[FFmpeg-trac] #4957(avformat:open): Crash in libavformat/mux.c when processing a corrupted input stream

FFmpeg trac at avcodec.org
Thu Oct 22 15:45:57 CEST 2015


#4957: Crash in libavformat/mux.c when processing a corrupted input stream
-------------------------------------+-------------------------------------
             Reporter:  jsnajdr      |                    Owner:
                 Type:  defect       |                   Status:  open
             Priority:  important    |                Component:  avformat
              Version:  git-master   |               Resolution:
             Keywords:  crash        |               Blocked By:
  SIGSEGV regression                 |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by cehoyos):

 * keywords:   => crash SIGSEGV regression
 * priority:  normal => important
 * version:  unspecified => git-master
 * status:  new => open
 * reproduced:  0 => 1


Comment:

 For future tickets: Please remember to always post all requested
 information, including the console output, disassembly and register
 contents.

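 The crash is a regression since commit
 b84232694ef0c6897e82b52326c9ea4027c69ec4.
 In the dump below, the faulting store `mov %rcx,(%rsi)` executes with
 rsi = 0, so st->priv_pts appears to be NULL at libavformat/mux.c:560
 (a NULL pointer write rather than a store to a wild address).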
 {{{
 (gdb) r -i stream.mpg -c copy out.m3u8
 Starting program: ffmpeg_g -i stream.mpg -c copy out.m3u8
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib64/libthread_db.so.1".
 ffmpeg version N-76179-g00efaa7 Copyright (c) 2000-2015 the FFmpeg
 developers
   built with gcc 4.7 (SUSE Linux)
   configuration: --enable-gpl
   libavutil      55.  4.100 / 55.  4.100
   libavcodec     57.  8.100 / 57.  8.100
   libavformat    57. 10.101 / 57. 10.101
   libavdevice    57.  0.100 / 57.  0.100
   libavfilter     6. 12.100 /  6. 12.100
   libswscale      4.  0.100 /  4.  0.100
   libswresample   2.  0.100 /  2.  0.100
   libpostproc    54.  0.100 / 54.  0.100
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 4 times
 [mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 5 with DTS
 2930794871, packet 6 with DTS 4731435029
 [mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
 [mpegts @ 0x1cb93c0] PES packet size mismatch
 [mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
     Last message repeated 1 times
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 2 times
 [mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 1 times
 [mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
     Last message repeated 1 times
 [mpegts @ 0x1cb93c0] PES packet size mismatch
 [mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
 [mpegts @ 0x1cb93c0] PES packet size mismatch
 [mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
     Last message repeated 1 times
 [mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 12 with DTS
 2930830871, packet 13 with DTS 7303702227
 [mpeg2video @ 0x1cbd8c0] ac-tex damaged at 18 0
 [mpeg2video @ 0x1cbd8c0] slice below image (88 >= 36)
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 7 times
 [mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 17 with DTS
 2930854052, packet 18 with DTS 10916851472
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 2 times
 [mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 21 with DTS
 2930881271, packet 22 with DTS 7081162585
 [mpegts @ 0x1cb93c0] PES packet size mismatch
 [mpegts @ 0x1cb93c0] DTS 2930920319 < 2930925911 out of order
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 2 times
 [mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 27 with DTS
 2930913671, packet 28 with DTS 9744219690
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 11 times
 [mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 36 with DTS
 2930960471, packet 37 with DTS 8428438919
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 13 times
 [mpegts @ 0x1cb93c0] Could not find codec parameters for stream 3
 (Unknown: none ([5][0][0][0] / 0x0005)): unknown codec
 Consider increasing the value for the 'analyzeduration' and 'probesize'
 options
 [mpegts @ 0x1cb93c0] Could not find codec parameters for stream 5
 (Unknown: none ([11][0][0][0] / 0x000B)): unknown codec
 Consider increasing the value for the 'analyzeduration' and 'probesize'
 options
 Input #0, mpegts, from 'stream.mpg':
   Duration: 00:00:07.26, start: 32564.147456, bitrate: 2519 kb/s
   Program 257
     Metadata:
       service_name    : CT 1
       service_provider: Ceska televize
     Stream #0:0[0x101]: Video: mpeg2video (Main) ([2][0][0][0] / 0x0002),
 yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], max. 15000 kb/s, 25.83 fps, 25
 tbr, 90k tbn, 50 tbc
     Stream #0:1[0x111](cze): Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz,
 stereo, s16p, 192 kb/s
     Stream #0:2[0x113](cze): Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz,
 mono, s16p, 64 kb/s (visual impaired)
     Stream #0:3[0x370]: Unknown: none ([5][0][0][0] / 0x0005)
     Stream #0:4[0x121](cze): Subtitle: dvb_teletext ([6][0][0][0] /
 0x0006)
     Stream #0:5[0x161]: Unknown: none ([11][0][0][0] / 0x000B)
 [webvtt @ 0x1cf1a20] Exactly one WebVTT stream is needed.
 Output #0, hls, to 'out.m3u8':
   Metadata:
     encoder         : Lavf57.10.101
     Stream #0:0: Video: mpeg2video ([2][0][0][0] / 0x0002), yuv420p,
 720x576 [SAR 64:45 DAR 16:9], q=2-31, max. 15000 kb/s, 25.83 fps, 25 tbr,
 90k tbn, 25 tbc
     Stream #0:1(cze): Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz,
 stereo, 192 kb/s
     Stream #0:2(cze): Subtitle: dvb_teletext ([6][0][0][0] / 0x0006)
 Stream mapping:
   Stream #0:0 -> #0:0 (copy)
   Stream #0:1 -> #0:1 (copy)
   Stream #0:4 -> #0:2 (copy)
 Press [q] to stop, [?] for help
 [mpegts @ 0x1cb93c0] PES packet size mismatch
     Last message repeated 3 times
 Program received signal SIGSEGV, Segmentation fault.
 compute_pkt_fields2 (s=s@entry=0x1cf1a20, st=0x1cf3140,
 pkt=pkt@entry=0x7fffffffd260)
     at libavformat/mux.c:560
 560         st->priv_pts->val = pkt->dts;
 (gdb) bt
 #0  compute_pkt_fields2 (s=s@entry=0x1cf1a20, st=0x1cf3140,
 pkt=pkt@entry=0x7fffffffd260)
     at libavformat/mux.c:560
 #1  0x000000000061bc38 in av_write_frame (s=s@entry=0x1cf1a20,
     pkt=pkt@entry=0x7fffffffd260) at libavformat/mux.c:716
 #2  0x000000000061cab4 in ff_write_chained (dst=0x1cf1a20, dst_stream=0,
     pkt=0x7fffffffd3d0, src=0x1cfb040, interleave=0) at
 libavformat/mux.c:1063
 #3  0x000000000061a49d in write_packet (s=s@entry=0x1cfb040,
 pkt=pkt@entry=0x7fffffffd3d0)
     at libavformat/mux.c:660
 #4  0x000000000061c5be in av_interleaved_write_frame (s=s@entry=0x1cfb040,
 pkt=0x0,
     pkt@entry=0x7fffffffd610) at libavformat/mux.c:970
 #5  0x000000000048feba in write_frame (s=0x1cfb040,
 pkt=pkt@entry=0x7fffffffd610,
     ost=ost@entry=0x1cf0700) at ffmpeg.c:774
 #6  0x0000000000493e76 in do_streamcopy (ist=ist@entry=0x1d304a0,
 ost=0x1cf0700,
     pkt=pkt@entry=0x7fffffffda80) at ffmpeg.c:1905
 #7  0x00000000004966b3 in process_input_packet (no_eof=0,
 pkt=0x7fffffffda80,
     ist=0x1d304a0) at ffmpeg.c:2427
 #8  process_input (file_index=1800661758) at ffmpeg.c:3941
 #9  transcode_step () at ffmpeg.c:4029
 #10 transcode () at ffmpeg.c:4082
 #11 0x000000000047885b in main (argc=<optimized out>, argv=0x7fffffffdd28)
     at ffmpeg.c:4269
 (gdb) disass $pc-32,$pc+32
 Dump of assembler code from 0x61a6b0 to 0x61a6f0:
    0x000000000061a6b0 <compute_pkt_fields2+256>:        rolb   (%rax,%rax,1)
    0x000000000061a6b3 <compute_pkt_fields2+259>:        add    %al,(%rcx)
    0x000000000061a6b5 <compute_pkt_fields2+261>:        jne    0x61abd8 <compute_pkt_fields2+1576>
    0x000000000061a6bb <compute_pkt_fields2+267>:        mov    0x8(%rbx),%rdi
    0x000000000061a6bf <compute_pkt_fields2+271>:        mov    0x300(%rbx),%rsi
    0x000000000061a6c6 <compute_pkt_fields2+278>:        mov    %rcx,0xf0(%rbx)
    0x000000000061a6cd <compute_pkt_fields2+285>:        mov    0xc(%rdi),%eax
 => 0x000000000061a6d0 <compute_pkt_fields2+288>:        mov    %rcx,(%rsi)
    0x000000000061a6d3 <compute_pkt_fields2+291>:        test   %eax,%eax
    0x000000000061a6d5 <compute_pkt_fields2+293>:        jne    0x61a718 <compute_pkt_fields2+360>
    0x000000000061a6d7 <compute_pkt_fields2+295>:        movslq 0x8c(%rdi),%rdx
    0x000000000061a6de <compute_pkt_fields2+302>:        movslq 0x34(%rbx),%rax
    0x000000000061a6e2 <compute_pkt_fields2+306>:        mov    0x10(%rsi),%rdi
    0x000000000061a6e6 <compute_pkt_fields2+310>:        imul   %rdx,%rax
    0x000000000061a6ea <compute_pkt_fields2+314>:        add    0x8(%rsi),%rax
    0x000000000061a6ee <compute_pkt_fields2+318>:        js     0x61ad60 <compute_pkt_fields2+1968>
 End of assembler dump.
 (gdb) info register
 rax            0x3      3
 rbx            0x1cf3140        30355776
 rcx            0x0      0
 rdx            0x0      0
 rsi            0x0      0
 rdi            0x1cf3540        30356800
 rbp            0x7fffffffd260   0x7fffffffd260
 rsp            0x7fffffffd090   0x7fffffffd090
 r8             0x0      0
 r9             0x7fffffffd260   140737488343648
 r10            0x0      0
 r11            0xafc8   45000
 r12            0x8000000000000000       -9223372036854775808
 r13            0x1cfb040        30388288
 r14            0x1cf1a20        30349856
 r15            0x1ceff20        30342944
 rip            0x61a6d0 0x61a6d0 <compute_pkt_fields2+288>
 eflags         0x10246  [ PF ZF IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4957#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

