[FFmpeg-trac] #455(avcodec:open): Invalid read in ff_mspel_motion called from EC code
FFmpeg
trac at avcodec.org
Mon Oct 17 19:28:40 CEST 2011
#455: Invalid read in ff_mspel_motion called from EC code
------------------------------------+-----------------------------------
Reporter: cehoyos | Owner:
Type: defect | Status: open
Priority: important | Component: avcodec
Version: git-master | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 1
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by DonMoir):
Originally I posted ticket #495 about a crash here:
https://ffmpeg.org/trac/ffmpeg/ticket/495
That ticket was closed, but I never saw any change in the behaviour of the
crash on my machine. It has since come to my attention that, although the
crash looked the same to me, this is most likely a different case — that is,
it may not reproduce on 64-bit builds, etc.
Using this file (hidef_crash_cut.wmv, 20 MB) it crashes every time for me on
Windows x86 32-bit:
http://www.datafilehost.com/download-3cd0d3f7.html
(Note: this is a crash-inducing sample on a third-party file host — treat it
as untrusted input and only feed it to the decoder under test, preferably in
an isolated environment.)
Looking at the details below, it appears to be the same case in
ff_mspel_motion as originally posted here. The fault is reached from the
error-concealment path (ff_er_frame_end → guess_mv → decode_mb → MPV_motion →
ff_mspel_motion) after the decoder has already reported bit overconsumption
on a stream the demuxer flagged as DRM-protected, so the macroblock data it
is concealing from is not valid bitstream. The faulting instruction is the
indirect call through s->dsp.put_mspel_pixels_tab[dxy] at wmv2.c:112, and with
%ebx = s (0x351b020) and %ebp = 0x80a3e8 the table slot being loaded
(ebx + 4*ebp + 8 ≈ 0x5543fc8) is roughly 32 MB past s — which suggests the
table index, presumably derived from the motion vector, is out of range
rather than ptr itself being bad; that still needs confirming by printing
dxy, motion_x and motion_y in the faulting frame. Either way this is a
memory-safety bug reachable from a crafted input file, so it should be
treated as at least a denial of service until the concealment path's motion
vectors are shown to be bounds-checked.
ffmpeg_g -i c:\hidef_crash_cut.wmv -f null -
ffmpeg version 0.8.5.git, Copyright (c) 2000-2011 the FFmpeg developers
built on Oct 17 2011 12:07:23 with gcc 4.5.2
configuration: --target-os=mingw32 --disable-yasm --disable-doc
libavutil 51. 21. 0 / 51. 21. 0
libavcodec 53. 20. 1 / 53. 20. 1
libavformat 53. 16. 0 / 53. 16. 0
libavdevice 53. 4. 0 / 53. 4. 0
libavfilter 2. 43. 6 / 2. 43. 6
libswscale 2. 1. 0 / 2. 1. 0
[asf @ 03519860] Ext DRM protected stream detected, decoding will likely
fail!
[asf @ 03519860] DRM protected stream detected, decoding will likely fail!
[asf @ 03519860] Digital signature detected!
[asf @ 03519860] parser not found for codec wmapro, packets or times may
be invalid.
gdb ffmpeg_g
r -i c:\hidef_crash_cut.wmv -f null -
[wmv3 @ 03616200] Bits overconsumption: 379253 > 379232
[wmv3 @ 03616200] concealing 2246 DC, 2246 AC, 2246 MV errors
[wmv3 @ 03616200] Bits overconsumption: 197142 > 197120 at 66x35
[wmv3 @ 03616200] concealing 733 DC, 733 AC, 733 MV errors
Program received signal SIGSEGV, Segmentation fault.
0x007bdc49 in ff_mspel_motion (s=0x351b020, dest_y=0x458f470 "",
dest_cb=0x40722b8
"tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++
++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`^][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>,
"YYXXXXWWVVVWXYZ[[[JP?80;1"...,
dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>,
"=t\300+¡¡¡¡¡¡«««
«««½¬½P\216\203\203\217\224\226umffffa\\LH", 'D' <repeats 12 times>,
"EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>,
"²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"...,
ref_picture=0x351b388, pix_op=0x351c4f8, motion_x=-16, motion_y=36,
h=16)
at libavcodec/wmv2.c:112
112 s->dsp.put_mspel_pixels_tab[dxy](dest_y, ptr , linesize);
(gdb) bt
#0 0x007bdc49 in ff_mspel_motion (s=0x351b020, dest_y=0x458f470 "",
dest_cb=0x40722b8
"tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++
++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`^][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>,
"YYXXXXWWVVVWXYZ[[[JP?80;1"...,
dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>,
"=t\300+¡¡¡¡¡¡«««
«««½¬½P\216\203\203\217\224\226umffffa\\LH", 'D' <repeats 12 times>,
"EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>,
"²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"...,
ref_picture=0x351b388, pix_op=0x351c4f8, motion_x=-16, motion_y=36,
h=16)
at libavcodec/wmv2.c:112
#1 0x0057cb22 in MPV_motion_internal (s=0x351b020, dest_y=0x458f470 "",
dest_cb=0x40722b8
"tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++
++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`^][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>,
"YYXXXXWWVVVWXYZ[[[JP?80;1"...,
dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>,
"=t\300+¡¡¡¡¡¡«««
«««½¬½P\216\203\203\217\224\226umffffa\\LH", 'D' <repeats 12 times>,
"EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>,
"²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"..., dir=0,
ref_picture=0x351b388, pix_op=0x351c4f8, qpix_op=0x351c658)
at libavcodec/mpegvideo_common.h:729
#2 MPV_motion (s=0x351b020, dest_y=0x458f470 "",
dest_cb=0x40722b8
"tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++
++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`^][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>,
"YYXXXXWWVVVWXYZ[[[JP?80;1"...,
dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>,
"=t\300+¡¡¡¡¡¡«««
«««½¬½P\216\203\203\217\224\226umffffa\\LH", 'D' <repeats 12 times>,
"EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>,
"²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"..., dir=0,
ref_picture=0x351b388, pix_op=0x351c4f8, qpix_op=0x351c658)
at libavcodec/mpegvideo_common.h:896
#3 0x00584a26 in MPV_decode_mb_internal (s=0x351b020, block=0x38f53a0)
at libavcodec/mpegvideo.c:2165
#4 MPV_decode_mb (s=0x351b020, block=0x38f53a0)
at libavcodec/mpegvideo.c:2302
#5 0x007c3712 in decode_mb (s=0x351b020, ref=<value optimized out>)
at libavcodec/error_resilience.c:62
#6 0x007c4151 in guess_mv (s=<value optimized out>)
at libavcodec/error_resilience.c:584
#7 0x007c5ef2 in ff_er_frame_end (s=0x351b020)
at libavcodec/error_resilience.c:1066
#8 0x0063be93 in vc1_decode_frame (avctx=0x3616200, data=0x36a0e40,
data_size=0x23deec, avpkt=0x23de48) at libavcodec/vc1dec.c:5737
#9 0x004efc31 in avcodec_decode_video2 (avctx=0x3616200,
picture=0x36a0e40,
got_picture_ptr=0x23deec, avpkt=0x23de48) at libavcodec/utils.c:804
#10 0x004072ee in output_packet (ist=0x351a648, ist_index=1,
ost_table=0x3615010, nb_ostreams=2, pkt=0x23fbf8) at ffmpeg.c:1685
#11 0x0040ad16 in transcode (output_files=<value optimized out>,
nb_output_files=0, input_files=0x0, nb_input_files=4252759)
at ffmpeg.c:2630
#12 0x0023ff48 in ?? ()
#13 0x00000000 in ?? ()
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x7bdc29 to 0x7bdc69:
0x007bdc29 <ff_mspel_motion+449>: (bad)
0x007bdc2a <ff_mspel_motion+450>: xchg %ax,%ax
0x007bdc2c <ff_mspel_motion+452>: movl $0x0,0x58(%esp)
0x007bdc34 <ff_mspel_motion+460>: add $0x60c,%ebp
0x007bdc3a <ff_mspel_motion+466>: mov %esi,0x8(%esp)
0x007bdc3e <ff_mspel_motion+470>: mov %edi,0x4(%esp)
0x007bdc42 <ff_mspel_motion+474>: mov 0x54(%esp),%ecx
0x007bdc46 <ff_mspel_motion+478>: mov %ecx,(%esp)
=> 0x007bdc49 <ff_mspel_motion+481>: call *0x8(%ebx,%ebp,4)
0x007bdc4d <ff_mspel_motion+485>: mov %esi,0x8(%esp)
0x007bdc51 <ff_mspel_motion+489>: lea 0x8(%edi),%eax
0x007bdc54 <ff_mspel_motion+492>: mov %eax,0x4(%esp)
0x007bdc58 <ff_mspel_motion+496>: mov 0x54(%esp),%eax
0x007bdc5c <ff_mspel_motion+500>: add $0x8,%eax
0x007bdc5f <ff_mspel_motion+503>: mov %eax,(%esp)
0x007bdc62 <ff_mspel_motion+506>: call *0x8(%ebx,%ebp,4)
0x007bdc66 <ff_mspel_motion+510>: lea 0x0(,%esi,8),%eax
End of assembler dump.
(gdb) info all-registers
eax 0x242 578
ecx 0x458f470 72938608
edx 0x253 595
ebx 0x351b020 55685152
esp 0x23c630 0x23c630
ebp 0x80a3e8 0x80a3e8
esi 0x500 1280
edi 0x44a4e68 71978600
eip 0x7bdc49 0x7bdc49 <ff_mspel_motion+481>
eflags 0x210216 [ PF AF IF RF ID ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0 0
st0 -nan(0xe0e0e0e0dfdfdfdf) (raw 0xffffe0e0e0e0dfdfdfdf)
st1 -nan(0xe1e1e1e1dfdfdfdf) (raw 0xffffe1e1e1e1dfdfdfdf)
st2 -nan(0xff00fe00fe00fe0) (raw 0xffff0ff00fe00fe00fe0)
st3 -nan(0xfffffefdfdfdfdfd) (raw 0xfffffffffefdfdfdfdfd)
st4 -nan(0xff00ff00fe00fd) (raw 0xffff00ff00ff00fe00fd)
st5 -nan(0x9000900090009) (raw 0xffff0009000900090009)
st6 -nan(0x80008000800080) (raw 0xffff0080008000800080)
st7 -nan(0xc040c040c040c040) (raw 0xffffc040c040c040c040)
fctrl 0xffff037f -64641
fstat 0xffff0020 -65504
ftag 0xffffaaaa -21846
fiseg 0x1b 27
fioff 0x40abde 4238302
foseg 0xffff0023 -65501
fooff 0x23dfd8 2351064
fop 0x7bc 1980
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0,
0x0},
uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0xfffffffd, 0x3, 0xfffffffe, 0x0}, v2_double =
{
0x60, 0x0}, v16_int8 = {0x5d, 0xef, 0x73, 0xc0, 0xfb, 0x32, 0x58,
0x40,
0x7f, 0x52, 0x14, 0xc0, 0xb4, 0xc1, 0x50, 0x3f}, v8_int16 = {0xef5d,
0xc073, 0x32fb, 0x4058, 0x527f, 0xc014, 0xc1b4, 0x3f50}, v4_int32 = {
0xc073ef5d, 0x405832fb, 0xc014527f, 0x3f50c1b4}, v2_int64 = {
0x405832fbc073ef5d, 0x3f50c1b4c014527f},
uint128 = 0x3f50c1b4c014527f405832fbc073ef5d}
xmm2 {v4_float = {0x0, 0xfffffffe, 0x3, 0xfffffffd}, v2_double =
{
0xfffffffffffffffc, 0xfffffffffffffed6}, v16_int8 = {0xbb, 0x98, 0x50,
0x3f, 0x3b, 0xfb, 0x13, 0xc0, 0x23, 0x5f, 0x57, 0x40, 0xfc, 0xa0,
0x72,
0xc0}, v8_int16 = {0x98bb, 0x3f50, 0xfb3b, 0xc013, 0x5f23, 0x4057,
0xa0fc, 0xc072}, v4_int32 = {0x3f5098bb, 0xc013fb3b, 0x40575f23,
0xc072a0fc}, v2_int64 = {0xc013fb3b3f5098bb, 0xc072a0fc40575f23},
uint128 = 0xc072a0fc40575f23c013fb3b3f5098bb}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x80,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8000, 0x0, 0x0, 0x0, 0x8000,
0x0,
0x0}, v4_int32 = {0x80000000, 0x0, 0x80000000, 0x0}, v2_int64 = {
0x80000000, 0x80000000}, uint128 = 0x00000000800000000000000080000000}
xmm4 {v4_float = {0xfffffffb, 0x4, 0xfffffffd, 0x1}, v2_double =
{
0x625, 0x0}, v16_int8 = {0xe4, 0x6, 0xac, 0xc0, 0x66, 0x95, 0x98,
0x40,
0xb8, 0x84, 0x51, 0xc0, 0x82, 0x8e, 0x93, 0x3f}, v8_int16 = {0x6e4,
0xc0ac, 0x9566, 0x4098, 0x84b8, 0xc051, 0x8e82, 0x3f93}, v4_int32 = {
0xc0ac06e4, 0x40989566, 0xc05184b8, 0x3f938e82}, v2_int64 = {
0x40989566c0ac06e4, 0x3f938e82c05184b8},
uint128 = 0x3f938e82c05184b840989566c0ac06e4}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x80,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8000, 0x0, 0x0, 0x0, 0x8000,
0x0,
0x0}, v4_int32 = {0x80000000, 0x0, 0x80000000, 0x0}, v2_int64 = {
0x80000000, 0x80000000}, uint128 = 0x00000000800000000000000080000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0xb0, 0x52, 0x5, 0x0, 0x5d, 0x0, 0x91,
0x7c, 0x1, 0x0, 0x10, 0x0}, v8_int16 = {0x0, 0x0, 0x52b0, 0x5, 0x5d,
0x7c91, 0x1, 0x10}, v4_int32 = {0x0, 0x552b0, 0x7c91005d, 0x100001},
v2_int64 = {0x552b000000000, 0x1000017c91005d},
uint128 = 0x001000017c91005d000552b000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x28, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0,
0xa0, 0xee, 0xf8, 0x0}, v8_int16 = {0x28, 0x0, 0x0, 0x0, 0x0, 0x5,
0xeea0, 0xf8}, v4_int32 = {0x28, 0x0, 0x50000, 0xf8eea0}, v2_int64 = {
0x28, 0xf8eea000050000}, uint128 = 0x00f8eea0000500000000000000000028}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
mm0 {uint64 = 0xe0e0e0e0dfdfdfdf, v2_int32 = {0xdfdfdfdf,
0xe0e0e0e0}, v4_int16 = {0xdfdf, 0xdfdf, 0xe0e0, 0xe0e0}, v8_int8 = {
0xdf, 0xdf, 0xdf, 0xdf, 0xe0, 0xe0, 0xe0, 0xe0}}
mm1 {uint64 = 0xe1e1e1e1dfdfdfdf, v2_int32 = {0xdfdfdfdf,
0xe1e1e1e1}, v4_int16 = {0xdfdf, 0xdfdf, 0xe1e1, 0xe1e1}, v8_int8 = {
0xdf, 0xdf, 0xdf, 0xdf, 0xe1, 0xe1, 0xe1, 0xe1}}
mm2 {uint64 = 0xff00fe00fe00fe0, v2_int32 = {0xfe00fe0,
0xff00fe0}, v4_int16 = {0xfe0, 0xfe0, 0xfe0, 0xff0}, v8_int8 = {0xe0,
0xf, 0xe0, 0xf, 0xe0, 0xf, 0xf0, 0xf}}
mm3 {uint64 = 0xfffffefdfdfdfdfd, v2_int32 = {0xfdfdfdfd,
0xfffffefd}, v4_int16 = {0xfdfd, 0xfdfd, 0xfefd, 0xffff}, v8_int8 = {
0xfd, 0xfd, 0xfd, 0xfd, 0xfd, 0xfe, 0xff, 0xff}}
mm4 {uint64 = 0xff00ff00fe00fd, v2_int32 = {0xfe00fd,
0xff00ff},
v4_int16 = {0xfd, 0xfe, 0xff, 0xff}, v8_int8 = {0xfd, 0x0, 0xfe, 0x0,
0xff,
0x0, 0xff, 0x0}}
mm5 {uint64 = 0x9000900090009, v2_int32 = {0x90009, 0x90009},
v4_int16 = {0x9, 0x9, 0x9, 0x9}, v8_int8 = {0x9, 0x0, 0x9, 0x0, 0x9,
0x0,
0x9, 0x0}}
mm6 {uint64 = 0x80008000800080, v2_int32 = {0x800080,
0x800080},
v4_int16 = {0x80, 0x80, 0x80, 0x80}, v8_int8 = {0x80, 0x0, 0x80, 0x0,
0x80,
0x0, 0x80, 0x0}}
mm7 {uint64 = 0xc040c040c040c040, v2_int32 = {0xc040c040,
0xc040c040}, v4_int16 = {0xc040, 0xc040, 0xc040, 0xc040}, v8_int8 = {
0x40, 0xc0, 0x40, 0xc0, 0x40, 0xc0, 0x40, 0xc0}}
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/455#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker