Ticket #1730 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

Crash while demuxing m4a file

Reported by: Bert Owned by:
Priority: important Component: avformat
Version: git-master Keywords: mov crash SIGSEGV apic id3
Cc: donmoir@… Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
How to reproduce:

ffmpeg -v 9 -loglevel 99 -i 05.m4a
ffmpeg version 0.11.1.git Copyright (c) 2000-2012 the FFmpeg developers
  built on Sep 10 2012 13:52:16 with gcc 4.1.2 (GCC) 20061115 (prerelease) (SUSE Linux)
  configuration: --enable-debug=3 --disable-asm --disable-stripping --enable-gpl --disable-shared --enable-static --disable-encoders --disable-decoders --disable-bsfs --disable-filters --disable-muxers --disable-hwaccels --disable-indevs --disable-outdevs --disable-devices --disable-protocols --disable-demuxers --disable-parsers --disable-altivec --disable-decoder=vorbis --enable-decoder=alac --enable-decoder=mp3 --enable-decoder=aac --enable-parser=aac --enable-parser=alac --enable-parser=mpegaudio --enable-demuxer=aac --enable-demuxer=alac --enable-demuxer=aiff --enable-demuxer=asf --enable-demuxer=mov --enable-demuxer=mp3 --enable-demuxer=pcm_alaw --enable-demuxer=pcm_f32be --enable-demuxer=pcm_f32le --enable-demuxer=pcm_f64be --enable-demuxer=pcm_f64le --enable-demuxer=pcm_mulaw --enable-demuxer=pcm_s16be --enable-demuxer=pcm_s16le --enable-demuxer=pcm_s24be --enable-demuxer=pcm_s24le --enable-demuxer=pcm_s32be --enable-demuxer=pcm_s32le --enable-demuxer=pcm_s8 --enable-demuxer=pcm_u16be --enable-demuxer  libavutil      51. 72.100 / 51. 72.100
  libavcodec     54. 55.100 / 54. 55.100
  libavformat    54. 25.105 / 54. 25.105
  libavdevice    54.  2.100 / 54.  2.100
  libavfilter     3. 16.101 /  3. 16.101
  libswscale      2.  1.101 /  2.  1.101
  libswresample   0. 15.100 /  0. 15.100
  libpostproc    52.  0.100 / 52.  0.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x83364e0] Format mov,mp4,m4a,3gp,3g2,mj2 probed with size=32768 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x83364e0] ISO: File Type Major Brand: M4A
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x83364e0] Unknown cover type: 0x0.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x83364e0] File position before avformat_find_stream_info() is 9597458
Segmentation fault

This FFmpeg was build on Ubuntu 10.04.
We are demux a m4a file which is actually corrupted and its not played by iTunes or VLC. FFmpeg 0.8.6 was able to demux correctly but FFmpeg Trunk is crashing for the same file.
We are also providing a patch which solves this problem.

Change History

comment:1 Changed 8 months ago by cehoyos

  • Keywords mov crash added; m4a segmentation fault removed

Please provide the sample.

comment:3 Changed 8 months ago by cehoyos

  • Status changed from new to open
  • Reproduced by developer set

Regression since 079ea6c / 79ae084

(gdb) r -i FFMpeg_Bug_1730_crash_demuxing_m4a.m4a
Starting program: ffmpeg_g -i FFMpeg_Bug_1730_crash_demuxing_m4a.m4a
[Thread debugging using libthread_db enabled]
ffmpeg version N-44432-g59db014 Copyright (c) 2000-2012 the FFmpeg developers
  built on Sep 13 2012 18:43:05 with gcc 4.5.3 (GCC)
  configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc
  libavutil      51. 73.100 / 51. 73.100
  libavcodec     54. 55.100 / 54. 55.100
  libavformat    54. 27.100 / 54. 27.100
  libavdevice    54.  2.100 / 54.  2.100
  libavfilter     3. 16.103 /  3. 16.103
  libswscale      2.  1.101 /  2.  1.101
  libswresample   0. 15.100 /  0. 15.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x148c240] Unknown cover type: 0x0.

Program received signal SIGSEGV, Segmentation fault.
mov_find_next_sample (st=<value optimized out>, s=<value optimized out>) at libavformat/mov.c:3071
3071            if (msc->pb && msc->current_sample < avst->nb_index_entries) {
(gdb) bt
#0  mov_find_next_sample (st=<value optimized out>, s=<value optimized out>) at libavformat/mov.c:3071
#1  mov_read_packet (st=<value optimized out>, s=<value optimized out>) at libavformat/mov.c:3098
#2  0x00000000005118c2 in ff_read_packet (s=0x148c240, pkt=0x7fffffffd240) at libavformat/utils.c:750
#3  0x0000000000511c1b in read_frame_internal (s=0x148c240, pkt=0x7fffffffd5e0)
    at libavformat/utils.c:1306
#4  0x000000000051488b in avformat_find_stream_info (ic=0x148c240, options=0x14920e0)
    at libavformat/utils.c:2633
#5  0x000000000040992d in opt_input_file (optctx=<value optimized out>, opt=<value optimized out>,
    filename=0x7fffffffe261 "FFMpeg_Bug_1730_crash_demuxing_m4a.m4a") at ffmpeg_opt.c:770
#6  0x00000000004187c3 in parse_option (optctx=0x7fffffffd980, opt=0x7fffffffe25f "i",
    arg=0x7fffffffe261 "FFMpeg_Bug_1730_crash_demuxing_m4a.m4a", options=<value optimized out>)
    at cmdutils.c:319
#7  0x0000000000418ba7 in parse_options (optctx=0x7fffffffd980, argc=3, argv=0x7fffffffdde8,
    options=0xac02a0, parse_arg_function=0x40a3f0 <opt_output_file>) at cmdutils.c:352
#8  0x0000000000416211 in main (argc=3, argv=0x7fffffffdde8) at ffmpeg.c:3135
(gdb) disass $pc-37 $pc+32
Dump of assembler code from 0x49b15f to 0x49b1a4:
0x000000000049b15f <mov_find_next_sample+23>:   je     0x49b4e0 <mov_find_next_sample+920>
0x000000000049b165 <mov_find_next_sample+29>:   nopl   (%rax)
0x000000000049b168 <mov_find_next_sample+32>:   add    $0x1,%r12d
0x000000000049b16c <mov_find_next_sample+36>:   cmp    %ecx,%r12d
0x000000000049b16f <mov_find_next_sample+39>:   jae    0x49b200 <mov_read_packet+256>
0x000000000049b175 <mov_find_next_sample+45>:   mov    0x30(%rbx),%rax
0x000000000049b179 <mov_find_next_sample+49>:   movslq %r12d,%rdx
0x000000000049b17c <mov_find_next_sample+52>:   mov    (%rax,%rdx,8),%r13
0x000000000049b180 <mov_find_next_sample+56>:   mov    0x18(%r13),%rax
0x000000000049b184 <mov_find_next_sample+60>:   mov    (%rax),%r14
0x000000000049b187 <mov_find_next_sample+63>:   test   %r14,%r14
0x000000000049b18a <mov_find_next_sample+66>:   je     0x49b168 <mov_find_next_sample+32>
0x000000000049b18c <mov_find_next_sample+68>:   mov    0xb0(%rax),%edx
0x000000000049b192 <mov_find_next_sample+74>:   cmp    0x1e0(%r13),%edx
0x000000000049b199 <mov_find_next_sample+81>:   jge    0x49b168 <mov_find_next_sample+32>
0x000000000049b19b <mov_find_next_sample+83>:   movslq %edx,%rdx
0x000000000049b19e <mov_find_next_sample+86>:   mov    $0xf4240,%esi
0x000000000049b1a3 <mov_find_next_sample+91>:   lea    (%rdx,%rdx,2),%r15
End of assembler dump.
(gdb) info register
rax            0x0      0
rbx            0x148c240        21545536
rcx            0x2      2
rdx            0x1      1
rsi            0xf4240  1000000
rdi            0x0      0
rbp            0x7ffff7f67010   0x7ffff7f67010
rsp            0x7fffffffd140   0x7fffffffd140
r8             0xac44   44100
r9             0x5622   22050
r10            0x0      0
r11            0x1      1
r12            0x1      1
r13            0x1493ba0        21576608
r14            0x1494960        21580128
r15            0x7ffff7f67010   140737353510928
rip            0x49b184 0x49b184 <mov_find_next_sample+60>
eflags         0x10297  [ CF PF AF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

comment:4 Changed 8 months ago by DonMoir

  • Cc donmoir@… added

comment:5 Changed 8 months ago by cehoyos

  • Keywords SIGSEGV added

comment:6 Changed 8 months ago by michael

  • Keywords apic id3 added
  • Status changed from open to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.