[FFmpeg-devel] ffplay segfaults on invalid h264 stream
Panagiotis Issaris
takis.issaris
Thu May 3 17:53:47 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
ffplay segfaults on a specific stream I'm trying to decode. I'm
using revision 8880.
takis at issaris:~/stream$ gdb /usr/local/src/ffmpeg-pi/ffplay_g
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r pi-20070503T132200-capturedgrandstream.xml.h264
Starting program: /usr/local/src/ffmpeg-pi/ffplay_g
pi-20070503T132200-capturedgrandstream.xml.h264
[Thread debugging using libthread_db enabled]
[New Thread -1213413696 (LWP 12749)]
[New Thread -1213588592 (LWP 12752)]
[New Thread -1222751344 (LWP 12753)]
[h264 @ 0x8522448]reference picture missing during reorder
[h264 @ 0x8522448]reference count overflow
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]concealing 123 DC, 123 AC, 123 MV errors
[New Thread -1231385712 (LWP 12754)]
[h264 @ 0x8522448]reference picture missing during reorder
[h264 @ 0x8522448]reference count overflow
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]concealing 123 DC, 123 AC, 123 MV errors
[h264 @ 0x8522448]slice type too large (1) at 7 3
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]slice type too large (1) at 7 3
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]non existing PPS referenced
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]non existing PPS referenced
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]concealing 233 DC, 233 AC, 233 MV errors
[h264 @ 0x8522448]slice type too large (1) at 17 4
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]top block unavailable for requested intra mode at 7 0
[h264 @ 0x8522448]error while decoding MB 7 0
[h264 @ 0x8522448]deblocking_filter_idc 7 out of range
[h264 @ 0x8522448]decode_slice_header error
[h264 @ 0x8522448]concealing 300 DC, 300 AC, 300 MV errors
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231385712 (LWP 12754)]
decode_slice_header (h=0x8690500) at h264.c:4402
4402 h->mmco[0].short_frame_num= h->short_ref[
h->short_ref_count - 1 ]->frame_num;
(gdb) bt
#0 decode_slice_header (h=0x8690500) at h264.c:4402
#1 0x083061fd in decode_nal_units (h=0x8690500, buf=0x86740e0 "",
buf_size=637) at h264.c:8175
#2 0x083073eb in decode_frame (avctx=0x8668760, data=0x870ae80,
data_size=0xb69a8384, buf=0x86740e0 "", buf_size=637) at h264.c:8357
#3 0x080c46e2 in avcodec_decode_video (avctx=0x8668760,
picture=0x870ae80, got_picture_ptr=0xb69a8384, buf=0x86740e0 "",
buf_size=637) at utils.c:906
#4 0x0805fa2c in video_thread (arg=0xb71e5020) at ffplay.c:1372
#5 0xb7d5cceb in ?? () from /usr/lib/libSDL-1.2.so.0
#6 0xb71e5020 in ?? ()
#7 0x0805f990 in ?? () at ffplay.c:1474
#8 0x08668aa0 in ?? ()
#9 0xb7db2820 in ?? () from /usr/lib/libSDL-1.2.so.0
#10 0x00000000 in ?? ()
(gdb)
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x82fcb91 to 0x82fcbd1:
0x082fcb91 <decode_slice_header+10481>: sbb %esp,%edi
0x082fcb93 <decode_slice_header+10483>: (bad)
0x082fcb94 <decode_slice_header+10484>: inc %ecx
0x082fcb96 <decode_slice_header+10486>: ljmp $0x84e9,$0x8c68308
0x082fcb9d <decode_slice_header+10493>: std
0x082fcb9e <decode_slice_header+10494>: (bad)
0x082fcb9f <decode_slice_header+10495>: decl 0x9c809584(%ebx)
0x082fcba5 <decode_slice_header+10501>: add (%eax),%al
0x082fcba7 <decode_slice_header+10503>: movl $0x1,0x39a50(%ebp)
0x082fcbb1 <decode_slice_header+10513>: mov 0xe4(%eax),%eax
0x082fcbb7 <decode_slice_header+10519>: movl $0x1,0x39d68(%ebp)
0x082fcbc1 <decode_slice_header+10529>: mov %eax,0x39a54(%ebp)
0x082fcbc7 <decode_slice_header+10535>: jmp 0x82fad5f
<decode_slice_header+2751>
0x082fcbcc <decode_slice_header+10540>: movl $0x0,0xc8(%esp)
End of assembler dump.
(gdb) info all-registers
eax 0x1 1
ecx 0x86925e8 141108712
edx 0x0 0
ebx 0x12 18
esp 0xb69a4b10 0xb69a4b10
ebp 0x8690500 0x8690500
esi 0x3 3
edi 0x1 1
eip 0x82fcbb1 0x82fcbb1 <decode_slice_header+10513>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 -nan(0x7272727272727272) (raw 0xffff7272727272727272)
st1 -nan(0x7272727272727272) (raw 0xffff7272727272727272)
st2 -nan(0x7272727272727275) (raw 0xffff7272727272727275)
st3 -nan(0x72007200720072) (raw 0xffff0072007200720072)
st4 -nan(0x72007300740075) (raw 0xffff0072007300740075)
st5 0.019999999999999999999593424185317936 (raw
0x3ff9a3d70a3d70a3d70a)
st6 0 (raw 0x00000000000000000000)
st7 1.1999999999999999555910790149937384 (raw
0x3fff9999999999999800)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0x805fcb4 134610100
foseg 0x7b 123
fooff 0xb726b714 -1222199532
fop 0x400 1024
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, v4_int32 = {
0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x7272727272727272, v2_int32 = {0x72727272,
0x72727272}, v4_int16 = {0x7272, 0x7272, 0x7272, 0x7272}, v8_int8 =
{0x72, 0x72, 0x72, 0x72, 0x72, 0x72,
0x72, 0x72}}
mm1 {uint64 = 0x7272727272727272, v2_int32 = {0x72727272,
0x72727272}, v4_int16 = {0x7272, 0x7272, 0x7272, 0x7272}, v8_int8 =
{0x72, 0x72, 0x72, 0x72, 0x72, 0x72,
0x72, 0x72}}
mm2 {uint64 = 0x7272727272727275, v2_int32 = {0x72727275,
0x72727272}, v4_int16 = {0x7275, 0x7272, 0x7272, 0x7272}, v8_int8 =
{0x75, 0x72, 0x72, 0x72, 0x72, 0x72,
0x72, 0x72}}
mm3 {uint64 = 0x72007200720072, v2_int32 = {0x720072,
0x720072}, v4_int16 = {0x72, 0x72, 0x72, 0x72}, v8_int8 = {0x72, 0x0,
0x72, 0x0, 0x72, 0x0, 0x72, 0x0}}
mm4 {uint64 = 0x72007300740075, v2_int32 = {0x740075,
0x720073}, v4_int16 = {0x75, 0x74, 0x73, 0x72}, v8_int8 = {0x75, 0x0,
0x74, 0x0, 0x73, 0x0, 0x72, 0x0}}
- ---Type <return> to continue, or q <return> to quit---
mm5 {uint64 = 0xa3d70a3d70a3d70a, v2_int32 = {0x70a3d70a,
0xa3d70a3d}, v4_int16 = {0xd70a, 0x70a3, 0xa3d, 0xa3d7}, v8_int8 = {0xa,
0xd7, 0xa3, 0x70, 0x3d, 0xa, 0xd7,
0xa3}}
mm6 {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0,
0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7 {uint64 = 0x9999999999999800, v2_int32 = {0x99999800,
0x99999999}, v4_int16 = {0x9800, 0x9999, 0x9999, 0x9999}, v8_int8 =
{0x0, 0x98, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99}}
(gdb)
A simple fix for this is attached. I am far from sure that this is the
correct way to fix it, but it might help illustrate the problem. For what
it is worth: at the faulting instruction (`mov 0xe4(%eax),%eax`) %eax is
0x1, so the short_ref[] entry whose ->frame_num is being read is not a
valid picture pointer, and the "reference count overflow" messages just
before the crash suggest that short_ref_count may no longer match what is
actually in short_ref[]. Since this is reached purely from the input
stream, it is at the very least an input-triggered crash (DoS) on
untrusted data, whichever fix ends up being applied.
I can also provide the sample which causes the crash, although the
previous times I have not been successful in getting these samples to
where they belong.
With friendly regards,
Takis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGOgWL9kOxLuzz4CkRAi7JAJ9D0tNvzwjoDNRPxy3/1IzqrNwTQgCfU8p9
z5PmJl1V0UfKXeDWnvwcJCc=
=Qyr1
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi-20070503T174821-ffmpeg-sf.diff
Type: text/x-patch
Size: 720 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070503/c1c04b17/attachment.bin>