[FFmpeg-trac] #600(avcodec:new): Crash (segmentation fault) decoding a bad flac (my fix incl.)
FFmpeg
trac at avcodec.org
Sun Oct 30 16:06:40 CET 2011
#600: Crash (segmentation fault) decoding a bad flac (my fix incl.)
-------------------------------------+-----------------------------------
Reporter: BJoe | Owner:
Type: defect | Status: new
Priority: normal | Component: avcodec
Version: unspecified | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-----------------------------------
Old description:
> I am trying to decode a bad flac file
> ffmpeg crashed (segmentation fault)
>
> ffmpeg -i fileEEmUGd.flac output.wav
>
> NOTE: I tried to provide a sample flac file for this, but when cut down
> to 10MB, I can't reproduce the crash. (currently I can cut it to 30MB for
> recreating the error)
>
> MY FIX:
> File: golomb.h
> Function: get_ur_golomb_jpegls
>
> Before:
> }else{
> int i;
> for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
> LAST_SKIP_BITS(re, gb, 1);
> UPDATE_CACHE(re, gb);
> }
> After:
> }else{
> int i;
> for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
> if (get_bits_left(gb)<=0) return -1;
> LAST_SKIP_BITS(re, gb, 1);
> UPDATE_CACHE(re, gb);
> }
>
> EXPLANATION:
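> The for loop keeps reading bits with value '0' until a bit with value '1'
> appears. On a corrupted file it keeps reading past the end of the input
> buffer until a segmentation fault occurs. (The limit check only runs after
> the loop, and the backtrace below shows limit=2147483647, so it cannot
> stop the read in time.)
> If the read goes beyond the buffer size, return -1, the same as when the
> limit check (afterwards) fails.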
>
> linux at linux-VirtualBox:~/ffmpegtest/ffmpegnew/ffmpeg$ ./ffmpeg -v 9
> -loglevel 99 -i fileEEmUGd.flac output.wav
> ffmpeg version N-34109-g3e43758, Copyright (c) 2000-2011 the FFmpeg
> developers
> built on Oct 27 2011 11:45:37 with gcc 4.6.1
> configuration:
> libavutil 51. 22. 0 / 51. 22. 0
> libavcodec 53. 23. 0 / 53. 23. 0
> libavformat 53. 17. 0 / 53. 17. 0
> libavdevice 53. 4. 0 / 53. 4. 0
> libavfilter 2. 45. 0 / 2. 45. 0
> libswscale 2. 1. 0 / 2. 1. 0
> [flac @ 0x2a32760] Format flac probed with size=2048 and score=50
> [NULL @ 0x2a38ae0] Max Blocksize: 4096
> [NULL @ 0x2a38ae0] Max Framesize: 12667
> [NULL @ 0x2a38ae0] Samplerate: 44100
> [NULL @ 0x2a38ae0] Channels: 2
> [NULL @ 0x2a38ae0] Bits: 16
> [flac @ 0x2a38ae0] err{or,}_recognition separate: 1; 1
> [flac @ 0x2a38ae0] err{or,}_recognition combined: 1; 1
> [flac @ 0x2a38ae0] Max Blocksize: 4096
> [flac @ 0x2a38ae0] Max Framesize: 12667
> [flac @ 0x2a38ae0] Samplerate: 44100
> [flac @ 0x2a38ae0] Channels: 2
> [flac @ 0x2a38ae0] Bits: 16
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> Last message repeated 65 times
> [flac @ 0x2a38ae0] crc check failed from offset 57299 (frame 34) to
> 12121033 (frame 1251)
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> [flac @ 0x2a38ae0] crc check failed from offset 50123 (frame 33) to
> 12121033 (frame 1251)
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> [flac @ 0x2a38ae0] crc check failed from offset 42311 (frame 32) to
> 12121033 (frame 1251)
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> [flac @ 0x2a38ae0] crc check failed from offset 51442 (frame 34) to
> 12126800 (frame 1252)
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> [flac @ 0x2a38ae0] crc check failed from offset 44266 (frame 33) to
> 12126800 (frame 1252)
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> Last message repeated 1 times
> [flac @ 0x2a38ae0] crc check failed from offset 44584 (frame 34) to
> 12131506 (frame 1253)
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> Last message repeated 5 times
> [flac @ 0x2a38ae0] Junk frame till offset 12085549
> [flac @ 0x2a32760] Probe buffer size limit 5000000 reached
> Input #0, flac, from 'fileEEmUGd.flac':
> Metadata:
> track : 4
> TITLE : Blackest Eyes
> ARTIST : Porcupine Tree
> ALBUM : 2007-10-26 New Orleans, LA (tooligan Matrix) [FINAL
> MIX]
> DATE : 2007
> GENRE : Progressive Rock
> Duration: 00:05:33.69, bitrate: 819 kb/s
> Stream #0:0, 32, 1/44100: Audio: flac, 44100 Hz, stereo, s16
> File 'output.wav' already exists. Overwrite ? [y/N] y
> err{or,}_recognition separate: 1; 1
> [pcm_s16le @ 0x2a2d5a0] err{or,}_recognition combined: 1; 1
> [flac @ 0x2a38ae0] err{or,}_recognition separate: 1; 1
> [flac @ 0x2a38ae0] err{or,}_recognition combined: 1; 1
> [flac @ 0x2a38ae0] Max Blocksize: 4096
> [flac @ 0x2a38ae0] Max Framesize: 12667
> [flac @ 0x2a38ae0] Samplerate: 44100
> [flac @ 0x2a38ae0] Channels: 2
> [flac @ 0x2a38ae0] Bits: 16
> Output #0, wav, to 'output.wav':
> Metadata:
> track : 4
> TITLE : Blackest Eyes
> ARTIST : Porcupine Tree
> ALBUM : 2007-10-26 New Orleans, LA (tooligan Matrix) [FINAL
> MIX]
> DATE : 2007
> GENRE : Progressive Rock
> encoder : Lavf53.17.0
> Stream #0:0, 0, 1/44100: Audio: pcm_s16le ([1][0][0][0] / 0x0001),
> 44100 Hz, stereo, s16, 1411 kb/s
> Stream mapping:
> Stream #0.0 -> #0.0 (flac -> pcm_s16le)
> Press [q] to stop, [?] for help
> [flac @ 0x2a38ae0] underread: 12078722 orig size: 12085549
> Multiple frames in a packet from stream 0
> [flac @ 0x2a38ae0] underread: 12070910 orig size: 12078722
> Multiple frames in a packet from stream 0
> [flac @ 0x2a38ae0] underread: 12063734 orig size: 12070910
> Multiple frames in a packet from stream 0
> [flac @ 0x2a38ae0] overread: 266206
> Error while decoding stream #0.0
> [flac @ 0x2a38ae0] dropping low score 43 frame header from offset 0 to
> 6827
> [flac @ 0x2a38ae0] dropping low score 33 frame header from offset 6827 to
> 14639
> [flac @ 0x2a38ae0] dropping low score 23 frame header from offset 14639
> to 21815
> [flac @ 0x2a38ae0] dropping low score 13 frame header from offset 21815
> to 12085549
> [flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
> Last message repeated 35 times
> Segmentation faultme=00:00:04.73 bitrate=1383.6kbits/s
> linux at linux-VirtualBox:~/ffmpegtest/ffmpegnew/ffmpeg$
>
>
>
> (gdb) bt
> #0 get_ur_golomb_jpegls (esc_len=0, limit=2147483647, k=9, gb=<optimized
> out>) at libavcodec/golomb.h:306
> #1 get_sr_golomb_flac (esc_len=0, limit=2147483647, k=9, gb=0x13695a8)
> at libavcodec/golomb.h:348
> #2 decode_residuals (s=0x1369580, channel=1, pred_order=<optimized out>)
> at libavcodec/flacdec.c:274
> #3 0x0000000000601bf2 in decode_subframe_lpc (pred_order=6, channel=1,
> s=0x1369580) at libavcodec/flacdec.c:361
> #4 decode_subframe (channel=1, s=0x1369580) at libavcodec/flacdec.c:443
> #5 decode_frame (s=0x1369580) at libavcodec/flacdec.c:533
> #6 flac_decode_frame (avctx=<optimized out>, data=0x7ffff4c59040,
> data_size=0x7fffffffc35c, avpkt=<optimized out>) at
> libavcodec/flacdec.c:583
> #7 0x0000000000854d8a in avcodec_decode_audio3 (avctx=0x1373ae0,
> samples=<optimized out>, frame_size_ptr=<optimized out>, avpkt=<optimized
> out>)
> at libavcodec/utils.c:875
> #8 0x0000000000438dd6 in output_packet (ist=<optimized out>,
> ist_index=0, ost_table=0x1368a70, nb_ostreams=1, pkt=<optimized out>) at
> ffmpeg.c:1666
> #9 0x000000000043be01 in transcode (output_files=0x1368ce0,
> nb_output_files=1, input_files=0x1375110, nb_input_files=1) at
> ffmpeg.c:2635
> #10 0x0000000000433ff2 in main (argc=<optimized out>,
> argv=0x7fffffffe658) at ffmpeg.c:4486
> (gdb) disass $pc-32,$pc+32
> Dump of assembler code from 0x601398 to 0x6013d8:
> 0x0000000000601398 <decode_residuals+456>: xor %esi,%esi
> 0x000000000060139a <decode_residuals+458>: shr $0xff,%ecx
> 0x000000000060139d <decode_residuals+461>: test %ecx,%ecx
> 0x000000000060139f <decode_residuals+463>: jne 0x601464
> <decode_residuals+660>
> 0x00000000006013a5 <decode_residuals+469>: nopl (%rax)
> 0x00000000006013a8 <decode_residuals+472>: add $0x1,%eax
> 0x00000000006013ab <decode_residuals+475>: add $0x1,%esi
> 0x00000000006013ae <decode_residuals+478>: mov %eax,%edx
> 0x00000000006013b0 <decode_residuals+480>: mov %eax,%ecx
> 0x00000000006013b2 <decode_residuals+482>: and $0x7,%ecx
> 0x00000000006013b5 <decode_residuals+485>: shr $0x3,%edx
> => 0x00000000006013b8 <decode_residuals+488>: mov (%r8,%rdx,1),%edx
> 0x00000000006013bc <decode_residuals+492>: bswap %edx
> 0x00000000006013be <decode_residuals+494>: shl %cl,%edx
> 0x00000000006013c0 <decode_residuals+496>: mov %edx,%ecx
> 0x00000000006013c2 <decode_residuals+498>: shr $0xff,%ecx
> 0x00000000006013c5 <decode_residuals+501>: test %ecx,%ecx
> 0x00000000006013c7 <decode_residuals+503>: je 0x6013a8
> <decode_residuals+472>
> 0x00000000006013c9 <decode_residuals+505>: add %edx,%edx
> 0x00000000006013cb <decode_residuals+507>: add $0x1,%eax
> 0x00000000006013ce <decode_residuals+510>: cmp $0x7ffffffd,%esi
> 0x00000000006013d4 <decode_residuals+516>: jle 0x6013f8
> <decode_residuals+552>
> 0x00000000006013d6 <decode_residuals+518>: xor %ecx,%ecx
> End of assembler dump.
> (gdb) info all-registers
> rax 0xa6130a8 174141608
> rbx 0x0 0
> rcx 0x0 0
> rdx 0x14c2615 21767701
> rsi 0x107e08 1080840
> rdi 0x1369580 20354432
> rbp 0x1396050 0x1396050
> rsp 0x7fffffffbdd0 0x7fffffffbdd0
> r8 0x20049e8 33573352
> r9 0xa50b2a0 173060768
> r10 0xf4 244
> r11 0x9 9
> r12 0x200 512
> r13 0x1f 31
> r14 0x500 1280
> r15 0x0 0
> rip 0x6013b8 0x6013b8 <decode_residuals+488>
> eflags 0x10202 [ IF RF ]
> cs 0x33 51
> ss 0x2b 43
> ds 0x0 0
> es 0x0 0
> fs 0x0 0
> gs 0x0 0
> st0 0 (raw 0x00000000000000000000)
> st1 0 (raw 0x00000000000000000000)
> st2 0 (raw 0x00000000000000000000)
> st3 0 (raw 0x00000000000000000000)
> st4 0 (raw 0x00000000000000000000)
> st5 0 (raw 0x00000000000000000000)
> st6 0 (raw 0x00000000000000000000)
> st7 0 (raw 0x00000000000000000000)
> fctrl 0x37f 895
> fstat 0x0 0
> ftag 0xffff 65535
> fiseg 0x0 0
> fioff 0x0 0
> foseg 0x0 0
> fooff 0x0 0
> fop 0x0 0
> xmm0 {v4_float = {0x0, 0x8, 0x0, 0x0}, v2_double = {0x36000,
> 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb, 0x41, 0x0, 0x0, 0x0,
> 0x0, 0x0,
> 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x410b, 0x0, 0x0, 0x0,
> 0x0}, v4_int32 = {0x0, 0x410b0000, 0x0, 0x0}, v2_int64 =
> {0x410b000000000000, 0x0},
> uint128 = 0x0000000000000000410b000000000000}
> xmm1 {v4_float = {0x0, 0x4d680000, 0x0, 0x0}, v2_double =
> {0x8000000000000000, 0x0}, v16_int8 = {0x7d, 0xc3, 0x94, 0x25, 0xad,
> 0x49, 0xb2, 0x54,
> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xc37d, 0x2594,
> 0x49ad, 0x54b2, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x2594c37d, 0x54b249ad,
> 0x0,
> 0x0}, v2_int64 = {0x54b249ad2594c37d, 0x0}, uint128 =
> 0x000000000000000054b249ad2594c37d}
> xmm2 {v4_float = {0x0, 0x7, 0x0, 0x0}, v2_double = {0xac44,
> 0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x80, 0x88, 0xe5,
> 0x40, 0xb,
> 0xf0, 0x2c, 0xff, 0xa6, 0xe0, 0xf7, 0xf1}, v8_int16 = {0x0, 0x0,
> 0x8880, 0x40e5, 0xf00b, 0xff2c, 0xe0a6, 0xf1f7}, v4_int32 = {0x0,
> 0x40e58880,
> 0xff2cf00b, 0xf1f7e0a6}, v2_int64 = {0x40e5888000000000,
> 0xf1f7e0a6ff2cf00b}, uint128 = 0xf1f7e0a6ff2cf00b40e5888000000000}
> xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
> {0x8000000000000000, 0x0}, v16_int8 = {0x5d, 0xe5, 0xce, 0xef, 0x6b,
> 0xe8, 0xac, 0xef, 0xbd,
> 0xf3, 0xac, 0xf5, 0xd3, 0x1, 0x6f, 0x2}, v8_int16 = {0xe55d, 0xefce,
> 0xe86b, 0xefac, 0xf3bd, 0xf5ac, 0x1d3, 0x26f}, v4_int32 = {0xefcee55d,
> 0xeface86b,
> 0xf5acf3bd, 0x26f01d3}, v2_int64 = {0xeface86befcee55d,
> 0x26f01d3f5acf3bd}, uint128 = 0x026f01d3f5acf3bdeface86befcee55d}
> xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
> {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xb1, 0x0, 0x52,
> 0xfc, 0x96, 0xff, 0xa4,
> 0xfa, 0xd0, 0xf8, 0xaa, 0xf7, 0x1b, 0xed, 0x73, 0xf3}, v8_int16 =
> {0xb1, 0xfc52, 0xff96, 0xfaa4, 0xf8d0, 0xf7aa, 0xed1b, 0xf373}, v4_int32
> = {
> 0xfc5200b1, 0xfaa4ff96, 0xf7aaf8d0, 0xf373ed1b}, v2_int64 =
> {0xfaa4ff96fc5200b1, 0xf373ed1bf7aaf8d0}, uint128 =
> 0xf373ed1bf7aaf8d0faa4ff96fc5200b1}
> xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
> {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x1e, 0xa, 0x7c,
> 0xff, 0x8b, 0x4, 0xaf,
> 0xf8, 0x7c, 0xfb, 0x49, 0xec, 0x6f, 0xf4, 0x6f, 0xe2}, v8_int16 =
> {0xa1e, 0xff7c, 0x48b, 0xf8af, 0xfb7c, 0xec49, 0xf46f, 0xe26f}, v4_int32
> = {
> 0xff7c0a1e, 0xf8af048b, 0xec49fb7c, 0xe26ff46f}, v2_int64 =
> {0xf8af048bff7c0a1e, 0xe26ff46fec49fb7c}, uint128 =
> 0xe26ff46fec49fb7cf8af048bff7c0a1e}
> xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
> {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x7c, 0xec, 0x2c,
> 0xf2, 0x73, 0xe7,
> ---Type <return> to continue, or q <return> to quit---
> 0xc4, 0xed, 0x1b, 0xe5, 0xf4, 0xe9, 0x2a, 0xe5, 0x4b, 0xe6}, v8_int16
> = {0xec7c, 0xf22c, 0xe773, 0xedc4, 0xe51b, 0xe9f4, 0xe52a, 0xe64b},
> v4_int32 = {
> 0xf22cec7c, 0xedc4e773, 0xe9f4e51b, 0xe64be52a}, v2_int64 =
> {0xedc4e773f22cec7c, 0xe64be52ae9f4e51b}, uint128 =
> 0xe64be52ae9f4e51bedc4e773f22cec7c}
> xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
> {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x7d, 0xe4, 0xac,
> 0xe4, 0x2d, 0xe3,
> 0x4d, 0xe5, 0x78, 0xe1, 0xd9, 0xe3, 0x16, 0xe0, 0xf8, 0xdd}, v8_int16
> = {0xe47d, 0xe4ac, 0xe32d, 0xe54d, 0xe178, 0xe3d9, 0xe016, 0xddf8},
> v4_int32 = {
> 0xe4ace47d, 0xe54de32d, 0xe3d9e178, 0xddf8e016}, v2_int64 =
> {0xe54de32de4ace47d, 0xddf8e016e3d9e178}, uint128 =
> 0xddf8e016e3d9e178e54de32de4ace47d}
> xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
> v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
> 0x0,
> 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
> uint128 = 0x00000000000000000000000000000000}
> xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
> v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
> 0x0,
> 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
> uint128 = 0x00000000000000000000000000000000}
> xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
> v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0,
> 0x0, 0x0,
> 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0,
> 0x0, 0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {
> 0x3ed6592484460000, 0x0}, uint128 =
> 0x00000000000000003ed6592484460000}
> xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0,
> 0x0}, v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0xff,
> 0xff,
> 0xff, 0x0, 0x0, 0x0, 0xff, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2,
> 0xbd8f, 0xffff, 0xff, 0x0, 0xff}, v4_int32 = {0x5065a26a, 0xbd8feaf2,
> 0xffffff,
> 0xff0000}, v2_int64 = {0xbd8feaf25065a26a, 0xff000000ffffff}, uint128
> = 0x00ff000000ffffffbd8feaf25065a26a}
> xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
> v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0, 0x0, 0x0, 0x0,
> 0x0,
> 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0, 0x0, 0x0,
> 0x0}, v4_int32 = {0x0, 0x3cc40000, 0x0, 0x0}, v2_int64 =
> {0x3cc4000000000000, 0x0},
> uint128 = 0x00000000000000003cc4000000000000}
> xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
> v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0,
> 0x0, 0x0,
> 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0,
> 0x0}, v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 =
> {0xbc59800000000000,
> 0x0}, uint128 = 0x0000000000000000bc59800000000000}
> xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
> v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0,
> 0x0, 0x0,
> 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0,
> 0x0, 0x0, 0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
> {
> 0x3c5324f0e883858e, 0x0}, uint128 =
> 0x00000000000000003c5324f0e883858e}
> xmm15 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
> v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0,
> 0x0,
> 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0,
> 0x0, 0x0, 0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
> {
> 0x4046dfb516f209c0, 0x0}, uint128 =
> 0x00000000000000004046dfb516f209c0}
> mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
> (gdb)
New description:
I am trying to decode a bad flac file
ffmpeg crashed (segmentation fault)
ffmpeg -i fileEEmUGd.flac output.wav
NOTE: I tried to provide a sample flac file for this, but when cut down to
10MB, I can't reproduce the crash. (currently I can cut it to 30MB for
recreating the error)
MY FIX:
File: golomb.h
Function: get_ur_golomb_jpegls
Before:
}else{
int i;
for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
LAST_SKIP_BITS(re, gb, 1);
UPDATE_CACHE(re, gb);
}
After:
}else{
int i;
for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
if (get_bits_left(gb)<=0) return -1;
LAST_SKIP_BITS(re, gb, 1);
UPDATE_CACHE(re, gb);
}
EXPLANATION:
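The for loop keeps reading bits with value '0' until a bit with value '1'
appears. On a corrupted file it keeps reading past the end of the input
buffer until a segmentation fault occurs. (The limit check only runs after
the loop, and the backtrace below shows limit=2147483647, so it cannot stop
the read in time.)
If the read goes beyond the buffer size, return -1, the same as when the
limit check (afterwards) fails.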
{{{
linux at linux-VirtualBox:~/ffmpegtest/ffmpegnew/ffmpeg$ ./ffmpeg -v 9
-loglevel 99 -i fileEEmUGd.flac output.wav
ffmpeg version N-34109-g3e43758, Copyright (c) 2000-2011 the FFmpeg
developers
built on Oct 27 2011 11:45:37 with gcc 4.6.1
configuration:
libavutil 51. 22. 0 / 51. 22. 0
libavcodec 53. 23. 0 / 53. 23. 0
libavformat 53. 17. 0 / 53. 17. 0
libavdevice 53. 4. 0 / 53. 4. 0
libavfilter 2. 45. 0 / 2. 45. 0
libswscale 2. 1. 0 / 2. 1. 0
[flac @ 0x2a32760] Format flac probed with size=2048 and score=50
[NULL @ 0x2a38ae0] Max Blocksize: 4096
[NULL @ 0x2a38ae0] Max Framesize: 12667
[NULL @ 0x2a38ae0] Samplerate: 44100
[NULL @ 0x2a38ae0] Channels: 2
[NULL @ 0x2a38ae0] Bits: 16
[flac @ 0x2a38ae0] err{or,}_recognition separate: 1; 1
[flac @ 0x2a38ae0] err{or,}_recognition combined: 1; 1
[flac @ 0x2a38ae0] Max Blocksize: 4096
[flac @ 0x2a38ae0] Max Framesize: 12667
[flac @ 0x2a38ae0] Samplerate: 44100
[flac @ 0x2a38ae0] Channels: 2
[flac @ 0x2a38ae0] Bits: 16
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
Last message repeated 65 times
[flac @ 0x2a38ae0] crc check failed from offset 57299 (frame 34) to
12121033 (frame 1251)
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
[flac @ 0x2a38ae0] crc check failed from offset 50123 (frame 33) to
12121033 (frame 1251)
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
[flac @ 0x2a38ae0] crc check failed from offset 42311 (frame 32) to
12121033 (frame 1251)
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
[flac @ 0x2a38ae0] crc check failed from offset 51442 (frame 34) to
12126800 (frame 1252)
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
[flac @ 0x2a38ae0] crc check failed from offset 44266 (frame 33) to
12126800 (frame 1252)
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
Last message repeated 1 times
[flac @ 0x2a38ae0] crc check failed from offset 44584 (frame 34) to
12131506 (frame 1253)
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
Last message repeated 5 times
[flac @ 0x2a38ae0] Junk frame till offset 12085549
[flac @ 0x2a32760] Probe buffer size limit 5000000 reached
Input #0, flac, from 'fileEEmUGd.flac':
Metadata:
track : 4
TITLE : Blackest Eyes
ARTIST : Porcupine Tree
ALBUM : 2007-10-26 New Orleans, LA (tooligan Matrix) [FINAL
MIX]
DATE : 2007
GENRE : Progressive Rock
Duration: 00:05:33.69, bitrate: 819 kb/s
Stream #0:0, 32, 1/44100: Audio: flac, 44100 Hz, stereo, s16
File 'output.wav' already exists. Overwrite ? [y/N] y
err{or,}_recognition separate: 1; 1
[pcm_s16le @ 0x2a2d5a0] err{or,}_recognition combined: 1; 1
[flac @ 0x2a38ae0] err{or,}_recognition separate: 1; 1
[flac @ 0x2a38ae0] err{or,}_recognition combined: 1; 1
[flac @ 0x2a38ae0] Max Blocksize: 4096
[flac @ 0x2a38ae0] Max Framesize: 12667
[flac @ 0x2a38ae0] Samplerate: 44100
[flac @ 0x2a38ae0] Channels: 2
[flac @ 0x2a38ae0] Bits: 16
Output #0, wav, to 'output.wav':
Metadata:
track : 4
TITLE : Blackest Eyes
ARTIST : Porcupine Tree
ALBUM : 2007-10-26 New Orleans, LA (tooligan Matrix) [FINAL
MIX]
DATE : 2007
GENRE : Progressive Rock
encoder : Lavf53.17.0
Stream #0:0, 0, 1/44100: Audio: pcm_s16le ([1][0][0][0] / 0x0001),
44100 Hz, stereo, s16, 1411 kb/s
Stream mapping:
Stream #0.0 -> #0.0 (flac -> pcm_s16le)
Press [q] to stop, [?] for help
[flac @ 0x2a38ae0] underread: 12078722 orig size: 12085549
Multiple frames in a packet from stream 0
[flac @ 0x2a38ae0] underread: 12070910 orig size: 12078722
Multiple frames in a packet from stream 0
[flac @ 0x2a38ae0] underread: 12063734 orig size: 12070910
Multiple frames in a packet from stream 0
[flac @ 0x2a38ae0] overread: 266206
Error while decoding stream #0.0
[flac @ 0x2a38ae0] dropping low score 43 frame header from offset 0 to
6827
[flac @ 0x2a38ae0] dropping low score 33 frame header from offset 6827 to
14639
[flac @ 0x2a38ae0] dropping low score 23 frame header from offset 14639 to
21815
[flac @ 0x2a38ae0] dropping low score 13 frame header from offset 21815 to
12085549
[flac @ 0x2a38ae0] sample/frame number mismatch in adjacent frames
Last message repeated 35 times
Segmentation faultme=00:00:04.73 bitrate=1383.6kbits/s
linux at linux-VirtualBox:~/ffmpegtest/ffmpegnew/ffmpeg$
(gdb) bt
#0 get_ur_golomb_jpegls (esc_len=0, limit=2147483647, k=9, gb=<optimized
out>) at libavcodec/golomb.h:306
#1 get_sr_golomb_flac (esc_len=0, limit=2147483647, k=9, gb=0x13695a8) at
libavcodec/golomb.h:348
#2 decode_residuals (s=0x1369580, channel=1, pred_order=<optimized out>)
at libavcodec/flacdec.c:274
#3 0x0000000000601bf2 in decode_subframe_lpc (pred_order=6, channel=1,
s=0x1369580) at libavcodec/flacdec.c:361
#4 decode_subframe (channel=1, s=0x1369580) at libavcodec/flacdec.c:443
#5 decode_frame (s=0x1369580) at libavcodec/flacdec.c:533
#6 flac_decode_frame (avctx=<optimized out>, data=0x7ffff4c59040,
data_size=0x7fffffffc35c, avpkt=<optimized out>) at
libavcodec/flacdec.c:583
#7 0x0000000000854d8a in avcodec_decode_audio3 (avctx=0x1373ae0,
samples=<optimized out>, frame_size_ptr=<optimized out>, avpkt=<optimized
out>)
at libavcodec/utils.c:875
#8 0x0000000000438dd6 in output_packet (ist=<optimized out>, ist_index=0,
ost_table=0x1368a70, nb_ostreams=1, pkt=<optimized out>) at ffmpeg.c:1666
#9 0x000000000043be01 in transcode (output_files=0x1368ce0,
nb_output_files=1, input_files=0x1375110, nb_input_files=1) at
ffmpeg.c:2635
#10 0x0000000000433ff2 in main (argc=<optimized out>, argv=0x7fffffffe658)
at ffmpeg.c:4486
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x601398 to 0x6013d8:
0x0000000000601398 <decode_residuals+456>: xor %esi,%esi
0x000000000060139a <decode_residuals+458>: shr $0xff,%ecx
0x000000000060139d <decode_residuals+461>: test %ecx,%ecx
0x000000000060139f <decode_residuals+463>: jne 0x601464
<decode_residuals+660>
0x00000000006013a5 <decode_residuals+469>: nopl (%rax)
0x00000000006013a8 <decode_residuals+472>: add $0x1,%eax
0x00000000006013ab <decode_residuals+475>: add $0x1,%esi
0x00000000006013ae <decode_residuals+478>: mov %eax,%edx
0x00000000006013b0 <decode_residuals+480>: mov %eax,%ecx
0x00000000006013b2 <decode_residuals+482>: and $0x7,%ecx
0x00000000006013b5 <decode_residuals+485>: shr $0x3,%edx
=> 0x00000000006013b8 <decode_residuals+488>: mov (%r8,%rdx,1),%edx
0x00000000006013bc <decode_residuals+492>: bswap %edx
0x00000000006013be <decode_residuals+494>: shl %cl,%edx
0x00000000006013c0 <decode_residuals+496>: mov %edx,%ecx
0x00000000006013c2 <decode_residuals+498>: shr $0xff,%ecx
0x00000000006013c5 <decode_residuals+501>: test %ecx,%ecx
0x00000000006013c7 <decode_residuals+503>: je 0x6013a8
<decode_residuals+472>
0x00000000006013c9 <decode_residuals+505>: add %edx,%edx
0x00000000006013cb <decode_residuals+507>: add $0x1,%eax
0x00000000006013ce <decode_residuals+510>: cmp $0x7ffffffd,%esi
0x00000000006013d4 <decode_residuals+516>: jle 0x6013f8
<decode_residuals+552>
0x00000000006013d6 <decode_residuals+518>: xor %ecx,%ecx
End of assembler dump.
(gdb) info all-registers
rax 0xa6130a8 174141608
rbx 0x0 0
rcx 0x0 0
rdx 0x14c2615 21767701
rsi 0x107e08 1080840
rdi 0x1369580 20354432
rbp 0x1396050 0x1396050
rsp 0x7fffffffbdd0 0x7fffffffbdd0
r8 0x20049e8 33573352
r9 0xa50b2a0 173060768
r10 0xf4 244
r11 0x9 9
r12 0x200 512
r13 0x1f 31
r14 0x500 1280
r15 0x0 0
rip 0x6013b8 0x6013b8 <decode_residuals+488>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x8, 0x0, 0x0}, v2_double = {0x36000,
0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xb, 0x41, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x410b, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x0, 0x410b0000, 0x0, 0x0}, v2_int64 =
{0x410b000000000000, 0x0},
uint128 = 0x0000000000000000410b000000000000}
xmm1 {v4_float = {0x0, 0x4d680000, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x7d, 0xc3, 0x94, 0x25, 0xad, 0x49,
0xb2, 0x54,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0xc37d, 0x2594,
0x49ad, 0x54b2, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x2594c37d, 0x54b249ad,
0x0,
0x0}, v2_int64 = {0x54b249ad2594c37d, 0x0}, uint128 =
0x000000000000000054b249ad2594c37d}
xmm2 {v4_float = {0x0, 0x7, 0x0, 0x0}, v2_double = {0xac44,
0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x80, 0x88, 0xe5,
0x40, 0xb,
0xf0, 0x2c, 0xff, 0xa6, 0xe0, 0xf7, 0xf1}, v8_int16 = {0x0, 0x0,
0x8880, 0x40e5, 0xf00b, 0xff2c, 0xe0a6, 0xf1f7}, v4_int32 = {0x0,
0x40e58880,
0xff2cf00b, 0xf1f7e0a6}, v2_int64 = {0x40e5888000000000,
0xf1f7e0a6ff2cf00b}, uint128 = 0xf1f7e0a6ff2cf00b40e5888000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x0}, v16_int8 = {0x5d, 0xe5, 0xce, 0xef, 0x6b, 0xe8,
0xac, 0xef, 0xbd,
0xf3, 0xac, 0xf5, 0xd3, 0x1, 0x6f, 0x2}, v8_int16 = {0xe55d, 0xefce,
0xe86b, 0xefac, 0xf3bd, 0xf5ac, 0x1d3, 0x26f}, v4_int32 = {0xefcee55d,
0xeface86b,
0xf5acf3bd, 0x26f01d3}, v2_int64 = {0xeface86befcee55d,
0x26f01d3f5acf3bd}, uint128 = 0x026f01d3f5acf3bdeface86befcee55d}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xb1, 0x0, 0x52,
0xfc, 0x96, 0xff, 0xa4,
0xfa, 0xd0, 0xf8, 0xaa, 0xf7, 0x1b, 0xed, 0x73, 0xf3}, v8_int16 =
{0xb1, 0xfc52, 0xff96, 0xfaa4, 0xf8d0, 0xf7aa, 0xed1b, 0xf373}, v4_int32 =
{
0xfc5200b1, 0xfaa4ff96, 0xf7aaf8d0, 0xf373ed1b}, v2_int64 =
{0xfaa4ff96fc5200b1, 0xf373ed1bf7aaf8d0}, uint128 =
0xf373ed1bf7aaf8d0faa4ff96fc5200b1}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x1e, 0xa, 0x7c,
0xff, 0x8b, 0x4, 0xaf,
0xf8, 0x7c, 0xfb, 0x49, 0xec, 0x6f, 0xf4, 0x6f, 0xe2}, v8_int16 =
{0xa1e, 0xff7c, 0x48b, 0xf8af, 0xfb7c, 0xec49, 0xf46f, 0xe26f}, v4_int32 =
{
0xff7c0a1e, 0xf8af048b, 0xec49fb7c, 0xe26ff46f}, v2_int64 =
{0xf8af048bff7c0a1e, 0xe26ff46fec49fb7c}, uint128 =
0xe26ff46fec49fb7cf8af048bff7c0a1e}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x7c, 0xec, 0x2c,
0xf2, 0x73, 0xe7,
---Type <return> to continue, or q <return> to quit---
0xc4, 0xed, 0x1b, 0xe5, 0xf4, 0xe9, 0x2a, 0xe5, 0x4b, 0xe6}, v8_int16
= {0xec7c, 0xf22c, 0xe773, 0xedc4, 0xe51b, 0xe9f4, 0xe52a, 0xe64b},
v4_int32 = {
0xf22cec7c, 0xedc4e773, 0xe9f4e51b, 0xe64be52a}, v2_int64 =
{0xedc4e773f22cec7c, 0xe64be52ae9f4e51b}, uint128 =
0xe64be52ae9f4e51bedc4e773f22cec7c}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double =
{0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x7d, 0xe4, 0xac,
0xe4, 0x2d, 0xe3,
0x4d, 0xe5, 0x78, 0xe1, 0xd9, 0xe3, 0x16, 0xe0, 0xf8, 0xdd}, v8_int16
= {0xe47d, 0xe4ac, 0xe32d, 0xe54d, 0xe178, 0xe3d9, 0xe016, 0xddf8},
v4_int32 = {
0xe4ace47d, 0xe54de32d, 0xe3d9e178, 0xddf8e016}, v2_int64 =
{0xe54de32de4ace47d, 0xddf8e016e3d9e178}, uint128 =
0xddf8e016e3d9e178e54de32de4ace47d}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x46, 0x84, 0x24, 0x59, 0xd6, 0x3e, 0x0, 0x0, 0x0,
0x0, 0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x8446, 0x5924, 0x3ed6, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x84460000, 0x3ed65924, 0x0, 0x0}, v2_int64 = {
0x3ed6592484460000, 0x0}, uint128 =
0x00000000000000003ed6592484460000}
xmm11 {v4_float = {0x9689a800, 0x0, 0x0, 0x0}, v2_double = {0x0,
0x0}, v16_int8 = {0x6a, 0xa2, 0x65, 0x50, 0xf2, 0xea, 0x8f, 0xbd, 0xff,
0xff,
0xff, 0x0, 0x0, 0x0, 0xff, 0x0}, v8_int16 = {0xa26a, 0x5065, 0xeaf2,
0xbd8f, 0xffff, 0xff, 0x0, 0xff}, v4_int32 = {0x5065a26a, 0xbd8feaf2,
0xffffff,
0xff0000}, v2_int64 = {0xbd8feaf25065a26a, 0xff000000ffffff}, uint128
= 0x00ff000000ffffffbd8feaf25065a26a}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc4, 0x3c, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3cc4, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x0, 0x3cc40000, 0x0, 0x0}, v2_int64 =
{0x3cc4000000000000, 0x0},
uint128 = 0x00000000000000003cc4000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x59, 0xbc, 0x0, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x8000, 0xbc59, 0x0, 0x0, 0x0,
0x0}, v4_int32 = {0x0, 0xbc598000, 0x0, 0x0}, v2_int64 =
{0xbc59800000000000,
0x0}, uint128 = 0x0000000000000000bc59800000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x8e, 0x85, 0x83, 0xe8, 0xf0, 0x24, 0x53, 0x3c, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x858e, 0xe883, 0x24f0, 0x3c53, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0xe883858e, 0x3c5324f0, 0x0, 0x0}, v2_int64 =
{
0x3c5324f0e883858e, 0x0}, uint128 =
0x00000000000000003c5324f0e883858e}
xmm15 {v4_float = {0x0, 0x3, 0x0, 0x0}, v2_double = {0x2d, 0x0},
v16_int8 = {0xc0, 0x9, 0xf2, 0x16, 0xb5, 0xdf, 0x46, 0x40, 0x0, 0x0, 0x0,
0x0,
0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x9c0, 0x16f2, 0xdfb5, 0x4046, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x16f209c0, 0x4046dfb5, 0x0, 0x0}, v2_int64 =
{
0x4046dfb516f209c0, 0x0}, uint128 =
0x00000000000000004046dfb516f209c0}
mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ]
(gdb)
}}}
--
Comment (by cehoyos):
Please upload your 30MB sample to http://www.datafilehost.com and post the
download link here.
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/600#comment:1>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker