Opened 4 years ago

Closed 4 years ago

#3721 closed defect (fixed)

crash on a valid rtp mpegts stream

Reported by: lavv17
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: mpegts crash SIGSEGV
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
ffmpeg crashes on certain valid iptv rtp streams. It does not crash under valgrind, but produces errors from valgrind (below).

How to reproduce:

$ /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy file.avi -y
ffmpeg version N-63863-g2351ea8 Copyright (c) 2000-2014 the FFmpeg developers
  built on Jun 10 2014 11:41:03 with gcc 4.8.2 (GCC) 20131212 (Red Hat 4.8.2-7)
  configuration: 
  libavutil      52. 89.100 / 52. 89.100
  libavcodec     55. 66.100 / 55. 66.100
  libavformat    55. 42.101 / 55. 42.101
  libavdevice    55. 13.101 / 55. 13.101
  libavfilter     4.  7.100 /  4.  7.100
  libswscale      2.  6.100 /  2.  6.100
  libswresample   0. 19.100 /  0. 19.100
[mpeg2video @ 0x202a420] Invalid frame dimensions 0x0.
Segmentation fault (core dumped)
(gdb) bt
#0  0x00000000005935e4 in rtp_parse_one_packet (len=1328, bufptr=0x20268c0, 
    pkt=0x7fffcce06d20, s=0x20269e0) at libavformat/rtpdec.c:771
#1  ff_rtp_parse_packet (s=0x20269e0, pkt=pkt@entry=0x7fffcce06d20, 
    bufptr=bufptr@entry=0x20268c0, len=len@entry=1328)
    at libavformat/rtpdec.c:822
#2  0x00000000005a4a1a in ff_rtsp_fetch_packet (s=0x2024c20, 
    pkt=0x7fffcce06d20) at libavformat/rtsp.c:2042
#3  0x00000000005c4436 in ff_read_packet (s=s@entry=0x2024c20, 
    pkt=pkt@entry=0x7fffcce06d20) at libavformat/utils.c:791
#4  0x00000000005c71f0 in read_frame_internal (s=s@entry=0x2024c20, 
    pkt=pkt@entry=0x7fffcce06e60) at libavformat/utils.c:1454
#5  0x00000000005cab1f in avformat_find_stream_info (ic=0x2024c20, options=0x0)
    at libavformat/utils.c:3240
#6  0x000000000046fdc1 in open_input_file (o=o@entry=0x7fffcce071e0, 
    filename=<optimized out>) at ffmpeg_opt.c:888
#7  0x00000000004740df in open_files (inout=0xcc1a1f "input", 
    open_file=0x46fa00 <open_input_file>, l=<optimized out>, l=<optimized out>)
    at ffmpeg_opt.c:2645
#8  ffmpeg_parse_options (argc=argc@entry=11, argv=argv@entry=0x7fffcce07a38)
    at ffmpeg_opt.c:2682
#9  0x0000000000463ef8 in main (argc=11, argv=0x7fffcce07a38) at ffmpeg.c:3787
$ valgrind /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy file.avi -y
==34163== Memcheck, a memory error detector
==34163== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==34163== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==34163== Command: /usr/local/bin/ffmpeg -ss 1 -i rtp://@224.0.91.78:1234 -t 30 -c copy file.avi -y
==34163== 
ffmpeg version N-63863-g2351ea8 Copyright (c) 2000-2014 the FFmpeg developers
  built on Jun 10 2014 11:41:03 with gcc 4.8.2 (GCC) 20131212 (Red Hat 4.8.2-7)
  configuration: 
  libavutil      52. 89.100 / 52. 89.100
  libavcodec     55. 66.100 / 55. 66.100
  libavformat    55. 42.101 / 55. 42.101
  libavdevice    55. 13.101 / 55. 13.101
  libavfilter     4.  7.100 /  4.  7.100
  libswscale      2.  6.100 /  2.  6.100
  libswresample   0. 19.100 /  0. 19.100
[mpeg2video @ 0x59b7a40] Invalid frame dimensions 0x0.
==34163== Invalid write of size 1
==34163==    at 0x5540C8: write_section_data.isra.13 (mpegts.c:398)
==34163==    by 0x554793: handle_packet (mpegts.c:2095)
==34163==    by 0x5596CE: ff_mpegts_parse_packet (mpegts.c:2646)
==34163==    by 0x598994: mpegts_handle_packet (rtpdec_mpegts.c:86)
==34163==    by 0x592796: rtp_parse_packet_internal (rtpdec.c:645)
==34163==    by 0x593920: ff_rtp_parse_packet (rtpdec.c:792)
==34163==    by 0x5A4A19: ff_rtsp_fetch_packet (rtsp.c:2042)
==34163==    by 0x5C4435: ff_read_packet (utils.c:791)
==34163==    by 0x5C71EF: read_frame_internal (utils.c:1454)
==34163==    by 0x5CAB1E: avformat_find_stream_info (utils.c:3240)
==34163==    by 0x46FDC0: open_input_file (ffmpeg_opt.c:888)
==34163==    by 0x4740DE: ffmpeg_parse_options (ffmpeg_opt.c:2645)
==34163==  Address 0x5945828 is 40 bytes inside a block of size 96 free'd
==34163==    at 0x4C294C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==34163==    by 0xC41EDB: av_freep (mem.c:232)
==34163==    by 0x4EAE5F: ffurl_close (avio.c:383)
==34163==    by 0x5A3109: rtp_read_header (rtsp.c:2299)
==34163==    by 0x5CDAE6: avformat_open_input (utils.c:594)
==34163==    by 0x46FCB8: open_input_file (ffmpeg_opt.c:871)
==34163==    by 0x4740DE: ffmpeg_parse_options (ffmpeg_opt.c:2645)
==34163==    by 0x463EF7: main (ffmpeg.c:3787)
==34163== 
    Last message repeated 13 times
RTP: missed 177 packets
[rtp @ 0x5943940] PES packet size mismatch
    Last message repeated 1 times
RTP: missed 107 packets
[rtp @ 0x5943940] PES packet size mismatch
    Last message repeated 1 times
rtp://@224.0.91.78:1234: could not seek to position 93742.111
Input #0, rtp, from 'rtp://@224.0.91.78:1234':
  Duration: N/A, start: 93741.111167, bitrate: 371 kb/s
  Program 6490 
    Stream #0:0: Video: mpeg2video (Main), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], max. 15000 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
    Stream #0:2(rus): Audio: mp2, 48000 Hz, stereo, s16p, 185 kb/s
    Stream #0:1(eng): Audio: mp2, 48000 Hz, stereo, s16p, 185 kb/s
Output #0, avi, to 'file.avi':
  Metadata:
    ISFT            : Lavf55.42.101
    Stream #0:0: Video: mpeg2video (mpg2 / 0x3267706D), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, max. 15000 kb/s, 25 fps, 50 tbn, 50 tbc
    Stream #0:1(eng): Audio: mp2 (P[0][0][0] / 0x0050), 48000 Hz, stereo, 185 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (copy)
  Stream #0:1 -> #0:1 (copy)
Press [q] to stop, [?] for help
RTP: missed 48 packets
[rtp @ 0x5943940] PES packet size mismatch
frame=    0 fps=0.0 q=-1.0 size=      10kB time=00:00:01.20 bitrate=  67.2kbits/frame=   12 fps= 11 q=-1.0 size=     232kB time=00:00:01.80 bitrate=1054.2kbits/frame=   26 fps= 16 q=-1.0 size=     495kB time=00:00:02.36 bitrate=1717.5kbits/frame=   38 fps= 18 q=-1.0 size=     716kB time=00:00:02.84 bitrate=2066.6kbits/frame=   52 fps= 20 q=-1.0 size=    1002kB time=00:00:03.40 bitrate=2414.4kbits/frame=   65 fps= 21 q=-1.0 size=    1301kB time=00:00:03.92 bitrate=2719.4kbits/frame=   77 fps= 21 q=-1.0 size=    1505kB time=00:00:04.40 bitrate=2801.5kbits/
==34163== Invalid write of size 1
==34163==    at 0x5540C8: write_section_data.isra.13 (mpegts.c:398)
==34163==    by 0x554793: handle_packet (mpegts.c:2095)
==34163==    by 0x5596CE: ff_mpegts_parse_packet (mpegts.c:2646)
==34163==    by 0x598A06: mpegts_handle_packet (rtpdec_mpegts.c:75)
==34163==    by 0x593861: ff_rtp_parse_packet (rtpdec.c:752)
==34163==    by 0x5A4D63: ff_rtsp_fetch_packet (rtsp.c:1956)
==34163==    by 0x5C4435: ff_read_packet (utils.c:791)
==34163==    by 0x5C71EF: read_frame_internal (utils.c:1454)
==34163==    by 0x5C807C: av_read_frame (utils.c:1594)
==34163==    by 0x464D1E: main (ffmpeg.c:3256)
==34163==  Address 0x5945828 is 0 bytes after a block of size 40 free'd
==34163==    at 0x4C294C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==34163==    by 0xC41EDB: av_freep (mem.c:232)
==34163==    by 0xC33948: av_buffer_unref (buffer.c:116)
==34163==    by 0x605D26: av_free_packet (avpacket.c:285)
==34163==    by 0x464236: main (ffmpeg.c:3496)
==34163== 
frame=   91 fps= 22 q=-1.0 size=    1794kB time=00:00:04.96 bitrate=2962.4kbits/frame=  105 fps= 22 q=-1.0 size=    2077kB time=00:00:05.52 bitrate=3082.1kbits/frame=  116 fps= 22 q=-1.0 size=    2320kB time=00:00:05.96 bitrate=3188.6kbits/frame=  131 fps= 23 q=-1.0 size=    2568kB time=00:00:06.56 bitrate=3207.2kbits/frame=  145 fps= 23 q=-1.0 size=    2852kB time=00:00:07.12 bitrate=3281.0kbits/frame=  159 fps= 23 q=-1.0 size=    3056kB time=00:00:07.68 bitrate=3259.9kbits/frame=  171 fps= 23 q=-1.0 size=    3298kB time=00:00:08.16 bitrate=3310.9kbits/frame=  181 fps= 23 q=-1.0 size=    3455kB time=00:00:08.56 bitrate=3306.7kbits/frame=  196 fps= 23 q=-1.0 size=    3671kB time=00:00:09.16 bitrate=3283.4kbits/frame=  211 fps= 24 q=-1.0 size=    3881kB time=00:00:09.76 bitrate=3257.9kbits/frame=  226 fps= 24 q=-1.0 size=    4034kB time=00:00:10.36 bitrate=3190.1kbits/frame=  239 fps= 24 q=-1.0 size=    4211kB time=00:00:10.88 bitrate=3170.9kbits/frame=  250 fps= 24 q=-1.0 size=    4478kB time=00:00:11.32 bitrate=3240.7kbits/frame=  265 fps= 24 q=-1.0 size=    4765kB time=00:00:11.92 bitrate=3274.9kbits/frame=  279 fps= 24 q=-1.0 size=    5019kB time=00:00:12.48 bitrate=3294.6kbits/frame=  291 fps= 24 q=-1.0 size=    5245kB time=00:00:12.96 bitrate=3315.4kbits/frame=  304 fps= 24 q=-1.0 size=    5531kB time=00:00:13.48 bitrate=3361.3kbits/frame=  318 fps= 24 q=-1.0 size=    5769kB time=00:00:14.04 bitrate=3366.2kbits/frame=  330 fps= 24 q=-1.0 size=    5985kB time=00:00:14.52 bitrate=3376.5kbits/frame=  346 fps= 24 q=-1.0 size=    6218kB time=00:00:15.16 bitrate=3360.1kbits/frame=  358 fps= 24 q=-1.0 size=    6537kB time=00:00:15.64 bitrate=3423.7kbits/frame=  368 fps= 24 q=-1.0 size=    6770kB time=00:00:16.04 bitrate=3457.7kbits/frame=  383 fps= 24 q=-1.0 size=    7034kB time=00:00:16.64 bitrate=3462.8kbits/frame=  395 fps= 24 q=-1.0 size=    7235kB time=00:00:17.12 bitrate=3462.0kbits/frame=  409 fps= 24 q=-1.0 size=    7545kB time=00:00:17.68 
bitrate=3496.0kbits/frame=  422 fps= 24 q=-1.0 size=    7831kB time=00:00:18.20 bitrate=3525.0kbits/frame=  434 fps= 24 q=-1.0 size=    8059kB time=00:00:18.68 bitrate=3534.4kbits/frame=  449 fps= 24 q=-1.0 size=    8343kB time=00:00:19.28 bitrate=3544.7kbits/frame=  461 fps= 24 q=-1.0 size=    8538kB time=00:00:19.76 bitrate=3539.7kbits/frame=  473 fps= 24 q=-1.0 size=    8728kB time=00:00:20.24 bitrate=3532.6kbits/frame=  488 fps= 24 q=-1.0 size=    8923kB time=00:00:20.84 bitrate=3507.5kbits/frame=  502 fps= 24 q=-1.0 size=    9164kB time=00:00:21.40 bitrate=3508.0kbits/frame=  514 fps= 24 q=-1.0 size=    9365kB time=00:00:21.88 bitrate=3506.3kbits/frame=  526 fps= 24 q=-1.0 size=    9656kB time=00:00:22.36 bitrate=3537.7kbits/frame=  539 fps= 24 q=-1.0 size=    9882kB time=00:00:22.88 bitrate=3538.3kbits/frame=  554 fps= 24 q=-1.0 size=   10146kB time=00:00:23.48 bitrate=3539.9kbits/frame=  568 fps= 24 q=-1.0 size=   10385kB time=00:00:24.04 bitrate=3538.7kbits/frame=  580 fps= 24 q=-1.0 size=   10663kB time=00:00:24.52 bitrate=3562.3kbits/frame=  592 fps= 24 q=-1.0 size=   10869kB time=00:00:25.00 bitrate=3561.4kbits/frame=  607 fps= 24 q=-1.0 size=   11134kB time=00:00:25.60 bitrate=3562.9kbits/frame=  618 fps= 24 q=-1.0 size=   11299kB time=00:00:26.04 bitrate=3554.7kbits/frame=  636 fps= 25 q=-1.0 size=   11506kB time=00:00:26.76 bitrate=3522.3kbits/frame=  648 fps= 25 q=-1.0 size=   11670kB time=00:00:27.24 bitrate=3509.4kbits/frame=  659 fps= 25 q=-1.0 size=   11912kB time=00:00:27.68 bitrate=3525.5kbits/frame=  671 fps= 24 q=-1.0 size=   12209kB time=00:00:28.16 bitrate=3551.8kbits/frame=  685 fps= 25 q=-1.0 size=   12509kB time=00:00:28.72 bitrate=3567.9kbits/frame=  701 fps= 25 q=-1.0 size=   12726kB time=00:00:29.36 bitrate=3550.7kbits/frame=  717 fps= 25 q=-1.0 size=   12910kB time=00:00:30.00 bitrate=3525.2kbits/frame=  717 fps= 24 q=-1.0 Lsize=   13067kB time=00:00:30.00 bitrate=3568.2kbits/s    
video:12303kB audio:690kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.571913%
==34163== 
==34163== HEAP SUMMARY:
==34163==     in use at exit: 80 bytes in 2 blocks
==34163==   total heap usage: 32,159 allocs, 32,157 frees, 194,097,256 bytes allocated
==34163== 
==34163== LEAK SUMMARY:
==34163==    definitely lost: 0 bytes in 0 blocks
==34163==    indirectly lost: 0 bytes in 0 blocks
==34163==      possibly lost: 0 bytes in 0 blocks
==34163==    still reachable: 80 bytes in 2 blocks
==34163==         suppressed: 0 bytes in 0 blocks
==34163== Rerun with --leak-check=full to see details of leaked memory
==34163== 
==34163== For counts of detected and suppressed errors, rerun with: -v
==34163== ERROR SUMMARY: 61 errors from 2 contexts (suppressed: 2 from 2)

Attachments (1)

dump2.pcap (586.1 KB) - added by lavv17 4 years ago.
pcap


Change History (10)

comment:1 Changed 4 years ago by cehoyos

  • Keywords mpegts added

How can I reproduce this crash?

Don't you agree that the valgrind output indicates a similarity to ticket #3713?

comment:2 Changed 4 years ago by lavv17

I am attaching a pcap file; I think it is possible to replay it to the network.

Yes, valgrind output looks similar.

Changed 4 years ago by lavv17

pcap

comment:3 in reply to: ↑ 2 Changed 4 years ago by cehoyos

Replying to lavv17:

I am attaching a pcap file; I think it is possible to replay it to the network.

Did you try? Does the pcap file allow reproducing the crash?

comment:4 Changed 4 years ago by lavv17

It looks like a problem with format auto-detection. s->priv_data is not correctly allocated at util.c:577 (with priv_data_size=5912, iformat=&ff_rtp_demuxer), but later it is assumed to be an MpegTSContext, and sizeof(MpegTSContext) = 73848, thus it overwrites memory past the allocated buffer.

When I run ffmpeg with explicit "-f mpegts" it correctly allocates priv_data_size=73848 and does not crash.

Last edited 4 years ago by lavv17

comment:5 Changed 4 years ago by cehoyos

Does it crash without -f mpegts?

comment:6 in reply to: ↑ 5 Changed 4 years ago by lavv17

Replying to cehoyos:

Does it crash without -f mpegts?

Yes it does.

comment:7 Changed 4 years ago by lavv17

write_section_data assumes s->priv_data to be an MpegTSContext. But s->iformat is still ff_rtp_demuxer, and s->priv_data is allocated as an RTSPState.

(gdb) fr 1
#1  0x00000000005589b4 in handle_packet (ts=ts@entry=0x7fd42c52bf80, 
    packet=packet@entry=0x7fd42c528168 "GWx\031") at libavformat/mpegts.c:2095
2095                    write_section_data(s, tss,
(gdb) p s->iformat 
$4 = (struct AVInputFormat *) 0x1191060 <ff_rtp_demuxer>

BTW, -f mpegts prevents the crash, but the resulting file is not correct, so it is not the solution.
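The mismatch lavv17 describes in comments 4 and 7, modelled in a small C program added here for illustration (it is not FFmpeg's code; the struct names, sizes and helper functions are hypothetical stand-ins): a context whose priv_data was allocated for the RTP demuxer must not be written as an MPEG-TS context, so the writer checks which demuxer owns the context before the cast and bounds the copy.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two demuxer states involved in the ticket.
 * Sizes are illustrative; the real ones on the page are 5912 and 73848 bytes. */
typedef struct RtpState  { char buf[64]; } RtpState;
typedef struct MpegTsCtx { char section_buf[4096]; size_t section_len; } MpegTsCtx;

typedef struct Demuxer { const char *name; size_t priv_data_size; } Demuxer;
static const Demuxer rtp_demuxer    = { "rtp",    sizeof(RtpState) };
static const Demuxer mpegts_demuxer = { "mpegts", sizeof(MpegTsCtx) };

/* Minimal format context: priv_data is sized for whichever demuxer opened it. */
typedef struct FormatCtx { const Demuxer *iformat; void *priv_data; } FormatCtx;

static int open_input(FormatCtx *s, const Demuxer *fmt) {
    s->iformat   = fmt;
    s->priv_data = calloc(1, fmt->priv_data_size);
    return s->priv_data ? 0 : -1;
}

/* Section writer with the guard the ticket implies: cast priv_data to
 * MpegTsCtx only when the context really belongs to the MPEG-TS demuxer,
 * and bound the copy to the buffer. Returns bytes stored, or -1 on refusal.
 * Without the first check, an RTP-opened context (64 bytes here) would be
 * written as if it were the 4 KiB MpegTsCtx: the heap overflow valgrind reports. */
static int write_section_checked(FormatCtx *s, const char *data, size_t len) {
    if (s->iformat != &mpegts_demuxer)
        return -1;                               /* wrong owner: type confusion */
    MpegTsCtx *ts = (MpegTsCtx *)s->priv_data;
    if (len > sizeof(ts->section_buf) - ts->section_len)
        return -1;                               /* would overrun section_buf */
    memcpy(ts->section_buf + ts->section_len, data, len);
    ts->section_len += len;
    return (int)len;
}

/* Opens a context with the given demuxer, feeds one section chunk, and
 * returns the writer's result (-2 if allocation failed). */
static int feed_section(const Demuxer *fmt, const char *data, size_t len) {
    FormatCtx s = { 0 };
    if (open_input(&s, fmt) < 0)
        return -2;
    int rc = write_section_checked(&s, data, len);
    free(s.priv_data);
    return rc;
}
```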

comment:8 Changed 4 years ago by cehoyos

  • Priority changed from normal to important

comment:9 Changed 4 years ago by cehoyos

  • Keywords crash SIGSEGV added
  • Resolution set to fixed
  • Status changed from new to closed

Fixed in 86359543
Thank you for the report and the fix!
