ffprobe crash on broken file

[Krieger]

version N-35487-g15130b9

Media file  http://dl.dropbox.com/u/43104344/libav_loop/crash_5.ts

Program terminated with signal 11, Segmentation fault.
#0  0xb6c7558b in filter_mb_dir (h=0xb5da9020, mb_x=0, mb_y=0, 
    img_y=0xb5c0af30 "\020\020\020\020\024\027\035!", '\037' <repeats 192 times>..., 
    img_cb=0x92ea498 "\177\177\177\177\177\177\177\177", '~' <repeats 192 times>..., 
    img_cr=0x9301e28 '\177' <repeats 200 times>..., linesize=752, uvlinesize=376, mb_xy=0, 
    mb_type=168430104, mvy_limit=4, first_vertical_edge_done=0, a=48, b=48, chroma=1, dir=0)
    at h264_loopfilter.c:550
550                     qp = (s->current_picture.f.qscale_table[mb_xy] + s->current_picture.f.qscale_table[mbm_xy] + 1) >> 1;
(gdb) bt
#0  0xb6c7558b in filter_mb_dir (h=0xb5da9020, mb_x=0, mb_y=0, 
    img_y=0xb5c0af30 "\020\020\020\020\024\027\035!", '\037' <repeats 192 times>..., 
    img_cb=0x92ea498 "\177\177\177\177\177\177\177\177", '~' <repeats 192 times>..., 
    img_cr=0x9301e28 '\177' <repeats 200 times>..., linesize=752, uvlinesize=376, mb_xy=0, 
    mb_type=168430104, mvy_limit=4, first_vertical_edge_done=0, a=48, b=48, chroma=1, dir=0)
    at h264_loopfilter.c:550
#1  0xb6c76ca4 in ff_h264_filter_mb (h=0xb5da9020, mb_x=0, mb_y=0, 
    img_y=0xb5c0af30 "\020\020\020\020\024\027\035!", '\037' <repeats 192 times>..., 
    img_cb=0x92ea498 "\177\177\177\177\177\177\177\177", '~' <repeats 192 times>..., 
    img_cr=0x9301e28 '\177' <repeats 200 times>..., linesize=752, uvlinesize=376)
    at h264_loopfilter.c:794
#2  0xb6c74993 in ff_h264_filter_mb_fast (h=0xb5da9020, mb_x=0, mb_y=0, 
    img_y=0xb5c0af30 "\020\020\020\020\024\027\035!", '\037' <repeats 192 times>..., 
    img_cb=0x92ea498 "\177\177\177\177\177\177\177\177", '~' <repeats 192 times>..., 
    img_cr=0x9301e28 '\177' <repeats 200 times>..., linesize=752, uvlinesize=376)
    at h264_loopfilter.c:388
#3  0xb6c56f97 in loop_filter (h=0xb5da9020, start_x=0, end_x=45) at libavcodec/h264.c:3572
#4  0xb6c578c1 in decode_slice (avctx=0x925d8c0, arg=0xbff1e680) at libavcodec/h264.c:3722
#5  0xb6c57be7 in execute_decode_slices (h=0xb5da9020, context_count=1) at libavcodec/h264.c:3779
#6  0xb6c5890d in decode_nal_units (h=0xb5da9020, buf=0x92912d0 "", buf_size=19533)
    at libavcodec/h264.c:4040
#7  0xb6c58bb9 in decode_frame (avctx=0x925d8c0, data=0xbff1e7f4, data_size=0xbff1e904, 
    avpkt=0xbff1e7b0) at libavcodec/h264.c:4117
#8  0xb6e308a9 in avcodec_decode_video2 (avctx=0x925d8c0, picture=0xbff1e7f4, 
    got_picture_ptr=0xbff1e904, avpkt=0xbff1e7b0) at libavcodec/utils.c:960
#9  0xb7659cc7 in try_decode_frame (st=0x925d6f0, avpkt=0x9286c10, options=0x0)
    at libavformat/utils.c:2234
#10 0xb765ae4e in avformat_find_stream_info (ic=0x9259b50, options=0x0) at libavformat/utils.c:2537
#11 0x0804d0f4 in open_input_file (fmt_ctx_ptr=0xbff1ec2c, filename=0xbff200d0 "crash_5.ts")
---Type <return> to continue, or q <return> to quit---
    at ffprobe.c:1096
#12 0x0804d2e3 in probe_file (filename=0xbff200d0 "crash_5.ts") at ffprobe.c:1154
#13 0x0804d640 in main (argc=2, argv=0xbff1ed34) at ffprobe.c:1265

See bt full in attach.

[cehoyos]

I am unable to reproduce the crash and valgrind reports no invalid memory access.

Can you reproduce the crash with './configure && make'?
Does 'ffmpeg -i crash_5.ts' crash? Or 'ffmpeg -i crash_5.ts -f null'?

[Krieger]

I'll be able to do that tomorrow.
Are you sure you used exactly same revision as reported?

[cehoyos]

No, I tested N-35491.

[cehoyos]

I am unable to reproduce a crash (or an invalid memory access) with the sample.

Please test "./configure && make" (and reopen if it still crashes), if this works fine, please try to find the configure option that triggers the crash (and please try to provide a smaller sample, mpegts should allow you to cut the sample considerably).