Opened 9 years ago

Closed 9 years ago

#4777 closed defect (fixed)

Double free for -reset_timestamps 1 -f segment

Reported by: tommes
Owned by:
Priority: important
Component: undetermined
Version: git-master
Keywords: crash regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
How to reproduce:

% There are two steps required to produce the crash with ffconcat in use.

Step1:
./ffmpeg -i anyMpeg4Movie.mp4 -an -f segment -segment_list_type ffconcat -segment_list out.txt -vcodec copy -reset_timestamps 1 -map 0:0 seg%1d.mp4

Step2:
./ffmpeg -isync -i out.txt -s 640x480 -vcodec libx264 -preset fast -b:v 1300k -g 25 -map 0:v -f segment -segment_list_type ffconcat -segment_list out2.txt newSeg%1d.mp4

Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> h264 (libx264))
Press [q] to stop, [?] for help
ffmpeg(51439,0x7fff78860300) malloc: *** error for object 0x7fde79602d60: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

ffmpeg version ffmpeg version N-74447-g767d780 
built on 16. August 2015

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

Change History (4)

comment:1 by tommes, 9 years ago

I figured out that the malloc error only occurs when I use -reset_timestamps a second time.

Step1:
./ffmpeg -i anyMpeg4Movie.mp4 -an -f segment -segment_list_type ffconcat -segment_list out.txt -vcodec copy -reset_timestamps 1 -map 0:0 seg%1d.mp4

Step2:
./ffmpeg -isync -i out.txt -s 640x480 -vcodec libx264 -preset fast -b:v 1300k -g 25 -map 0:v -reset_timestamps 1 -f segment -segment_list_type ffconcat -segment_list out2.txt newSeg%1d.mp4

comment:2 by Carl Eugen Hoyos, 9 years ago

Component: ffmpeg → undetermined
Keywords: crash added
Priority: normal → important
Reproduced by developer: unset

Is the issue only reproducible with -vcodec libx264 or also with -vcodec mpeg4?
To make this a valid ticket, please provide the command line that crashes together with the complete, uncut console output and backtrace etc. as explained on https://ffmpeg.org/bugreports.html

comment:3 by Carl Eugen Hoyos, 9 years ago

Keywords: regression added
Reproduced by developer: set
Status: new → open
Summary: FFMPEG Malloc crash, all versions OS X,lnx, windows → Double free for -reset_timestamps 1 -f segment

Regression since e5bae39f46e55843c025d280ed5441e358e59f2e

$ valgrind ./ffmpeg_g -i fate-suite/lena.pnm -reset_timestamps 1 -f segment out%1d.avi
==21072== Memcheck, a memory error detector
==21072== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==21072== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==21072== Command: ./ffmpeg_g -i fate-suite/lena.pnm -reset_timestamps 1 -f segment out%1d.avi
==21072==
ffmpeg version N-74483-gb807f7e Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      54. 30.100 / 54. 30.100
  libavcodec     56. 57.100 / 56. 57.100
  libavformat    56. 40.101 / 56. 40.101
  libavdevice    56.  4.100 / 56.  4.100
  libavfilter     5. 34.100 /  5. 34.100
  libswscale      3.  1.101 /  3.  1.101
  libswresample   1.  2.101 /  1.  2.101
  libpostproc    53.  3.100 / 53.  3.100
Input #0, image2, from 'fate-suite/lena.pnm':
  Duration: 00:00:00.04, start: 0.000000, bitrate: 39333 kb/s
    Stream #0:0: Video: ppm, rgb24, 256x256, 25 tbr, 25 tbn, 25 tbc
==21072== Invalid read of size 8
==21072==    at 0x777A59F: __GI___strncasecmp_l (in /lib64/libc-2.15.so)
==21072==    by 0x772E8A5: ____strtod_l_internal (in /lib64/libc-2.15.so)
==21072==    by 0xF78FCE: av_strtod (eval.c:100)
==21072==    by 0xF79814: parse_primary (eval.c:333)
==21072==    by 0xF7A2C0: parse_factor (eval.c:493)
==21072==    by 0xF7A4BB: parse_term (eval.c:542)
==21072==    by 0xF7955E: parse_expr (eval.c:566)
==21072==    by 0xF7A6C5: av_expr_parse (eval.c:684)
==21072==    by 0xF7A893: av_expr_parse_and_eval (eval.c:725)
==21072==    by 0x5167CE: config_props (vf_scale.c:267)
==21072==    by 0x4A5B80: avfilter_config_links (avfilter.c:262)
==21072==    by 0x4A5B63: avfilter_config_links (avfilter.c:251)
==21072==  Address 0xb814fc0 is 0 bytes inside a block of size 3 alloc'd
==21072==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0xF82B09: av_malloc (mem.c:97)
==21072==    by 0xF7A608: av_expr_parse (eval.c:661)
==21072==    by 0xF7A893: av_expr_parse_and_eval (eval.c:725)
==21072==    by 0x5167CE: config_props (vf_scale.c:267)
==21072==    by 0x4A5B80: avfilter_config_links (avfilter.c:262)
==21072==    by 0x4A5B63: avfilter_config_links (avfilter.c:251)
==21072==    by 0x4A9FE6: avfilter_graph_config (avfiltergraph.c:275)
==21072==    by 0x486CD4: configure_filtergraph (ffmpeg_filter.c:1042)
==21072==    by 0x48C25A: transcode_init (ffmpeg.c:2996)
==21072==    by 0x491E05: transcode (ffmpeg.c:3928)
==21072==
==21072== Invalid read of size 8
==21072==    at 0x777A5A7: __GI___strncasecmp_l (in /lib64/libc-2.15.so)
==21072==    by 0x772E8A5: ____strtod_l_internal (in /lib64/libc-2.15.so)
==21072==    by 0xF78FCE: av_strtod (eval.c:100)
==21072==    by 0xF79814: parse_primary (eval.c:333)
==21072==    by 0xF7A2C0: parse_factor (eval.c:493)
==21072==    by 0xF7A4BB: parse_term (eval.c:542)
==21072==    by 0xF7955E: parse_expr (eval.c:566)
==21072==    by 0xF7A6C5: av_expr_parse (eval.c:684)
==21072==    by 0xF7A893: av_expr_parse_and_eval (eval.c:725)
==21072==    by 0x5167CE: config_props (vf_scale.c:267)
==21072==    by 0x4A5B80: avfilter_config_links (avfilter.c:262)
==21072==    by 0x4A5B63: avfilter_config_links (avfilter.c:251)
==21072==  Address 0xb814fc8 is 5 bytes after a block of size 3 alloc'd
==21072==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0xF82B09: av_malloc (mem.c:97)
==21072==    by 0xF7A608: av_expr_parse (eval.c:661)
==21072==    by 0xF7A893: av_expr_parse_and_eval (eval.c:725)
==21072==    by 0x5167CE: config_props (vf_scale.c:267)
==21072==    by 0x4A5B80: avfilter_config_links (avfilter.c:262)
==21072==    by 0x4A5B63: avfilter_config_links (avfilter.c:251)
==21072==    by 0x4A9FE6: avfilter_graph_config (avfiltergraph.c:275)
==21072==    by 0x486CD4: configure_filtergraph (ffmpeg_filter.c:1042)
==21072==    by 0x48C25A: transcode_init (ffmpeg.c:2996)
==21072==    by 0x491E05: transcode (ffmpeg.c:3928)
==21072==
Output #0, segment, to 'out%1d.avi':
  Metadata:
    encoder         : Lavf56.40.101
    Stream #0:0: Video: mpeg4, yuv420p, 256x256, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc56.57.100 mpeg4
Stream mapping:
  Stream #0:0 -> #0:0 (ppm (native) -> mpeg4 (native))
Press [q] to stop, [?] for help
==21072== Invalid read of size 8
==21072==    at 0xF82D23: av_freep (mem.c:247)
==21072==    by 0x6BC9A3: av_free_packet (avpacket.c:275)
==21072==    by 0x605869: av_interleaved_write_frame (mux.c:955)
==21072==    by 0x48D101: write_frame (ffmpeg.c:781)
==21072==    by 0x48E3D2: do_video_out (ffmpeg.c:1220)
==21072==    by 0x48F5D6: reap_filters (ffmpeg.c:1383)
==21072==    by 0x4927FD: transcode (ffmpeg.c:3914)
==21072==    by 0x475DBA: main (ffmpeg.c:4140)
==21072==  Address 0xb83bdf0 is 0 bytes inside a block of size 16 free'd
==21072==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0x6BC9B4: av_free_packet (avpacket.c:276)
==21072==    by 0x605869: av_interleaved_write_frame (mux.c:955)
==21072==    by 0x605E44: ff_write_chained (mux.c:1043)
==21072==    by 0x65B596: seg_write_packet (segment.c:836)
==21072==    by 0x6042BC: write_packet (mux.c:641)
==21072==    by 0x60591D: av_interleaved_write_frame (mux.c:951)
==21072==    by 0x48D101: write_frame (ffmpeg.c:781)
==21072==    by 0x48E3D2: do_video_out (ffmpeg.c:1220)
==21072==    by 0x48F5D6: reap_filters (ffmpeg.c:1383)
==21072==    by 0x4927FD: transcode (ffmpeg.c:3914)
==21072==    by 0x475DBA: main (ffmpeg.c:4140)
==21072==
==21072== Invalid write of size 8
==21072==    at 0xF82D26: av_freep (mem.c:248)
==21072==    by 0x6BC9A3: av_free_packet (avpacket.c:275)
==21072==    by 0x605869: av_interleaved_write_frame (mux.c:955)
==21072==    by 0x48D101: write_frame (ffmpeg.c:781)
==21072==    by 0x48E3D2: do_video_out (ffmpeg.c:1220)
==21072==    by 0x48F5D6: reap_filters (ffmpeg.c:1383)
==21072==    by 0x4927FD: transcode (ffmpeg.c:3914)
==21072==    by 0x475DBA: main (ffmpeg.c:4140)
==21072==  Address 0xb83bdf0 is 0 bytes inside a block of size 16 free'd
==21072==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0x6BC9B4: av_free_packet (avpacket.c:276)
==21072==    by 0x605869: av_interleaved_write_frame (mux.c:955)
==21072==    by 0x605E44: ff_write_chained (mux.c:1043)
==21072==    by 0x65B596: seg_write_packet (segment.c:836)
==21072==    by 0x6042BC: write_packet (mux.c:641)
==21072==    by 0x60591D: av_interleaved_write_frame (mux.c:951)
==21072==    by 0x48D101: write_frame (ffmpeg.c:781)
==21072==    by 0x48E3D2: do_video_out (ffmpeg.c:1220)
==21072==    by 0x48F5D6: reap_filters (ffmpeg.c:1383)
==21072==    by 0x4927FD: transcode (ffmpeg.c:3914)
==21072==    by 0x475DBA: main (ffmpeg.c:4140)
==21072==
==21072== Invalid free() / delete / delete[] / realloc()
==21072==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0x6BC9B4: av_free_packet (avpacket.c:276)
==21072==    by 0x605869: av_interleaved_write_frame (mux.c:955)
==21072==    by 0x48D101: write_frame (ffmpeg.c:781)
==21072==    by 0x48E3D2: do_video_out (ffmpeg.c:1220)
==21072==    by 0x48F5D6: reap_filters (ffmpeg.c:1383)
==21072==    by 0x4927FD: transcode (ffmpeg.c:3914)
==21072==    by 0x475DBA: main (ffmpeg.c:4140)
==21072==  Address 0xb83bdf0 is 0 bytes inside a block of size 16 free'd
==21072==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21072==    by 0x6BC9B4: av_free_packet (avpacket.c:276)
==21072==    by 0x605869: av_interleaved_write_frame (mux.c:955)
==21072==    by 0x605E44: ff_write_chained (mux.c:1043)
==21072==    by 0x65B596: seg_write_packet (segment.c:836)
==21072==    by 0x6042BC: write_packet (mux.c:641)
==21072==    by 0x60591D: av_interleaved_write_frame (mux.c:951)
==21072==    by 0x48D101: write_frame (ffmpeg.c:781)
==21072==    by 0x48E3D2: do_video_out (ffmpeg.c:1220)
==21072==    by 0x48F5D6: reap_filters (ffmpeg.c:1383)
==21072==    by 0x4927FD: transcode (ffmpeg.c:3914)
==21072==    by 0x475DBA: main (ffmpeg.c:4140)
==21072==
frame=    1 fps=0.0 q=3.8 Lsize=N/A time=00:00:00.04 bitrate=N/A
video:11kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
==21072==
==21072== HEAP SUMMARY:
==21072==     in use at exit: 97 bytes in 3 blocks
==21072==   total heap usage: 2,019 allocs, 2,017 frees, 4,749,723 bytes allocated
==21072==
==21072== LEAK SUMMARY:
==21072==    definitely lost: 9 bytes in 1 blocks
==21072==    indirectly lost: 0 bytes in 0 blocks
==21072==      possibly lost: 0 bytes in 0 blocks
==21072==    still reachable: 88 bytes in 2 blocks
==21072==         suppressed: 0 bytes in 0 blocks
==21072== Rerun with --leak-check=full to see details of leaked memory
==21072==
==21072== For counts of detected and suppressed errors, rerun with: -v
==21072== ERROR SUMMARY: 9 errors from 5 contexts (suppressed: 2 from 2)
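
Added example, not part of the ticket and not FFmpeg code: a small C model of the ownership pattern the Valgrind trace in comment 3 points to, where the packet already freed by the inner av_interleaved_write_frame (reached through ff_write_chained) is freed again by the outer call. It assumes the chained write hands the inner muxer a shallow copy of the packet; Packet, SideData, tracked_free, chained_write, outer_write and the copy_back remedy are hypothetical names, and the remedy is not necessarily the change that closed this ticket.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not FFmpeg code. The SideData array stands in for
 * the "block of size 16" that Valgrind reports as freed twice. */
typedef struct { unsigned char *data; int size, type; } SideData;
typedef struct { SideData *side_data; int side_data_elems; } Packet;

static void *released[8];          /* blocks already passed to tracked_free */
static int n_released, invalid_frees;
/* Counts a repeated free of one block instead of performing it, so the
 * model itself never executes undefined behaviour. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { invalid_frees++; return; }
    released[n_released++] = p;
}
static void reset_tracker(void) {    /* really release, then start over */
    while (n_released > 0) free(released[--n_released]);
    invalid_frees = 0;
}
static void packet_free(Packet *pkt) {   /* role of av_free_packet */
    tracked_free(pkt->side_data);
    pkt->side_data = NULL;               /* clears this struct only */
    pkt->side_data_elems = 0;
}
/* Role of ff_write_chained (assumed): inner muxer consumes a shallow copy. */
static void chained_write(Packet *pkt, int copy_back) {
    Packet local = *pkt;                 /* shares the side_data pointer */
    packet_free(&local);                 /* inner write frees the packet */
    if (copy_back) {                     /* hand cleared fields to caller */
        pkt->side_data = local.side_data;
        pkt->side_data_elems = local.side_data_elems;
    }
}
/* Role of the outer av_interleaved_write_frame; returns invalid frees seen. */
static int outer_write(int copy_back) {
    reset_tracker();
    Packet pkt = { calloc(1, sizeof(SideData)), 1 };
    if (!pkt.side_data) return -1;       /* allocation failed */
    chained_write(&pkt, copy_back);
    packet_free(&pkt);                   /* second free if pointer is stale */
    return invalid_frees;
}
int main(void) {
    printf("shallow copy: %d, copied back: %d\n", outer_write(0), outer_write(1));
    reset_tracker();
}
```

The stale pointer in the caller's struct is what turns the outer cleanup into the "Invalid free()" context above: clearing a field on the local copy does nothing for the original.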

comment:4 by Michael Niedermayer, 9 years ago

Resolution: fixed
Status: open → closed