Opened 13 years ago
Closed 13 years ago
#74 closed defect (fixed)
Fuzzed sample crashes avfilter
| Reported by: | Carl Eugen Hoyos | Owned by: | Michael Niedermayer |
|---|---|---|---|
| Priority: | important | Component: | avfilter |
| Version: | git | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | no |
Description
The sample from issue 2441 now crashes avfilter.
(gdb) r -i crash_pirateszz_2_s25_r003.fuzz.sample -f null -
FFmpeg version git-N-29196-ge61b83d, Copyright (c) 2000-2011 the FFmpeg developers
built on Apr 19 2011 19:44:16 with gcc 4.4.5
configuration: --cc='/usr/local/gcc-4.4.5/bin/gcc -m32' --disable-asm
libavutil 50. 40. 1 / 50. 40. 1
libavcodec 52.120. 0 / 52.120. 0
libavformat 52.108. 0 / 52.108. 0
libavdevice 52. 4. 0 / 52. 4. 0
libavfilter 1. 79. 1 / 1. 79. 1
libswscale 0. 13. 0 / 0. 13. 0
[mpeg1video @ 0x8c696d0] matrix damaged
[mpeg1video @ 0x8c696d0] sequence header damaged
[mpeg1video @ 0x8c696d0] matrix damaged
[mpeg1video @ 0x8c696d0] sequence header damaged
[mpeg1video @ 0x8c696d0] matrix damaged
[mpeg1video @ 0x8c696d0] sequence header damaged
[mpeg1video @ 0x8c696d0] Missing picture start code
Last message repeated 15 times
[mpegvideo @ 0x8c66de0] max_analyze_duration reached
[mpegvideo @ 0x8c66de0] Estimating duration from bitrate, this may be inaccurate
Seems stream 0 codec frame rate differs from container frame rate: 6.66 (60000/9009) -> 3.33 (60000/18018)
Input #0, mpegvideo, from 'crash_pirateszz_2_s25_r003.fuzz.sample':
Duration: 00:00:08.35, bitrate: 9800 kb/s
Stream #0.0: Video: mpeg2video (4:2:2), yuv420p, 720x4576 [PAR 4576:405 DAR 16:9], 9800 kb/s, 17.53 fps, 3.33 tbr, 1200k tbn, 6.66 tbc
[buffer @ 0x8d865e0] w:720 h:4576 pixfmt:yuv420p
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf52.108.0
Stream #0.0: Video: rawvideo, yuv420p, 720x4576 [PAR 4576:405 DAR 16:9], q=2-31, 200 kb/s, 90k tbn, 3.33 tbc
Stream mapping:
Stream #0.0 -> #0.0
Press [q] to stop encoding
mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] Missing picture start code
Last message repeated 15 times
[mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] ignoring pic cod ext after 0
[mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] matrix damaged
[mpeg2video @ 0x8c696d0] sequence header damaged
[mpeg2video @ 0x8c696d0] warning: first frame is no keyframe
[mpeg2video @ 0x8c696d0] invalid mb type in P Frame at 4 131
[mpeg2video @ 0x8c696d0] invalid mb type in P Frame at 27 3
...
Program received signal SIGSEGV, Segmentation fault.
0x0806d489 in av_vsrc_buffer_add_frame2 (buffer_filter=0x8d865e0, frame=0xffffbe68, pts=1101100, pixel_aspect=..., width=721, height=480, pix_fmt=PIX_FMT_YUV420P, sws_param=0x85c6d2e "0:0") at libavfilter/vsrc_buffer.c:60
60 av_log(buffer_filter, AV_LOG_INFO, "Changing filter graph input to accept %dx%d %d (%d %d)\n",
(gdb) bt
#0 0x0806d489 in av_vsrc_buffer_add_frame2 (buffer_filter=0x8d865e0, frame=0xffffbe68, pts=1101100, pixel_aspect=..., width=721, height=480, pix_fmt=PIX_FMT_YUV420P, sws_param=0x85c6d2e "0:0") at libavfilter/vsrc_buffer.c:60
#1 0x08052295 in output_packet (ist=<value optimized out>, ist_index=<value optimized out>, ost_table=0x8d86570, nb_ostreams=1, pkt=0xffffcdac) at ffmpeg.c:1644
#2 0x08054743 in transcode (nb_output_files=<value optimized out>, nb_input_files=<value optimized out>, stream_maps=<value optimized out>, nb_stream_maps=0, input_files=<value optimized out>, output_files=<value optimized out>)
at ffmpeg.c:2719
#3 0x08055cab in main (argc=6, argv=0xffffcfe4) at ffmpeg.c:4463
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x806d469 to 0x806d4a9:
0x0806d469 <av_vsrc_buffer_add_frame2+89>: mov 0x100(%ebx),%ecx
0x0806d46f <av_vsrc_buffer_add_frame2+95>: mov 0x70(%esp),%edx
0x0806d473 <av_vsrc_buffer_add_frame2+99>: mov 0x20(%edx),%eax
0x0806d476 <av_vsrc_buffer_add_frame2+102>: mov 0x88(%esp),%edx
0x0806d47d <av_vsrc_buffer_add_frame2+109>: mov (%eax),%eax
0x0806d47f <av_vsrc_buffer_add_frame2+111>: mov 0x8(%eax),%eax
0x0806d482 <av_vsrc_buffer_add_frame2+114>: mov %eax,0x4c(%esp)
0x0806d486 <av_vsrc_buffer_add_frame2+118>: mov 0x20(%eax),%eax
0x0806d489 <av_vsrc_buffer_add_frame2+121>: mov (%eax),%eax
0x0806d48b <av_vsrc_buffer_add_frame2+123>: mov 0x38(%eax),%eax
0x0806d48e <av_vsrc_buffer_add_frame2+126>: mov %ecx,0x18(%esp)
0x0806d492 <av_vsrc_buffer_add_frame2+130>: mov 0x90(%esp),%ecx
0x0806d499 <av_vsrc_buffer_add_frame2+137>: mov %edx,0xc(%esp)
0x0806d49d <av_vsrc_buffer_add_frame2+141>: movl $0x85cb56c,0x8(%esp)
0x0806d4a5 <av_vsrc_buffer_add_frame2+149>: mov %eax,0x1c(%esp)
End of assembler dump.
(gdb) info register
eax 0x0 0
ecx 0x0 0
edx 0x2d1 721
ebx 0x8d86670 148399728
esp 0xffffbc20 0xffffbc20
ebp 0xffffbe68 0xffffbe68
esi 0x8d86570 148399472
edi 0x10cd2c 1101100
eip 0x806d489 0x806d489 <av_vsrc_buffer_add_frame2+121>
eflags 0x10297 [ CF PF AF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
Attachments (1)
Change History (2)
by , 13 years ago
| Attachment: | crash_pirateszz_2_s25_r003.fuzz.sample added |
|---|
comment:1 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
