[FFmpeg-trac] #3721(avformat:new): crash on a valid rtp mpegts stream

[FFmpeg]

#3721: crash on a valid rtp mpegts stream
----------------------------------+--------------------------------------
             Reporter:  lavv17    |                     Type:  defect
               Status:  new       |                 Priority:  normal
            Component:  avformat  |                  Version:  git-master
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+--------------------------------------
 Summary of the bug:
 ffmpeg crashes on certain valid iptv rtp streams. It does not crash under
 valgrind, but produces errors from valgrind (below).

 How to reproduce:
 {{{
 $ /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy
 file.avi -y
 ffmpeg version N-63863-g2351ea8 Copyright (c) 2000-2014 the FFmpeg
 developers
   built on Jun 10 2014 11:41:03 with gcc 4.8.2 (GCC) 20131212 (Red Hat
 4.8.2-7)
   configuration:
   libavutil      52. 89.100 / 52. 89.100
   libavcodec     55. 66.100 / 55. 66.100
   libavformat    55. 42.101 / 55. 42.101
   libavdevice    55. 13.101 / 55. 13.101
   libavfilter     4.  7.100 /  4.  7.100
   libswscale      2.  6.100 /  2.  6.100
   libswresample   0. 19.100 /  0. 19.100
 [mpeg2video @ 0x202a420] Invalid frame dimensions 0x0.
 Segmentation fault (core dumped)
 }}}

 {{{
 (gdb) bt
 #0  0x00000000005935e4 in rtp_parse_one_packet (len=1328,
 bufptr=0x20268c0,
     pkt=0x7fffcce06d20, s=0x20269e0) at libavformat/rtpdec.c:771
 #1  ff_rtp_parse_packet (s=0x20269e0, pkt=pkt at entry=0x7fffcce06d20,
     bufptr=bufptr at entry=0x20268c0, len=len at entry=1328)
     at libavformat/rtpdec.c:822
 #2  0x00000000005a4a1a in ff_rtsp_fetch_packet (s=0x2024c20,
     pkt=0x7fffcce06d20) at libavformat/rtsp.c:2042
 #3  0x00000000005c4436 in ff_read_packet (s=s at entry=0x2024c20,
     pkt=pkt at entry=0x7fffcce06d20) at libavformat/utils.c:791
 #4  0x00000000005c71f0 in read_frame_internal (s=s at entry=0x2024c20,
     pkt=pkt at entry=0x7fffcce06e60) at libavformat/utils.c:1454
 #5  0x00000000005cab1f in avformat_find_stream_info (ic=0x2024c20,
 options=0x0)
     at libavformat/utils.c:3240
 #6  0x000000000046fdc1 in open_input_file (o=o at entry=0x7fffcce071e0,
     filename=<optimized out>) at ffmpeg_opt.c:888
 #7  0x00000000004740df in open_files (inout=0xcc1a1f "input",
     open_file=0x46fa00 <open_input_file>, l=<optimized out>, l=<optimized
 out>)
     at ffmpeg_opt.c:2645
 #8  ffmpeg_parse_options (argc=argc at entry=11,
 argv=argv at entry=0x7fffcce07a38)
     at ffmpeg_opt.c:2682
 #9  0x0000000000463ef8 in main (argc=11, argv=0x7fffcce07a38) at
 ffmpeg.c:3787
 }}}

 {{{
 $ valgrind /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c
 copy file.avi -y
 ==34163== Memcheck, a memory error detector
 ==34163== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
 ==34163== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright
 info
 ==34163== Command: /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234
 -t 30 -c copy file.avi -y
 ==34163==
 ffmpeg version N-63863-g2351ea8 Copyright (c) 2000-2014 the FFmpeg
 developers
   built on Jun 10 2014 11:41:03 with gcc 4.8.2 (GCC) 20131212 (Red Hat
 4.8.2-7)
   configuration:
   libavutil      52. 89.100 / 52. 89.100
   libavcodec     55. 66.100 / 55. 66.100
   libavformat    55. 42.101 / 55. 42.101
   libavdevice    55. 13.101 / 55. 13.101
   libavfilter     4.  7.100 /  4.  7.100
   libswscale      2.  6.100 /  2.  6.100
   libswresample   0. 19.100 /  0. 19.100
 [mpeg2video @ 0x59b7a40] Invalid frame dimensions 0x0.
 ==34163== Invalid write of size 1s
 ==34163==    at 0x5540C8: write_section_data.isra.13 (mpegts.c:398)
 ==34163==    by 0x554793: handle_packet (mpegts.c:2095)
 ==34163==    by 0x5596CE: ff_mpegts_parse_packet (mpegts.c:2646)
 ==34163==    by 0x598994: mpegts_handle_packet (rtpdec_mpegts.c:86)
 ==34163==    by 0x592796: rtp_parse_packet_internal (rtpdec.c:645)
 ==34163==    by 0x593920: ff_rtp_parse_packet (rtpdec.c:792)
 ==34163==    by 0x5A4A19: ff_rtsp_fetch_packet (rtsp.c:2042)
 ==34163==    by 0x5C4435: ff_read_packet (utils.c:791)
 ==34163==    by 0x5C71EF: read_frame_internal (utils.c:1454)
 ==34163==    by 0x5CAB1E: avformat_find_stream_info (utils.c:3240)
 ==34163==    by 0x46FDC0: open_input_file (ffmpeg_opt.c:888)
 ==34163==    by 0x4740DE: ffmpeg_parse_options (ffmpeg_opt.c:2645)
 ==34163==  Address 0x5945828 is 40 bytes inside a block of size 96 free'd
 ==34163==    at 0x4C294C4: free (in /usr/lib64/valgrind
 /vgpreload_memcheck-amd64-linux.so)
 ==34163==    by 0xC41EDB: av_freep (mem.c:232)
 ==34163==    by 0x4EAE5F: ffurl_close (avio.c:383)
 ==34163==    by 0x5A3109: rtp_read_header (rtsp.c:2299)
 ==34163==    by 0x5CDAE6: avformat_open_input (utils.c:594)
 ==34163==    by 0x46FCB8: open_input_file (ffmpeg_opt.c:871)
 ==34163==    by 0x4740DE: ffmpeg_parse_options (ffmpeg_opt.c:2645)
 ==34163==    by 0x463EF7: main (ffmpeg.c:3787)
 ==34163==
     Last message repeated 13 times
 RTP: missed 177 packets
 [rtp @ 0x5943940] PES packet size mismatch
     Last message repeated 1 times
 RTP: missed 107 packets
 [rtp @ 0x5943940] PES packet size mismatch
     Last message repeated 1 times
 rtp://@224.0.91.78:1234: could not seek to position 93742.111
 Input #0, rtp, from 'rtp://@224.0.91.78:1234':
   Duration: N/A, start: 93741.111167, bitrate: 371 kb/s
   Program 6490
     Stream #0:0: Video: mpeg2video (Main), yuv420p(tv), 720x576 [SAR 64:45
 DAR 16:9], max. 15000 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
     Stream #0:2(rus): Audio: mp2, 48000 Hz, stereo, s16p, 185 kb/s
     Stream #0:1(eng): Audio: mp2, 48000 Hz, stereo, s16p, 185 kb/s
 Output #0, avi, to 'file.avi':
   Metadata:
     ISFT            : Lavf55.42.101
     Stream #0:0: Video: mpeg2video (mpg2 / 0x3267706D), yuv420p, 720x576
 [SAR 64:45 DAR 16:9], q=2-31, max. 15000 kb/s, 25 fps, 50 tbn, 50 tbc
     Stream #0:1(eng): Audio: mp2 (P[0][0][0] / 0x0050), 48000 Hz, stereo,
 185 kb/s
 Stream mapping:
   Stream #0:0 -> #0:0 (copy)
   Stream #0:1 -> #0:1 (copy)
 Press [q] to stop, [?] for help
 RTP: missed 48 packets
 [rtp @ 0x5943940] PES packet size mismatch
 frame=    0 fps=0.0 q=-1.0 size=      10kB time=00:00:01.20 bitrate=
 67.2kbits/frame=   12 fps= 11 q=-1.0 size=     232kB time=00:00:01.80
 bitrate=1054.2kbits/frame=   26 fps= 16 q=-1.0 size=     495kB
 time=00:00:02.36 bitrate=1717.5kbits/frame=   38 fps= 18 q=-1.0 size=
 716kB time=00:00:02.84 bitrate=2066.6kbits/frame=   52 fps= 20 q=-1.0
 size=    1002kB time=00:00:03.40 bitrate=2414.4kbits/frame=   65 fps= 21
 q=-1.0 size=    1301kB time=00:00:03.92 bitrate=2719.4kbits/frame=   77
 fps= 21 q=-1.0 size=    1505kB time=00:00:04.40
 bitrate=2801.5kbits/==34163== Invalid write of size 1
 ==34163==    at 0x5540C8: write_section_data.isra.13 (mpegts.c:398)
 ==34163==    by 0x554793: handle_packet (mpegts.c:2095)
 ==34163==    by 0x5596CE: ff_mpegts_parse_packet (mpegts.c:2646)
 ==34163==    by 0x598A06: mpegts_handle_packet (rtpdec_mpegts.c:75)
 ==34163==    by 0x593861: ff_rtp_parse_packet (rtpdec.c:752)
 ==34163==    by 0x5A4D63: ff_rtsp_fetch_packet (rtsp.c:1956)
 ==34163==    by 0x5C4435: ff_read_packet (utils.c:791)
 ==34163==    by 0x5C71EF: read_frame_internal (utils.c:1454)
 ==34163==    by 0x5C807C: av_read_frame (utils.c:1594)
 ==34163==    by 0x464D1E: main (ffmpeg.c:3256)
 ==34163==  Address 0x5945828 is 0 bytes after a block of size 40 free'd
 ==34163==    at 0x4C294C4: free (in /usr/lib64/valgrind
 /vgpreload_memcheck-amd64-linux.so)
 ==34163==    by 0xC41EDB: av_freep (mem.c:232)
 ==34163==    by 0xC33948: av_buffer_unref (buffer.c:116)
 ==34163==    by 0x605D26: av_free_packet (avpacket.c:285)
 ==34163==    by 0x464236: main (ffmpeg.c:3496)
 ==34163==
 frame=   91 fps= 22 q=-1.0 size=    1794kB time=00:00:04.96
 bitrate=2962.4kbits/frame=  105 fps= 22 q=-1.0 size=    2077kB
 time=00:00:05.52 bitrate=3082.1kbits/frame=  116 fps= 22 q=-1.0 size=
 2320kB time=00:00:05.96 bitrate=3188.6kbits/frame=  131 fps= 23 q=-1.0
 size=    2568kB time=00:00:06.56 bitrate=3207.2kbits/frame=  145 fps= 23
 q=-1.0 size=    2852kB time=00:00:07.12 bitrate=3281.0kbits/frame=  159
 fps= 23 q=-1.0 size=    3056kB time=00:00:07.68 bitrate=3259.9kbits/frame=
 171 fps= 23 q=-1.0 size=    3298kB time=00:00:08.16
 bitrate=3310.9kbits/frame=  181 fps= 23 q=-1.0 size=    3455kB
 time=00:00:08.56 bitrate=3306.7kbits/frame=  196 fps= 23 q=-1.0 size=
 3671kB time=00:00:09.16 bitrate=3283.4kbits/frame=  211 fps= 24 q=-1.0
 size=    3881kB time=00:00:09.76 bitrate=3257.9kbits/frame=  226 fps= 24
 q=-1.0 size=    4034kB time=00:00:10.36 bitrate=3190.1kbits/frame=  239
 fps= 24 q=-1.0 size=    4211kB time=00:00:10.88 bitrate=3170.9kbits/frame=
 250 fps= 24 q=-1.0 size=    4478kB time=00:00:11.32
 bitrate=3240.7kbits/frame=  265 fps= 24 q=-1.0 size=    4765kB
 time=00:00:11.92 bitrate=3274.9kbits/frame=  279 fps= 24 q=-1.0 size=
 5019kB time=00:00:12.48 bitrate=3294.6kbits/frame=  291 fps= 24 q=-1.0
 size=    5245kB time=00:00:12.96 bitrate=3315.4kbits/frame=  304 fps= 24
 q=-1.0 size=    5531kB time=00:00:13.48 bitrate=3361.3kbits/frame=  318
 fps= 24 q=-1.0 size=    5769kB time=00:00:14.04 bitrate=3366.2kbits/frame=
 330 fps= 24 q=-1.0 size=    5985kB time=00:00:14.52
 bitrate=3376.5kbits/frame=  346 fps= 24 q=-1.0 size=    6218kB
 time=00:00:15.16 bitrate=3360.1kbits/frame=  358 fps= 24 q=-1.0 size=
 6537kB time=00:00:15.64 bitrate=3423.7kbits/frame=  368 fps= 24 q=-1.0
 size=    6770kB time=00:00:16.04 bitrate=3457.7kbits/frame=  383 fps= 24
 q=-1.0 size=    7034kB time=00:00:16.64 bitrate=3462.8kbits/frame=  395
 fps= 24 q=-1.0 size=    7235kB time=00:00:17.12 bitrate=3462.0kbits/frame=
 409 fps= 24 q=-1.0 size=    7545kB time=00:00:17.68
 bitrate=3496.0kbits/frame=  422 fps= 24 q=-1.0 size=    7831kB
 time=00:00:18.20 bitrate=3525.0kbits/frame=  434 fps= 24 q=-1.0 size=
 8059kB time=00:00:18.68 bitrate=3534.4kbits/frame=  449 fps= 24 q=-1.0
 size=    8343kB time=00:00:19.28 bitrate=3544.7kbits/frame=  461 fps= 24
 q=-1.0 size=    8538kB time=00:00:19.76 bitrate=3539.7kbits/frame=  473
 fps= 24 q=-1.0 size=    8728kB time=00:00:20.24 bitrate=3532.6kbits/frame=
 488 fps= 24 q=-1.0 size=    8923kB time=00:00:20.84
 bitrate=3507.5kbits/frame=  502 fps= 24 q=-1.0 size=    9164kB
 time=00:00:21.40 bitrate=3508.0kbits/frame=  514 fps= 24 q=-1.0 size=
 9365kB time=00:00:21.88 bitrate=3506.3kbits/frame=  526 fps= 24 q=-1.0
 size=    9656kB time=00:00:22.36 bitrate=3537.7kbits/frame=  539 fps= 24
 q=-1.0 size=    9882kB time=00:00:22.88 bitrate=3538.3kbits/frame=  554
 fps= 24 q=-1.0 size=   10146kB time=00:00:23.48 bitrate=3539.9kbits/frame=
 568 fps= 24 q=-1.0 size=   10385kB time=00:00:24.04
 bitrate=3538.7kbits/frame=  580 fps= 24 q=-1.0 size=   10663kB
 time=00:00:24.52 bitrate=3562.3kbits/frame=  592 fps= 24 q=-1.0 size=
 10869kB time=00:00:25.00 bitrate=3561.4kbits/frame=  607 fps= 24 q=-1.0
 size=   11134kB time=00:00:25.60 bitrate=3562.9kbits/frame=  618 fps= 24
 q=-1.0 size=   11299kB time=00:00:26.04 bitrate=3554.7kbits/frame=  636
 fps= 25 q=-1.0 size=   11506kB time=00:00:26.76 bitrate=3522.3kbits/frame=
 648 fps= 25 q=-1.0 size=   11670kB time=00:00:27.24
 bitrate=3509.4kbits/frame=  659 fps= 25 q=-1.0 size=   11912kB
 time=00:00:27.68 bitrate=3525.5kbits/frame=  671 fps= 24 q=-1.0 size=
 12209kB time=00:00:28.16 bitrate=3551.8kbits/frame=  685 fps= 25 q=-1.0
 size=   12509kB time=00:00:28.72 bitrate=3567.9kbits/frame=  701 fps= 25
 q=-1.0 size=   12726kB time=00:00:29.36 bitrate=3550.7kbits/frame=  717
 fps= 25 q=-1.0 size=   12910kB time=00:00:30.00 bitrate=3525.2kbits/frame=
 717 fps= 24 q=-1.0 Lsize=   13067kB time=00:00:30.00 bitrate=3568.2kbits/s
 video:12303kB audio:690kB subtitle:0kB other streams:0kB global
 headers:0kB muxing overhead: 0.571913%
 ==34163==
 ==34163== HEAP SUMMARY:
 ==34163==     in use at exit: 80 bytes in 2 blocks
 ==34163==   total heap usage: 32,159 allocs, 32,157 frees, 194,097,256
 bytes allocated
 ==34163==
 ==34163== LEAK SUMMARY:
 ==34163==    definitely lost: 0 bytes in 0 blocks
 ==34163==    indirectly lost: 0 bytes in 0 blocks
 ==34163==      possibly lost: 0 bytes in 0 blocks
 ==34163==    still reachable: 80 bytes in 2 blocks
 ==34163==         suppressed: 0 bytes in 0 blocks
 ==34163== Rerun with --leak-check=full to see details of leaked memory
 ==34163==
 ==34163== For counts of detected and suppressed errors, rerun with: -v
 ==34163== ERROR SUMMARY: 61 errors from 2 contexts (suppressed: 2 from 2)
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/3721>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker