Opened 3 months ago

Closed 3 months ago

#6346 closed defect (fixed)

Segmentation fault, Auto-inserting h264_mp4toannexb bitstream filter

Reported by: ffmpegTV Owned by:
Priority: important Component: avformat
Version: git-master Keywords: crash regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug: Segmentation fault: 11

How to reproduce:

% ffmpeg -f concat -safe 0 -i files.txt -c copy out.mp4
ffmpeg version N-85641-gdd49eff-tessus Copyright (c) 2000-2017 the FFmpeg developers
  built with Apple LLVM version 8.0.0 (clang-800.0.42.1)
  configuration: --cc=/usr/bin/clang --prefix=/opt/ffmpeg --extra-version=tessus --enable-avisynth --enable-fontconfig --enable-gpl --enable-libass --enable-libbluray --enable-libfreetype --enable-libgsm --enable-libmodplug --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopus --enable-libschroedinger --enable-libsnappy --enable-libsoxr --enable-libspeex --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libx264 --enable-libx265 --enable-libxavs --enable-libxvid --enable-libzmq --enable-libzvbi --enable-version3 --disable-ffplay --disable-indev=qtkit
  libavutil      55. 61.100 / 55. 61.100
  libavcodec     57. 93.100 / 57. 93.100
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 86.100 /  6. 86.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
[mpegts @ 0x7f9092001000] Auto-inserting h264_mp4toannexb bitstream filter
Segmentation fault: 11
# content of file list
file 'ARD_HD_2017-03-10_17-03-01.ts'
file 'ARD_HD_2017-03-10_17-04-01.ts'
file 'ARD_HD_2017-03-10_17-05-01.ts'
file 'ARD_HD_2017-03-10_17-06-01.ts'
file 'ARD_HD_2017-03-10_17-07-01.ts'
file 'ARD_HD_2017-03-10_17-08-01.ts'
file 'ARD_HD_2017-03-10_17-09-01.ts'
file 'ARD_HD_2017-03-10_17-10-01.ts'
file 'ARD_HD_2017-03-10_17-11-01.ts'

ffmpeg version: N-85641-gdd49eff-tessus
current snapshot: ffmpeg-85641-gdd49eff from https://evermeet.cx/ffmpeg/ MacOS, 64Bit, running on MacOS, 64Bit, 10.12.4 (16E195)

Attachments (2)

ARD_HD_2017-03-10_17-03-01_cut.ts (2.4 MB) - added by cehoyos 3 months ago.
files.txt (41 bytes) - added by cehoyos 3 months ago.

Change History (7)

comment:1 Changed 3 months ago by cehoyos

  • Keywords crash added
  • Priority changed from normal to important

Please provide the input files(s) needed to reproduce the issue.

comment:3 Changed 3 months ago by cehoyos

  • Keywords regression added
  • Reproduced by developer set
  • Version changed from unspecified to git-master

Regression since b8f26779d615dfb466e90627323b1a4e40639f76

$ valgrind ffmpeg_g -f concat -i files.txt
==25745== Memcheck, a memory error detector
==25745== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==25745== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==25745== Command: ffmpeg_g -f concat -i files.txt
==25745==
ffmpeg version N-85646-g550a9c5 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (GCC)
  configuration: --enable-gpl
  libavutil      55. 61.100 / 55. 61.100
  libavcodec     57. 93.100 / 57. 93.100
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 87.100 /  6. 87.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
[mpegts @ 0x82204a0] Auto-inserting h264_mp4toannexb bitstream filter
==25745== Invalid read of size 4
==25745==    at 0x7683D7: av_packet_copy_props (avpacket.c:562)
==25745==    by 0x768614: av_packet_ref (avpacket.c:589)
==25745==    by 0x799605: avcodec_send_packet (decode.c:647)
==25745==    by 0x709F14: try_decode_frame (utils.c:3004)
==25745==    by 0x712244: avformat_find_stream_info (utils.c:3821)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==  Address 0x821fc78 is 8 bytes inside a block of size 16 free'd
==25745==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25745==    by 0x768588: av_packet_unref (avpacket.c:275)
==25745==    by 0x60CDAA: concat_read_packet (concatdec.c:565)
==25745==    by 0x70A82D: ff_read_packet (utils.c:816)
==25745==    by 0x70DB23: read_frame_internal (utils.c:1517)
==25745==    by 0x711E83: avformat_find_stream_info (utils.c:3697)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==
==25745== Invalid read of size 4
==25745==    at 0x7683E8: av_packet_copy_props (avpacket.c:561)
==25745==    by 0x768614: av_packet_ref (avpacket.c:589)
==25745==    by 0x799605: avcodec_send_packet (decode.c:647)
==25745==    by 0x709F14: try_decode_frame (utils.c:3004)
==25745==    by 0x712244: avformat_find_stream_info (utils.c:3821)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==  Address 0x821fc7c is 12 bytes inside a block of size 16 free'd
==25745==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25745==    by 0x768588: av_packet_unref (avpacket.c:275)
==25745==    by 0x60CDAA: concat_read_packet (concatdec.c:565)
==25745==    by 0x70A82D: ff_read_packet (utils.c:816)
==25745==    by 0x70DB23: read_frame_internal (utils.c:1517)
==25745==    by 0x711E83: avformat_find_stream_info (utils.c:3697)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==
==25745== Invalid read of size 8
==25745==    at 0x7683EB: av_packet_copy_props (avpacket.c:563)
==25745==    by 0x768614: av_packet_ref (avpacket.c:589)
==25745==    by 0x799605: avcodec_send_packet (decode.c:647)
==25745==    by 0x709F14: try_decode_frame (utils.c:3004)
==25745==    by 0x712244: avformat_find_stream_info (utils.c:3821)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==  Address 0x821fc70 is 0 bytes inside a block of size 16 free'd
==25745==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25745==    by 0x768588: av_packet_unref (avpacket.c:275)
==25745==    by 0x60CDAA: concat_read_packet (concatdec.c:565)
==25745==    by 0x70A82D: ff_read_packet (utils.c:816)
==25745==    by 0x70DB23: read_frame_internal (utils.c:1517)
==25745==    by 0x711E83: avformat_find_stream_info (utils.c:3697)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==
==25745== Invalid read of size 1
==25745==    at 0x4C2C531: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25745==    by 0x7684A5: av_packet_copy_props (avpacket.c:570)
==25745==    by 0x768614: av_packet_ref (avpacket.c:589)
==25745==    by 0x799605: avcodec_send_packet (decode.c:647)
==25745==    by 0x709F14: try_decode_frame (utils.c:3004)
==25745==    by 0x712244: avformat_find_stream_info (utils.c:3821)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25745==
==25745==
==25745== Process terminating with default action of signal 11 (SIGSEGV)
==25745==  Access not within mapped region at address 0x0
==25745==    at 0x4C2C531: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25745==    by 0x7684A5: av_packet_copy_props (avpacket.c:570)
==25745==    by 0x768614: av_packet_ref (avpacket.c:589)
==25745==    by 0x799605: avcodec_send_packet (decode.c:647)
==25745==    by 0x709F14: try_decode_frame (utils.c:3004)
==25745==    by 0x712244: avformat_find_stream_info (utils.c:3821)
==25745==    by 0x48AEA5: open_input_file (ffmpeg_opt.c:1013)
==25745==    by 0x48DB5E: ffmpeg_parse_options (ffmpeg_opt.c:3203)
==25745==    by 0x47DA86: main (ffmpeg.c:4742)
==25745==  If you believe this happened as a result of a stack
==25745==  overflow in your program's main thread (unlikely but
==25745==  possible), you can try to increase the size of the
==25745==  main thread stack using the --main-stacksize= flag.
==25745==  The main thread stack size used in this run was 8388608.
==25745==
==25745== HEAP SUMMARY:
==25745==     in use at exit: 1,014,992 bytes in 206 blocks
==25745==   total heap usage: 1,357 allocs, 1,151 frees, 22,165,309 bytes allocated
==25745==
==25745== LEAK SUMMARY:
==25745==    definitely lost: 0 bytes in 0 blocks
==25745==    indirectly lost: 0 bytes in 0 blocks
==25745==      possibly lost: 0 bytes in 0 blocks
==25745==    still reachable: 1,014,992 bytes in 206 blocks
==25745==         suppressed: 0 bytes in 0 blocks
==25745== Rerun with --leak-check=full to see details of leaked memory
==25745==
==25745== For counts of detected and suppressed errors, rerun with: -v
==25745== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 2 from 2)
Segmentation fault

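The valgrind trace above pins the crash to a classic ownership error: av_packet_unref inside concat_read_packet releases a 16-byte block, and av_packet_copy_props (reached through av_packet_ref from the decoder) then reads it, first inside the freed block and finally through a NULL pointer. A consumer still held a pointer into a packet's side data after the demuxer had released the only reference. The following is an added example, not FFmpeg code: it models a refcounted packet with made-up types (buf_t, pkt_t), a debug quarantine and refcount poisoning, all of which are assumptions of this illustration rather than FFmpeg internals. It contrasts the hazardous "shallow struct copy, then unref" pattern with taking a real reference first, and uses the poisoned refcount to catch the stale read deterministically, in the way valgrind flagged the freed block in the trace.

```c
/* Added example (not FFmpeg code): refcounted-packet model showing why a
 * shallow copy followed by unref yields a use-after-free on the side data. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define QUARANTINE_MAX 16

/* Hypothetical refcounted side-data buffer (assumed layout, not AVBufferRef). */
typedef struct {
    int      refcount;   /* <= 0 means "released" in this debug model */
    size_t   size;
    uint8_t *data;
} buf_t;

/* Hypothetical packet: one refcounted side-data pointer plus a property. */
typedef struct {
    buf_t  *side;
    int64_t pts;
} pkt_t;

/* Debug quarantine: released buffers are poisoned and parked here instead of
 * being handed back to malloc, so a read through a stale pointer is
 * detectable (the same idea behind valgrind's "inside a block ... free'd"). */
static buf_t *quarantine[QUARANTINE_MAX];
static int    quarantine_len;

static buf_t *buf_new(const uint8_t *src, size_t n)
{
    buf_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = malloc(n);
    if (!b->data) { free(b); return NULL; }
    memcpy(b->data, src, n);
    b->size = n;
    b->refcount = 1;
    return b;
}

static void buf_unref(buf_t **bp)
{
    buf_t *b = *bp;
    *bp = NULL;                          /* the caller's pointer is cleared ... */
    if (!b || b->refcount <= 0) return;  /* NULL or already released */
    if (--b->refcount > 0) return;       /* other holders keep it alive */
    b->refcount = -1;                    /* ... but any other copy now dangles */
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = b;
    else { free(b->data); free(b); }
}

static void quarantine_flush(void)
{
    while (quarantine_len > 0) {
        buf_t *b = quarantine[--quarantine_len];
        free(b->data);
        free(b);
    }
}

/* Taking a new reference: bump the count instead of just copying the pointer. */
static void pkt_ref(pkt_t *dst, const pkt_t *src)
{
    dst->pts  = src->pts;
    dst->side = src->side;
    if (dst->side) dst->side->refcount++;
}

static void pkt_unref(pkt_t *p) { buf_unref(&p->side); p->pts = 0; }

/* Consumer side: deep-copy the side data. Returns bytes copied, or -1 when the
 * source buffer was already released (the read valgrind reported as invalid). */
static long copy_props(pkt_t *dst, const pkt_t *src)
{
    dst->pts = src->pts;
    if (!src->side) return 0;
    if (src->side->refcount <= 0) return -1;
    dst->side = buf_new(src->side->data, src->side->size);
    return dst->side ? (long)dst->side->size : -1;
}

/* Constructed sample side data, 16 bytes like the block in the trace. */
static const uint8_t SAMPLE_SIDE_DATA[16] = { 0x01, 0x02, 0x03, 0x04 };

/* Bug pattern: the demuxer hands out a struct copy of its internal packet and
 * then unrefs the internal one. Expected result: -1 (stale read caught). */
static long demo_shallow_copy_then_unref(void)
{
    pkt_t internal   = { buf_new(SAMPLE_SIDE_DATA, sizeof SAMPLE_SIDE_DATA), 90000 };
    pkt_t handed_out = internal;         /* pointer copy, no new reference */
    pkt_t decoded    = { NULL, 0 };
    pkt_unref(&internal);                /* releases the only reference */
    long r = copy_props(&decoded, &handed_out);
    pkt_unref(&decoded);
    quarantine_flush();
    return r;
}

/* Correct pattern: take a real reference before the internal packet is
 * unref'd. Expected result: 16 (all side-data bytes copied). */
static long demo_ref_then_unref(void)
{
    pkt_t internal   = { buf_new(SAMPLE_SIDE_DATA, sizeof SAMPLE_SIDE_DATA), 90000 };
    pkt_t handed_out = { NULL, 0 };
    pkt_t decoded    = { NULL, 0 };
    pkt_ref(&handed_out, &internal);
    pkt_unref(&internal);                /* refcount 2 -> 1, buffer stays alive */
    long r = copy_props(&decoded, &handed_out);
    pkt_unref(&decoded);
    pkt_unref(&handed_out);
    quarantine_flush();
    return r;
}
```

The poisoned refcount only works because this model never truly frees a buffer until quarantine_flush; in real code the stale pointer reads whatever the allocator has put there next, which is why the trace shows three reads inside the freed block and then a NULL dereference. For actual FFmpeg builds the equivalent check is to run the reproduction under valgrind or an AddressSanitizer build, as comment 3 did.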
Changed 3 months ago by cehoyos

Changed 3 months ago by cehoyos

comment:4 Changed 3 months ago by jamrial

  • Status changed from new to open

b8f26779d615dfb466e90627323b1a4e40639f76 is not the cause. It simply exposed a latent bug, plus the fact that concatdec was doing an incomplete annexb extradata check.

Fixed the wrong extradata check in b4330a0e02fcbef61d630a369abe5f4421ced659, which should prevent the crash detailed here, but as I said the actual bug is still present.

comment:5 Changed 3 months ago by jamrial

  • Component changed from undetermined to avformat
  • Resolution set to fixed
  • Status changed from open to closed

The underlying bug should be fixed in 14e092448f2ecf2e872821db13d625273c9eb33c
