Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#1063 closed defect (fixed)

invalid reads with very high resolution video

Reported by: ami_stuff
Owned by:
Priority: normal
Component: undetermined
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

http://ffmpeg.org/trac/ffmpeg/attachment/ticket/1059/599.png

$ ffmpeg -i 599.png -s 4000x4000 -vcodec h263p out.avi
(gdb) r -i out.avi out2.avi
Starting program: d:\mingw\msys\1.0\ffmpeg\ffmpeg_g.exe -i out.avi out2.avi
[New Thread 2888.0x80c]
ffmpeg version 0.9.1.git Copyright (c) 2000-2012 the FFmpeg developers
  built on Mar 10 2012 16:15:15 with gcc 4.6.1
  configuration: --disable-yasm --disable-ffprobe
  libavutil      51. 42.100 / 51. 42.100
  libavcodec     54. 10.100 / 54. 10.100
  libavformat    54.  2.100 / 54.  2.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 63.100 /  2. 63.100
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0.  7.100 /  0.  7.100
Input #0, avi, from 'out.avi':
  Metadata:
    encoder         : Lavf54.2.100
  Duration: 00:00:00.04, start: 0.000000, bitrate: 83956 kb/s
    Stream #0:0: Video: h263 (H263 / 0x33363248), yuv420p, 4000x4000, 25 tbr, 25
 tbn, 25 tbc
[buffer @ 03871c60] w:4000 h:4000 pixfmt:yuv420p tb:1/1000000 sar:0/1 sws_param:

Output #0, avi, to 'out2.avi':
  Metadata:
    ISFT            : Lavf54.2.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 4000x4000, q=2-31, 2
00 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (h263 -> mpeg4)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
0x00739e7a in load_input_picture (pic_arg=0x22d9d8, s=0x3e363a0)
    at libavcodec/mpegvideo_enc.c:1036
1036                            memcpy(dst, src, w);
(gdb) bt
#0  0x00739e7a in load_input_picture (pic_arg=0x22d9d8, s=0x3e363a0)
    at libavcodec/mpegvideo_enc.c:1036
#1  ff_MPV_encode_picture (avctx=0x386f8e0, pkt=0x22db40, pic_arg=0x22d9d8,
    got_packet=0x22dc0c) at libavcodec/mpegvideo_enc.c:1429
#2  0x004f945d in avcodec_encode_video2 (avctx=0x386f8e0, avpkt=0x22db40,
    frame=0x22d9d8, got_packet_ptr=0x22dc0c) at libavcodec/utils.c:1219
#3  0x00405de0 in do_video_out (s=0x3863320, ost=0x386fcc0,
    in_picture=0x3873120, ist=<optimized out>) at ffmpeg.c:1619
#4  0x00407d6c in transcode_video (pkt_pts=<optimized out>,
    got_output=<optimized out>, pkt=<optimized out>, ist=<optimized out>)
    at ffmpeg.c:2178
#5  output_packet (ist=0x3871f40, ost_table=0x386fcc0, nb_ostreams=1,
    pkt=0x22fb28) at ffmpeg.c:2270
#6  0x0040bf3b in transcode (output_files=0x3871940, nb_output_files=1,
    input_files=0x38712e0, nb_input_files=1) at ffmpeg.c:3082
#7  0x0022ff48 in ?? ()
Backtrace stopped: Not enough registers or memory available to unwind further

Attachments (1)

out.avi (409.9 KB ) - added by ami_stuff 12 years ago.


Change History (9)

comment:1 by Michael Niedermayer, 12 years ago

can't reproduce, have you tried latest git?

comment:2 by ami_stuff, 12 years ago

still crashes for me

C:\>ffmpeg -i out.avi out2.avi
ffmpeg version N-38862-g967bdb8 Copyright (c) 2000-2012 the FFmpeg developers
  built on Mar 18 2012 02:23:57 with gcc 4.5.0 20100414 (Fedora MinGW 4.5.0-1.fc
14)
  configuration: --prefix=/var/www/users/research/ffmpeg/snapshots/build --arch=
x86 --target-os=mingw32 --cross-prefix=i686-pc-mingw32- --cc='ccache i686-pc-min
gw32-gcc' --enable-w32threads --enable-memalign-hack --enable-runtime-cpudetect
--enable-cross-compile --enable-static --disable-shared --extra-libs='-lws2_32 -
lwinmm' --extra-cflags='--static -I/var/www/users/research/ffmpeg/snapshots/buil
d/include' --extra-ldflags='-static -L/var/www/users/research/ffmpeg/snapshots/b
uild/lib' --enable-bzlib --enable-zlib --enable-gpl --enable-version3 --enable-n
onfree --enable-libx264 --enable-libspeex --enable-libtheora --enable-libvorbis
--enable-libfaac --enable-libxvid --enable-libopencore-amrnb --enable-libopencor
e-amrwb --enable-libmp3lame --enable-libvpx --disable-decoder=libvpx
  libavutil      51. 42.100 / 51. 42.100
  libavcodec     54. 10.100 / 54. 10.100
  libavformat    54.  2.100 / 54.  2.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 65.100 /  2. 65.100
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0.  7.100 /  0.  7.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, avi, from 'out.avi':
  Metadata:
    encoder         : Lavf54.2.100
  Duration: 00:00:00.04, start: 0.000000, bitrate: 83956 kb/s
    Stream #0:0: Video: h263 (H263 / 0x33363248), yuv420p, 4000x4000, 25 tbr, 25
 tbn, 25 tbc
w:4000 h:4000 pixfmt:yuv420p tb:1/1000000 sar:0/1 sws_param:
Output #0, avi, to 'out2.avi':
  Metadata:
    ISFT            : Lavf54.2.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 4000x4000, q=2-31, 2
00 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (h263 -> mpeg4)
Press [q] to stop, [?] for help

C:\>

by ami_stuff, 12 years ago

Attachment: out.avi added

comment:3 by ami_stuff, 12 years ago

I attached the input file.

comment:4 by Carl Eugen Hoyos, 12 years ago

Reproduced by developer: set
Status: new → open
Summary: h263p: crash with high resolution video → invalid reads with very high resolution video
Version: unspecified → git-master

$ valgrind ffmpeg_g -i out.avi out2.avi
ffmpeg version N-38873-gd19d52d Copyright (c) 2000-2012 the FFmpeg developers
  built on Mar 18 2012 21:52:27 with gcc 4.3.2
  configuration: --cc=/usr/local/gcc-4.3.2/bin/gcc --enable-gpl --enable-libspeex
  libavutil      51. 42.100 / 51. 42.100
  libavcodec     54. 10.100 / 54. 10.100
  libavformat    54.  2.100 / 54.  2.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 65.101 /  2. 65.101
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0.  7.100 /  0.  7.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, avi, from 'out.avi':
  Metadata:
    encoder         : Lavf54.2.100
  Duration: 00:00:00.04, start: 0.000000, bitrate: 83956 kb/s
    Stream #0:0: Video: h263 (H263 / 0x33363248), yuv420p, 4000x4000, 25 tbr, 25 tbn, 25 tbc
[buffer @ 0x44bef40] w:4000 h:4000 pixfmt:yuv420p tb:1/1000000 sar:0/1 sws_param:
Output #0, avi, to 'out2.avi':
  Metadata:
    ISFT            : Lavf54.2.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 4000x4000, q=2-31, 200 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (h263 -> mpeg4)
Press [q] to stop, [?] for help
==16526== Invalid read of size 1
==16526==    at 0x40245A1: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x849E214: ff_MPV_encode_picture (mpegvideo_enc.c:1036)
==16526==  Address 0x6462CBF is 1 bytes before a block of size 239,136 alloc'd
==16526==    at 0x4021A50: memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x4021AAA: posix_memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x87BDC7F: av_mallocz (mem.c:94)
==16526==
==16526== Invalid read of size 1
==16526==    at 0x40245A9: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x849E214: ff_MPV_encode_picture (mpegvideo_enc.c:1036)
==16526==  Address 0x6462CBE is 2 bytes before a block of size 239,136 alloc'd
==16526==    at 0x4021A50: memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x4021AAA: posix_memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x87BDC7F: av_mallocz (mem.c:94)
==16526==
==16526== Invalid read of size 1
==16526==    at 0x40245B0: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x849E214: ff_MPV_encode_picture (mpegvideo_enc.c:1036)
==16526==  Address 0x6462CBD is 3 bytes before a block of size 239,136 alloc'd
==16526==    at 0x4021A50: memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x4021AAA: posix_memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x87BDC7F: av_mallocz (mem.c:94)
==16526==
==16526== Invalid read of size 1
==16526==    at 0x40245B7: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x849E214: ff_MPV_encode_picture (mpegvideo_enc.c:1036)
==16526==  Address 0x6462CBC is 4 bytes before a block of size 239,136 alloc'd
==16526==    at 0x4021A50: memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x4021AAA: posix_memalign (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16526==    by 0x87BDC7F: av_mallocz (mem.c:94)
==16526== Warning: set address range perms: large range 193760016 (undefined)

...

==16526==
==16526== ERROR SUMMARY: 1058532 errors from 136 contexts (suppressed: 3 from 1)
==16526== malloc/free: in use at exit: 0 bytes in 0 blocks.
==16526== malloc/free: 253 allocs, 253 frees, 267,903,354 bytes allocated.
==16526== For counts of detected errors, rerun with: -v
==16526== All heap blocks were freed -- no leaks are possible.

comment:5 by ami_stuff, 12 years ago

ffmpeg doesn't crash here anymore, but ffplay still does.

maybe the problem is related to these mpeg errors?:

C:\>ffmpeg -i 599.png -s 4000x4000 -vcodec mpeg1video out.mpg
ffmpeg version N-40584-g0159032 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 11 2012 02:38:34 with gcc 4.5.0 20100414 (Fedora MinGW 4.5.0-1.fc
14)
  configuration: --prefix=/var/www/users/research/ffmpeg/snapshots/build --arch=
x86 --target-os=mingw32 --cross-prefix=i686-pc-mingw32- --cc='ccache i686-pc-min
gw32-gcc' --enable-w32threads --enable-memalign-hack --enable-runtime-cpudetect
--enable-cross-compile --enable-static --disable-shared --extra-libs='-lws2_32 -
lwinmm' --extra-cflags='--static -I/var/www/users/research/ffmpeg/snapshots/buil
d/include' --extra-ldflags='-static -L/var/www/users/research/ffmpeg/snapshots/b
uild/lib' --enable-bzlib --enable-zlib --enable-gpl --enable-version3 --enable-n
onfree --enable-libx264 --enable-libspeex --enable-libtheora --enable-libvorbis
--enable-libfaac --enable-libxvid --enable-libopencore-amrnb --enable-libopencor
e-amrwb --enable-libmp3lame --enable-libvpx --disable-decoder=libvpx
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, image2, from '599.png':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: png, rgb24, 599x412, 25 tbr, 25 tbn, 25 tbc
w:599 h:412 pixfmt:rgb24 tb:1/1000000 sar:0/1 sws_param:flags=2
[buffersink @ 0x1dd23c0] No opaque field provided
[scale @ 0x1dd2580] w:599 h:412 fmt:rgb24 sar:0/1 -> w:4000 h:4000 fmt:yuv420p s
ar:0/1 flags:0x4
[mpeg @ 0x1dcb020] VBV buffer size not set, muxing may fail
Output #0, mpeg, to 'out.mpg':
  Metadata:
    encoder         : Lavf54.4.100
    Stream #0:0: Video: mpeg1video, yuv420p, 4000x4000, q=2-31, 200 kb/s, 90k tb
n, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (png -> mpeg1video)
Press [q] to stop, [?] for help
frame=    1 fps=0.1 q=3.7 Lsize=     230kB time=00:00:00.04 bitrate=47104.0kbits
/s
video:229kB audio:0kB global headers:0kB muxing overhead 0.472672%
C:\>ffmpeg -i out.mpg out.avi
ffmpeg version N-40584-g0159032 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 11 2012 02:38:34 with gcc 4.5.0 20100414 (Fedora MinGW 4.5.0-1.fc
14)
  configuration: --prefix=/var/www/users/research/ffmpeg/snapshots/build --arch=
x86 --target-os=mingw32 --cross-prefix=i686-pc-mingw32- --cc='ccache i686-pc-min
gw32-gcc' --enable-w32threads --enable-memalign-hack --enable-runtime-cpudetect
--enable-cross-compile --enable-static --disable-shared --extra-libs='-lws2_32 -
lwinmm' --extra-cflags='--static -I/var/www/users/research/ffmpeg/snapshots/buil
d/include' --extra-ldflags='-static -L/var/www/users/research/ffmpeg/snapshots/b
uild/lib' --enable-bzlib --enable-zlib --enable-gpl --enable-version3 --enable-n
onfree --enable-libx264 --enable-libspeex --enable-libtheora --enable-libvorbis
--enable-libfaac --enable-libxvid --enable-libopencore-amrnb --enable-libopencor
e-amrwb --enable-libmp3lame --enable-libvpx --disable-decoder=libvpx
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[mpeg @ 0x1dcc5a0] Format mpeg detected only with low score of 25, misdetection
possible!
[mpeg1video @ 0x1dc2320] qscale == 0
[mpeg1video @ 0x1dc2320] Warning MVs not available
[mpeg1video @ 0x1dc2320] concealing 62500 DC, 62500 AC, 62500 MV errors
Input #0, mpeg, from 'out.mpg':
  Duration: N/A, start: 1.000000, bitrate: N/A
    Stream #0:0[0x1e0]: Video: mpeg1video, yuv420p, 4000x4000 [SAR 1:1 DAR 1:1],
 104857 kb/s, 25 tbr, 90k tbn, 25 tbc
w:4000 h:4000 pixfmt:yuv420p tb:1/1000000 sar:1/1 sws_param:flags=2
[buffersink @ 0x1dd4e40] No opaque field provided
Output #0, avi, to 'out.avi':
  Metadata:
    ISFT            : Lavf54.4.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 4000x4000 [SAR 1:1 D
AR 1:1], q=2-31, 200 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg1video -> mpeg4)
Press [q] to stop, [?] for help
[mpeg1video @ 0x1dc2320] qscale == 0
[mpeg1video @ 0x1dc2320] Warning MVs not available
[mpeg1video @ 0x1dc2320] concealing 62500 DC, 62500 AC, 62500 MV errors
frame=    1 fps=0.1 q=3.7 Lsize=     174kB time=00:00:00.04 bitrate=35543.6kbits
/s
video:168kB audio:0kB global headers:0kB muxing overhead 3.362879%
C:\>ffmpeg -i 599.png -s 4000x4000 -vcodec mpeg2video out.mpg
ffmpeg version N-40584-g0159032 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 11 2012 02:38:34 with gcc 4.5.0 20100414 (Fedora MinGW 4.5.0-1.fc
14)
  configuration: --prefix=/var/www/users/research/ffmpeg/snapshots/build --arch=
x86 --target-os=mingw32 --cross-prefix=i686-pc-mingw32- --cc='ccache i686-pc-min
gw32-gcc' --enable-w32threads --enable-memalign-hack --enable-runtime-cpudetect
--enable-cross-compile --enable-static --disable-shared --extra-libs='-lws2_32 -
lwinmm' --extra-cflags='--static -I/var/www/users/research/ffmpeg/snapshots/buil
d/include' --extra-ldflags='-static -L/var/www/users/research/ffmpeg/snapshots/b
uild/lib' --enable-bzlib --enable-zlib --enable-gpl --enable-version3 --enable-n
onfree --enable-libx264 --enable-libspeex --enable-libtheora --enable-libvorbis
--enable-libfaac --enable-libxvid --enable-libopencore-amrnb --enable-libopencor
e-amrwb --enable-libmp3lame --enable-libvpx --disable-decoder=libvpx
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, image2, from '599.png':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: png, rgb24, 599x412, 25 tbr, 25 tbn, 25 tbc
w:599 h:412 pixfmt:rgb24 tb:1/1000000 sar:0/1 sws_param:flags=2
[buffersink @ 0x1dd23c0] No opaque field provided
[scale @ 0x1dd2580] w:599 h:412 fmt:rgb24 sar:0/1 -> w:4000 h:4000 fmt:yuv420p s
ar:0/1 flags:0x4
[mpeg @ 0x1dcb020] VBV buffer size not set, muxing may fail
Output #0, mpeg, to 'out.mpg':
  Metadata:
    encoder         : Lavf54.4.100
    Stream #0:0: Video: mpeg2video, yuv420p, 4000x4000, q=2-31, 200 kb/s, 90k tb
n, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (png -> mpeg2video)
Press [q] to stop, [?] for help
[mpeg @ 0x1dcb020] buffer underflow i=0 bufi=234684 size=236797
[mpeg @ 0x1dcb020] packet too large, ignoring buffer limits to mux it
[mpeg @ 0x1dcb020] buffer underflow i=0 bufi=234684 size=236797
[mpeg @ 0x1dcb020] buffer underflow i=0 bufi=236713 size=236797
packet too large, ignoring buffer limits to mux it
[mpeg @ 0x1dcb020] buffer underflow i=0 bufi=236713 size=236797
frame=    1 fps=0.2 q=3.7 Lsize=     234kB time=00:00:00.04 bitrate=47923.2kbits
/s
video:231kB audio:0kB global headers:0kB muxing overhead 1.190471%

comment:6 by Michael Niedermayer, 12 years ago

Resolution: fixed
Status: open → closed

comment:7 by ami_stuff, 12 years ago

Thanks, but it looks like a check that the resolution is a multiple of 4 should be added as well.

In addition to the multiples of CIF, H.263+ permits
any frame size from 4x4 to 2048x1152 pixels in
increments of 4.

ffmpeg -i 599.png -s 162x160 -vcodec h263p out.avi
ffmpeg -i out.avi out.bmp

mpeg1 should probably support resolutions up to 4095x4095

http://stason.org/TULARC/software/mpeg-mp3/64-MPEG-Myths.html

in reply to:  7 comment:8 by Michael Niedermayer, 12 years ago

Replying to ami_stuff:

> Thanks, but it looks like a check that the resolution is a multiple of 4 should be added as well.

added, thanks

> In addition to the multiples of CIF, H.263+ permits
> any frame size from 4x4 to 2048x1152 pixels in
> increments of 4.
>
> ffmpeg -i 599.png -s 162x160 -vcodec h263p out.avi
> ffmpeg -i out.avi out.bmp
>
> mpeg1 should probably support resolutions up to 4095x4095

yes, will be fixed in my next push together with mpeg2

thanks
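
The size constraints raised in comments 7 and 8, written as a check that runs before any encoder buffers are sized. This is an added example, not FFmpeg's actual fix: the function, enum and table names are hypothetical, and the limits are the ones quoted in this ticket (H.263+ from 4x4 to 2048x1152 in steps of 4, MPEG-1 up to 4095x4095).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; limits are the ones quoted in comment 7 of this ticket. */
enum dim_status { DIM_OK = 0, DIM_UNKNOWN_CODEC, DIM_TOO_SMALL, DIM_TOO_LARGE, DIM_BAD_STEP };

struct dim_limits {
    const char *codec;
    int min_w, min_h;
    int max_w, max_h;
    int step;               /* width and height must be multiples of this */
};

static const struct dim_limits LIMITS[] = {
    { "h263p",      4, 4, 2048, 1152, 4 },
    { "mpeg1video", 1, 1, 4095, 4095, 1 },
};

/* Reject a frame size the codec cannot represent before anything is allocated
 * or copied. Negative and zero sizes fall under DIM_TOO_SMALL. */
enum dim_status check_encode_dimensions(const char *codec, int w, int h)
{
    for (size_t i = 0; i < sizeof(LIMITS) / sizeof(LIMITS[0]); i++) {
        const struct dim_limits *l = &LIMITS[i];
        if (strcmp(codec, l->codec) != 0)
            continue;
        if (w < l->min_w || h < l->min_h)
            return DIM_TOO_SMALL;
        if (w > l->max_w || h > l->max_h)
            return DIM_TOO_LARGE;
        if (w % l->step != 0 || h % l->step != 0)
            return DIM_BAD_STEP;
        return DIM_OK;
    }
    return DIM_UNKNOWN_CODEC;   /* fail closed: no limits known, do not encode */
}

int main(void)
{
    /* The two command lines from the ticket, plus one valid CIF frame. */
    printf("h263p 4000x4000 -> %d\n", check_encode_dimensions("h263p", 4000, 4000));
    printf("h263p 162x160   -> %d\n", check_encode_dimensions("h263p", 162, 160));
    printf("h263p 352x288   -> %d\n", check_encode_dimensions("h263p", 352, 288));
    return 0;
}
```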
