Opened 5 weeks ago

Last modified 2 weeks ago

#7094 new defect

Assertion in AVIO fill_buffer

Reported by: redeemarr
Owned by:
Priority: normal
Component: avformat
Version: git-master
Keywords: avio, abort, crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no


Sometimes, while demuxing an mpegts stream using custom IO operations via AVIOContext, an assertion fails in function 'fill_buffer' in aviobuf.c:
av_assert0(len >= s->orig_buffer_size);
It seems like something goes wrong when AVIOContext decides to reduce its internal buffer size.

This issue can be easily reproduced in my case, when AVFormatContext.probesize equals the initial buffer size for AVIOContext.
Sample code to reproduce:

#include <cstring>
#include <fstream>
#include <vector>
extern "C" {
#include <libavformat/avformat.h>
}

// Assumed definition: the report does not show bytes_t, but the opaque
// pointer passed to avio_alloc_context() below is a std::vector<char>*.
typedef std::vector<char> bytes_t;

// Custom read callback: hands out the next chunk of the in-memory input.
int read_handler(void* opaque, uint8_t* dst, int dst_size)
{
        bytes_t* input = (bytes_t*)opaque;
        size_t available = input->size();
        size_t size = available < (size_t)dst_size ? available : (size_t)dst_size;
        if (size > 0)
        {
                memcpy(dst, input->data(), size);
                input->erase(input->begin(), input->begin() + size);
        }
        return size > 0 ? (int)size : AVERROR_EOF;
}

void test_avio(char const* path)
{
        // Load the whole file into memory
        std::ifstream ifs(path, std::ios::binary);
        ifs.seekg(0, std::ios::end);
        size_t size = ifs.tellg();
        ifs.seekg(0, std::ios::beg);
        std::vector<char> input(size);
        ifs.read(input.data(), input.size());

        AVInputFormat* m_format = av_find_input_format("mpegts");
        AVFormatContext* m_fc = avformat_alloc_context();

        size_t buffer_size = 16 * 1024;
        uint8_t* avio_buffer = (uint8_t*)av_malloc(buffer_size + FF_INPUT_BUFFER_PADDING_SIZE);

        // probesize equal to the initial AVIO buffer size is the condition that triggers the assertion
        m_fc->probesize = buffer_size;
        m_fc->pb = avio_alloc_context(avio_buffer, buffer_size, 0, &input, &read_handler, NULL, NULL);
        m_fc->pb->seekable = 0;
        m_fc->pb->write_flag = 0;

        int err = avformat_open_input(&m_fc, NULL, m_format, NULL);
        err = avformat_find_stream_info(m_fc, NULL); // In this case it fails even at this point

        // ...
}

Change History (3)

comment:1 Changed 5 weeks ago by redeemarr

Unfortunately, I could not attach the sample TS file since its size is beyond 2.5MB

comment:2 Changed 2 weeks ago by cehoyos

Please use a file hoster of your choice and post a download link here.

comment:3 Changed 2 weeks ago by redeemarr

The original TS file had been lost, so here's a new one -
It requires buffer_size = 64*4096 to reproduce

