[FFmpeg-trac] #8972(avcodec:new): Segfault looping PNG

FFmpeg trac at avcodec.org
Sat Mar 20 01:49:48 EET 2021 

#8972: Segfault looping PNG
-------------------------------------+-------------------------------------
             Reporter:  Yorwba       |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  avcodec
              Version:  git-master   |               Resolution:
             Keywords:  crash race   |               Blocked By:
  png regression                     |
             Blocking:               |  Reproduced by developer:  1
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------

Comment (by cehoyos):

 {{{
 $ valgrind ./ffmpeg_g -loop 1 -i black.png -vcodec rawvideo -f null -
 ==26730== Memcheck, a memory error detector
 ==26730== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
 ==26730== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright
 info
 ==26730== Command: ./ffmpeg_g -loop 1 -i black.png -vcodec rawvideo -f
 null -
 ==26730==
 ffmpeg version N-101634-g4892060f50 Copyright (c) 2000-2021 the FFmpeg
 developers
   built with gcc 10 (SUSE Linux)
   configuration: --enable-gpl
   libavutil      56. 69.100 / 56. 69.100
   libavcodec     58.133.100 / 58.133.100
   libavformat    58. 75.100 / 58. 75.100
   libavdevice    58. 12.100 / 58. 12.100
   libavfilter     7.109.100 /  7.109.100
   libswscale      5.  8.100 /  5.  8.100
   libswresample   3.  8.100 /  3.  8.100
   libpostproc    55.  8.100 / 55.  8.100
 Input #0, png_pipe, from 'black.png':
   Duration: N/A, bitrate: N/A
   Stream #0:0: Video: png, monob(pc), 2x2, 25 fps, 25 tbr, 25 tbn, 25 tbc
 Stream mapping:
   Stream #0:0 -> #0:0 (png (native) -> rawvideo (native))
 Press [q] to stop, [?] for help
 The bitrate parameter is set too low. It takes bits/s as argument, not
 kbits/s
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf58.75.100
   Stream #0:0: Video: rawvideo (B0W1 / 0x31573042), monob(pc,
 progressive), 2x2, q=2-31, 0 kb/s, 25 fps, 25 tbn
     Metadata:
       encoder         : Lavc58.133.100 rawvideo
 ==26730== Invalid read of size 8
 ==26730==    at 0x120EDA3: av_dict_copy (dict.c:222)
 ==26730==    by 0x12159F7: frame_copy_props (frame.c:390)
 ==26730==    by 0x12170C8: av_frame_ref (frame.c:457)
 ==26730==    by 0xC73756: ff_thread_ref_frame (utils.c:910)
 ==26730==    by 0xB73568: update_thread_context (pngdec.c:1622)
 ==26730==    by 0xB86A92: submit_packet (pthread_frame.c:434)
 ==26730==    by 0xB86A92: ff_thread_decode_frame (pthread_frame.c:515)
 ==26730==    by 0x923042: decode_simple_internal (decode.c:325)
 ==26730==    by 0x923042: decode_simple_receive_frame (decode.c:526)
 ==26730==    by 0x923042: decode_receive_frame_internal (decode.c:546)
 ==26730==    by 0x9238D7: avcodec_send_packet (decode.c:608)
 ==26730==    by 0x4B5CC0: decode (ffmpeg.c:2285)
 ==26730==    by 0x4B5CC0: decode_video (ffmpeg.c:2425)
 ==26730==    by 0x4B5CC0: process_input_packet (ffmpeg.c:2672)
 ==26730==    by 0x4B871E: process_input (ffmpeg.c:4606)
 ==26730==    by 0x4B871E: transcode_step (ffmpeg.c:4746)
 ==26730==    by 0x4B871E: transcode (ffmpeg.c:4800)
 ==26730==    by 0x49519D: main (ffmpeg.c:5005)
 ==26730==  Address 0x1e68cf70 is 0 bytes inside a block of size 16 free'd
 ==26730==    at 0x4840D7B: realloc (in /usr/lib64/valgrind
 /vgpreload_memcheck-amd64-linux.so)
 ==26730==    by 0x120E70A: av_dict_set (dict.c:106)
 ==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
 ==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
 ==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
 ==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
 ==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
 ==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
 ==26730==  Block was alloc'd at
 ==26730==    at 0x483E6AF: malloc (in /usr/lib64/valgrind
 /vgpreload_memcheck-amd64-linux.so)
 ==26730==    by 0x120E70A: av_dict_set (dict.c:106)
 ==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
 ==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
 ==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
 ==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
 ==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
 ==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
 ==26730==
 ==26730== Invalid read of size 8
 ==26730==    at 0x120EDA6: av_dict_copy (dict.c:222)
 ==26730==    by 0x12159F7: frame_copy_props (frame.c:390)
 ==26730==    by 0x12170C8: av_frame_ref (frame.c:457)
 ==26730==    by 0xC73756: ff_thread_ref_frame (utils.c:910)
 ==26730==    by 0xB73568: update_thread_context (pngdec.c:1622)
 ==26730==    by 0xB86A92: submit_packet (pthread_frame.c:434)
 ==26730==    by 0xB86A92: ff_thread_decode_frame (pthread_frame.c:515)
 ==26730==    by 0x923042: decode_simple_internal (decode.c:325)
 ==26730==    by 0x923042: decode_simple_receive_frame (decode.c:526)
 ==26730==    by 0x923042: decode_receive_frame_internal (decode.c:546)
 ==26730==    by 0x9238D7: avcodec_send_packet (decode.c:608)
 ==26730==    by 0x4B5CC0: decode (ffmpeg.c:2285)
 ==26730==    by 0x4B5CC0: decode_video (ffmpeg.c:2425)
 ==26730==    by 0x4B5CC0: process_input_packet (ffmpeg.c:2672)
 ==26730==    by 0x4B871E: process_input (ffmpeg.c:4606)
 ==26730==    by 0x4B871E: transcode_step (ffmpeg.c:4746)
 ==26730==    by 0x4B871E: transcode (ffmpeg.c:4800)
 ==26730==    by 0x49519D: main (ffmpeg.c:5005)
 ==26730==  Address 0x1e68cf78 is 8 bytes inside a block of size 16 free'd
 ==26730==    at 0x4840D7B: realloc (in /usr/lib64/valgrind
 /vgpreload_memcheck-amd64-linux.so)
 ==26730==    by 0x120E70A: av_dict_set (dict.c:106)
 ==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
 ==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
 ==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
 ==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
 ==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
 ==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
 ==26730==  Block was alloc'd at
 ==26730==    at 0x483E6AF: malloc (in /usr/lib64/valgrind
 /vgpreload_memcheck-amd64-linux.so)
 ==26730==    by 0x120E70A: av_dict_set (dict.c:106)
 ==26730==    by 0xB73730: decode_text_chunk.isra.0 (pngdec.c:555)
 ==26730==    by 0xB749FD: decode_frame_common (pngdec.c:1293)
 ==26730==    by 0xB77769: decode_frame_png (pngdec.c:1495)
 ==26730==    by 0xB873AE: frame_worker_thread (pthread_frame.c:211)
 ==26730==    by 0x4E98298: start_thread (in /lib64/libpthread-2.33.so)
 ==26730==    by 0x4FB0AF2: clone (in /lib64/libc-2.33.so)
 }}}
 {{{
 (gdb) bt
 #0  0x00007ffff7830d0a in __strlen_sse2 () from /lib64/libc.so.6
 #1  0x0000000001223a04 in av_strdup (s=s at entry=0x7ff827fc8901 <error:
 Cannot access memory at address 0x7ff827fc8901>) at libavutil/mem.c:257
 #2  0x000000000120f2a0 in av_dict_set (flags=0, value=0x7fffd80025d0
 "\006", key=0x7ff827fc8901 <error: Cannot access memory at address
 0x7ff827fc8901>,
     pm=0x208db70) at libavutil/dict.c:83
 #3  av_dict_copy (dst=dst at entry=0x208db70, src=0x7fffd8008880,
 flags=flags at entry=0) at libavutil/dict.c:222
 #4  0x0000000001215d48 in frame_copy_props (dst=dst at entry=0x208d9c0,
 src=src at entry=0x208c700, force_copy=force_copy at entry=0) at
 libavutil/frame.c:390
 #5  0x0000000001217419 in av_frame_ref (dst=0x208d9c0, src=0x208c700) at
 libavutil/frame.c:457
 #6  0x0000000000c73357 in ff_thread_ref_frame (dst=dst at entry=0x208d430,
 src=src at entry=0x208bed0) at libavcodec/utils.c:1727
 #7  0x0000000000b713a9 in update_thread_context (dst=<optimized out>,
 src=<optimized out>) at libavcodec/pngdec.c:1622
 #8  0x0000000000b847e3 in submit_packet (avpkt=<optimized out>,
 user_avctx=0x1fe7440, p=0x2083d60) at libavcodec/pthread_frame.c:434
 #9  ff_thread_decode_frame (avctx=avctx at entry=0x1fe7440,
 picture=picture at entry=0x2082ec0,
 got_picture_ptr=got_picture_ptr at entry=0x7fffffffd3c8,
     avpkt=avpkt at entry=0x1febcc0) at libavcodec/pthread_frame.c:515
 #10 0x0000000000920e83 in decode_simple_internal
 (discarded_samples=<synthetic pointer>, frame=0x2082ec0, avctx=0x1fe7440)
 at libavcodec/decode.c:325
 #11 decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized
 out>) at libavcodec/decode.c:526
 #12 decode_receive_frame_internal (avctx=avctx at entry=0x1fe7440,
 frame=0x2082ec0) at libavcodec/decode.c:546
 #13 0x0000000000921718 in avcodec_send_packet
 (avctx=avctx at entry=0x1fe7440, avpkt=avpkt at entry=0x208f880) at
 libavcodec/decode.c:608
 #14 0x00000000004b5cd1 in decode (pkt=0x208f880, got_frame=0x7fffffffd4bc,
 frame=<optimized out>, avctx=0x1fe7440) at fftools/ffmpeg.c:2285
 #15 decode_video (decode_failed=<optimized out>, eof=<optimized out>,
 duration_pts=<optimized out>, got_output=<optimized out>, pkt=<optimized
 out>,
     ist=<optimized out>) at fftools/ffmpeg.c:2425
 #16 process_input_packet (ist=ist at entry=0x1fe6bc0,
 pkt=pkt at entry=0x207e040, no_eof=no_eof at entry=0) at fftools/ffmpeg.c:2672
 #17 0x00000000004b872f in process_input (file_index=<optimized out>) at
 fftools/ffmpeg.c:4606
 #18 transcode_step () at fftools/ffmpeg.c:4746
 #19 transcode () at fftools/ffmpeg.c:4800
 #20 0x00000000004951ae in main (argc=10, argv=0x7fffffffdc88) at
 fftools/ffmpeg.c:5005
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8972#comment:7>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list