[FFmpeg-trac] #11592(avcodec:new): vp3 crash when using threading

FFmpeg trac at avcodec.org
Fri May 16 11:12:51 EEST 2025


#11592: vp3 crash when using threading
-------------------------------------+-------------------------------------
             Reporter:  Mika         |                     Type:  defect
  Fischer                            |
               Status:  new          |                 Priority:  normal
            Component:  avcodec      |                  Version:  git-
                                     |  master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 Crash in the vp3 decoder when using thread_count != 1

 How to reproduce:
 {{{
 #include <assert.h>
 extern "C" {
 #include <libavcodec/avcodec.h>
 #include <libavcodec/packet.h>
 #include <libavformat/avformat.h>
 #include <libavutil/avutil.h>
 #include <libavutil/frame.h>
 }

 // Abort (through assert) unless a libav* return value equals the expected one.
 // Used so the reproducer stops at the first unexpected step instead of
 // continuing with an invalid context.
 static void check(int64_t ret, int64_t expected) {
     const bool matches = (ret == expected);
     assert(matches);
     (void)matches;  // keeps -Wunused quiet if NDEBUG strips the assert
 }

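 // Reproducer for the flush/decode crash: open the one-packet sample, decode it
 // with frame threading enabled, flush, and decode it again. The ticket reports
 // the SIGSEGV in the decoding that follows avcodec_flush_buffers().
 // Everything here relies on assert(), so build without -DNDEBUG.
 int main() {
     AVFormatContext* ic = nullptr;
     check(avformat_open_input(&ic, "blackwhite_yuv444p.ogv", nullptr, nullptr), 0);
     check(avformat_find_stream_info(ic, nullptr), 0);
     check(ic->nb_streams, 1);

     // Fail here if no decoder is registered, rather than with a less obvious
     // error out of avcodec_open2() later on.
     const AVCodec* codec = avcodec_find_decoder(ic->streams[0]->codecpar->codec_id);
     assert(codec);
     AVCodecContext* avctx = avcodec_alloc_context3(codec);
     assert(avctx);
     // thread_count != 1 is what triggers the bug (0 = let libavcodec choose).
     avctx->thread_count = 0;
     check(avcodec_parameters_to_context(avctx, ic->streams[0]->codecpar), 0);
     check(avcodec_open2(avctx, nullptr, nullptr), 0);

     AVPacket* pkt = av_packet_alloc();
     AVPacket* pkt2 = av_packet_alloc();
     assert(pkt && pkt2);
     check(av_read_frame(ic, pkt), 0);
     // The sample is expected to contain exactly one packet.
     check(av_read_frame(ic, pkt2), AVERROR_EOF);

     AVFrame* frame = av_frame_alloc();
     assert(frame);

     // Two identical flush -> decode -> drain rounds; the same packet is
     // re-sent each time (avcodec_send_packet does not consume it).
     for (int round = 0; round < 2; round++) {
         avcodec_flush_buffers(avctx);
         check(avcodec_send_packet(avctx, pkt), 0);
         check(avcodec_send_packet(avctx, nullptr), 0);
         check(avcodec_receive_frame(avctx, frame), 0);
         check(avcodec_receive_frame(avctx, frame), AVERROR_EOF);
     }

     // Release everything so the reproducer is clean under leak checkers once
     // the crash itself is fixed.
     av_frame_free(&frame);
     av_packet_free(&pkt2);
     av_packet_free(&pkt);
     avcodec_free_context(&avctx);
     avformat_close_input(&ic);
     return 0;
 }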
 }}}

 blackwhite_yuv444p.ogv is from the chromium test suite:
 https://github.com/chromium/chromium/raw/refs/heads/main/media/test/data/blackwhite_yuv444p.ogv

 avcodec_flush_buffers replaces s->coeff_vlc with a null pointer:
 {{{
 #0  ff_refstruct_unref (objp=0x55555558a8a0) at libavcodec/refstruct.c:130
 #1  0x00007ffff70995fb in ff_refstruct_replace (dstp=0x55555558a8a0,
 src=0x0) at libavcodec/refstruct.c:167
 #2  0x00007ffff7267ad4 in vp3_update_thread_context (dst=0x5555556cb680,
 src=0x555555796d00) at libavcodec/vp3.c:2530
 #3  0x00007ffff7059335 in update_context_from_thread (dst=0x5555556cb680,
 src=0x555555796d00, for_user=0) at libavcodec/pthread_frame.c:420
 #4  0x00007ffff705afa1 in ff_thread_flush (avctx=0x55555555b100) at
 libavcodec/pthread_frame.c:994
 #5  0x00007ffff6967a4c in avcodec_flush_buffers (avctx=0x55555555b100) at
 libavcodec/avcodec.c:392
 #6  0x000055555555576c in main ()
 }}}

 Subsequent decoding then accesses this null pointer:
 {{{
 Thread 2 "av:theora:df0" received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7ffff4ffb640 (LWP 3736249)]
 unpack_dct_coeffs (s=0x5555555834c0, gb=0x7ffff4ffaca0) at
 libavcodec/vp3.c:1319
 1319        residual_eob_run = unpack_vlcs(s, gb, coeff_vlc[dc_y_table],
 0,
 (gdb) bt
 #0  unpack_dct_coeffs (s=0x5555555834c0, gb=0x7ffff4ffaca0) at
 libavcodec/vp3.c:1319
 #1  0x00007ffff7268769 in vp3_decode_frame (avctx=0x5555556cb680,
 frame=0x7fffe8021ac0, got_frame=0x7ffff4ffad00, avpkt=0x5555556cbc40) at
 libavcodec/vp3.c:2767
 #2  0x00007ffff6abb42b in decode_simple_internal (avctx=0x5555556cb680,
 frame=0x7fffe8021ac0, discarded_samples=0x7ffff4ffad70) at
 libavcodec/decode.c:442
 #3  0x00007ffff6abb99c in decode_simple_receive_frame
 (avctx=0x5555556cb680, frame=0x7fffe8021ac0) at libavcodec/decode.c:612
 #4  0x00007ffff6abbb4b in ff_decode_receive_frame_internal
 (avctx=0x5555556cb680, frame=0x7fffe8021ac0) at libavcodec/decode.c:648
 #5  0x00007ffff7058d50 in frame_worker_thread (arg=0x55555555eb00) at
 libavcodec/pthread_frame.c:295
 #6  0x00007ffff51bdac3 in start_thread (arg=<optimized out>) at
 ./nptl/pthread_create.c:442
 #7  0x00007ffff524f850 in clone3 () at
 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 }}}

 The crash happens in both 7.1 and master.
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11592>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

