[FFmpeg-trac] #1730(avformat:open): Crash while demuxing m4a file

FFmpeg trac at avcodec.org
Thu Sep 13 18:55:35 CEST 2012 

#1730: Crash while demuxing m4a file
------------------------------------+------------------------------------
             Reporter:  Bert        |                    Owner:
                 Type:  defect      |                   Status:  open
             Priority:  important   |                Component:  avformat
              Version:  git-master  |               Resolution:
             Keywords:  mov crash   |               Blocked By:
             Blocking:              |  Reproduced by developer:  1
Analyzed by developer:  0           |
------------------------------------+------------------------------------
Changes (by cehoyos):

 * status:  new => open
 * reproduced:  0 => 1


Comment:

 Regression since 079ea6c / 79ae084
 {{{
 (gdb) r -i FFMpeg_Bug_1730_crash_demuxing_m4a.m4a
 Starting program: ffmpeg_g -i FFMpeg_Bug_1730_crash_demuxing_m4a.m4a
 [Thread debugging using libthread_db enabled]
 ffmpeg version N-44432-g59db014 Copyright (c) 2000-2012 the FFmpeg
 developers
   built on Sep 13 2012 18:43:05 with gcc 4.5.3 (GCC)
   configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc
   libavutil      51. 73.100 / 51. 73.100
   libavcodec     54. 55.100 / 54. 55.100
   libavformat    54. 27.100 / 54. 27.100
   libavdevice    54.  2.100 / 54.  2.100
   libavfilter     3. 16.103 /  3. 16.103
   libswscale      2.  1.101 /  2.  1.101
   libswresample   0. 15.100 /  0. 15.100
 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x148c240] Unknown cover type: 0x0.

 Program received signal SIGSEGV, Segmentation fault.
 mov_find_next_sample (st=<value optimized out>, s=<value optimized out>)
 at libavformat/mov.c:3071
 3071            if (msc->pb && msc->current_sample <
 avst->nb_index_entries) {
 (gdb) bt
 #0  mov_find_next_sample (st=<value optimized out>, s=<value optimized
 out>) at libavformat/mov.c:3071
 #1  mov_read_packet (st=<value optimized out>, s=<value optimized out>) at
 libavformat/mov.c:3098
 #2  0x00000000005118c2 in ff_read_packet (s=0x148c240, pkt=0x7fffffffd240)
 at libavformat/utils.c:750
 #3  0x0000000000511c1b in read_frame_internal (s=0x148c240,
 pkt=0x7fffffffd5e0)
     at libavformat/utils.c:1306
 #4  0x000000000051488b in avformat_find_stream_info (ic=0x148c240,
 options=0x14920e0)
     at libavformat/utils.c:2633
 #5  0x000000000040992d in opt_input_file (optctx=<value optimized out>,
 opt=<value optimized out>,
     filename=0x7fffffffe261 "FFMpeg_Bug_1730_crash_demuxing_m4a.m4a") at
 ffmpeg_opt.c:770
 #6  0x00000000004187c3 in parse_option (optctx=0x7fffffffd980,
 opt=0x7fffffffe25f "i",
     arg=0x7fffffffe261 "FFMpeg_Bug_1730_crash_demuxing_m4a.m4a",
 options=<value optimized out>)
     at cmdutils.c:319
 #7  0x0000000000418ba7 in parse_options (optctx=0x7fffffffd980, argc=3,
 argv=0x7fffffffdde8,
     options=0xac02a0, parse_arg_function=0x40a3f0 <opt_output_file>) at
 cmdutils.c:352
 #8  0x0000000000416211 in main (argc=3, argv=0x7fffffffdde8) at
 ffmpeg.c:3135
 (gdb) disass $pc-37 $pc+32
 Dump of assembler code from 0x49b15f to 0x49b1a4:
 0x000000000049b15f <mov_find_next_sample+23>:   je     0x49b4e0
 <mov_find_next_sample+920>
 0x000000000049b165 <mov_find_next_sample+29>:   nopl   (%rax)
 0x000000000049b168 <mov_find_next_sample+32>:   add    $0x1,%r12d
 0x000000000049b16c <mov_find_next_sample+36>:   cmp    %ecx,%r12d
 0x000000000049b16f <mov_find_next_sample+39>:   jae    0x49b200
 <mov_read_packet+256>
 0x000000000049b175 <mov_find_next_sample+45>:   mov    0x30(%rbx),%rax
 0x000000000049b179 <mov_find_next_sample+49>:   movslq %r12d,%rdx
 0x000000000049b17c <mov_find_next_sample+52>:   mov    (%rax,%rdx,8),%r13
 0x000000000049b180 <mov_find_next_sample+56>:   mov    0x18(%r13),%rax
 0x000000000049b184 <mov_find_next_sample+60>:   mov    (%rax),%r14
 0x000000000049b187 <mov_find_next_sample+63>:   test   %r14,%r14
 0x000000000049b18a <mov_find_next_sample+66>:   je     0x49b168
 <mov_find_next_sample+32>
 0x000000000049b18c <mov_find_next_sample+68>:   mov    0xb0(%rax),%edx
 0x000000000049b192 <mov_find_next_sample+74>:   cmp    0x1e0(%r13),%edx
 0x000000000049b199 <mov_find_next_sample+81>:   jge    0x49b168
 <mov_find_next_sample+32>
 0x000000000049b19b <mov_find_next_sample+83>:   movslq %edx,%rdx
 0x000000000049b19e <mov_find_next_sample+86>:   mov    $0xf4240,%esi
 0x000000000049b1a3 <mov_find_next_sample+91>:   lea    (%rdx,%rdx,2),%r15
 End of assembler dump.
 (gdb) info register
 rax            0x0      0
 rbx            0x148c240        21545536
 rcx            0x2      2
 rdx            0x1      1
 rsi            0xf4240  1000000
 rdi            0x0      0
 rbp            0x7ffff7f67010   0x7ffff7f67010
 rsp            0x7fffffffd140   0x7fffffffd140
 r8             0xac44   44100
 r9             0x5622   22050
 r10            0x0      0
 r11            0x1      1
 r12            0x1      1
 r13            0x1493ba0        21576608
 r14            0x1494960        21580128
 r15            0x7ffff7f67010   140737353510928
 rip            0x49b184 0x49b184 <mov_find_next_sample+60>
 eflags         0x10297  [ CF PF AF SF IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 fctrl          0x37f    895
 fstat          0x0      0
 ftag           0xffff   65535
 fiseg          0x0      0
 fioff          0x0      0
 foseg          0x0      0
 fooff          0x0      0
 fop            0x0      0
 mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1730#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list