Opened 9 years ago

Closed 9 years ago

#4440 closed defect (fixed)

h264 fuzz segfault

Reported by: Kieran Kunhya
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: h264 crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description (last modified by Carl Eugen Hoyos)

Script started on Mon 06 Apr 2015 09:02:39 PM CDT
kierank@obe2:~/ffmpeg$ -thread_type slice -threads 0 -i out.264 -f null -^C
kierank@obe2:~/ffmpeg$ gdb ./ffmpeg_g
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg_g...done.
(gdb) run -thread_type slice -threads 0 -i fuzz.264 -f null -
Starting program: /home/kierank/ffmpeg/ffmpeg_g -thread_type slice -threads 0 -i fuzz.264 -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-71320-gc4b2017 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.8.0 (GCC)
  configuration: --disable-optimizations --disable-stripping --disable-everything --enable-protocol=file --enable-decoder=h264 --enable-demuxer=h264 --enable-encoder=rawvideo --enable-muxer=null --enable-parser=h264
  libavutil      54. 22.100 / 54. 22.100
  libavcodec     56. 34.100 / 56. 34.100
  libavformat    56. 29.100 / 56. 29.100
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5. 13.101 /  5. 13.101
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  1.100 /  1.  1.100
[h264 @ 0xac0b60] non-existing PPS 0 referenced
    Last message repeated 1 times
    Last message repeated 1 times
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] no frame!
[h264 @ 0xac0b60] non-existing PPS 0 referenced
    Last message repeated 1 times
    Last message repeated 1 times
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] no frame!
[h264 @ 0xac0b60] SEI type 1 size 24 truncated at 16
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] SEI type 1 size 24 truncated at 8
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] no frame!
[h264 @ 0xac0b60] non-existing PPS 2 referenced
    Last message repeated 1 times
    Last message repeated 1 times
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] no frame!
[h264 @ 0xac0b60] non-existing PPS 0 referenced
    Last message repeated 1 times
    Last message repeated 1 times
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] no frame!
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] SEI type 1 size 8 truncated at 6
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] non-existing PPS 0 referenced
[h264 @ 0xac0b60] decode_slice_header error
[h264 @ 0xac0b60] no frame!
[h264 @ 0xac0b60] left block unavailable for requested intra4x4 mode -1 at 0 1
[h264 @ 0xac0b60] error while decoding MB 0 0, bytestream 15666
[h264 @ 0xac0b60] left block unavailable for requested intra4x4 mode -1 at 0 5
[h264 @ 0xac0b60] error while decoding MB 0 4, bytestream 29155
[h264 @ 0xac0b60] left block unavailable for requested intra4x4 mode -1 at 0 11
[h264 @ 0xac0b60] error while decoding MB 0 10, bytestream 17353
[h264 @ 0xac0b60] left block unavailable for requested intra4x4 mode -1 at 0 15
[h264 @ 0xac0b60] error while decoding MB 0 14, bytestream 15471
[h264 @ 0xac0b60] concealing 396 DC, 396 AC, 396 MV errors in I frame
[h264 @ 0xac0b60] non-existing PPS 5 referenced
[h264 @ 0xac0b60] SEI type 10 size 1016 truncated at 848
[h264 @ 0xac0b60] SEI type 144 size 1008 truncated at 856
[h264 @ 0xac0b60] non-existing PPS 2 referenced
[h264 @ 0xac0b60] Overread VUI by 8 bits
[h264 @ 0xac0b60] non-existing SPS 5 referenced in buffering period
[h264 @ 0xac0b60] illegal aspect ratio
[h264 @ 0xac0b60] non-existing PPS 2 referenced
[h264 @ 0xac0b60] log2_max_frame_num_minus4 out of range (0-12): 426
[h264 @ 0xac0b60] non-existing SPS 32 referenced in buffering period
[h264 @ 0xac0b60] SEI type 146 size 1848 truncated at 168
[h264 @ 0xac0b60] SEI type 1 size 1032 truncated at 16
[h264 @ 0xac0200] Stream #0: not enough frames to estimate rate; consider increasing probesize
Input #0, h264, from 'fuzz.264':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h264 (High 4:2:2), yuv422p, 352x288 [SAR 128:117 DAR 1408:1053], 29.75 fps, 30 tbr, 1200k tbn, 60 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.29.100
    Stream #0:0: Video: rawvideo (Y42B / 0x42323459), yuv422p, 352x288 [SAR 128:117 DAR 1408:1053], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc
    Metadata:
      encoder         : Lavc56.34.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> rawvideo (native))
Press [q] to stop, [?] for help
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] no frame!
Error while decoding stream #0:0: Invalid data found when processing input
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] no frame!
Error while decoding stream #0:0: Invalid data found when processing input
[h264 @ 0xb034e0] SEI type 1 size 24 truncated at 8
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] no frame!
Error while decoding stream #0:0: Invalid data found when processing input
[h264 @ 0xb034e0] non-existing PPS 2 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] no frame!
Error while decoding stream #0:0: Invalid data found when processing input
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] no frame!
Error while decoding stream #0:0: Invalid data found when processing input
[h264 @ 0xb034e0] SEI type 1 size 8 truncated at 6
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] non-existing PPS 0 referenced
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] no frame!
Error while decoding stream #0:0: Invalid data found when processing input
[h264 @ 0xb034e0] left block unavailable for requested intra4x4 mode -1 at 0 1
[h264 @ 0xb034e0] error while decoding MB 0 0, bytestream 15666
[h264 @ 0xb034e0] left block unavailable for requested intra4x4 mode -1 at 0 5
[h264 @ 0xb034e0] error while decoding MB 0 4, bytestream 29155
[h264 @ 0xb034e0] left block unavailable for requested intra4x4 mode -1 at 0 11
[h264 @ 0xb034e0] error while decoding MB 0 10, bytestream 17353
[h264 @ 0xb034e0] left block unavailable for requested intra4x4 mode -1 at 0 15
[h264 @ 0xb034e0] error while decoding MB 0 14, bytestream 15471
[h264 @ 0xb034e0] Missing reference picture, default is 65536
[h264 @ 0xb034e0] Changing field mode (1 -> 1) between slices is not allowed
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] Changing field mode (1 -> 1) between slices is not allowed
[h264 @ 0xb034e0] decode_slice_header error
[h264 @ 0xb034e0] Changing field mode (1 -> 1) between slices is not allowed
[h264 @ 0xb034e0] decode_slice_header error
[New Thread 0x7fffee8d1700 (LWP 5566)]
[New Thread 0x7fffef0d2700 (LWP 5565)]
[New Thread 0x7fffef8d3700 (LWP 5564)]
[New Thread 0x7ffff00d4700 (LWP 5563)]
[New Thread 0x7ffff08d5700 (LWP 5562)]
[New Thread 0x7ffff10d6700 (LWP 5561)]
[New Thread 0x7ffff18d7700 (LWP 5560)]
[New Thread 0x7ffff20d8700 (LWP 5559)]
[New Thread 0x7ffff28d9700 (LWP 5558)]
[New Thread 0x7ffff30da700 (LWP 5557)]
[New Thread 0x7ffff38db700 (LWP 5556)]
[New Thread 0x7ffff40dc700 (LWP 5555)]
[New Thread 0x7ffff48dd700 (LWP 5554)]
[New Thread 0x7ffff50de700 (LWP 5553)]
[New Thread 0x7ffff58df700 (LWP 5552)]
[New Thread 0x7ffff60e0700 (LWP 5551)]
[New Thread 0x7ffff68e1700 (LWP 5550)]
[New Thread 0x7ffff70e2700 (LWP 5549)]

Program received signal SIGSEGV, Segmentation fault.
ff_put_h264_qpel16_h_lowpass_l2_ssse3.loop () at libavcodec/x86/h264_qpel_8bit.asm:860
860	QPEL16_H_LOWPASS_L2_OP put
(gdb) bt all
No symbol "all" in current context.
(gdb) bt full
#0  ff_put_h264_qpel16_h_lowpass_l2_ssse3.loop () at libavcodec/x86/h264_qpel_8bit.asm:860
No locals.
#1  0x00000000005fb7ae in put_h264_qpel16_mc30_ssse3 (dst=0xb8b0b0 "", src=0xf <error: Cannot access memory at address 0xf>, stride=768)
    at libavcodec/x86/h264_qpel.c:405
No locals.
#2  0x0000000000502114 in mc_dir_part (chroma_idc=2, pixel_shift=0, chroma_op=0x664260 <ff_put_h264_chroma_mc8_rnd_ssse3>, qpix_op=0xb5d830, src_y_offset=0, 
    src_x_offset=8, dest_cr=0xba6408 "", dest_cb=0xb4a368 "", dest_y=0xb8b0b0 "", list=0, delta=0, height=16, square=1, n=0, pic=0x7fffedf3f228, sl=0x7fffedf39040, 
    h=0xb5d6c0) at libavcodec/h264_mb.c:249
        my = 0
        emu = 0
        pic_width = 352
        pic_height = 144
        src_y = 0xf <error: Cannot access memory at address 0xf>
        ysh = 2
        luma_xy = 3
        src_cb = 0xbc2c86 '\200' <repeats 170 times>
        src_cr = 0xaf0ca6 '\200' <repeats 170 times>
        extra_width = -3
        extra_height = 0
        full_mx = 15
        mx = 63
        offset = 15
        full_my = 0
#3  mc_part_std (chroma_idc=2, pixel_shift=0, list1=0, list0=4096, chroma_avg=0x664700 <ff_avg_h264_chroma_mc8_rnd_ssse3>, qpix_avg=0xb5da30, 
    chroma_put=0x664260 <ff_put_h264_chroma_mc8_rnd_ssse3>, qpix_put=0xb5d830, y_offset=0, x_offset=8, dest_cr=0xba6408 "", dest_cb=0xb4a368 "", dest_y=0xb8b0b0 "", 
    delta=0, height=16, square=1, n=0, sl=0x7fffedf39040, h=0xb5d6c0) at libavcodec/h264_mb.c:353
        ref = 0x7fffedf3f228
        qpix_op = 0xb5d830
        chroma_op = 0x664260 <ff_put_h264_chroma_mc8_rnd_ssse3>
#4  mc_part_422_complex (h=0xb5d6c0, sl=0x7fffedf39040, n=0, square=1, height=16, delta=0, dest_y=0xb8b0b0 "", dest_cb=0xb4a368 "", dest_cr=0xba6408 "", x_offset=0, 
    y_offset=0, qpix_put=0xb5d830, chroma_put=0x664260 <ff_put_h264_chroma_mc8_rnd_ssse3>, qpix_avg=0xb5da30, chroma_avg=0x664700 <ff_avg_h264_chroma_mc8_rnd_ssse3>, 
    weight_op=0xb5d6e0, weight_avg=0xb5d700, list0=4096, list1=0) at libavcodec/h264_mc_template.c:59
No locals.
#5  0x0000000000503976 in hl_motion_422_complex (h=0xb5d6c0, sl=0x7fffedf39040, dest_y=0xb8b0b0 "", dest_cb=0xb4a368 "", dest_cr=0xba6408 "", qpix_put=0xb5d830, 
    chroma_put=0xb5d7f0, qpix_avg=0xb5da30, chroma_avg=0xb5d810, weight_op=0xb5d6e0, weight_avg=0xb5d700) at libavcodec/h264_mc_template.c:84
        mb_xy = 1
        mb_type = 4232
#6  0x000000000050b0cb in hl_decode_mb_complex (h=0xb5d6c0, sl=0x7fffedf39040) at libavcodec/h264_mb_template.c:176
        mb_x = 1
        mb_y = 0
        mb_xy = 1
        mb_type = 4232
        dest_y = 0xb8b0b0 ""
        dest_cb = 0xb4a368 ""
        dest_cr = 0xba6408 ""
        linesize = 768
        uvlinesize = 384
        i = 0
        j = 12095696
        block_offset = 0xb5f200
        transform_bypass = 0
        is_h264 = 1
        idct_add = 0x600000001
        block_h = 16
        chroma422 = 1
#7  0x000000000051841d in ff_h264_hl_decode_mb (h=0xb5d6c0, sl=0x7fffedf39040) at libavcodec/h264_mb.c:831
        mb_xy = 1
        mb_type = 4232
        is_complex = 1
#8  0x000000000053adbb in decode_slice (avctx=0xb034e0, arg=0x7fffedf39040) at libavcodec/h264_slice.c:2366
        ret = 0
        eos = 0
        sl = 0x7fffedf39040
        h = 0xb5d6c0
        lf_x_start = 0
        ret = 0
#9  0x000000000053b747 in ff_h264_execute_decode_slices (h=0xb5d6c0, context_count=1) at libavcodec/h264_slice.c:2528
        ret = 0
        avctx = 0xb034e0
        sl = 0x114ea00000000
        i = 0
#10 0x00000000004a6da7 in decode_nal_units (h=0xb5d6c0, buf=0xbd1d80 "", buf_size=70890, parse_extradata=0) at libavcodec/h264.c:1692
        avctx = 0xb034e0
        sl = 0x7fffedf45bd0
        buf_index = 70890
        context_count = 1
        next_avc = 70890
        nals_needed = 0
        nal_index = 5
        idr_cleared = 0
        ret = 0
#11 0x00000000004a74a0 in h264_decode_frame (avctx=0xb034e0, data=0xaac8c0, got_frame=0x7fffffffd94c, avpkt=0x7fffffffd650) at libavcodec/h264.c:1829
        buf = 0xbd1d80 ""
        buf_size = 70890
        h = 0xb5d6c0
        pict = 0xaac8c0
        buf_index = 0
        out = 0xb034e0
        i = 0
        out_idx = 11192512
        ret = 11547872
#12 0x00000000005eaf29 in avcodec_decode_video2 (avctx=0xb034e0, picture=0xaac8c0, got_picture_ptr=0x7fffffffd94c, avpkt=0x7fffffffd8e0) at libavcodec/utils.c:2376
        did_split = 0
        avci = 0xaad560
        ret = 0
        tmp = {buf = 0xbc1480, pts = -9223372036854775808, dts = 111329, data = 0xbd1d80 "", size = 70890, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 40000, destruct = 0x498882 <dummy_destruct_packet>, priv = 0x0, pos = 444136, convergence_duration = 0}
#13 0x000000000041fa91 in decode_video (ist=0xd465a0, pkt=0x7fffffffd8e0, got_output=0x7fffffffd94c) at ffmpeg.c:1978
        decoded_frame = 0xaac8c0
        f = 0xf4240
        i = 0
        ret = 0
        err = 0
        resample_changed = 1000000
        best_effort_timestamp = 21474836480
        frame_sample_aspect = 0x7c87b5 <av_rescale_q_rnd+84>
#14 0x0000000000420b1a in process_input_packet (ist=0xd465a0, pkt=0x7fffffffda50) at ffmpeg.c:2226
        duration = 0
        ret = 0
        i = 11466528
        got_output = 0
        avpkt = {buf = 0xbc1480, pts = -9223372036854775808, dts = 111329, data = 0xbd1d80 "", size = 70890, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 40000, destruct = 0x498882 <dummy_destruct_packet>, priv = 0x0, pos = 444136, convergence_duration = 0}
#15 0x0000000000426dab in process_input (file_index=0) at ffmpeg.c:3735
        ifile = 0xaef720
        is = 0xac0200
        ist = 0xd465a0
        pkt = {buf = 0xbc1480, pts = -9223372036854775808, dts = -9223372036854775808, data = 0xbd1d80 "", size = 70890, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 40000, destruct = 0x498882 <dummy_destruct_packet>, priv = 0x0, pos = 444136, convergence_duration = 0}
        ret = 0
        i = 0
        j = 13916960
#16 0x0000000000427121 in transcode_step () at ffmpeg.c:3829
        ost = 0xd462a0
        ist = 0xd465a0
        ret = 0
#17 0x000000000042723c in transcode () at ffmpeg.c:3882
        cur_time = 206267879
        ret = 0
        i = 305
        os = 0x0
        ost = 0x0
        ist = 0x0
        timer_start = 206266827
#18 0x000000000042775c in main (argc=10, argv=0x7fffffffe0c8) at ffmpeg.c:4064
        ret = 0
        ti = 20001
(gdb) info all-registers
rax            0xb8b0b0	12103856
rbx            0xb5d6e0	11917024
rcx            0x300	768
rdx            0x10	16
rsi            0xf	15
rdi            0xb8b0b0	12103856
rbp            0x7fffffffc240	0x7fffffffc240
rsp            0x7fffffffc218	0x7fffffffc218
r8             0x300	768
r9             0x10	16
r10            0xb5d7f0	11917296
r11            0xb5d810	11917328
r12            0xb5d700	11917056
r13            0x7fffffffe0c0	140737488347328
r14            0x0	0
r15            0x0	0
rip            0x605815	0x605815 <ff_put_h264_qpel16_h_lowpass_l2_ssse3.loop>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            -inf	(raw 0xffff0000000000000000)
st1            -nan(0x000008080)	(raw 0xffff0000000000008080)
st2            -nan(0x80008000800080)	(raw 0xffff0080008000800080)
st3            -nan(0x080808080)	(raw 0xffff0000000080808080)
st4            -nan(0x80008000800080)	(raw 0xffff0080008000800080)
st5            -nan(0x4000000040)	(raw 0xffff0000004000000040)
st6            -inf	(raw 0xffff0000000000000000)
st7            -inf	(raw 0xffff0000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xaaaa	43690
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
mxcsr          0x1fa8	[ OE PE IM DM ZM OM UM PM ]
(gdb) quit
A debugging session is active.

	Inferior 1 [process 5545] will be killed.

Quit anyway? (y or n) y
kierank@obe2:~/ffmpeg$ exit

Script done on Mon 06 Apr 2015 09:03:03 PM CDT

http://obe.tv/Downloads/ffmpeg/fuzz8.264

Attachments (1)

fuzz8_cut.264 (2.4 MB) - added by Carl Eugen Hoyos 9 years ago.

Change History (3)

by Carl Eugen Hoyos, 9 years ago

Attachment: fuzz8_cut.264 added

comment:1 by Carl Eugen Hoyos, 9 years ago

Description: modified (diff)
Keywords: h264 crash SIGSEGV regression added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

Regression since 87e46dd5 / 0652e024

comment:2 by Carl Eugen Hoyos, 9 years ago

Resolution: fixed
Status: open → closed