[FFmpeg-trac] #3070(avcodec:open): hevc: invalid reads

FFmpeg trac at avcodec.org
Thu Oct 24 22:47:34 CEST 2013


#3070: hevc: invalid reads
------------------------------------+-----------------------------------
             Reporter:  ami_stuff   |                    Owner:
                 Type:  defect      |                   Status:  open
             Priority:  normal      |                Component:  avcodec
              Version:  git-master  |               Resolution:
             Keywords:  hevc        |               Blocked By:
             Blocking:              |  Reproduced by developer:  1
Analyzed by developer:  0           |
------------------------------------+-----------------------------------

Comment (by jamal):

 I had to run this about 20 times before I could reproduce the crash, so it is intermittent.

 {{{
 (gdb) r -threads 3 -i ../hevc1.ts -f null -
 Starting program: D:\MinGW\msys\1.0\ffmpeg\build32/ffmpeg_g.exe -threads 3
 -i ../hevc1.ts -f null -
 [New Thread 2572.0xae4]
 ffmpeg version N-57397-g6c9c636 Copyright (c) 2000-2013 the FFmpeg
 developers
   built on Oct 24 2013 17:33:33 with gcc 4.8.1 (GCC)
   configuration: --enable-gpl --disable-optimizations --enable-debug=gdb
 --enable-cross-compile --cross-prefix=x86_64-w64-mingw32- --arch=x86_64
 --target-os=mingw32 --prefix=/mingw64
   libavutil      52. 47.101 / 52. 47.101
   libavcodec     55. 38.101 / 55. 38.101
   libavformat    55. 19.104 / 55. 19.104
   libavdevice    55.  5.100 / 55.  5.100
   libavfilter     3. 89.100 /  3. 89.100
   libswscale      2.  5.101 /  2.  5.101
   libswresample   0. 17.104 /  0. 17.104
   libpostproc    52.  3.100 / 52.  3.100
 Input #0, mpegts, from '../hevc1.ts':
   Duration: 00:00:12.60, start: 0.080000, bitrate: 348 kb/s
   Program 1
     Stream #0:0[0x12d]: Video: hevc (HEVC / 0x43564548), yuv420p, 320x240,
 23.98 tbr, 90k tbn, 90k tbc
 [New Thread 2572.0x968]
 [New Thread 2572.0xd64]
 [New Thread 2572.0xf50]
 [New Thread 2572.0xf38]
 [New Thread 2572.0x54c]
 [New Thread 2572.0xf28]
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf55.19.104
     Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240,
 q=2-31,200 kb/s, 90k tbn, 23.98 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (hevc -> rawvideo)
 Press [q] to stop, [?] for help
 [null @ 000000000644ee20] Encoder did not produce proper pts, making some
 up.
 frame=  288 fps=191 q=0.0 size=N/A time=00:00:12.01 bitrate=N/A
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 2572.0xf28]
 0x0000000000c3e844 in get_cabac ()
 (gdb) bt
 #0  0x0000000000c3e844 in get_cabac ()
 #1  0x0000000000c426dd in ff_hevc_hls_mvd_coding ()
 #2  0x000000000076e107 in hls_prediction_unit ()
 #3  0x0000000000770678 in hls_coding_unit ()
 #4  0x00000000007711be in hls_coding_quadtree ()
 #5  0x00000000007710a0 in hls_coding_quadtree ()
 #6  0x00000000007710a0 in hls_coding_quadtree ()
 #7  0x00000000007710a0 in hls_coding_quadtree ()
 #8  0x0000000000771b9a in hls_decode_entry ()
 #9  0x0000000000617820 in avcodec_default_execute ()
 #10 0x0000000000771cab in hls_slice_data ()
 #11 0x0000000000773284 in decode_nal_unit ()
 #12 0x0000000000773cf4 in decode_nal_units ()
 #13 0x000000000077418b in hevc_decode_frame ()
 #14 0x00000000006b6b24 in frame_worker_thread ()
 #15 0x00000000006b5be9 in win32thread_worker ()
 #16 0x000007feff71415f in srand () from C:\Windows\system32\msvcrt.dll
 #17 0x0000000006456688 in ?? ()
 #18 0x0000000000000000 in ?? ()
 (gdb) disass $pc-32,$pc+32
 Dump of assembler code from 0xc3e824 to 0xc3e864:
    0x0000000000c3e824 <get_cabac+130>:  or     $0x2,%al
    0x0000000000c3e826 <get_cabac+132>:  shl    %cl,%eax
    0x0000000000c3e828 <get_cabac+134>:  movzbl 0x480(%r10,%rbx,1),%r11d
    0x0000000000c3e831 <get_cabac+143>:  shl    %cl,%edx
    0x0000000000c3e833 <get_cabac+145>:  mov    %r11b,(%r8)
    0x0000000000c3e836 <get_cabac+148>:  test   %dx,%dx
    0x0000000000c3e839 <get_cabac+151>:  jne    0xc3e86f <get_cabac+205>
    0x0000000000c3e83b <get_cabac+153>:  mov    0x18(%r9),%rcx
    0x0000000000c3e83f <get_cabac+157>:  addq   $0x2,0x18(%r9)
 => 0x0000000000c3e844 <get_cabac+162>:  movzwl (%rcx),%r11d
    0x0000000000c3e848 <get_cabac+166>:  lea    -0x1(%edx),%ecx
    0x0000000000c3e84c <get_cabac+170>:  xor    %edx,%ecx
    0x0000000000c3e84e <get_cabac+172>:  shr    $0xf,%ecx
    0x0000000000c3e851 <get_cabac+175>:  bswap  %r11d
    0x0000000000c3e854 <get_cabac+178>:  shr    $0xf,%r11d
    0x0000000000c3e858 <get_cabac+182>:  movzbl (%r10,%rcx,1),%ecx
    0x0000000000c3e85d <get_cabac+187>:  sub    $0xffff,%r11d
 End of assembler dump.
 (gdb) info all-registers
 rax            0x1c6    454
 rbx            0xfffffffffffffffd       -3
 rcx            0x6a6d000        111595520
 rdx            0x15d0000        22872064
 rsi            0x0      0
 rdi            0x0      0
 rbp            0x7667730        0x7667730
 rsp            0x76676b0        0x76676b0
 r8             0x689a63f        109684287
 r9             0x689a6f8        109684472
 r10            0xf72360 16196448
 r11            0x0      0
 r12            0x0      0
 r13            0x0      0
 r14            0x0      0
 r15            0x0      0
 rip            0xc3e844 0xc3e844 <get_cabac+162>
 eflags         0x10202  [ IF RF ]
 cs             0x33     51
 ss             0x202002b        33685547
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x2b0000 2818048
 st0            -nan(0x083848583)        (raw 0xffff0000000083848583)
 st1            -nan(0x080828384)        (raw 0xffff0000000080828384)
 st2            0        (raw 0x00000000000000000000)
 st3            0        (raw 0x00000000000000000000)
 st4            0        (raw 0x00000000000000000000)
 st5            0        (raw 0x00000000000000000000)
 st6            0        (raw 0x00000000000000000000)
 st7            0        (raw 0x00000000000000000000)
 fctrl          0x27f    639
 fstat          0xff0000 16711680
 ftag           0xff     255
 fiseg          0x0      0
 fioff          0x0      0
 foseg          0x0      0
 fooff          0x0      0
 fop            0x0      0
 xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {
 0x8000000000000000, 0x0}, v16_int8 = {0x69, 0x6a, 0x6c, 0x6c, 0x6d, 0x6e,
 0x6d, 0x6c, 0x6d, 0x6b, 0x6b, 0x6d, 0x6a, 0x5e, 0x3c, 0x11}, v8_int16 = {
 0x6a69, 0x6c6c, 0x6e6d, 0x6c6d, 0x6b6d, 0x6d6b, 0x5e6a, 0x113c}, v4_int32
 = {0x6c6c6a69, 0x6c6d6e6d, 0x6d6b6b6d, 0x113c5e6a}, v2_int64 = {
 0x6c6d6e6d6c6c6a69, 0x113c5e6a6d6b6b6d}, uint128 =
 0x113c5e6a6d6b6b6d6c6d6e6d6c6c6a69}
 xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm8           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm9           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm11          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm14          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
 v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
 uint128 = 0x00000000000000000000000000000000}
 mxcsr          0x1f80   [ IM DM ZM OM UM PM ]
 }}}

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/3070#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

