloc_consolidate+136>: add    %eax,%ecx
    0xb7cba6ca <malloc_consolidate+138>: mov    0x8(%edi),%eax
    0xb7cba6cd <malloc_consolidate+141>: mov    %eax,-0x1c(%ebp)
    0xb7cba6d0 <malloc_consolidate+144>: mov    -0x1c(%ebp),%edx
    0xb7cba6d3 <malloc_consolidate+147>: mov    0xc(%edi),%eax
 => 0xb7cba6d6 <malloc_consolidate+150>: cmp    0xc(%edx),%edi
    0xb7cba6d9 <malloc_consolidate+153>: jne    0xb7cba876 <malloc_consolidate+566>
    0xb7cba6df <malloc_consolidate+159>: cmp    0x8(%eax),%edi
    0xb7cba6e2 <malloc_consolidate+162>: jne    0xb7cba876 <malloc_consolidate+566>
    0xb7cba6e8 <malloc_consolidate+168>: mov    -0x1c(%ebp),%edx
    0xb7cba6eb <malloc_consolidate+171>: cmpl   $0x1ff,0x4(%edi)
    0xb7cba6f2 <malloc_consolidate+178>: mov    %eax,0xc(%edx)
    0xb7cba6f5 <malloc_consolidate+181>: mov    %edx,0x8(%eax)
 End of assembler dump.
 (gdb) info all-registers
 eax            0x252879a        38963098
 ecx            0x520    1312
 edx            0x45b1d064       1169281124
 ebx            0xb7da8ff4       -1210413068
 esp            0xbfffc17c       0xbfffc17c
 ebp            0xbfffc1d8       0xbfffc1d8
 esi            0x8e62748        149301064
 edi            0x8e62778        149301112
 eip            0xb7cba6d6       0xb7cba6d6 <malloc_consolidate+150>
 eflags         0x210202 [ IF RF ID ]
 cs             0x73     115
 ss             0x7b     123
 ds             0x7b     123
 es             0x7b     123
 fs             0x0      0
 gs             0x33     51
 st0            0        (raw 0x00000000000000000000)
 st1            0        (raw 0x00000000000000000000)
 st2            0        (raw 0x00000000000000000000)
 st3            -2147483648      (raw 0xc01e8000000000000000)
 st4            123456   (raw 0x400ff120000000000000)
 st5            1        (raw 0x3fff8000000000000000)
 st6            14.266999999999999459987520822323859     (raw 0x4002e445a1cac0831000)
 st7            14333    (raw 0x400cdff4000000000000)
 fctrl          0x37f    895
 fstat          0x20     32
 ftag           0xffff   65535
 fiseg          0x73     115
 fioff          0x80849ca        134760906
 foseg          0x7b     123
 fooff          0xbfffc870       -1073756048
 fop            0x7bc    1980
 xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 ---Type <return> to continue, or q <return> to quit---
 xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {
     0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0,
     0x0}, v2_int64 = {0x0, 0x0}, uint128 =
 0x00000000000000000000000000000000}
 mxcsr          0x1f80   [ IM DM ZM OM UM PM ]
 mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
 0x0, 0x0}, v8_int8 = {0x0, 0x0,
     0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
 mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
 0x0, 0x0}, v8_int8 = {0x0, 0x0,
     0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
 mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
 0x0, 0x0}, v8_int8 = {0x0, 0x0,
     0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
 mm3            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
 v4_int16 = {0x0, 0x0, 0x0,
     0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
 mm4            {uint64 = 0xf120000000000000, v2_int32 = {0x0, 0xf1200000},
 v4_int16 = {0x0, 0x0, 0x0,
     0xf120}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20, 0xf1}}
 mm5            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000},
 v4_int16 = {0x0, 0x0, 0x0,
     0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}
 mm6            {uint64 = 0xe445a1cac0831000, v2_int32 = {0xc0831000,
 0xe445a1ca}, v4_int16 = {0x1000,
     0xc083, 0xa1ca, 0xe445}, v8_int8 = {0x0, 0x10, 0x83, 0xc0, 0xca, 0xa1,
 0x45, 0xe4}}
 mm7            {uint64 = 0xdff4000000000000, v2_int32 = {0x0, 0xdff40000},
 v4_int16 = {0x0, 0x0, 0x0,
     0xdff4}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf4, 0xdf}}
 (gdb) quit
 A debugging session is active.

         Inferior 1 [process 18727] will be killed.

 Quit anyway? (y or n) y

 atomik $?=0> cksum water_leak_found.*
 1377656358 221839 water_leak_found.TRIMMED.wmv
 2892790208 3255612 water_leak_found.wmv
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1563>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
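The crash site in the report (malloc_consolidate, reached through posix_memalign, with frame #5 unresolved because the binary carries no symbols) is the typical signature of the failure mode the reporter suspects: some earlier code writes past a heap buffer, and the damage only surfaces when glibc next walks its free lists. Without valgrind, one low-tech way to move the detection back to the buffer that was actually overrun is a redzone wrapper around malloc/free that is checked at free() time. The C program below is an added example written for this page; it is not FFmpeg code and says nothing about the asf demuxer or wmv3 paths. The guarded_* helpers, the packet-copy scenario and its sizes are constructed for illustration, and the overrun is deliberately capped at the redzone width so the demo itself never touches glibc's chunk metadata.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Redzone placed on each side of every user buffer, filled with CANARY_BYTE. */
#define REDZONE      16
#define CANARY_BYTE  0xA5
#define GUARD_MAGIC  0x47554152u

/* Header in front of the left redzone: records the requested size so the
   right redzone can be located at free() time without a side table.
   sizeof == 16, so with REDZONE 16 the user pointer keeps malloc's alignment. */
struct guard_hdr {
    size_t   size;   /* bytes the caller asked for */
    uint32_t magic;  /* detects a wild write that reached the header itself */
    uint32_t pad;
};

/* Block layout: [guard_hdr][left redzone][user bytes][right redzone] */
static struct guard_hdr *hdr_of(void *user)
{
    return (struct guard_hdr *)((unsigned char *)user - REDZONE - sizeof(struct guard_hdr));
}

void *guarded_malloc(size_t size)
{
    unsigned char *base = malloc(sizeof(struct guard_hdr) + REDZONE + size + REDZONE);
    if (!base)
        return NULL;
    struct guard_hdr *h = (struct guard_hdr *)base;
    h->size  = size;
    h->magic = GUARD_MAGIC;
    h->pad   = 0;
    unsigned char *user = base + sizeof(struct guard_hdr) + REDZONE;
    memset(user - REDZONE, CANARY_BYTE, REDZONE);  /* left redzone  */
    memset(user + size,    CANARY_BYTE, REDZONE);  /* right redzone */
    return user;
}

/* Result bits of guarded_check() / guarded_free(): */
#define GUARD_UNDERFLOW 1   /* bytes written before the buffer start */
#define GUARD_OVERFLOW  2   /* bytes written past the buffer end     */
#define GUARD_NOHEADER  4   /* header magic destroyed; size unusable */

int guarded_check(void *p)
{
    struct guard_hdr *h = hdr_of(p);
    unsigned char *user = p;
    int rc = 0;
    if (h->magic != GUARD_MAGIC)
        return GUARD_NOHEADER;
    for (size_t i = 0; i < REDZONE; i++)
        if ((user - REDZONE)[i] != CANARY_BYTE) { rc |= GUARD_UNDERFLOW; break; }
    for (size_t i = 0; i < REDZONE; i++)
        if ((user + h->size)[i] != CANARY_BYTE) { rc |= GUARD_OVERFLOW; break; }
    return rc;
}

/* Checks at free() time, while the damage is still attributable to this
   buffer, instead of letting glibc trip over it in a later malloc(). */
int guarded_free(void *p)
{
    if (!p)
        return 0;
    int rc = guarded_check(p);
    if (rc & GUARD_NOHEADER)
        fprintf(stderr, "heap corruption: header of %p destroyed\n", p);
    if (rc & GUARD_UNDERFLOW)
        fprintf(stderr, "heap corruption: write before start of %p\n", p);
    if (rc & GUARD_OVERFLOW)
        fprintf(stderr, "heap corruption: write past end of %p (%zu bytes requested)\n",
                p, hdr_of(p)->size);
    free(hdr_of(p));
    return rc;
}

/* Constructed scenario (not from FFmpeg): a packet buffer is sized from a
   length field in the container, but the copy uses the real payload length.
   When the two disagree by a few bytes the copy runs into the right redzone.
   The overrun is refused beyond REDZONE so the demo stays inside its own block. */
int demo_packet_copy(size_t declared_len, size_t actual_len)
{
    unsigned char payload[64];
    if (actual_len > sizeof payload || actual_len > declared_len + REDZONE)
        return -1;                        /* outside what the demo can show safely */
    memset(payload, 0x42, sizeof payload);
    unsigned char *pkt = guarded_malloc(declared_len);
    if (!pkt)
        return -1;
    memcpy(pkt, payload, actual_len);     /* the landmine: actual_len > declared_len */
    return guarded_free(pkt);             /* 0 if clean, GUARD_OVERFLOW if it overran */
}

/* A one-byte write before the buffer, e.g. an off-by-one on a negative index. */
int demo_underflow(void)
{
    unsigned char *buf = guarded_malloc(8);
    if (!buf)
        return -1;
    buf[-1] = 0;                          /* lands in the left redzone */
    return guarded_free(buf);
}

int main(void)
{
    printf("exact copy   : rc=%d\n", demo_packet_copy(32, 32));
    printf("one byte over: rc=%d\n", demo_packet_copy(31, 32));
    printf("write before : rc=%d\n", demo_underflow());
    return 0;
}
```

The same idea, with far better coverage, is what glibc's MALLOC_CHECK_=3 environment variable and GCC/Clang's -fsanitize=address provide, and either would have reported the overrun at the offending write rather than in malloc_consolidate; for the ticket's actual trace, an unstripped ffmpeg build (configure with --disable-stripping) is what turns frame #5's "?? ()" into a function name.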

