mpeg2 decoder crash

[K.Y.H]

Lastest git version, decode "​http://pan.baidu.com/s/1kXZkD" crash.

detail desc...
static void mpeg_decode_user_data(AVCodecContext *avctx,

const uint8_t *p, int buf_size)

...
...
...

if (S3D_video_format_type == 0x03

S3D_video_format_type == 0x04 S3D_video_format_type == 0x08

S3D_video_format_type == 0x23) {
Mpeg1Context *s1 = avctx->priv_data;
MpegEncContext *s = &s1->mpeg_enc_ctx;
AVStereo3D *stereo = av_stereo3d_create_side_data(&s->current_picture_ptr->f);

s->current_picture_ptr can be NULL.
So access NULL pointer error.

[Carl Eugen Hoyos]

Regression since 1dab49c3 / bacc2869

(gdb) r -i The\ program\ crashes_cut.ts
Starting program: ffmpeg_g -i The\ program\ crashes_cut.ts
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-59017-g551a679 Copyright (c) 2000-2013 the FFmpeg developers
  built on Dec 12 2013 09:50:32 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      52. 58.100 / 52. 58.100
  libavcodec     55. 45.101 / 55. 45.101
  libavformat    55. 22.100 / 55. 22.100
  libavdevice    55.  5.102 / 55.  5.102
  libavfilter     3. 92.100 /  3. 92.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 17.104 /  0. 17.104
  libpostproc    52.  3.100 / 52.  3.100

Program received signal SIGSEGV, Segmentation fault.
av_frame_new_side_data (frame=0x0, type=type@entry=AV_FRAME_DATA_STEREO3D, size=size@entry=8)
    at libavutil/frame.c:557
557         if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
(gdb) bt
#0  av_frame_new_side_data (frame=0x0, type=type@entry=AV_FRAME_DATA_STEREO3D, size=size@entry=8)
    at libavutil/frame.c:557
#1  0x0000000000cce683 in av_stereo3d_create_side_data (frame=<optimized out>)
    at libavutil/stereo3d.c:33
#2  0x0000000000906486 in mpeg_decode_user_data (buf_size=114828, p=<optimized out>,
    avctx=0x17d71a0) at libavcodec/mpeg12dec.c:2229
#3  decode_chunks (avctx=avctx@entry=0x17d71a0, picture=picture@entry=0x1809800,
    got_output=got_output@entry=0x7fffffffd1ec, buf=0x182d260 "", buf_size=115019)
    at libavcodec/mpeg12dec.c:2430
#4  0x00000000009067ab in mpeg_decode_frame (avctx=0x17d71a0, data=0x1809800,
    got_output=0x7fffffffd1ec, avpkt=<optimized out>) at libavcodec/mpeg12dec.c:2643
#5  0x0000000000a3a4d8 in avcodec_decode_video2 (avctx=0x17d71a0, picture=0x1809800,
    got_picture_ptr=got_picture_ptr@entry=0x7fffffffd1ec, avpkt=avpkt@entry=0x7fffffffd220)
    at libavcodec/utils.c:2107
#6  0x00000000005d62cd in try_decode_frame (s=s@entry=0x17d3100, st=st@entry=0x17d6ec0,
    avpkt=avpkt@entry=0x1809660, options=0x17d7ac0) at libavformat/utils.c:2508
#7  0x00000000005dec90 in avformat_find_stream_info (ic=0x17d3100, options=0x17d7ac0)
    at libavformat/utils.c:3048
#8  0x000000000046d4f2 in open_input_file (o=o@entry=0x7fffffffd6c0, filename=<optimized out>)
    at ffmpeg_opt.c:861
#9  0x000000000046b6a4 in open_files (inout=inout@entry=0xd3e9bf "input",
    open_file=open_file@entry=0x46d0b0 <open_input_file>, l=<optimized out>, l=<optimized out>)
    at ffmpeg_opt.c:2583
#10 0x0000000000473139 in ffmpeg_parse_options (argc=argc@entry=3, argv=argv@entry=0x7fffffffdd78)
    at ffmpeg_opt.c:2620
#11 0x0000000000463ef8 in main (argc=3, argv=0x7fffffffdd78) at ffmpeg.c:3521
(gdb) disass $pc-27,$pc+32
Dump of assembler code from 0xcb61e0 to 0xcb621b:
   0x0000000000cb61e0 <av_frame_new_side_data+0>:       mov    %rbx,-0x20(%rsp)
   0x0000000000cb61e5 <av_frame_new_side_data+5>:       mov    %rbp,-0x18(%rsp)
   0x0000000000cb61ea <av_frame_new_side_data+10>:      mov    %rdi,%rbx
   0x0000000000cb61ed <av_frame_new_side_data+13>:      mov    %r12,-0x10(%rsp)
   0x0000000000cb61f2 <av_frame_new_side_data+18>:      mov    %r13,-0x8(%rsp)
   0x0000000000cb61f7 <av_frame_new_side_data+23>:      sub    $0x38,%rsp
=> 0x0000000000cb61fb <av_frame_new_side_data+27>:      mov    0x228(%rdi),%eax
   0x0000000000cb6201 <av_frame_new_side_data+33>:      cmp    $0xffffffe,%eax
   0x0000000000cb6206 <av_frame_new_side_data+38>:      ja     0xcb62b8 <av_frame_new_side_data+216>
   0x0000000000cb620c <av_frame_new_side_data+44>:      mov    %esi,%r13d
   0x0000000000cb620f <av_frame_new_side_data+47>:      lea    0x1(%rax),%esi
   0x0000000000cb6212 <av_frame_new_side_data+50>:      mov    0x220(%rdi),%rdi
   0x0000000000cb6219 <av_frame_new_side_data+57>:      mov    %edx,%r12d
End of assembler dump.
(gdb) info register
rax            0x5      5
rbx            0x0      0
rcx            0x17f59c0        25123264
rdx            0x8      8
rsi            0x2      2
rdi            0x0      0
rbp            0x17d71a0        0x17d71a0
rsp            0x7fffffffcec0   0x7fffffffcec0
r8             0x17f59c0        25123264
r9             0x1c08c  114828
r10            0x1      1
r11            0x7ffff5f7b360   140737320039264
r12            0x8      8
r13            0x1c08c  114828
r14            0x17f59c0        25123264
r15            0x18493ab        25465771
rip            0xcb61fb 0xcb61fb <av_frame_new_side_data+27>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

[Tomer Barletz]

Fixed by fe285b04bbad23ddfac164e22034b5ee76e039a6.

[Carl Eugen Hoyos]

Fixed by Tomer Barletz.