#5981 closed defect (needs_more_info)

avformat_open_input() crashed in ios pad

Reported by: shamessss2012 Owned by:
Priority: normal Component: avformat
Version: git-master Keywords: crash regression
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description (last modified by cehoyos)

Summary of the bug:avformat_open_input() crashed
How to reproduce:build the latest version of ffmpeg, run it on

iOs9.3.2(13F69),trace inside the url_alloc_for_protocol(); crash happened at av_opt_set_defaults()

working on ffmpeg-2.6.3

crashed on ffmpeg-3.1.1 and later release

static int url_alloc_for_protocol(URLContext **puc, const URLProtocol *up,
                                  const char *filename, int flags,
                                  const AVIOInterruptCB *int_cb)
{
    URLContext *uc;
    int err;

#if CONFIG_NETWORK
    if (up->flags & URL_PROTOCOL_FLAG_NETWORK && !ff_network_init())
        return AVERROR(EIO);
#endif
    if ((flags & AVIO_FLAG_READ) && !up->url_read) {
        av_log(NULL, AV_LOG_ERROR,
               "Impossible to open the '%s' protocol for reading\n", up->name);
        return AVERROR(EIO);
    }
    if ((flags & AVIO_FLAG_WRITE) && !up->url_write) {
        av_log(NULL, AV_LOG_ERROR,
               "Impossible to open the '%s' protocol for writing\n", up->name);
        return AVERROR(EIO);
    }
    uc = av_mallocz(sizeof(URLContext) + strlen(filename) + 1);
    if (!uc) {
        err = AVERROR(ENOMEM);
        goto fail;
    }
    uc->av_class = &ffurl_context_class;
    uc->filename = (char *)&uc[1];
    strcpy(uc->filename, filename);
    uc->prot            = up;
    uc->flags           = flags;
    uc->is_streamed     = 0; /* default = not streamed */
    uc->max_packet_size = 0; /* default: stream file */
    if (up->priv_data_size) {
        uc->priv_data = av_mallocz(up->priv_data_size);
        if (!uc->priv_data) {
            err = AVERROR(ENOMEM);
            goto fail;
        }
        if (up->priv_data_class) {
            int proto_len= strlen(up->name);
            char *start = strchr(uc->filename, ',');
            *(const AVClass **)uc->priv_data = up->priv_data_class;
            av_opt_set_defaults(uc->priv_data);
            if(!strncmp(up->name, uc->filename, proto_len) && uc->filename + proto_len == start){
                int ret= 0;
                char *p= start;
                char sep= *++p;
                char *key, *val;
                p++;

                if (strcmp(up->name, "subfile"))
                    ret = AVERROR(EINVAL);

                while(ret >= 0 && (key= strchr(p, sep)) && p<key && (val = strchr(key+1, sep))){
                    *val= *key= 0;
                    if (strcmp(p, "start") && strcmp(p, "end")) {
                        ret = AVERROR_OPTION_NOT_FOUND;
                    } else
                        ret= av_opt_set(uc->priv_data, p, key+1, 0);
                    if (ret == AVERROR_OPTION_NOT_FOUND)
                        av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p);
                    *val= *key= sep;
                    p= val+1;
                }
                if(ret<0 || p!=key){
                    av_log(uc, AV_LOG_ERROR, "Error parsing options string %s\n", start);
                    av_freep(&uc->priv_data);
                    av_freep(&uc);
                    err = AVERROR(EINVAL);
                    goto fail;
                }
                memmove(start, key+1, strlen(key));
            }
        }
    }
    if (int_cb)
        uc->interrupt_callback = *int_cb;

    *puc = uc;
    return 0;
fail:
    *puc = NULL;
    if (uc)
        av_freep(&uc->priv_data);
    av_freep(&uc);
#if CONFIG_NETWORK
    if (up->flags & URL_PROTOCOL_FLAG_NETWORK)
        ff_network_close();
#endif
    return err;
}

Attachments (2)

20161128144759.png (65.3 KB) - added by shamessss2012 20 months ago.
debug info1
20161128144708.png (11.2 KB) - added by shamessss2012 20 months ago.
debug info2

Download all attachments as: .zip

Change History (9)

Changed 20 months ago by shamessss2012

debug info1

Changed 20 months ago by shamessss2012

debug info2

comment:1 follow-up: Changed 20 months ago by cehoyos

  • Description modified (diff)
  • Keywords crash regression added; fatal crashed removed
  • Priority changed from critical to normal

Please test current FFmpeg git head and provide a backtrace.
Or find out which commit introduced the regression you see.

comment:2 Changed 20 months ago by shamessss2012

  • Component changed from undetermined to avformat
  • Keywords fatal crashed added; crash regression removed
  • Priority changed from normal to critical

comment:3 Changed 20 months ago by cehoyos

  • Keywords crash regression added; fatal crashed removed
  • Priority changed from critical to normal

comment:4 in reply to: ↑ 1 ; follow-up: Changed 20 months ago by shamessss2012

Replying to cehoyos:

Please test current FFmpeg git head and provide a backtrace.
Or find out which commit introduced the regression you see.

Actually I am using the latest ffmpeg release. I can't provide the backtrace for the function av_opt_set_defaults()can't be stepped in even if I re-compile it many times with debug info open.

comment:5 in reply to: ↑ 4 Changed 20 months ago by cehoyos

Replying to shamessss2012:

Replying to cehoyos:

Please test current FFmpeg git head and provide a backtrace.
Or find out which commit introduced the regression you see.

Actually I am using the latest ffmpeg release.

But on this bug tracker only current FFmpeg git head is supported (and this is even more true for osx - and Windows).

I can't provide the backtrace for the function av_opt_set_defaults()can't be stepped in even if I re-compile it many times with debug info open.

You don't have to step in, the backtrace may be sufficient.

comment:6 Changed 20 months ago by shamessss2012

sorry, our ios developer is too busy for implementing. So I can't provide the trace so far.we have changed the version back to 2.9.3. it's OK. problem still permanent on 3.2.

comment:7 Changed 20 months ago by cehoyos

  • Resolution set to needs_more_info
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.