[FFmpeg-trac] #3115(avcodec:open): hevc: crash with threads 1 (fuzzed file)
FFmpeg
trac at avcodec.org
Tue Nov 19 11:34:40 CET 2013
#3115: hevc: crash with threads 1 (fuzzed file)
------------------------------------+-----------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: open
Priority: important | Component: avcodec
Version: git-master | Resolution:
Keywords: hevc crash | Blocked By:
Blocking: | Reproduced by developer: 1
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by cehoyos):
Only reproducible with {{{--disable-yasm}}} (and {{{--disable-asm}}});
valgrind shows no problem, and threads > 2 also works fine here.
Depending on the exact configure options, it crashes or works with
-threads 1 here.
Different backtraces are possible with the same command line and the same
configure options (the glibc "free(): invalid pointer" abort and the crashes
inside malloc_consolidate below suggest the heap is already corrupted before
the point where the process finally fails).
{{{
(gdb) r -threads 2 -i fahevc2.ts -f null -
ffmpeg version N-58263-g1f7b7d5 Copyright (c) 2000-2013 the FFmpeg
developers
built on Nov 19 2013 11:25:41 with gcc 4.7 (SUSE Linux)
configuration: --disable-yasm
libavutil 52. 53.100 / 52. 53.100
libavcodec 55. 43.101 / 55. 43.101
libavformat 55. 21.100 / 55. 21.100
libavdevice 55. 5.100 / 55. 5.100
libavfilter 3. 91.100 / 3. 91.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
...
*** glibc detected *** ffmpeg_g: free(): invalid pointer:
0x00007fffec007760 ***
...
(gdb) bt
#0 0x00007ffff6048d25 in raise () from /lib64/libc.so.6
#1 0x00007ffff604a1a8 in abort () from /lib64/libc.so.6
#2 0x00007ffff6086fcb in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff608cb66 in malloc_printerr () from /lib64/libc.so.6
#4 0x0000000000c01dec in av_free (ptr=<optimized out>) at
libavutil/mem.c:231
#5 av_freep (arg=arg at entry=0x1806f98) at libavutil/mem.c:238
#6 0x0000000000bf571e in av_buffer_unref (buf=buf at entry=0x1806f98) at
libavutil/buffer.c:112
#7 0x0000000000bfbb51 in av_frame_unref (frame=frame at entry=0x1806dc0) at
libavutil/frame.c:363
#8 0x00000000004689e0 in reap_filters () at ffmpeg.c:1127
#9 0x00000000004590c8 in transcode_step () at ffmpeg.c:3235
#10 transcode () at ffmpeg.c:3278
#11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3456
}}}
{{{
(gdb) bt
#0 0x00007ffff6104c0b in __lll_lock_wait_private () from /lib64/libc.so.6
#1 0x00007ffff6092b5e in _L_lock_11285 () from /lib64/libc.so.6
#2 0x00007ffff6090c22 in malloc () from /lib64/libc.so.6
#3 0x00007ffff7de01d2 in local_strdup () from /lib64/ld-linux-x86-64.so.2
#4 0x00007ffff7de33c7 in _dl_map_object () from /lib64/ld-
linux-x86-64.so.2
#5 0x00007ffff7ded81e in dl_open_worker () from /lib64/ld-
linux-x86-64.so.2
#6 0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-
linux-x86-64.so.2
#7 0x00007ffff7ded28c in _dl_open () from /lib64/ld-linux-x86-64.so.2
#8 0x00007ffff612e332 in do_dlopen () from /lib64/libc.so.6
#9 0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-
linux-x86-64.so.2
#10 0x00007ffff612e3cf in dlerror_run () from /lib64/libc.so.6
#11 0x00007ffff612e441 in __libc_dlopen_mode () from /lib64/libc.so.6
#12 0x00007ffff6109ed5 in init () from /lib64/libc.so.6
#13 0x00007ffff6ce9c80 in pthread_once () from /lib64/libpthread.so.0
#14 0x00007ffff6109ff4 in backtrace () from /lib64/libc.so.6
#15 0x00007ffff6086fe5 in __libc_message () from /lib64/libc.so.6
#16 0x00007ffff608cb66 in malloc_printerr () from /lib64/libc.so.6
#17 0x00007ffff608cecb in malloc_consolidate () from /lib64/libc.so.6
#18 0x00007ffff608de47 in _int_malloc () from /lib64/libc.so.6
#19 0x00007ffff6090c30 in malloc () from /lib64/libc.so.6
#20 0x0000000000bf5a4a in av_buffer_realloc
(pbuf=pbuf at entry=0x7fffffffd440, size=8193)
at libavutil/buffer.c:164
#21 0x00000000005de453 in copy_packet_data (dup=1, src=<synthetic
pointer>, pkt=0x7fffffffd440)
at libavcodec/avpacket.c:204
#22 av_dup_packet (pkt=pkt at entry=0x7fffffffd440) at
libavcodec/avpacket.c:259
#23 0x000000000059fd5f in parse_packet (s=s at entry=0x16fd9e0,
pkt=pkt at entry=0x7fffffffd620,
stream_index=<optimized out>) at libavformat/utils.c:1273
#24 0x00000000005a0764 in read_frame_internal (s=0x16fd9e0,
pkt=0x7fffffffd9e0)
at libavformat/utils.c:1384
#25 0x00000000005a1526 in av_read_frame (s=0x16fd9e0,
pkt=pkt at entry=0x7fffffffd9e0)
at libavformat/utils.c:1425
#26 0x000000000046b1e4 in get_input_packet (pkt=0x7fffffffd9e0,
f=0x183a4c0) at ffmpeg.c:2919
#27 process_input (file_index=0) at ffmpeg.c:2956
#28 0x00000000004590b0 in transcode_step () at ffmpeg.c:3226
#29 transcode () at ffmpeg.c:3278
#30 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3456
}}}
{{{
(gdb) bt
#0 0x00007ffff608ce03 in malloc_consolidate () from /lib64/libc.so.6
#1 0x00007ffff608de47 in _int_malloc () from /lib64/libc.so.6
#2 0x00007ffff608f101 in _int_memalign () from /lib64/libc.so.6
#3 0x00007ffff6091534 in memalign () from /lib64/libc.so.6
#4 0x00007ffff609261c in posix_memalign () from /lib64/libc.so.6
#5 0x0000000000c01bca in av_malloc (size=size at entry=1040) at
libavutil/mem.c:94
#6 0x0000000000bf5398 in av_buffer_alloc (size=1040) at
libavutil/buffer.c:70
#7 0x0000000000537946 in mpegts_push_data (filter=<optimized out>,
buf=<optimized out>,
buf_size=170, is_start=<optimized out>, pos=<optimized out>,
pcr=<optimized out>)
at libavformat/mpegts.c:911
#8 0x0000000000535176 in handle_packet (ts=ts at entry=0x170e1a0,
packet=0x170a56c "GA-7\ap")
at libavformat/mpegts.c:1920
#9 0x00000000005356d2 in handle_packets (ts=ts at entry=0x170e1a0,
nb_packets=nb_packets at entry=0)
at libavformat/mpegts.c:2059
#10 0x0000000000535754 in mpegts_read_packet (s=<optimized out>,
pkt=0x7fffffffd620)
at libavformat/mpegts.c:2294
#11 0x000000000059e7d2 in ff_read_packet (s=s at entry=0x16fd9e0,
pkt=pkt at entry=0x7fffffffd620)
at libavformat/utils.c:680
#12 0x00000000005a06d0 in read_frame_internal (s=0x16fd9e0,
pkt=0x7fffffffd9e0)
at libavformat/utils.c:1321
#13 0x00000000005a1526 in av_read_frame (s=0x16fd9e0,
pkt=pkt at entry=0x7fffffffd9e0)
at libavformat/utils.c:1425
#14 0x000000000046b1e4 in get_input_packet (pkt=0x7fffffffd9e0,
f=0x183a4c0) at ffmpeg.c:2919
#15 process_input (file_index=0) at ffmpeg.c:2956
#16 0x00000000004590b0 in transcode_step () at ffmpeg.c:3226
#17 transcode () at ffmpeg.c:3278
#18 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3456
}}}
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3115#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker