Crash when reading mkv file

[cehoyos]

Attached file crashes current FFmpeg in metadata.c.

(gdb) r -i crash.mkv
FFmpeg version git-N-28581-g4fa0e24, Copyright (c) 2000-2011 the FFmpeg developers
  built on Mar 23 2011 06:04:48 with gcc 4.5.2
  configuration: --cc=/usr/local/gcc-4.5.2/bin/gcc --enable-gpl
  libavutil    50. 40. 0 / 50. 40. 0
  libavcodec   52.114. 0 / 52.114. 0
  libavformat  52.103. 0 / 52.103. 0
  libavdevice  52.  3. 0 / 52.  3. 0
  libavfilter   1. 76. 0 /  1. 76. 0
  libswscale    0. 12. 0 /  0. 12. 0

Program received signal SIGSEGV, Segmentation fault.
av_metadata_set2 (pm=0x188, key=0x7fffffffd470 "LANGUAGE", value=0x11ef000 "fra", flags=0)
    at libavformat/metadata.c:51
51          AVMetadata *m= *pm;
(gdb) bt
#0  av_metadata_set2 (pm=0x188, key=0x7fffffffd470 "LANGUAGE", value=0x11ef000 "fra", flags=0)
    at libavformat/metadata.c:51
#1  0x0000000000488507 in matroska_convert_tag (s=0x11ed650, list=0x11eef68, metadata=0x188, prefix=0x0)
    at libavformat/matroskadec.c:1063
#2  0x000000000048a4c2 in matroska_convert_tags (s=0x11ed650) at libavformat/matroskadec.c:1101
#3  matroska_read_header (s=0x11ed650) at libavformat/matroskadec.c:1547
#4  0x00000000004e9c11 in av_open_input_stream (ic_ptr=0x7fffffffdbb8, pb=0x11f66f0,
    filename=0x7fffffffe28c "crash.mkv", fmt=0xc86980, ap=0x7fffffffdb80) at libavformat/utils.c:491
#5  0x00000000004ea129 in av_open_input_file (ic_ptr=<value optimized out>,
    filename=<value optimized out>, fmt=0xc86980, buf_size=<value optimized out>,
    ap=<value optimized out>) at libavformat/utils.c:647
#6  0x000000000040c758 in opt_input_file (filename=0x7fffffffe28c "crash.mkv") at ffmpeg.c:3148
#7  0x0000000000410702 in parse_options (argc=3, argv=0x7fffffffde18, options=0x8efc60,
    parse_arg_function=0x40edf0 <opt_output_file>) at cmdutils.c:220
#8  0x000000000040f9b2 in main (argc=3, argv=0x7fffffffde18) at ffmpeg.c:4324
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x494727 to 0x494767:
0x0000000000494727 <av_metadata_set2+7>:        fs
0x0000000000494728 <av_metadata_set2+8>:        and    $0xe0,%al
0x000000000049472a <av_metadata_set2+10>:       mov    %ecx,%ebp
0x000000000049472c <av_metadata_set2+12>:       mov    %r13,-0x18(%rsp)
0x0000000000494731 <av_metadata_set2+17>:       mov    %r14,-0x10(%rsp)
0x0000000000494736 <av_metadata_set2+22>:       mov    %rdi,%r13
0x0000000000494739 <av_metadata_set2+25>:       mov    %r15,-0x8(%rsp)
0x000000000049473e <av_metadata_set2+30>:       mov    %rbx,-0x30(%rsp)
0x0000000000494743 <av_metadata_set2+35>:       sub    $0x48,%rsp
0x0000000000494747 <av_metadata_set2+39>:       mov    (%rdi),%rbx
0x000000000049474a <av_metadata_set2+42>:       mov    %rdx,%r14
0x000000000049474d <av_metadata_set2+45>:       xor    %edx,%edx
0x000000000049474f <av_metadata_set2+47>:       mov    %rsi,%r12
0x0000000000494752 <av_metadata_set2+50>:       mov    %rbx,%rdi
0x0000000000494755 <av_metadata_set2+53>:       callq  0x4945d0 <av_metadata_get>
0x000000000049475a <av_metadata_set2+58>:       test   %rbx,%rbx
0x000000000049475d <av_metadata_set2+61>:       mov    %rax,%r15
0x0000000000494760 <av_metadata_set2+64>:       je     0x494878 <av_metadata_set2+344>
0x0000000000494766 <av_metadata_set2+70>:       test   %r15,%r15
End of assembler dump.
(gdb) info registers
rax            0x8      8
rbx            0x11eef80        18804608
rcx            0x0      0
rdx            0x11ef000        18804736
rsi            0x7fffffffd470   140737488344176
rdi            0x188    392
rbp            0x0      0x0
rsp            0x7fffffffd410   0x7fffffffd410
r8             0xfeff7efef6047cff       -72199435500356353
r9             0x101010101010101        72340172838076673
r10            0x0      0
r11            0x7ffff6d7edd6   140737334734294
r12            0x7fffffffd470   140737488344176
r13            0x188    392
r14            0x0      0
r15            0x11eef68        18804584
rip            0x494747 0x494747 <av_metadata_set2+39>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

[aurel]

Interesting broken sample which seems to have been generated by lavf.
It would be useful to know exactly how this sample was generated to
fix the muxer.

Anyway, I fixed the demuxer crash in git-N-28583-g2851b1f

I don't have permission to assign the ticket to myself (and to close it).

[cehoyos]

I produced the sample (by accident, possibly setting all codec_tags to 0 in mpegts.c and copying all streams) when I tried to understand ticket #8. (I currently believe that the MPEG-TS demuxer should never set codec_tag and especially not for private streams 0x6.)

Thank you for the quick fix!

[aurel]

OK. I think I found and fixed the bug in the muxer too.