[FFmpeg-trac] #9062(avformat:new): Segmentation Fault in dash demuxer

FFmpeg trac at avcodec.org
Mon Jan 11 02:09:24 EET 2021


#9062: Segmentation Fault in dash demuxer
------------------------------------+------------------------------------
             Reporter:  c-14        |                    Owner:
                 Type:  defect      |                   Status:  new
             Priority:  normal      |                Component:  avformat
              Version:  git-master  |               Resolution:
             Keywords:  dash crash  |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+------------------------------------
Changes (by cehoyos):

 * keywords:   => dash crash


Old description:

> Summary of the bug:
> The dash demuxer segfaults when the dash manifest contains a subtitle
> track without an initialization element in the segmenttemplate.
> {{{
>   <AdaptationSet contentType="text" mimeType="application/mp4"
> segmentAlignment="true" group="1" lang="eng">
>    <SegmentTemplate duration="8" media="$RepresentationID$/$Number$.m4s"
> startNumber="0" initialization="$RepresentationID$/init.mp4"/>
>    <Representation id="subtitlesttmleng/subtitles" codecs="stpp"
> startWithSAP="1" bandwidth="1"/>
>   </AdaptationSet>
>   <AdaptationSet contentType="text" mimeType="text/vtt"
> segmentAlignment="true" group="1" lang="eng">
>    <SegmentTemplate duration="8" media="$RepresentationID$/$Number$.m4s"
> startNumber="0"/>
>    <Representation id="subtitlesvtteng/subtitles" codecs="vtt"
> startWithSAP="1" bandwidth="1"/>
>   </AdaptationSet>
> }}}
> How to reproduce:
> {{{
> % ffmpeg -i https://<host>/Manifest.mpd
> ffmpeg version N-100605-g0fff6c039c
> }}}
>
> gdb backtrace: {{{
> #0  is_common_init_section_exist (pls=0x555557b1d820, n_pls=2) at
> libavformat/dashdec.c:1995
>         first_init_section = 0x555557b1d840
>         url = 0x555557b34100
> "https://<host>/subtitlesttmleng/subtitles/init.mp4"
>         url_offset = 0
>         size = -1
>         i = 1
> #1  0x0000555555a9713d in dash_read_header (s=0x555557ad6580) at
> libavformat/dashdec.c:2082
>         c = 0x555557b10e00
>         rep = 0x555557b33840
>         program = 0x555557ad6c78
>         ret = 0
>         stream_index = 7
>         i = 2
> #2  0x0000555555c16bf6 in avformat_open_input (ps=0x7fffffffd128,
> filename=0x7fffffffdc22 "https://<host>/Manifest.mpd", fmt=0x0,
> options=0x555557ad6468)
>     at libavformat/utils.c:596
>         s = 0x555557ad6580
>         i = 1470983424
>         ret = 0
>         tmp = 0x555557b10f40
>         id3v2_extra_meta = 0x0
> #3  0x000055555565bcc4 in open_input_file (o=0x7fffffffd230,
> filename=0x7fffffffdc22 "https://<host>/Manifest.mpd") at
> fftools/ffmpeg_opt.c:1182
>         f = 0x5555571a2078 <__sysv_signal@got.plt>
>         ic = 0x555557ad6580
>         file_iformat = 0x0
>         err = 0
>         i = 21845
>         ret = 48
>         timestamp = 140737340987888
>         unused_opts = 0x0
>         e = 0x0
>         video_codec_name = 0x0
>         audio_codec_name = 0x0
>         subtitle_codec_name = 0x0
>         data_codec_name = 0x0
>         scan_all_pmts_set = 1
> }}}
>
> The segfault occurs in the 2nd iteration of the loop over the
> init_sections because the init_section at index 1 of the subtitles array
> is NULL. From what I can tell, the init_section element should be
> allocated and initialized in parse_manifest_representation, but it only
> seems to do so if it can find an initialization element in
> fragment_templates_tab which doesn't exist for the second subtitle stream
> in the manifest.
>
> Changing the comparison in is_common_init_section_exist to check if an
> init_section exists before accessing the children fixes the segfault, but
> I'm not sure if that's the correct way to handle this or if the missing
> initialization element should be handled differently.

New description:

 Summary of the bug:
 The dash demuxer segfaults when the dash manifest contains a subtitle
 track without an initialization element in the segmenttemplate.
 {{{
   <AdaptationSet contentType="text" mimeType="application/mp4"
 segmentAlignment="true" group="1" lang="eng">
    <SegmentTemplate duration="8" media="$RepresentationID$/$Number$.m4s"
 startNumber="0" initialization="$RepresentationID$/init.mp4"/>
    <Representation id="subtitlesttmleng/subtitles" codecs="stpp"
 startWithSAP="1" bandwidth="1"/>
   </AdaptationSet>
   <AdaptationSet contentType="text" mimeType="text/vtt"
 segmentAlignment="true" group="1" lang="eng">
    <SegmentTemplate duration="8" media="$RepresentationID$/$Number$.m4s"
 startNumber="0"/>
    <Representation id="subtitlesvtteng/subtitles" codecs="vtt"
 startWithSAP="1" bandwidth="1"/>
   </AdaptationSet>
 }}}
 How to reproduce:
 {{{
 % ffmpeg -i https://<host>/Manifest.mpd
 ffmpeg version N-100605-g0fff6c039c
 }}}

 {{{
 #0  is_common_init_section_exist (pls=0x555557b1d820, n_pls=2) at
 libavformat/dashdec.c:1995
         first_init_section = 0x555557b1d840
         url = 0x555557b34100
 "https://<host>/subtitlesttmleng/subtitles/init.mp4"
         url_offset = 0
         size = -1
         i = 1
 #1  0x0000555555a9713d in dash_read_header (s=0x555557ad6580) at
 libavformat/dashdec.c:2082
         c = 0x555557b10e00
         rep = 0x555557b33840
         program = 0x555557ad6c78
         ret = 0
         stream_index = 7
         i = 2
 #2  0x0000555555c16bf6 in avformat_open_input (ps=0x7fffffffd128,
 filename=0x7fffffffdc22 "https://<host>/Manifest.mpd", fmt=0x0,
 options=0x555557ad6468)
     at libavformat/utils.c:596
         s = 0x555557ad6580
         i = 1470983424
         ret = 0
         tmp = 0x555557b10f40
         id3v2_extra_meta = 0x0
 #3  0x000055555565bcc4 in open_input_file (o=0x7fffffffd230,
 filename=0x7fffffffdc22 "https://<host>/Manifest.mpd") at
 fftools/ffmpeg_opt.c:1182
         f = 0x5555571a2078 <__sysv_signal@got.plt>
         ic = 0x555557ad6580
         file_iformat = 0x0
         err = 0
         i = 21845
         ret = 48
         timestamp = 140737340987888
         unused_opts = 0x0
         e = 0x0
         video_codec_name = 0x0
         audio_codec_name = 0x0
         subtitle_codec_name = 0x0
         data_codec_name = 0x0
         scan_all_pmts_set = 1
 }}}

 The segfault occurs in the 2nd iteration of the loop over the
 init_sections because the init_section at index 1 of the subtitles array
 is NULL. From what I can tell, the init_section element should be
 allocated and initialized in parse_manifest_representation, but it only
 seems to do so if it can find an initialization element in
 fragment_templates_tab which doesn't exist for the second subtitle stream
 in the manifest.

 Changing the comparison in is_common_init_section_exist to check if an
 init_section exists before accessing the children fixes the segfault, but
 I'm not sure if that's the correct way to handle this or if the missing
 initialization element should be handled differently.

--

Comment:

 How can I reproduce this issue?

 Please provide at least the complete, uncut console output to make this a
 valid ticket.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/9062#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
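
Added example, not part of the ticket and not FFmpeg's code: a simplified C model of the failure the description reports, with the unguarded comparison loop beside a guarded one. The struct layouts, the function names `common_init_unguarded`, `common_init_guarded` and `ticket_case`, and the policy of treating a missing init section as "no common section" are assumptions of this sketch.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins named after the symbols in the backtrace; these are
 * not the FFmpeg definitions. */
struct fragment { const char *url; int64_t url_offset; int64_t size; };
struct representation { struct fragment *init_section; };

/* Unguarded pattern: dereferences every init_section, so an entry parsed
 * without one (NULL) faults. Only safe when every entry has an init_section. */
int common_init_unguarded(struct representation **pls, int n_pls)
{
    struct fragment *first = pls[0]->init_section;
    for (int i = 0; i < n_pls; i++)
        if (strcmp(pls[i]->init_section->url, first->url) ||
            pls[i]->init_section->url_offset != first->url_offset ||
            pls[i]->init_section->size != first->size)
            return 0;
    return 1;
}

/* Guarded variant: a missing init_section means no common section exists.
 * (Assumed policy; the ticket leaves the correct handling open.) */
int common_init_guarded(struct representation **pls, int n_pls)
{
    if (!pls || n_pls <= 0 || !pls[0] || !pls[0]->init_section)
        return 0;
    const struct fragment *first = pls[0]->init_section;
    for (int i = 0; i < n_pls; i++) {
        const struct fragment *cur = pls[i] ? pls[i]->init_section : NULL;
        if (!cur || !cur->url || !first->url)
            return 0;
        if (strcmp(cur->url, first->url) ||
            cur->url_offset != first->url_offset || cur->size != first->size)
            return 0;
    }
    return 1;
}

/* Constructed input mirroring the ticket: index 0 has an init section,
 * index 1 (the text/vtt track) has none. */
int ticket_case(void)
{
    struct fragment init = { "subtitlesttmleng/subtitles/init.mp4", 0, -1 };
    struct representation ttml = { &init }, vtt = { NULL }, *subs[] = { &ttml, &vtt };
    return common_init_guarded(subs, 2);
}

int main(void) { return ticket_case(); } /* exits 0: no common init section */
```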

