Opened 12 months ago

Last modified 12 months ago

#5970 new defect

No valid multicast port obtained from RTSP

Reported by: ioeir2 Owned by:
Priority: important Component: undetermined
Version: unspecified Keywords: rtsp crash
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
Cannot get multicast RTSP stream from camera via ffmpeg/ffplay. ffmpeg/ffplay tries to connect to UDP port 0 instead of 40000.

It sends in SETUP:
Transport: RTP/AVP/UDP;multicast
But should something like
Transport: RTP/AVP;multicast;destination=224.1.2.4;port=40000-40001

How to reproduce:
IP camera: Amcrest IPM-HX1, sw. version 2.420.AC00.15.R, build : 2016-09-08. Very popular at the moment IP camera.

./ffplay-3.2 -rtsp_transport udp_multicast 'rtsp://admin:password@10.0.1.20/cam/realmonitor?channel=1&subtype=0&proto=Dahua3&unicast=false'
ffplay version 3.2 Copyright (c) 2003-2016 the FFmpeg developers
  built with Apple LLVM version 8.0.0 (clang-800.0.42.1)
  configuration: 
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.100 / 57. 64.100
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100
[udp @ 0x7fb20bc9d500] bind failed: Permission denied    0B f=0/0   
[udp @ 0x7fb20bc9b1a0] bind failed: Permission denied
[udp @ 0x7fb20bc9b220] bind failed: Permission denied
Segmentation fault: 11

Attachments (3)

browser_rtsp_port_multicat_success.pcapng (234.1 KB) - added by ioeir2 12 months ago.
ffplay_rtsp_port_multicast_failed.pcapng (5.1 KB) - added by ioeir2 12 months ago.
RTSP stream via ffplay
amcrest_hx1_multicast_settings.png (347.8 KB) - added by ioeir2 12 months ago.
Amcrest IPM-HX1 multicast settings

Download all attachments as: .zip

Change History (12)

Changed 12 months ago by ioeir2

Changed 12 months ago by ioeir2

RTSP stream via ffplay

Changed 12 months ago by ioeir2

Amcrest IPM-HX1 multicast settings

comment:1 Changed 12 months ago by ioeir2

  • Keywords rtsp multicast added

comment:2 Changed 12 months ago by cehoyos

  • Keywords crash added; multicast removed
  • Priority changed from normal to important

Is the issue reproducible with current FFmpeg?
Please provide backtrace, disassembly and register dump as explained on https://ffmpeg.org/bugreports.html

comment:3 Changed 12 months ago by ioeir2

Yes, the issue is reproducible on the latest master ffmpeg.

The problem is that ffmpeg/ffplay incorrectly obtains port for udp multicast from SDP. Actually it cannot obtain it all and uses port 0, which causes the crash.

comment:4 Changed 12 months ago by ioeir2

Yes, the issue is reproducible on the latest master ffmpeg.
The problem is that ffmpeg/ffplay incorrectly obtains port for udp multicast from SDP. Actually it cannot obtain it all and uses port 0, which causes the crash.

comment:5 Changed 12 months ago by cehoyos

Please provide backtrace, disassembly and register dump as explained on https://ffmpeg.org/bugreports.html

comment:6 follow-up: Changed 12 months ago by ioeir2

I was not able to make gdb debugging on Mac OS Sierra due to some gdb signing issues.

I recompiled ffplay on Ubuntu and reproduced the problem. On Linux crash happens only if the ffplay is running as regular user. There is no crash if it is running via sudo.

On Mac OS crash happens all the time regardless sudo or regular user used.

(gdb) run
Starting program: /home/user/1/ffplay_g -rtsp_transport udp_multicast rtsp://admin:password@10.0.1.150/cam/realmonitor\?channel=1\&subtype=0\&proto=Dahua3\&unicast=false
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffplay version N-82572-gac206bb Copyright (c) 2003-2016 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
  configuration: 
  libavutil      55. 40.100 / 55. 40.100
  libavcodec     57. 66.105 / 57. 66.105
  libavformat    57. 58.100 / 57. 58.100
  libavdevice    57.  2.100 / 57.  2.100
  libavfilter     6. 67.100 /  6. 67.100
  libswscale      4.  3.101 /  4.  3.101
  libswresample   2.  4.100 /  2.  4.100
[New Thread 0x7ffff0f96700 (LWP 21439)]
[New Thread 0x7fffeef91700 (LWP 21440)]
[New Thread 0x7fffee790700 (LWP 21441)]
[Thread 0x7fffeef91700 (LWP 21440) exited]
[New Thread 0x7fffeef91700 (LWP 21442)]
[New Thread 0x7fffee10c700 (LWP 21443)]
[udp @ 0x7fffd0003520] bind failed: Permission denied    0B f=0/0   
[udp @ 0x7fffd00293c0] bind failed: Permission denied
[udp @ 0x7fffd00395c0] bind failed: Permission denied

Thread 6 "read_thread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffee10c700 (LWP 21443)]
ffurl_get_file_handle (h=0x0) at libavformat/avio.c:628
628	    if (!h->prot->url_get_file_handle)

(gdb) info frame
Stack level 0, frame at 0x7fffee103f40:
 rip = 0x6eb8b0 in ffurl_get_file_handle (libavformat/avio.c:628); saved rip = 0x694df4
 called by frame at 0x7fffee1050e0
 source language c.
 Arglist at 0x7fffee103f30, args: h=0x0
 Locals at 0x7fffee103f30, Previous frame's sp is 0x7fffee103f40
 Saved registers:
  rip at 0x7fffee103f38

 bt
#0  ffurl_get_file_handle (h=0x0) at libavformat/avio.c:628
#1  0x0000000000694df4 in rtp_open (h=0x7fffd00032e0, uri=<optimized out>, flags=3) at libavformat/rtpproto.c:455
#2  0x00000000006e9256 in ffurl_connect (uc=0x7fffd00032e0, options=options@entry=0x7fffee105118)
    at libavformat/avio.c:209
#3  0x00000000006e98fb in ffurl_open_whitelist (puc=puc@entry=0x7fffd0003680, 
    filename=filename@entry=0x7fffee106da0 "rtp://224.1.2.4:0?ttl=64", flags=flags@entry=3, 
    int_cb=int_cb@entry=0x7fffd0000de0, options=0x7fffee105118, options@entry=0x0, whitelist=0x0, blacklist=0x0, 
    parent=0x0) at libavformat/avio.c:347
#4  0x000000000069c286 in ff_rtsp_make_setup_request (s=s@entry=0x7fffd0000920, 
    host=host@entry=0x7fffee109ef0 "10.0.1.150", port=<optimized out>, lower_transport=lower_transport@entry=2, 
    real_challenge=0x0) at libavformat/rtsp.c:1621
#5  0x000000000069ccb0 in ff_rtsp_connect (s=s@entry=0x7fffd0000920) at libavformat/rtsp.c:1891
#6  0x000000000069f048 in rtsp_read_header (s=0x7fffd0000920) at libavformat/rtspdec.c:728
#7  0x00000000006cba7e in avformat_open_input (ps=ps@entry=0x7fffee10bc30, filename=<optimized out>, 
    fmt=<optimized out>, options=0x1c6e3c8 <format_opts>) at libavformat/utils.c:593
#8  0x000000000048acd6 in read_thread (arg=0x7fffee10d040) at ffplay.c:2776
#9  0x00007ffff66ac09c in ?? () from /usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0
#10 0x00007ffff66fa399 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0
#11 0x00007ffff5ef870a in start_thread (arg=0x7fffee10c700) at pthread_create.c:333
#12 0x00007ffff5c2e82d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x6eb890 to 0x6eb8d0:
   0x00000000006eb890 <ffurl_size+144>:	mov    %r12,%rsi
   0x00000000006eb893 <ffurl_size+147>:	mov    %rbx,%rdi
   0x00000000006eb896 <ffurl_size+150>:	xor    %edx,%edx
   0x00000000006eb898 <ffurl_size+152>:	callq  *%rcx
   0x00000000006eb89a <ffurl_size+154>:	mov    %rbp,%rax
   0x00000000006eb89d <ffurl_size+157>:	pop    %rbx
   0x00000000006eb89e <ffurl_size+158>:	pop    %rbp
   0x00000000006eb89f <ffurl_size+159>:	pop    %r12
   0x00000000006eb8a1 <ffurl_size+161>:	retq   
   0x00000000006eb8a2 <ffurl_size+162>:	mov    %rax,%rbp
   0x00000000006eb8a5 <ffurl_size+165>:	jmpq   0x6eb825 <ffurl_size+37>
   0x00000000006eb8aa:	nopw   0x0(%rax,%rax,1)
=> 0x00000000006eb8b0 <ffurl_get_file_handle+0>:	mov    0x8(%rdi),%rax
   0x00000000006eb8b4 <ffurl_get_file_handle+4>:	mov    0x58(%rax),%rax
   0x00000000006eb8b8 <ffurl_get_file_handle+8>:	test   %rax,%rax
   0x00000000006eb8bb <ffurl_get_file_handle+11>:	je     0x6eb8c0 <ffurl_get_file_handle+16>
   0x00000000006eb8bd <ffurl_get_file_handle+13>:	jmpq   *%rax
   0x00000000006eb8bf <ffurl_get_file_handle+15>:	nop
   0x00000000006eb8c0 <ffurl_get_file_handle+16>:	mov    $0xffffffff,%eax
   0x00000000006eb8c5 <ffurl_get_file_handle+21>:	retq   
   0x00000000006eb8c6:	nopw   %cs:0x0(%rax,%rax,1)
End of assembler dump.

(gdb) info all-registers
rax            0xe	14
rbx            0x7fffd0008d40	140736683085120
rcx            0x0	0
rdx            0x0	0
rsi            0x0	0
rdi            0x0	0
rbp            0x7fffee104890	0x7fffee104890
rsp            0x7fffee103f38	0x7fffee103f38
r8             0xffffffff	4294967295
r9             0x1	1
r10            0x7fffd0000078	140736683049080
r11            0x7fffd0000078	140736683049080
r12            0x7fffd00032e0	140736683061984
r13            0x0	0
r14            0x3	3
r15            0x0	0
rip            0x6eb8b0	0x6eb8b0 <ffurl_get_file_handle>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
---Type <return> to continue, or q <return> to quit---
fop            0x0	0
mxcsr          0x1fa4	[ ZE PE IM DM ZM OM UM PM ]
ymm0           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm1           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x8000000000000000, 0x0, 
    0x0}, v32_int8 = {0x0 <repeats 11 times>, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0xff00, 0xffff, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 
    0xff000000, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xffffffffff000000, 0x0, 0x0}, v2_int128 = {
    0xffffffffff0000000000000000000000, 0x00000000000000000000000000000000}}
ymm2           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0, 0x0, 0x0, 0xff, 
    0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0x0, 0xff00, 0xffff, 
    0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xffffffff, 0xff000000, 0xffffffff, 0x0, 0x0, 
    0x0, 0x0}, v4_int64 = {0xffffffff00000000, 0xffffffffff000000, 0x0, 0x0}, v2_int128 = {
    0xffffffffff000000ffffffff00000000, 0x00000000000000000000000000000000}}
ymm3           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0, 0x0, 0x0, 0xff, 
    0xff, 0xff, 0xff, 0xff, 0x0 <repeats 16 times>}, v16_int16 = {0x0, 0x0, 0xffff, 0xffff, 0x0, 0xff00, 0xffff, 
    0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xffffffff, 0xff000000, 0xffffffff, 0x0, 0x0, 
    0x0, 0x0}, v4_int64 = {0xffffffff00000000, 0xffffffffff000000, 0x0, 0x0}, v2_int128 = {
    0xffffffffff000000ffffffff00000000, 0x00000000000000000000000000000000}}
ymm4           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {
    0x0 <repeats 32 times>}, v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x00000000000000000000000000000000, 
    0x00000000000000000000000000000000}}
ymm5           {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x8000000000000000, 
    0x8000000000000000, 0x0, 0x0}, v32_int8 = {0x65, 0x64, 0x3a, 0x20, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 
    0x69, 0x6f, 0x
Last edited 12 months ago by ioeir2 (previous) (diff)

comment:7 Changed 12 months ago by cehoyos

Does lldb not work?

Last edited 12 months ago by cehoyos (previous) (diff)

comment:8 in reply to: ↑ 6 Changed 12 months ago by cehoyos

Replying to ioeir2:

I recompiled ffplay on Ubuntu and reproduced the problem. Crash happens only if the ffplay is running as regular user. There is no crash if it is running via sudo.

The issue is only reproducible with ffplay, not with ffmpeg?

comment:9 Changed 12 months ago by ioeir2

lldb works - my fault.

ffmpeg crashing as well.

Note: See TracTickets for help on using tickets.