Opened 3 months ago

Last modified 3 months ago

#6379 new defect

vaapi_encode_check_config invalid free

Reported by: serafean
Owned by:
Priority: important
Component: avcodec
Version: 3.2.4
Keywords: crash vaapi
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Invalid free in vaapi_encode_check_config (vaapi_encode_config_attributes in the 3.3 branch; manually checked the source code).
How to reproduce:

% MALLOC_CHECK_=2 ffmpeg -loglevel debug -hwaccel vaapi -vaapi_device /dev/dri/renderD128 -i Elephants_Dream_HD.avi -vf format=nv12,hwupload -map 0:0 -map 0:1 -y -f matroska -bf 0 -c:v h264_vaapi ~/test.mkv
3.2.4
built on Gentoo
(gdb) bt
#0  0x00007f0fbeb1eeb8 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f0fbeb2044a in __GI_abort () at abort.c:89
#2  0x00007f0fbeb63890 in malloc_printerr (action=<optimized out>, str=0x7f0fbec55c27 "free(): invalid pointer", ptr=<optimized out>, 
    ar_ptr=<optimized out>) at malloc.c:5008
#3  0x00007f0fc01e88b2 in vaapi_encode_check_config (avctx=0x55e6562a3620) at src/libavcodec/vaapi_encode.c:1024
#4  ff_vaapi_encode_init (avctx=0x55e6562a3620, type=<optimized out>) at src/libavcodec/vaapi_encode.c:1076
#5  0x00007f0fc06353f0 in avcodec_open2 (avctx=0x55e6562a3620, codec=0x7f0fc1043cc0 <ff_h264_vaapi_encoder>, options=0x55e65624f888)
    at src/libavcodec/utils.c:1608
#6  0x000055e655ab58ca in init_output_stream (error_len=1024, error=0x7ffde9fa30e0 "", ost=0x55e65624f740) at src/ffmpeg.c:3024
#7  transcode_init () at src/ffmpeg.c:3482
#8  0x000055e655a98352 in transcode () at src/ffmpeg.c:4358
#9  main (argc=23, argv=0x7ffde9fa3a48) at src/ffmpeg.c:4592

The issue is that every "goto fail" tries to free both "profiles" and "entrypoints", when entrypoints might not even be allocated yet.

Change History (4)

comment:1 Changed 3 months ago by jkqxz

What is the actual error that you get here?

I don't see anything wrong with the entrypoints variable - it's initialised to NULL and then possibly overwritten by the return value of av_malloc_array(). Both of those are always valid things to pass to free().
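
The point made in this comment, as an added example that is neither FFmpeg source nor code from the ticket: two arrays allocated one after the other, a single `fail:` label that frees both. Because both pointers are set to NULL before the first possible `goto fail`, every exit path hands `free()` either NULL (a defined no-op) or a pointer that came straight from the allocator. For contrast, the second function has the shape the report assumed, with the second pointer left uninitialised; it is compiled but never run. The function names, the `fail_after_profiles` switch and the array sizes are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not FFmpeg code.  Same cleanup shape as the ticket
 * describes: both pointers are NULL before any "goto fail", so the shared
 * fail label frees either NULL (no-op, C99 7.20.3.2) or a live heap block.
 * fail_after_profiles is a hypothetical switch that forces an error
 * between the two allocations, the case the report worried about.
 */
static int config_attributes_safe(size_t n_profiles, size_t n_entrypoints,
                                  int fail_after_profiles)
{
    int *profiles    = NULL;
    int *entrypoints = NULL;
    int err = 0;

    profiles = calloc(n_profiles, sizeof *profiles);
    if (!profiles) {
        err = -1;
        goto fail;
    }

    /* Error between the two allocations: entrypoints is still NULL here. */
    if (fail_after_profiles) {
        err = -2;
        goto fail;
    }

    entrypoints = calloc(n_entrypoints, sizeof *entrypoints);
    if (!entrypoints) {
        err = -1;
        goto fail;
    }

    /* ... real code would query and match profiles/entrypoints here ... */

fail:
    free(profiles);     /* NULL or a malloc'd pointer: both valid */
    free(entrypoints);  /* NULL on the early-exit paths: still valid */
    return err;
}

/*
 * The shape the report assumed was present.  Neither struct member is
 * initialised, so taking an early exit frees whatever happens to be on
 * the stack in a.entrypoints.  That is the class of bug glibc reports as
 * "free(): invalid pointer" (at once under MALLOC_CHECK_=2, otherwise
 * possibly much later as heap corruption).  Shown for contrast only and
 * deliberately never called.
 */
struct attrs {
    int *profiles;
    int *entrypoints;
};

static int config_attributes_unsafe(size_t n_profiles, size_t n_entrypoints,
                                    int fail_after_profiles)
{
    struct attrs a;            /* no member initialised */
    int err = 0;

    a.profiles = calloc(n_profiles, sizeof *a.profiles);
    if (!a.profiles) {
        err = -1;
        goto fail;             /* a.entrypoints is indeterminate here */
    }
    if (fail_after_profiles) {
        err = -2;
        goto fail;             /* same problem */
    }
    a.entrypoints = calloc(n_entrypoints, sizeof *a.entrypoints);
    if (!a.entrypoints) {
        err = -1;
        goto fail;
    }
fail:
    free(a.profiles);
    free(a.entrypoints);       /* invalid free on the early-exit paths */
    return err;
}

int main(void)
{
    /* Both exit paths of the safe variant complete, including the one
     * where entrypoints was never allocated. */
    printf("full path:             %d\n", config_attributes_safe(8, 2, 0));
    printf("fail before 2nd alloc: %d\n", config_attributes_safe(8, 2, 1));
    (void)config_attributes_unsafe;   /* compiled for reference, not run */
    return 0;
}
```

Running the safe variant under `MALLOC_CHECK_=2` produces no diagnostic on either path, which is the check worth doing before blaming the cleanup code: when glibc still aborts with "free(): invalid pointer" in a function whose frees are all NULL-or-malloc'd, the heap metadata was already damaged by something that ran earlier.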

comment:2 Changed 3 months ago by serafean

Ah, my bad, I forgot about the free behaviour.

Crashes.
With MALLOC_CHECK_=1, segfault:

#0  _int_malloc (av=av@entry=0x7f8429308aa0 <main_arena>, bytes=bytes@entry=9) at malloc.c:3414
#1  0x00007f8428fe635b in malloc_check (sz=sz@entry=8, caller=caller@entry=0x0) at hooks.c:295
#2  0x00007f8428fe6d86 in realloc_check (oldmem=0x0, bytes=8, caller=<optimized out>) at hooks.c:355
#3  0x00007f8429a80c4f in av_frame_new_side_data (frame=frame@entry=0x563b5c49d7a0, type=AV_FRAME_DATA_MATRIXENCODING, size=4) at src/libavutil/frame.c:634
#4  0x00007f8429a80f40 in frame_copy_props (dst=dst@entry=0x563b5c49d7a0, src=0x563b5c4af0e0, force_copy=force_copy@entry=1) at src/libavutil/frame.c:339
#5  0x00007f8429a810a9 in av_frame_copy_props (dst=dst@entry=0x563b5c49d7a0, src=<optimized out>) at src/libavutil/frame.c:591
#6  0x00007f842be92141 in ff_filter_frame_needs_framing (frame=0x563b5c4af0e0, link=0x563b5c36c6c0) at src/libavfilter/avfilter.c:1162
#7  ff_filter_frame (link=0x563b5c36c6c0, frame=0x563b5c4af0e0) at src/libavfilter/avfilter.c:1230
#8  0x00007f842be90d9a in ff_filter_frame_framed (link=link@entry=0x563b5c36c540, frame=0x563b5c4af0e0) at src/libavfilter/avfilter.c:1134
#9  0x00007f842be920c0 in ff_filter_frame (link=0x563b5c36c540, frame=0x563b5c4af0e0) at src/libavfilter/avfilter.c:1232
#10 0x00007f842be90d9a in ff_filter_frame_framed (link=link@entry=0x563b5c36c2c0, frame=0x563b5c4af0e0) at src/libavfilter/avfilter.c:1134
#11 0x00007f842be920c0 in ff_filter_frame (link=link@entry=0x563b5c36c2c0, frame=0x563b5c4af0e0) at src/libavfilter/avfilter.c:1232
#12 0x00007f842be9658f in request_frame (link=0x563b5c36c2c0) at src/libavfilter/buffersrc.c:450
#13 0x00007f842be96244 in av_buffersrc_add_frame_internal (ctx=ctx@entry=0x563b5c36b840, frame=frame@entry=0x563b5c45db60, flags=flags@entry=4)
    at src/libavfilter/buffersrc.c:239
#14 0x00007f842be967ed in av_buffersrc_add_frame_flags (ctx=0x563b5c36b840, frame=0x563b5c45db60, flags=4) at src/libavfilter/buffersrc.c:164
#15 0x0000563b5c065a7d in decode_audio (got_output=0x7ffdb8e80c0c, pkt=0x7ffdb8e80c30, ist=0x563b5c342ee0) at src/ffmpeg.c:2164
#16 process_input_packet (ist=<optimized out>, pkt=0x7ffdb8e80f00, no_eof=0) at src/ffmpeg.c:2466
#17 0x0000563b5c046daa in process_input (file_index=<optimized out>) at src/ffmpeg.c:4245
#18 transcode_step () at src/ffmpeg.c:4333
#19 transcode () at src/ffmpeg.c:4387
#20 main (argc=<optimized out>, argv=<optimized out>) at src/ffmpeg.c:4592

Without MALLOC_CHECK_, sometimes SIGABRT:

*** Error in `ffmpeg': corrupted double-linked list: 0x000055ad35f86170 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x72a07)[0x7f784ac7da07]
/lib64/libc.so.6(+0x78866)[0x7f784ac83866]
/lib64/libc.so.6(+0x78c21)[0x7f784ac83c21]
/lib64/libc.so.6(+0x7a5d2)[0x7f784ac855d2]
/lib64/libc.so.6(__libc_malloc+0x63)[0x7f784ac876f3]
/usr/lib64/va/drivers/r600_drv_video.so(+0x210ca)[0x7f783bf140ca]
/usr/lib64/va/drivers/r600_drv_video.so(+0x22fa2)[0x7f783bf15fa2]
/usr/lib64/libavutil.so.55(+0x2072e)[0x7f784b72372e]
/usr/lib64/libavutil.so.55(+0x20a77)[0x7f784b723a77]
/usr/lib64/libavutil.so.55(av_hwframe_transfer_data+0xb7)[0x7f784b722ec7]
/usr/lib64/libavfilter.so.6(+0x10ef89)[0x7f784dba1f89]
/usr/lib64/libavfilter.so.6(+0x9dd9a)[0x7f784db30d9a]
/usr/lib64/libavfilter.so.6(+0x9f0c0)[0x7f784db320c0]
/usr/lib64/libavfilter.so.6(+0x9dd9a)[0x7f784db30d9a]
/usr/lib64/libavfilter.so.6(+0x9f0c0)[0x7f784db320c0]
/usr/lib64/libavfilter.so.6(+0x13d466)[0x7f784dbd0466]
/usr/lib64/libavfilter.so.6(+0x9dd9a)[0x7f784db30d9a]
/usr/lib64/libavfilter.so.6(+0x9f0c0)[0x7f784db320c0]
/usr/lib64/libavfilter.so.6(+0xa358f)[0x7f784db3658f]
/usr/lib64/libavfilter.so.6(+0xa3244)[0x7f784db36244]
/usr/lib64/libavfilter.so.6(av_buffersrc_add_frame_flags+0xb5)[0x7f784db367ed]
ffmpeg(+0x2bd05)[0x55ad34c4cd05]
ffmpeg(+0xcdaa)[0x55ad34c2ddaa]
/lib64/libc.so.6(__libc_start_main+0xfc)[0x7f784ac2b7cc]
ffmpeg(+0xea59)[0x55ad34c2fa59]

Running it through Valgrind throws out SIGILL.

SIGSEGV in malloc is the most common.
MALLOC_CHECK_=2 is the only one which is deterministic, so I thought that could be it...
I'll try with ffmpeg 3.3 tomorrow.
Do you think it could be in the r600 driver?

comment:3 Changed 3 months ago by cehoyos

  • Keywords crash vaapi added
  • Priority changed from normal to important

Please test current FFmpeg git head.

comment:4 Changed 3 months ago by serafean

ffmpeg version: N-85962-g164e277
Valgrind still raises SIGILL.
MALLOC_CHECK_=2 still crashes with:

(gdb) bt
#0  0x00007ffabdfc6eb8 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffabdfc844a in __GI_abort () at abort.c:89
#2  0x00007ffabe00b890 in malloc_printerr (action=<optimized out>, str=0x7ffabe0fdc27 "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5008
#3  0x00007ffabf470411 in vaapi_encode_config_attributes (avctx=0x55ef16408aa0) at src/libavcodec/vaapi_encode.c:1107
#4  ff_vaapi_encode_init (avctx=0x55ef16408aa0) at src/libavcodec/vaapi_encode.c:1377
#5  0x00007ffabf8d78f9 in avcodec_open2 (avctx=0x55ef16408aa0, codec=0x7ffac0304ce0 <ff_h264_vaapi_encoder>, options=0x55ef163a67f8) at src/libavcodec/utils.c:1020
#6  0x000055ef142c8dde in init_output_stream (ost=<optimized out>, error=0x7fff49d94c20 "", error_len=1024) at src/ffmpeg.c:3438
#7  0x000055ef142ca9c1 in reap_filters (flush=0) at src/ffmpeg.c:1443
#8  0x000055ef142acd94 in transcode_step () at src/ffmpeg.c:4522
#9  transcode () at src/ffmpeg.c:4566
#10 main (argc=<optimized out>, argv=<optimized out>) at src/ffmpeg.c:477

The other two cases appear to work (albeit slowly, but that might be an r600 issue).

MALLOC_CHECK_=3:

*** Error in `ffmpeg': free(): invalid pointer: 0x0000560c61308b20 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x72a07)[0x7fea668a5a07]
/lib64/libc.so.6(+0x78866)[0x7fea668ab866]
/usr/lib64/libavcodec.so.57(+0xad411)[0x7fea67d10411]
/usr/lib64/libavcodec.so.57(avcodec_open2+0x879)[0x7fea681778f9]
ffmpeg(+0x28dde)[0x560c6094ddde]
ffmpeg(+0x2a9c1)[0x560c6094f9c1]
ffmpeg(+0xcd94)[0x560c60931d94]
/lib64/libc.so.6(__libc_start_main+0xfc)[0x7fea668537cc]
ffmpeg(+0xec69)[0x560c60933c69]
======= Memory map: ========