Opened 5 years ago

Closed 5 years ago

#7557 closed defect (fixed)

crash when overlaying image partially-offscreen

Reported by: kennethav
Owned by:
Priority: important
Component: avfilter
Version: git-master
Keywords: overlay crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
What you were trying to accomplish: a vertical wipe effect by overlaying an image onto a video with a y-expression based on the current frame. The command line pasted below doesn't bother with the expression, just to simplify things, but it does still crash.

Note: I'm running this on CoreOS

How to reproduce:

ffmpeg -i pig.jpg -i tooth.mp4 -filter_complex "[1:v][0:v]overlay=x=5:y=-5" output.mov

version info:
ffmpeg version 4.1-static https://johnvansickle.com/ffmpeg/  Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 6.3.0 (Debian 6.3.0-18+deb9u1) 20170516
  configuration: --enable-gpl --enable-version3 --enable-static --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio --cc=gcc-6 --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gray --enable-libaom --enable-libfribidi --enable-libass --enable-libvmaf --enable-libfreetype --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-librubberband --enable-libsoxr --enable-libspeex --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg
  libavutil      56. 22.100 / 56. 22.100
  libavcodec     58. 35.100 / 58. 35.100
  libavformat    58. 20.100 / 58. 20.100
  libavdevice    58.  5.100 / 58.  5.100
  libavfilter     7. 40.101 /  7. 40.101
  libswscale      5.  3.100 /  5.  3.100
  libswresample   3.  3.100 /  3.  3.100
  libpostproc    55.  3.100 / 55.  3.100


Attachments (2)

pig.jpg (155.5 KB) - added by kennethav 5 years ago.
tooth.mp4 (1.9 MB) - added by kennethav 5 years ago.

Change History (4)

by kennethav, 5 years ago

Attachment: pig.jpg added

by kennethav, 5 years ago

Attachment: tooth.mp4 added

comment:1 by Carl Eugen Hoyos, 5 years ago

Component: undetermined → avfilter
Keywords: overlay crash SIGSEGV regression added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

Regression since d54014d1573ec6e958e9c9e802e613c73c7f7ba5

(gdb) r -cpuflags 0 -i pig.jpg -i tooth.mp4 -filter_complex "[1:v][0:v]overlay=x=5:y=-5" -f null -
Starting program: ffmpeg_g -cpuflags 0 -i pig.jpg -i tooth.mp4 -filter_complex "[1:v][0:v]overlay=x=5:y=-5" -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-92494-ge3a9630 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 6.4.0 (GCC)
  configuration: --enable-gpl --enable-gnutls --enable-libxml2
  libavutil      56. 23.101 / 56. 23.101
  libavcodec     58. 39.100 / 58. 39.100
  libavformat    58. 22.100 / 58. 22.100
  libavdevice    58.  6.100 / 58.  6.100
  libavfilter     7. 46.100 /  7. 46.100
  libswscale      5.  4.100 /  5.  4.100
  libswresample   3.  4.100 /  3.  4.100
  libpostproc    55.  4.100 / 55.  4.100
Input #0, image2, from 'pig.jpg':
  Duration: 00:00:00.04, start: 0.000000, bitrate: 31845 kb/s
    Stream #0:0: Video: mjpeg (Baseline), yuvj420p(pc, bt470bg/unknown/unknown), 1920x1080 [SAR 1:1 DAR 16:9], 25 tbr, 25 tbn, 25 tbc
Input #1, mov,mp4,m4a,3gp,3g2,mj2, from 'tooth.mp4':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2avc1mp41
    encoder         : Lavf57.83.100
  Duration: 00:01:02.50, start: 0.000000, bitrate: 256 kb/s
    Stream #1:0(und): Video: h264 (High) (avc1 / 0x31637661), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], 253 kb/s, 24 fps, 24 tbr, 12288 tbn, 48 tbc (default)
    Metadata:
      handler_name    : VideoHandler
[New Thread 0x7ffff3de6700 (LWP 10127)]
[New Thread 0x7ffff35e5700 (LWP 10128)]
[New Thread 0x7ffff2de4700 (LWP 10129)]
[New Thread 0x7ffff25e3700 (LWP 10130)]
[New Thread 0x7ffff1de2700 (LWP 10131)]
[New Thread 0x7ffff15e1700 (LWP 10132)]
[New Thread 0x7ffff0de0700 (LWP 10133)]
[New Thread 0x7ffff05df700 (LWP 10134)]
[New Thread 0x7fffefdde700 (LWP 10135)]
Stream mapping:
  Stream #0:0 (mjpeg) -> overlay:overlay
  Stream #1:0 (h264) -> overlay:main
  overlay -> Stream #0:0 (wrapped_avframe)
Press [q] to stop, [?] for help
[New Thread 0x7fffef5dd700 (LWP 10136)]
[Thread 0x7fffef5dd700 (LWP 10136) exited]
[New Thread 0x7fffeeddc700 (LWP 10137)]
[New Thread 0x7fffecfe6700 (LWP 10138)]
[New Thread 0x7fffc7fff700 (LWP 10139)]
[New Thread 0x7fffc77fe700 (LWP 10140)]
[New Thread 0x7fffc6ffd700 (LWP 10141)]
[New Thread 0x7fffc67fc700 (LWP 10142)]
[New Thread 0x7fffc5ffb700 (LWP 10143)]
[New Thread 0x7fffc57fa700 (LWP 10144)]
[New Thread 0x7fffc4ff9700 (LWP 10145)]
[swscaler @ 0x2c166c0] deprecated pixel format used, make sure you did set range correctly

Program received signal SIGSEGV, Segmentation fault.
blend_plane (nb_jobs=9, jobnr=0, yuv=1, straight=1, dst_step=1, dst_offset=<optimized out>,
    dst_plane=<optimized out>, main_has_alpha=0, y=-6, x=4, vsub=0, hsub=0, i=0, dst_h=1080, dst_w=1920, src_h=1080,
    src_w=1920, src=0x2c52b00, dst=0x2191cc0, ctx=0x21918c0) at libavfilter/vf_overlay.c:534
534                     *d = FAST_DIV255(*d * (255 - alpha) + *s * alpha);
(gdb) bt
#0  blend_plane (nb_jobs=9, jobnr=0, yuv=1, straight=1, dst_step=1, dst_offset=<optimized out>,
    dst_plane=<optimized out>, main_has_alpha=0, y=-6, x=4, vsub=0, hsub=0, i=0, dst_h=1080, dst_w=1920, src_h=1080,
    src_w=1920, src=0x2c52b00, dst=0x2191cc0, ctx=0x21918c0) at libavfilter/vf_overlay.c:534
#1  blend_slice_yuv (nb_jobs=9, jobnr=0, is_straight=1, y=-6, x=4, main_has_alpha=0, vsub=1, hsub=1, src=0x2c52b00,
    dst=0x2191cc0, ctx=0x21918c0) at libavfilter/vf_overlay.c:615
#2  blend_slice_yuv420 (ctx=0x21918c0, arg=<optimized out>, jobnr=0, nb_jobs=9) at libavfilter/vf_overlay.c:662
#3  0x00000000004ddcd9 in worker_func (priv=0x28ee2c0, jobnr=0, threadnr=<optimized out>, nb_jobs=<optimized out>,
    nb_threads=<optimized out>) at libavfilter/pthread.c:50
#4  0x0000000001166db6 in run_jobs (ctx=0x2820040) at libavutil/slicethread.c:61
#5  avpriv_slicethread_execute (ctx=0x2820040, nb_jobs=<optimized out>, execute_main=<optimized out>)
    at libavutil/slicethread.c:188
#6  0x00000000004ddd22 in thread_execute (ctx=<optimized out>, func=<optimized out>, arg=<optimized out>,
    ret=<optimized out>, nb_jobs=<optimized out>) at libavfilter/pthread.c:72
#7  0x000000000057622c in do_blend (fs=<optimized out>) at libavfilter/vf_overlay.c:970
#8  0x00000000004db1c0 in ff_framesync_activate (fs=0x2191a28) at libavfilter/framesync.c:353
#9  0x00000000004c8c6c in ff_filter_activate (filter=0x21918c0) at libavfilter/avfilter.c:1429
#10 0x00000000004cc6cc in ff_filter_graph_run_once (graph=graph@entry=0x218f3c0) at libavfilter/avfiltergraph.c:1454
#11 0x00000000004cd73c in push_frame (graph=0x218f3c0) at libavfilter/buffersrc.c:181
#12 av_buffersrc_add_frame_internal (ctx=ctx@entry=0x2193900, frame=frame@entry=0x2192100, flags=flags@entry=4)
    at libavfilter/buffersrc.c:255
#13 0x00000000004cdbed in av_buffersrc_add_frame_flags (ctx=0x2193900, frame=frame@entry=0x2192100,
    flags=flags@entry=4) at libavfilter/buffersrc.c:164
#14 0x00000000004a2e61 in ifilter_send_frame (frame=0x2192100, ifilter=0x21534c0) at fftools/ffmpeg.c:2197
#15 send_frame_to_filters (ist=ist@entry=0x2140bc0, decoded_frame=decoded_frame@entry=0x2192100)
    at fftools/ffmpeg.c:2271
#16 0x00000000004a360e in decode_video (ist=ist@entry=0x2140bc0, pkt=pkt@entry=0x7fffffffd2c0,
    got_output=<optimized out>, duration_pts=<optimized out>, eof=<optimized out>, decode_failed=<optimized out>)
    at fftools/ffmpeg.c:2470
#17 0x00000000004a492b in process_input_packet (ist=0x2140bc0, pkt=0x7fffffffd6e0, no_eof=0) at fftools/ffmpeg.c:2624
#18 0x00000000004a6517 in process_input (file_index=<optimized out>) at fftools/ffmpeg.c:4514
#19 transcode_step () at fftools/ffmpeg.c:4634
#20 transcode () at fftools/ffmpeg.c:4688
#21 0x0000000000484853 in main (argc=<optimized out>, argv=0x7fffffffdcb8) at fftools/ffmpeg.c:4895
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x56bdb5 to 0x56bdf5:
   0x000000000056bdb5 <blend_slice_yuv420+597>: (bad)
   0x000000000056bdb6 <blend_slice_yuv420+598>: cmp    0x4c(%rsp),%edx
   0x000000000056bdba <blend_slice_yuv420+602>: jge    0x56be07 <blend_slice_yuv420+679>
   0x000000000056bdbc <blend_slice_yuv420+604>: mov    0x60(%rsp),%esi
   0x000000000056bdc0 <blend_slice_yuv420+608>: xor    %ecx,%ecx
   0x000000000056bdc2 <blend_slice_yuv420+610>: sub    %edx,%esi
   0x000000000056bdc4 <blend_slice_yuv420+612>: add    $0x1,%rsi
   0x000000000056bdc8 <blend_slice_yuv420+616>: nopl   0x0(%rax,%rax,1)
   0x000000000056bdd0 <blend_slice_yuv420+624>: movzbl (%r12,%rcx,1),%edi
=> 0x000000000056bdd5 <blend_slice_yuv420+629>: movzbl (%rbx),%edx
   0x000000000056bdd8 <blend_slice_yuv420+632>: mov    %r13d,%eax
   0x000000000056bddb <blend_slice_yuv420+635>: sub    %edi,%eax
   0x000000000056bddd <blend_slice_yuv420+637>: imul   %eax,%edx
   0x000000000056bde0 <blend_slice_yuv420+640>: movzbl 0x0(%rbp,%rcx,1),%eax
   0x000000000056bde5 <blend_slice_yuv420+645>: add    $0x1,%rcx
   0x000000000056bde9 <blend_slice_yuv420+649>: imul   %edi,%eax
   0x000000000056bdec <blend_slice_yuv420+652>: lea    0x80(%rdx,%rax,1),%edx
   0x000000000056bdf3 <blend_slice_yuv420+659>: mov    %edx,%eax
End of assembler dump.
(gdb) info register
rax            0x0      0
rbx            0x7fffec4e5344   140737157944132
rcx            0x0      0
rdx            0x0      0
rsi            0x77c    1916
rdi            0xff     255
rbp            0x2c52d40        0x2c52d40
rsp            0x7fffffffccf0   0x7fffffffccf0
r8             0x0      0
r9             0x780    1920
r10            0x2f4fec0        49610432
r11            0x2c52d40        46476608
r12            0x2f4fec0        49610432
r13            0xff     255
r14            0x7fffec4e5340   140737157944128
r15            0x1      1
rip            0x56bdd5 0x56bdd5 <blend_slice_yuv420+629>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

comment:2 by Carl Eugen Hoyos, 5 years ago

Resolution: fixed
Status: open → closed

I believe this issue was fixed.
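
The crash in this ticket occurs with the overlay placed at a negative y offset, and the backtrace shows the per-pixel blend running with y=-6 against a 1080-row destination. As an added example (not FFmpeg's code and not the fix that was committed), here is one way to clip a blend to the visible rectangle before any pixel is touched; `blend_plane_clipped`, `DIV255` and `demo_offscreen_overlay` are hypothetical names, and the small guarded canvas is constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Rounded v/255 for 0 <= v <= 255*255; local stand-in, not FFmpeg's header. */
#define DIV255(v) ((((v) + 128) * 257) >> 16)

static int imax(int a, int b) { return a > b ? a : b; }
static int imin(int a, int b) { return a < b ? a : b; }

/* Blend an 8-bit src plane onto dst at (x, y). x and y may be negative or
 * reach past the right/bottom edge. Assumes sizes and offsets fit well inside
 * int and that alpha uses src_stride. Returns the number of pixels blended. */
int blend_plane_clipped(uint8_t *dst, int dst_w, int dst_h, int dst_stride,
                        const uint8_t *src, const uint8_t *alpha,
                        int src_w, int src_h, int src_stride, int x, int y)
{
    /* Visible part in source coordinates: rows [i0, i1), columns [j0, j1). */
    int i0 = imax(-y, 0), i1 = imin(src_h, dst_h - y);
    int j0 = imax(-x, 0), j1 = imin(src_w, dst_w - x);
    int n = 0;
    if (i0 >= i1 || j0 >= j1)
        return 0;                      /* fully offscreen: touch nothing */
    for (int i = i0; i < i1; i++) {
        uint8_t *d = dst + (ptrdiff_t)(y + i) * dst_stride + (x + j0);
        const uint8_t *s = src + (ptrdiff_t)i * src_stride + j0;
        const uint8_t *a = alpha + (ptrdiff_t)i * src_stride + j0;
        for (int j = j0; j < j1; j++, d++, s++, a++, n++)
            *d = DIV255(*d * (255 - *a) + *s * *a);
    }
    return n;
}

/* Constructed check: 16x8 canvas with 64 guard bytes on each side and an
 * opaque 16x8 overlay. Returns -1 if any guard byte was modified. */
int demo_offscreen_overlay(int x, int y)
{
    enum { W = 16, H = 8, G = 64 };
    uint8_t buf[G + W * H + G], src[W * H], alpha[W * H];
    memset(buf, 0xAA, sizeof(buf));
    memset(buf + G, 0, W * H);
    memset(src, 200, sizeof(src));
    memset(alpha, 255, sizeof(alpha));
    int n = blend_plane_clipped(buf + G, W, H, W, src, alpha, W, H, W, x, y);
    for (int k = 0; k < G; k++)
        if (buf[k] != 0xAA || buf[G + W * H + k] != 0xAA)
            return -1;
    return n;
}

int main(void) { return demo_offscreen_overlay(5, -5) == 33 ? 0 : 1; }
```

With the ticket's offsets x=5, y=-5 on the 16x8 canvas, only 3 rows by 11 columns are visible, so 33 pixels are blended and the guard bytes stay intact.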
