[FFmpeg-trac] #3070(avcodec:open): hevc: invalid reads
FFmpeg
trac at avcodec.org
Thu Oct 24 22:47:34 CEST 2013
#3070: hevc: invalid reads
------------------------------------+-----------------------------------
Reporter: ami_stuff | Owner:
Type: defect | Status: open
Priority: normal | Component: avcodec
Version: git-master | Resolution:
Keywords: hevc | Blocked By:
Blocking: | Reproduced by developer: 1
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by jamal):
Had to run this about 20 times before I could reproduce the crash.
{{{
(gdb) r -threads 3 -i ../hevc1.ts -f null -
Starting program: D:\MinGW\msys\1.0\ffmpeg\build32/ffmpeg_g.exe -threads 3
-i ../hevc1.ts -f null -
[New Thread 2572.0xae4]
ffmpeg version N-57397-g6c9c636 Copyright (c) 2000-2013 the FFmpeg
developers
built on Oct 24 2013 17:33:33 with gcc 4.8.1 (GCC)
configuration: --enable-gpl --disable-optimizations --enable-debug=gdb
--enable-cross-compile --cross-prefix=x86_64-w64-mingw32- --arch=x86_64
--target-os=mingw32 --prefix=/mingw64
libavutil 52. 47.101 / 52. 47.101
libavcodec 55. 38.101 / 55. 38.101
libavformat 55. 19.104 / 55. 19.104
libavdevice 55. 5.100 / 55. 5.100
libavfilter 3. 89.100 / 3. 89.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
Input #0, mpegts, from '../hevc1.ts':
Duration: 00:00:12.60, start: 0.080000, bitrate: 348 kb/s
Program 1
Stream #0:0[0x12d]: Video: hevc (HEVC / 0x43564548), yuv420p, 320x240,
23.98 tbr, 90k tbn, 90k tbc
[New Thread 2572.0x968]
[New Thread 2572.0xd64]
[New Thread 2572.0xf50]
[New Thread 2572.0xf38]
[New Thread 2572.0x54c]
[New Thread 2572.0xf28]
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.19.104
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240,
q=2-31,200 kb/s, 90k tbn, 23.98 tbc
Stream mapping:
Stream #0:0 -> #0:0 (hevc -> rawvideo)
Press [q] to stop, [?] for help
[null @ 000000000644ee20] Encoder did not produce proper pts, making some
up.
frame= 288 fps=191 q=0.0 size=N/A time=00:00:12.01 bitrate=N/A
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2572.0xf28]
0x0000000000c3e844 in get_cabac ()
(gdb) bt
#0 0x0000000000c3e844 in get_cabac ()
#1 0x0000000000c426dd in ff_hevc_hls_mvd_coding ()
#2 0x000000000076e107 in hls_prediction_unit ()
#3 0x0000000000770678 in hls_coding_unit ()
#4 0x00000000007711be in hls_coding_quadtree ()
#5 0x00000000007710a0 in hls_coding_quadtree ()
#6 0x00000000007710a0 in hls_coding_quadtree ()
#7 0x00000000007710a0 in hls_coding_quadtree ()
#8 0x0000000000771b9a in hls_decode_entry ()
#9 0x0000000000617820 in avcodec_default_execute ()
#10 0x0000000000771cab in hls_slice_data ()
#11 0x0000000000773284 in decode_nal_unit ()
#12 0x0000000000773cf4 in decode_nal_units ()
#13 0x000000000077418b in hevc_decode_frame ()
#14 0x00000000006b6b24 in frame_worker_thread ()
#15 0x00000000006b5be9 in win32thread_worker ()
#16 0x000007feff71415f in srand () from C:\Windows\system32\msvcrt.dll
#17 0x0000000006456688 in ?? ()
#18 0x0000000000000000 in ?? ()
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xc3e824 to 0xc3e864:
0x0000000000c3e824 <get_cabac+130>: or $0x2,%al
0x0000000000c3e826 <get_cabac+132>: shl %cl,%eax
0x0000000000c3e828 <get_cabac+134>: movzbl 0x480(%r10,%rbx,1),%r11d
0x0000000000c3e831 <get_cabac+143>: shl %cl,%edx
0x0000000000c3e833 <get_cabac+145>: mov %r11b,(%r8)
0x0000000000c3e836 <get_cabac+148>: test %dx,%dx
0x0000000000c3e839 <get_cabac+151>: jne 0xc3e86f <get_cabac+205>
0x0000000000c3e83b <get_cabac+153>: mov 0x18(%r9),%rcx
0x0000000000c3e83f <get_cabac+157>: addq $0x2,0x18(%r9)
=> 0x0000000000c3e844 <get_cabac+162>: movzwl (%rcx),%r11d
0x0000000000c3e848 <get_cabac+166>: lea -0x1(%edx),%ecx
0x0000000000c3e84c <get_cabac+170>: xor %edx,%ecx
0x0000000000c3e84e <get_cabac+172>: shr $0xf,%ecx
0x0000000000c3e851 <get_cabac+175>: bswap %r11d
0x0000000000c3e854 <get_cabac+178>: shr $0xf,%r11d
0x0000000000c3e858 <get_cabac+182>: movzbl (%r10,%rcx,1),%ecx
0x0000000000c3e85d <get_cabac+187>: sub $0xffff,%r11d
End of assembler dump.
(gdb) info all-registers
rax 0x1c6 454
rbx 0xfffffffffffffffd -3
rcx 0x6a6d000 111595520
rdx 0x15d0000 22872064
rsi 0x0 0
rdi 0x0 0
rbp 0x7667730 0x7667730
rsp 0x76676b0 0x76676b0
r8 0x689a63f 109684287
r9 0x689a6f8 109684472
r10 0xf72360 16196448
r11 0x0 0
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xc3e844 0xc3e844 <get_cabac+162>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x202002b 33685547
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x2b0000 2818048
st0 -nan(0x083848583) (raw 0xffff0000000083848583)
st1 -nan(0x080828384) (raw 0xffff0000000080828384)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x27f 639
fstat 0xff0000 16711680
ftag 0xff 255
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {
0x8000000000000000, 0x0}, v16_int8 = {0x69, 0x6a, 0x6c, 0x6c, 0x6d, 0x6e,
0x6d, 0x6c, 0x6d, 0x6b, 0x6b, 0x6d, 0x6a, 0x5e, 0x3c, 0x11}, v8_int16 = {
0x6a69, 0x6c6c, 0x6e6d, 0x6c6d, 0x6b6d, 0x6d6b, 0x5e6a, 0x113c}, v4_int32
= {0x6c6c6a69, 0x6c6d6e6d, 0x6d6b6b6d, 0x113c5e6a}, v2_int64 = {
0x6c6d6e6d6c6c6a69, 0x113c5e6a6d6b6b6d}, uint128 =
0x113c5e6a6d6b6b6d6c6d6e6d6c6c6a69}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
}}}
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3070#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker