[FFmpeg-trac] #3889(undetermined:new): h264: crash in low mem situation

FFmpeg trac at avcodec.org
Sun Aug 24 12:44:40 CEST 2014 

#3889: h264: crash in low mem situation
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:
                Version:             |  undetermined
  unspecified                        |               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 I first spotted it on windows.

 It crashes here with -Sv between 200000 and 800000.

 http://www.datafilehost.com/d/e6b9258d

 {{{
 knoppix at Microknoppix:/media/sdb1$ ulimit -Sv 300000 -c unlimited
 knoppix at Microknoppix:/media/sdb1$ ffmpeg_g -vcodec h264 -i dvvideo.avi -an
 -f null -
 ffmpeg-snapshot/ffmpeg -vcodec h264 -i dvvideo.avi -an -f null -
 ffmpeg version 2.3.git Copyright (c) 2000-2014 the FFmpeg developers
   built on Aug 24 2014 12:13:59 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --enable-gpl --disable-ffprobe --disable-
 ffserver
   libavutil      54.  7.100 / 54.  7.100
   libavcodec     56.  0.101 / 56.  0.101
   libavformat    56.  2.100 / 56.  2.100
   libavdevice    56.  0.100 / 56.  0.100
   libavfilter     5.  0.103 /  5.  0.103
   libswscale      3.  0.100 /  3.  0.100
   libswresample   1.  1.100 /  1.  1.100
   libpostproc    53.  0.100 / 53.  0.100
 [h264 @ 0x93b8900] no frame!
     Last message repeated 6 times
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] sps_id 32 out of range
     Last message repeated 1 times
 [h264 @ 0x93b8900] no frame!
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] sps_id 32 out of range
     Last message repeated 1 times
 [h264 @ 0x93b8900] illegal POC type 32
 [h264 @ 0x93b8900] sps_id 32 out of range
 [h264 @ 0x93b8900] no frame!
 [h264 @ 0x93b8900] SEI type 127 size 1192 truncated at 5
 [h264 @ 0x93b8900] illegal aspect ratio
 [h264 @ 0x93b8900] too many reference frames 32
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] illegal aspect ratio
 [h264 @ 0x93b8900] sps_id 32 out of range
 [h264 @ 0x93b8900] illegal aspect ratio
 [h264 @ 0x93b8900] sps_id 32 out of range
 [h264 @ 0x93b8900] SEI type 132 size 1680 truncated at 1
 [h264 @ 0x93b8900] no frame!
 [h264 @ 0x93b8900] sps_id 32 out of range
     Last message repeated 1 times
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] slice type 32 too large at 0 0
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] no frame!
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] slice type 32 too large at 0 0
 [h264 @ 0x93b8900] decode_slice_header error
 [h264 @ 0x93b8900] sps_id 0 out of range
 [h264 @ 0x93b8900] SEI type 52 size 1232 truncated at 4
 [h264 @ 0x93b8900] SEI type 93 size 496 truncated at 7
 [h264 @ 0x93b8900] Partitioned H.264 support is incomplete
 [h264 @ 0x93b8900] non-existing PPS 126 referenced
 [h264 @ 0x93b8900] decode_slice_header error
 [...]
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] Missing reference picture, default is 0
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] QP 4294967217 out of range
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] reference overflow 246 > 15 or 0 > 15
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] reference overflow 24647 > 31 or 0 > 31
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] Missing reference picture, default is 0
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] Missing reference picture, default is 0
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] Partitioned H.264 support is incomplete
 [h264 @ 0x96740a0] Missing reference picture, default is 0
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x96740a0] decode_slice_header error
 [h264 @ 0x96740a0] QP 3109 out of range
 [h264 @ 0x96740a0] decode_slice_header error
 Input stream #0:0 frame changed from size:96x16 fmt:yuvj420p to size:32x16
 fmt:yuvj420p
 [h264 @ 0x93b0ba0] slice type 32 too large at 0 0
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] cabac_init_idc 32 overflow
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] reference picture missing during reorder
 [h264 @ 0x93b0ba0] reference count overflow
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] FMO not supported
 [h264 @ 0x93b0ba0] reference overflow (pps)
 [h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] FMO not supported
 [h264 @ 0x93b0ba0] sps_id 9 out of range
 [h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] slice type 13 too large at 0 1
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] Partitioned H.264 support is incomplete
 [h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] non-existing PPS 14 referenced
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] sps_id 3 out of range
 [h264 @ 0x93b0ba0] first_mb_in_slice overflow
 [h264 @ 0x93b0ba0] decode_slice_header error
 [swscaler @ 0xade87c00] deprecated pixel format used, make sure you did
 set range correctly
 [h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] Missing reference picture, default is 0
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] Reinit context to 32x64, pix_fmt: yuvj420p
 [h264 @ 0x93b0ba0] Missing reference picture, default is 2147483647
     Last message repeated 3 times
 [h264 @ 0x93b0ba0] deblocking_filter_idc 6 out of range
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] Partitioned H.264 support is incomplete
 [h264 @ 0x93b0ba0] A non-intra slice in an IDR NAL unit.
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] non-existing PPS 21 referenced
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x93b0ba0] Reinit context to 16x256, pix_fmt: yuvj420p
 [h264 @ 0x93b0ba0] QP 3109 out of range
 [h264 @ 0x93b0ba0] decode_slice_header error
 [h264 @ 0x9811b80] FMO not supported
 [h264 @ 0x9811b80] Reinit context to 32x64, pix_fmt: yuvj420p
 [h264 @ 0x9811b80] first_mb_in_slice overflow
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] This stream was generated by a broken encoder, invalid
 8x8 inference
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] FMO not supported
 [h264 @ 0x9811b80] slice type 19 too large at 0 1
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] Partitioned H.264 support is incomplete
 [h264 @ 0x9811b80] Reinit context to 131056x2016, pix_fmt: yuvj420p
 [h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is
 invalid
 [h264 @ 0x9811b80] video_get_buffer: image parameters invalid
 [h264 @ 0x9811b80] get_buffer() failed
 [h264 @ 0x9811b80] thread_get_buffer() failed
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is
 invalid
 [h264 @ 0x9811b80] video_get_buffer: image parameters invalid
 [h264 @ 0x9811b80] get_buffer() failed
 [h264 @ 0x9811b80] thread_get_buffer() failed
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is
 invalid
 [h264 @ 0x9811b80] video_get_buffer: image parameters invalid
 [h264 @ 0x9811b80] get_buffer() failed
 [h264 @ 0x9811b80] thread_get_buffer() failed
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] illegal aspect ratio
 [h264 @ 0x9811b80] sps_id 32 out of range
 [h264 @ 0x9811b80] slice type 23 too large at 0 1
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is
 invalid
 [h264 @ 0x9811b80] video_get_buffer: image parameters invalid
 [h264 @ 0x9811b80] get_buffer() failed
 [h264 @ 0x9811b80] thread_get_buffer() failed
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] Partitioned H.264 support is incomplete
 [h264 @ 0x9811b80] sps_id 32 out of range
     Last message repeated 1 times
 [h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is
 invalid
 [h264 @ 0x9811b80] video_get_buffer: image parameters invalid
 [h264 @ 0x9811b80] get_buffer() failed
 [h264 @ 0x9811b80] thread_get_buffer() failed
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] [IMGUTILS @ 0xb2371004] Picture size 131056x2016 is
 invalid
 [h264 @ 0x9811b80] video_get_buffer: image parameters invalid
 [h264 @ 0x9811b80] get_buffer() failed
 [h264 @ 0x9811b80] thread_get_buffer() failed
 [h264 @ 0x9811b80] decode_slice_header error
 [h264 @ 0x9811b80] Partitioned H.264 support is incomplete
 [h264 @ 0x9811b80] FMO not supported
 [h264 @ 0x9811b80] no frame!
 [h264 @ 0x966bb60] Cannot allocate memory.
 [h264 @ 0x966bb60] Could not allocate memory
 [h264 @ 0x966bb60] h264_slice_header_init() failedError while decoding
 stream #0:0: Cannot allocate memory
 [h264 @ 0x966bb60] Cannot allocate memory.:00:07.24 bitrate=N/A
 [h264 @ 0x966bb60] Could not allocate memory
 Error while decoding stream #0:0: Cannot allocate memory
 [h264 @ 0x966bb60] Cannot allocate memory.
 Segmentation fault (core dumped)
 }}}

 {{{
 knoppix at Microknoppix:/media/sdb1$ ulimit -Sv 250000000 -c unlimited
 knoppix at Microknoppix:/media/sdb1$ gdb -c core ffmpeg_g
 GNU gdb (GDB) 7.4.1-debian
 Copyright (C) 2012 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /media/sdb1/ffmpeg_g...done.
 [New LWP 14117]
 [New LWP 14197]
 [New LWP 14196]
 [New LWP 14195]
 [New LWP 14199]
 [New LWP 14133]
 [New LWP 14192]
 [New LWP 14127]
 [New LWP 14194]
 [New LWP 14134]
 [New LWP 14198]
 [New LWP 14193]
 [New LWP 14200]
 [New LWP 14128]
 [New LWP 14131]
 [New LWP 14135]
 [New LWP 14132]
 [New LWP 14129]
 [New LWP 14130]

 warning: Can't read pathname for load map: Input/output error.
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 Failed to read a valid object file image from memory.
 Core was generated by `./ffmpeg_g -vcodec h264 -i dvvideo.avi -an -f null
 -'.
 Program terminated with signal 11, Segmentation fault.
 #0  *__GI___libc_free (mem=0xadd01020) at malloc.c:3709
 3709    malloc.c: No such file or directory.
 (gdb) bt
 #0  *__GI___libc_free (mem=0xadd01020) at malloc.c:3709
 #1  0x089f3ce2 in av_free (ptr=<optimized out>) at libavutil/mem.c:232
 #2  av_freep (arg=arg at entry=0xb1af11d0) at libavutil/mem.c:239
 #3  0x0837fc65 in ff_h264_free_tables (h=h at entry=0xb1a8b020, free_rbsp=1)
     at libavcodec/h264.c:373
 #4  0x08381cd5 in ff_h264_alloc_tables (h=h at entry=0xb1a8b020)
     at libavcodec/h264.c:485
 #5  0x083c0e3c in ff_h264_update_thread_context (dst=0x966bb60,
 src=0x9811b80)
     at libavcodec/h264_slice.c:600
 #6  0x086601c3 in update_context_from_thread (dst=0x966bb60,
     src=<optimized out>, for_user=<optimized out>)
     at libavcodec/pthread_frame.c:246
 #7  0x086606bc in submit_packet (avpkt=0xbfa04348, p=0x9811288)
     at libavcodec/pthread_frame.c:346
 #8  ff_thread_decode_frame (avctx=avctx at entry=0x969c480,
     picture=picture at entry=0x9732780,
     got_picture_ptr=got_picture_ptr at entry=0xbfa045ac,
     avpkt=avpkt at entry=0xbfa04348) at libavcodec/pthread_frame.c:421
 #9  0x08740e82 in avcodec_decode_video2 (avctx=0x969c480,
     picture=picture at entry=0x9732780,
     got_picture_ptr=got_picture_ptr at entry=0xbfa045ac,
     avpkt=avpkt at entry=0xbfa04818) at libavcodec/utils.c:2261
 #10 0x080c9694 in decode_video (ist=ist at entry=0x9633980,
 ---Type <return> to continue, or q <return> to quit---
     pkt=pkt at entry=0xbfa04818, got_output=got_output at entry=0xbfa045ac)
     at ffmpeg.c:1888
 #11 0x080cdb9b in process_input_packet (pkt=0xbfa047d0, ist=0x9633980)
     at ffmpeg.c:2122
 #12 process_input (file_index=-1080014824) at ffmpeg.c:3529
 #13 0x080afd42 in transcode_step () at ffmpeg.c:3623
 #14 transcode () at ffmpeg.c:3675
 #15 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3851
 (gdb)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/3889>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list