[Ffmpeg-devel] [BUG] Segfault in h264 decoder on corrupt input

Michael Niedermayer michaelni
Thu Mar 15 19:16:02 CET 2007


Hi

On Thu, Mar 15, 2007 at 03:07:19PM +0100, Matthias Hopf wrote:
> On Mar 14, 07 15:58:44 +0100, Panagiotis Issaris wrote:
> > The commandline used to cause the crash:
> > ffplay_g -stats pi-20070314T154046-ffmpeg-ffplay_crash.h264
> > Input #0, h264, from 'pi-20070314T154046-ffmpeg-ffplay_crash.h264':
> >   Duration: N/A, bitrate: N/A
> >   Stream #0.0: Video: h264, yuv420p, 320x240, 25.00 fps(r)
> > [h264 @ 0x847a2dc]negative number of zero coeffs at 13 5
> > ...
> > [h264 @ 0x847a2dc]decode_slice_header error
> > [h264 @ 0x847a2dc]concealing 300 DC, 300 AC, 300 MV errors
> > Segmentation fault (core dumped)
> 
> The attached patch *might* also fix this one. Please test.
> But don't hold your breath.
[...]
> Index: h264.c
> ===================================================================
> --- h264.c	(revision 8408)
> +++ h264.c	(working copy)
> @@ -4659,8 +4659,9 @@
>          s->picture_structure= PICT_FRAME;
>      }else{
>          if(get_bits1(&s->gb)) { //field_pic_flag
> -            s->picture_structure= PICT_TOP_FIELD + get_bits1(&s->gb); //bottom_field_flag
> +            //s->picture_structure= PICT_TOP_FIELD + get_bits1(&s->gb); //bottom_field_flag
>              av_log(h->s.avctx, AV_LOG_ERROR, "PAFF interlacing is not implemented\n");
> +            return -1;
>          } else {

ok


>              s->picture_structure= PICT_FRAME;
>              h->mb_aff_frame = h->sps.mb_aff;
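Review bot: the commented-out assignment in this hunk (`//s->picture_structure= PICT_TOP_FIELD + get_bits1(&s->gb); //bottom_field_flag`) should be deleted rather than left behind as a comment; with the `return -1` right after the `av_log` it is dead code, and the repository history already keeps the old line. The early return itself is the right shape: the unsupported PAFF case now rejects the slice header instead of continuing with `picture_structure` set for a mode the decoder cannot handle, which is what the "not implemented" message already promises.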
> @@ -4716,8 +4717,10 @@
>      if(h->slice_type == P_TYPE || h->slice_type == SP_TYPE || h->slice_type == B_TYPE){
>          if(h->slice_type == B_TYPE){
>              h->direct_spatial_mv_pred= get_bits1(&s->gb);
> -            if(h->sps.mb_aff && h->direct_spatial_mv_pred)
> +            if(h->sps.mb_aff && h->direct_spatial_mv_pred){
>                  av_log(h->s.avctx, AV_LOG_ERROR, "MBAFF + spatial direct mode is not implemented\n");
> +                return -1;
> +            }
>          }

ok


>          num_ref_idx_active_override_flag= get_bits1(&s->gb);
>  
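Review bot: the new `return -1` leaves `decode_slice_header` before `num_ref_idx_active_override_flag` and the rest of the header are parsed, so rejecting MBAFF + spatial direct here is only safe if every caller treats a negative return as "do not use this slice" rather than continuing with the partially filled header; the commit message should say that such streams are now refused rather than decoded with wrong results. The braces added around the `if` body are required for the second statement and are correct.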
> @@ -8175,7 +8178,7 @@
>  
>              if(decode_slice_header(h) < 0){
>                  av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n");
> -                break;
> +                return -1;
>              }
>              s->current_picture_ptr->key_frame= (h->nal_unit_type == NAL_IDR_SLICE);
>              if(h->redundant_pic_count==0 && s->hurry_up < 5
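Review bot: replacing `break` with `return -1` here turns a per-NAL-unit skip into an abort of the whole packet: the original `break` left the `switch` and let the loop continue with the next NAL unit, whereas now every following slice in the packet is dropped on the first bad slice header, which costs error resilience on exactly the corrupt input this thread is about. The reported log shows `decode_slice_header error` followed by the concealment message and only then the segfault, so the crash comes from the state a failed header leaves behind (the very next line dereferences `s->current_picture_ptr`), and that state is what needs fixing; the early return only hides the symptom.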

not ok


> @@ -8193,6 +8196,7 @@
>  
>              if(decode_slice_header(h) < 0){
>                  av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n");
> +                return -1;
>              }
>              break;
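Review bot: the `break;` already present after the `if` block means a failed `decode_slice_header` in this case was already skipped for this NAL unit, so the added `return -1` does nothing for the partial-header problem and only escalates the skip into abandoning the remaining NAL units of the packet. If the goal is consistency with the first `decode_slice_header` call site, keeping the existing `break` and fixing the invalid state the failed header leaves behind is the smaller and safer change.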

not ok

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato