Ticket #122 (closed defect: fixed)
Kega Game Video codec broken with ffplay
| Reported by: | cehoyos | Owned by: | michael |
|---|---|---|---|
| Priority: | normal | Component: | FFplay |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
The sample from ticket #59 plays badly with ffplay (and valgrind shows many invalid reads).
```
$ valgrind ./ffplay_g kgv1.avi
==13914== Memcheck, a memory error detector
==13914== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==13914== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==13914== Command: ./ffplay_g kgv1.avi
==13914==
ffplay version git-N-29391-gd84f191, Copyright (c) 2003-2011 the FFmpeg developers
built on Apr 26 2011 20:33:16 with gcc 4.5.2
configuration: --cc='/usr/local/gcc-4.5.2/bin/gcc -m32' --enable-gpl
libavutil 51. 0. 0 / 51. 0. 0
libavcodec 53. 1. 0 / 53. 1. 0
libavformat 53. 0. 3 / 53. 0. 3
libavdevice 53. 0. 0 / 53. 0. 0
libavfilter 2. 0. 0 / 2. 0. 0
libswscale 0. 13. 0 / 0. 13. 0
...
Input #0, avi, from 'kgv1.avi':
Duration: 00:00:05.21, start: 0.000000, bitrate: 1633 kb/s
Stream #0.0: Audio: pcm_s16le, 44100 Hz, 2 channels, s16, 1411 kb/s
Stream #0.1: Video: kgv1, rgb555le, 640x480, 60 tbr, 60 tbn, 60 tbc
[ffsink @ 0xb8b7120] auto-inserting filter 'auto-inserted scaler 0' between the filter 'src' and the filter 'out'
...
[scale @ 0xb8b7770] w:640 h:480 fmt:rgb555le -> w:640 h:480 fmt:yuv420p flags:0x4
==13914== Thread 5:
==13914== Invalid read of size 1
==13914== at 0x644C138: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x85BC128: av_image_copy (imgutils.c:230)
==13914== Address 0xd63c857 is 1 bytes before a block of size 153,600 alloc'd
==13914== at 0x644AC8C: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x644AD16: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x82E6684: decode_frame (kgv1dec.c:67)
==13914==
==13914== Invalid read of size 1
==13914== at 0x644C142: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x85BC128: av_image_copy (imgutils.c:230)
==13914== Address 0xd63c856 is 2 bytes before a block of size 153,600 alloc'd
==13914== at 0x644AC8C: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x644AD16: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x82E6684: decode_frame (kgv1dec.c:67)
==13914==
==13914== Invalid read of size 1
==13914== at 0x644C14B: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x85BC128: av_image_copy (imgutils.c:230)
==13914== Address 0xd63c855 is 3 bytes before a block of size 153,600 alloc'd
==13914== at 0x644AC8C: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x644AD16: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x82E6684: decode_frame (kgv1dec.c:67)
==13914==
==13914== Invalid read of size 1
==13914== at 0x644C154: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x85BC128: av_image_copy (imgutils.c:230)
==13914== Address 0xd63c854 is 4 bytes before a block of size 153,600 alloc'd
==13914== at 0x644AC8C: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x644AD16: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==13914== by 0x82E6684: decode_frame (kgv1dec.c:67)
==13914==
==13914== Conditional jump or move depends on uninitialised value(s)
==13914== at 0x85977BB: swScale_MMX2 (common.h:124)
==13914==
==13914== Conditional jump or move depends on uninitialised value(s)
==13914== at 0x8597894: swScale_MMX2 (common.h:124)
==13914==
==13914== Conditional jump or move depends on uninitialised value(s)
==13914== at 0x85978B2: swScale_MMX2 (common.h:124)
...
```
Change History
comment:2 Changed 2 years ago by ami_stuff
This is expected because ffplay+libavfilter doesn't support input normalization in case of mid-stream size/format change. The proper fix requires the implementation of dynamic filterchain re-configuration.
another sample for test
comment:3 Changed 21 months ago by michael
- Status changed from new to closed
- Resolution set to fixed
ffplay has supported reconfiguring the filterchain for a short while, and this seems to work; the way it's handled has its issues, but this bug is fixed.
comment:4 Changed 21 months ago by cehoyos
- Status changed from closed to reopened
- Version changed from git to git-master
- Resolution fixed deleted
ffplay still does not support playing the sample from ticket #59.
http://samples.mplayerhq.hu/V-codecs/kgv1/kgv1.avi
comment:6 Changed 21 months ago by reimar
Correction, in valgrind I actually see invalid reads.
This is probably because the kgv decoder does this:
```c
prev = av_realloc(c->prev, w * h * 2);
```
So that means once decoding of the following frame starts, the result data from the previous one becomes invalid.
I suspect ffplay somehow can't handle that.
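A model of the hazard reimar describes, added here as an illustration rather than FFmpeg's own code or its eventual fix: `kgv_model_ctx`, `decode_frame_owned` and the fill-byte stand-in for real decoding are hypothetical. The decoder keeps its reference buffer private and hands the consumer a copy it owns, so a later `realloc` can no longer invalidate a frame that was already returned, and the dimension check stops the `w * h * 2` size computation from overflowing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the decoder state from comment 6; not FFmpeg code.
 * Returning c->prev itself is the hazard: the next call's realloc may move
 * or free that block while the consumer still reads the old pointer. */
typedef struct { uint8_t *prev; int w, h; } kgv_model_ctx;   /* 2 bytes/pixel */
typedef struct { uint8_t *data; int w, h; } out_frame;

/* Hardened pattern: the reference frame stays private to the decoder and the
 * consumer gets a separately allocated copy it owns (caller frees out->data).
 * Dimensions are validated before the size multiplication can overflow. */
static int decode_frame_owned(kgv_model_ctx *c, int w, int h, uint8_t fill,
                              out_frame *out) {
    if (w <= 0 || h <= 0 || (size_t)h > SIZE_MAX / 2 / (size_t)w)
        return -1;
    size_t need = (size_t)w * (size_t)h * 2;
    uint8_t *p = realloc(c->prev, need);      /* private buffer: moving is fine */
    if (!p) return -1;
    c->prev = p; c->w = w; c->h = h;
    memset(c->prev, fill, need);              /* stand-in for real decoding */
    out->data = malloc(need);
    if (!out->data) return -1;
    memcpy(out->data, c->prev, need);
    out->w = w; out->h = h;
    return 0;
}

/* 1 if every byte of the frame still holds the fill it was decoded with. */
static int frame_intact(const out_frame *f, uint8_t fill) {
    size_t n = (size_t)f->w * (size_t)f->h * 2;
    for (size_t i = 0; i < n; i++)
        if (f->data[i] != fill) return 0;
    return 1;
}

/* Decode two frames of different sizes (a mid-stream size change), check the
 * first is untouched, and check bad dimensions are rejected. 1 on success. */
static int demo_owned_frames_survive(void) {
    kgv_model_ctx c = {0};
    out_frame f1 = {0}, f2 = {0};
    int ok = decode_frame_owned(&c, 640, 480, 0x11, &f1) == 0 &&
             decode_frame_owned(&c, 320, 240, 0x22, &f2) == 0 &&
             frame_intact(&f1, 0x11) && frame_intact(&f2, 0x22) &&
             decode_frame_owned(&c, 0, 480, 0x33, &f2) == -1;
    free(f1.data); free(f2.data); free(c.prev);
    return ok;
}
```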
comment:7 Changed 21 months ago by cehoyos
Does not crash for ia32 and ppc, crashes for x86_64
```
(gdb) r -i kgv1.avi
Starting program: ffplay_g -i kgv1.avi
[Thread debugging using libthread_db enabled]
ffplay version N-32138-g312645e, Copyright (c) 2003-2011 the FFmpeg developers
built on Aug 29 2011 12:38:58 with gcc 4.5.3
configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc
libavutil 51. 14. 0 / 51. 14. 0
libavcodec 53. 12. 0 / 53. 12. 0
libavformat 53. 10. 0 / 53. 10. 0
libavdevice 53. 3. 0 / 53. 3. 0
libavfilter 2. 35. 0 / 2. 35. 0
libswscale 2. 0. 0 / 2. 0. 0
[New Thread 0x7ffff5299910 (LWP 16019)]
[New Thread 0x7ffff49ca910 (LWP 16020)]
[avi @ 0x1313a80] parser not found for codec pcm_s16le, packets or times may be invalid.
[avi @ 0x1313a80] parser not found for codec kgv1, packets or times may be invalid.
Input #0, avi, from 'kgv1.avi':
Duration: 00:00:05.21, start: 0.000000, bitrate: 1633 kb/s
Stream #0.0: Audio: pcm_s16le ([1][0][0][0] / 0x0001), 44100 Hz, 2 channels, s16, 1411 kb/s
Stream #0.1: Video: kgv1 (KGV1 / 0x3156474B), rgb555le, 640x480, 60 tbr, 60 tbn, 60 tbc
[New Thread 0x7ffff3fc4910 (LWP 16021)]
[New Thread 0x7ffff37c3910 (LWP 16022)]
[New Thread 0x7ffff2fc2910 (LWP 16023)]
[buffersink @ 0x13145c0] auto-inserting filter 'auto-inserted scaler 0' between the filter 'src' and the filter 'out'
[scale @ 0x7fffec000ae0] w:640 h:480 fmt:rgb555le -> w:640 h:480 fmt:yuv420p flags:0x4
1314614578.13 A-V: 0.000 s:0.0 aq= 320KB vq= 47KB sq= 0B f=0/0
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff37c3910 (LWP 16022)]
0x00007ffff68b97ab in memcpy () from /lib64/libc.so.6
(gdb) bt full
#0 0x00007ffff68b97ab in memcpy () from /lib64/libc.so.6
No symbol table info available.
#1 0x0000000000958f2f in av_image_copy_plane (height=238, bytewidth=1280, src_linesize=640,
src=<value optimized out>, dst_linesize=1280, dst=<value optimized out>) at libavutil/imgutils.c:239
No locals.
#2 av_image_copy (height=238, bytewidth=1280, src_linesize=640, src=<value optimized out>,
dst_linesize=1280, dst=<value optimized out>) at libavutil/imgutils.c:272
h = <value optimized out>
bwidth = -227366336
i = <value optimized out>
planes_nb = 1
desc = <value optimized out>
#3 0x0000000000408354 in input_request_frame (link=0x13144a0) at ffplay.c:1618
priv = 0x1316740
picref = 0x13192e0
pts = 0
pkt = {pts = 0, dts = 0, data = 0x1319ce0 "'\035", size = 898, stream_index = 1, flags = 1,
side_data = 0x0, side_data_elems = 0, duration = 1, destruct = 0x4ee6c0 <av_destruct_packet>,
priv = 0x14, pos = 3282, convergence_duration = 0}
#4 0x00000000004165ee in avfilter_request_frame (link=<value optimized out>)
at libavfilter/avfilter.c:505
No locals.
#5 0x0000000000423c24 in av_vsink_buffer_get_video_buffer_ref (ctx=<value optimized out>,
picref=0x7ffff37c3080, flags=0) at libavfilter/vsink_buffer.c:109
buf = 0x1312400
inlink = 0x1330680
ret = <value optimized out>
#6 0x00000000004099ec in video_thread (arg=0x7ffff49cb040) at ffplay.c:1766
picref = 0x0
is = 0x7ffff49cb040
frame = 0x1316500
pts_int = -9223372036854775808
pos = -1
pts = <value optimized out>
ret = <value optimized out>
graph = 0x12ee180
filt_out = 0x1314940
last_w = 640
last_h = 480
#7 0x00007ffff743f3b5 in ?? () from /usr/lib64/libSDL-1.2.so.0
No symbol table info available.
#8 0x00007ffff7482539 in ?? () from /usr/lib64/libSDL-1.2.so.0
No symbol table info available.
#9 0x00007ffff721565d in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#10 0x00007ffff690aecd in clone () from /lib64/libc.so.6
No symbol table info available.
#11 0x0000000000000000 in ?? ()
No symbol table info available.
```