[FFmpeg-trac] #10795(ffmpeg:open): scale2ref filter crash

FFmpeg trac at avcodec.org
Fri Mar 8 01:39:35 EET 2024


#10795: scale2ref filter crash
---------------------------------------+----------------------------------
             Reporter:  Axel Terizaki  |                    Owner:  (none)
                 Type:  defect         |                   Status:  open
             Priority:  important      |                Component:  ffmpeg
              Version:  git-master     |               Resolution:
             Keywords:  bounty         |               Blocked By:
             Blocking:  7.0            |  Reproduced by developer:  0
Analyzed by developer:  0              |
---------------------------------------+----------------------------------
Comment (by Niklas Haas):

 I investigated this issue. Here is a summary of the scenario:

 1. The input to scale2ref consists of infinite frames on [0] and a single
 frame on [1]
 2. vf_overlay (based on ff_framesync) tries to consume frames from both,
 but since `shortest=0`, it will happily continue reading from even a
 single source
 3. As soon as [1] hits EOF, the default activate on scale2ref forwards
 this to the corresponding output, and the new code added in d9e41ead82
 then forwards this to the other input [0] as well
 4. However, the filter's other inputs are never properly drained after
 doing so, the way they would be on a true EOF coming from upstream
 5. This leads to a situation where the filter graph is incompletely
 activated

 The following diff appears to work for me:

 ```
 diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c
 index 0afc9533750..f660b9fee3d 100644
 --- a/libavfilter/avfilter.c
 +++ b/libavfilter/avfilter.c
 @@ -1198,13 +1198,17 @@ static int
 ff_filter_activate_default(AVFilterContext *filter)
      unsigned i;

      for (i = 0; i < filter->nb_outputs; i++) {
 -        FilterLinkInternal *li = ff_link_internal(filter->outputs[i]);
 -        int ret = li->status_in;
 +        FilterLinkInternal * const li_out =
 ff_link_internal(filter->outputs[i]);
 +        int ret = li_out->status_in;

          if (ret) {
 -            for (int j = 0; j < filter->nb_inputs; j++)
 -                ff_inlink_set_status(filter->inputs[j], ret);
 -            return 0;
 +            for (int j = 0; j < filter->nb_inputs; j++) {
 +                FilterLinkInternal * const li_in =
 ff_link_internal(filter->inputs[i]);
 +                if (!li_in->status_out) {
 +                    ff_inlink_set_status(filter->inputs[j], ret);
 +                    return forward_status_change(filter, li_in);
 +                }
 +            }
          }
      }

 ```
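Review bot: the added inner loop looks up `li_in` with `ff_link_internal(filter->inputs[i])`, but `i` is the index of the outer loop over outputs, while the loop variable is `j` and the next line sets the status on `filter->inputs[j]`. When a filter has more outputs than inputs, `inputs[i]` can also be out of range. It should probably read `ff_link_internal(filter->inputs[j])`, so that the `status_out` check and the `forward_status_change()` call refer to the same input that receives the status. Two behaviour changes are also worth a comment in the code or the commit message: the `return` inside the loop exits after the first input whose `status_out` is unset, so the remaining inputs are not marked in this activation, and with the old `return 0;` removed, the case where every input already has `status_out` set now continues the outer loop instead of returning.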
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10795#comment:6>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

