[FFmpeg-trac] #10061(undetermined:new): jpeg2000: crash with forced libopenjpeg decoder and image2 demuxer
FFmpeg
trac at avcodec.org
Tue Nov 22 04:30:31 EET 2022
#10061: jpeg2000: crash with forced libopenjpeg decoder and image2 demuxer
-------------------------------------+-------------------------------------
Reporter: ami_stuff | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
https://github.com/openpreserve/jpylyzer-test-files/raw/master/palettedImage.jp2
{{{
(gdb) r -vcodec libopenjpeg -f image2 -i palettedImage.jp2 -f null -
Starting program: ffmpeg_g -vcodec libopenjpeg -f image2 -i palettedImage.jp2 -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-109101-g822da7a317 Copyright (c) 2000-2022 the FFmpeg developers
built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
configuration: --enable-libopenjpeg
libavutil 57. 42.100 / 57. 42.100
libavcodec 59. 52.102 / 59. 52.102
libavformat 59. 34.101 / 59. 34.101
libavdevice 59. 8.101 / 59. 8.101
libavfilter 8. 50.100 / 8. 50.100
libswscale 6. 8.112 / 6. 8.112
libswresample 4. 9.100 / 4. 9.100
Input #0, image2, from 'palettedImage.jp2':
Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
Stream #0:0: Video: jpeg2000, gray, 1024x1024, 25 fps, 25 tbr, 25 tbn
[New Thread 0x7ffff6b37700 (LWP 33350)]
[New Thread 0x7ffff6336700 (LWP 33351)]
[New Thread 0x7ffff5b35700 (LWP 33352)]
[New Thread 0x7ffff5334700 (LWP 33353)]
[New Thread 0x7ffff4b33700 (LWP 33354)]
[New Thread 0x7ffff4332700 (LWP 33355)]
[New Thread 0x7ffff3b31700 (LWP 33356)]
[New Thread 0x7ffff3330700 (LWP 33357)]
[New Thread 0x7ffff2b2f700 (LWP 33358)]
Stream mapping:
Stream #0:0 -> #0:0 (jpeg2000 (libopenjpeg) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
[New Thread 0x7ffff232e700 (LWP 33359)]
[Thread 0x7ffff232e700 (LWP 33359) exited]
free(): invalid pointer
Thread 2 "av:libopen:df0" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff6b37700 (LWP 33350)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7616859 in __GI_abort () at abort.c:79
#2 0x00007ffff768126e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77ab298 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff76892fc in malloc_printerr (str=str@entry=0x7ffff77a94c1 "free(): invalid pointer") at malloc.c:5347
#4 0x00007ffff768ab2c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4173
#5 0x00007ffff784721b in ?? () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#6 0x00007ffff78205e5 in ?? () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#7 0x00007ffff782864c in ?? () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#8 0x00007ffff782b123 in opj_destroy_codec () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#9 0x0000555555d4d6ea in libopenjpeg_decode_frame (avctx=<optimized out>, picture=<optimized out>, got_frame=0x5555571535d0, avpkt=<optimized out>) at libavcodec/libopenjpegdec.c:483
#10 0x0000555555e47266 in frame_worker_thread (arg=0x5555571534c0) at libavcodec/pthread_frame.c:241
#11 0x00007ffff77ee609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x00007ffff7713133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
}}}
{{{
==33417== Invalid write of size 1
==33417== at 0x901DE1: libopenjpeg_copy_to_packed8 (libopenjpegdec.c:250)
==33417== by 0x901DE1: libopenjpeg_decode_frame (libopenjpegdec.c:445)
==33417== by 0x76E951: decode_simple_internal (decode.c:307)
==33417== by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417== by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417== by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417== by 0x56BB02: try_decode_frame (demux.c:2054)
==33417== by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417== by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417== by 0x2B3B41: open_files.isra.0 (ffmpeg_opt.c:1248)
==33417== by 0x2B4FDE: ffmpeg_parse_options (ffmpeg_opt.c:1287)
==33417== by 0x29F149: main (ffmpeg.c:4035)
==33417== Address 0x5ef254f is 0 bytes after a block of size 1,048,655 alloc'd
==33417== at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417== by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417== by 0x1071DD4: av_malloc (mem.c:105)
==33417== by 0x105E6D9: av_buffer_alloc (buffer.c:82)
==33417== by 0x105E753: av_buffer_allocz (buffer.c:95)
==33417== by 0x105EEBC: pool_alloc_buffer (buffer.c:363)
==33417== by 0x105EEBC: av_buffer_pool_get (buffer.c:401)
==33417== by 0x82C173: video_get_buffer (get_buffer.c:262)
==33417== by 0x82C173: avcodec_default_get_buffer2 (get_buffer.c:298)
==33417== by 0x770BC2: ff_get_buffer (decode.c:1505)
==33417== by 0x9FADD4: thread_get_buffer_internal (pthread_frame.c:993)
==33417== by 0x9FADD4: ff_thread_get_buffer (pthread_frame.c:1074)
==33417== by 0x9018BB: libopenjpeg_decode_frame (libopenjpegdec.c:418)
==33417== by 0x76E951: decode_simple_internal (decode.c:307)
==33417== by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417== by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417== by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417==
==33417== Invalid free() / delete / delete[] / realloc()
==33417== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417== by 0x4FF439A: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FF21DC: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FCB5E4: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FD364B: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FD6122: opj_destroy_codec (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x9016E9: libopenjpeg_decode_frame (libopenjpegdec.c:483)
==33417== by 0x76E951: decode_simple_internal (decode.c:307)
==33417== by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417== by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417== by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417== by 0x56BB02: try_decode_frame (demux.c:2054)
==33417== by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417== by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417== Address 0xf15000b0f00090d is not stack'd, malloc'd or (recently) free'd
==33417==
==33417== Invalid free() / delete / delete[] / realloc()
==33417== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417== by 0x4FF439A: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FF21ED: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FCB5E4: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FD364B: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x4FD6122: opj_destroy_codec (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417== by 0x9016E9: libopenjpeg_decode_frame (libopenjpegdec.c:483)
==33417== by 0x76E951: decode_simple_internal (decode.c:307)
==33417== by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417== by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417== by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417== by 0x56BB02: try_decode_frame (demux.c:2054)
==33417== by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417== by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417== Address 0xd12000c11000b0f is not stack'd, malloc'd or (recently) free'd
==33417==
Assertion (frame->private_ref && frame->private_ref->size == sizeof(FrameDecodeData)) || !(avctx->codec->capabilities & (1 << 1)) failed at libavcodec/decode.c:615
==33417==
==33417== Process terminating with default action of signal 6 (SIGABRT)
==33417== at 0x507200B: raise (raise.c:51)
==33417== by 0x5051858: abort (abort.c:79)
==33417== by 0x76F37F: decode_simple_internal (decode.c:502)
==33417== by 0x76F37F: decode_simple_receive_frame (decode.c:563)
==33417== by 0x76F37F: decode_receive_frame_internal (decode.c:584)
==33417== by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417== by 0x56BB02: try_decode_frame (demux.c:2054)
==33417== by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417== by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417== by 0x2B3B41: open_files.isra.0 (ffmpeg_opt.c:1248)
==33417== by 0x2B4FDE: ffmpeg_parse_options (ffmpeg_opt.c:1287)
==33417== by 0x29F149: main (ffmpeg.c:4035)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10061>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker