Opened 5 years ago
Closed 5 years ago
#7976 closed defect (fixed)
ffplay mpd file segfaults in refresh_manifest()
| Reported by: | Clem Taylor | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | dash crash SIGSEGV |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
ffplay http://.../test.mpd plays for a while (>30s) and then segfaults with a null pointer deref in refresh_manifest() libavformat/dashdec.c:1437
ffmpeg 4154f89678 ffplay version n4.1.3 Copyright (c) 2003-2019 the FFmpeg developers built with gcc 9 (GCC) configuration: --enable-libxml2 libavutil 56. 22.100 / 56. 22.100 libavcodec 58. 35.100 / 58. 35.100 libavformat 58. 20.100 / 58. 20.100 libavdevice 58. 5.100 / 58. 5.100 libavfilter 7. 40.101 / 7. 40.101 libswscale 5. 3.100 / 5. 3.100 libswresample 3. 3.100 / 3. 3.100
0x00000000006378b0 in refresh_manifest (s=0x0) at libavformat/dashdec.c:1437
1437 DASHContext *c = s->priv_data;
(gdb) where
#0 0x00000000006378b0 in refresh_manifest (s=0x0) at libavformat/dashdec.c:1437
#1 0x0000000000638203 in get_current_fragment (pls=pls@entry=0x7fffd0005cc0)
at libavformat/dashdec.c:1542
#2 0x0000000000638669 in read_data (opaque=0x7fffd0005cc0, buf=0x7fffd0896bc0 "", buf_size=32768)
at libavformat/dashdec.c:1709
#3 0x0000000000626b01 in read_packet_wrapper (size=32768, buf=<optimized out>, s=0x7fffd0005cc8)
at libavformat/aviobuf.c:535
#4 fill_buffer (s=0x7fffd0005cc8) at libavformat/aviobuf.c:585
#5 avio_read (s=s@entry=0x7fffd0005cc8, buf=<optimized out>, size=size@entry=2048)
at libavformat/aviobuf.c:678
#6 0x0000000000650a04 in av_probe_input_buffer2 (pb=pb@entry=0x7fffd0005cc8,
fmt=fmt@entry=0x7fffdcc9dad0, filename=filename@entry=0x117939c "", logctx=logctx@entry=0x0,
offset=offset@entry=0, max_probe_size=1048576, max_probe_size@entry=0) at libavformat/format.c:262
#7 0x0000000000650bf9 in av_probe_input_buffer (pb=pb@entry=0x7fffdNcat: 0005cc8,
fmt=fmt@entry=0x7fffdcc9dad0, filename=filename@entry=0x117939c "", logctx=logctx@entry=0x0,
offset=offset@entry=0,Broken pipe.
max_probe_size=max_probe_size@entry=0) at libavformat/format.c:316
#8 0x0000000000633ec4 in reopen_demux_for_component (s=s@entry=0x7fffd0000b80,
pls=pls@entry=0x7fffd0005cc0) at libavformat/dashdec.c:1850
#9 0x00000000006355cc in dash_read_packet (s=0x7fffd0000b80, pkt=0x7fffdcc9dc60)
at libavformat/dashdec.c:2115
#10 0x0000000000732733 in ff_read_packet (s=s@entry=0x7fffd0000b80, pkt=pkt@entry=0x7fffdcc9dc60)
at libavformat/utils.c:856
#11 0x00000000007337e9 in read_frame_internal (s=0x7fffd0000b80, pkt=0x7fffdcc9ddc0)
at libavformat/utils.c:1582
#12 0x000000000073477d in av_read_frame (s=0x7fffd0000b80, pkt=pkt@entry=0x7fffdcc9ddc0)
at libavformat/utils.c:472
#13 0x000000000048c2b8 in read_thread (arg=0x45869c0) at fftools/ffplay.c:3014
#14 0x00007ffff7c126e0 in ?? () from /lib64/libSDL2-2.0.so.0
#15 0x00007ffff7c8a2ad in ?? () from /lib64/libSDL2-2.0.so.0
#16 0x00007ffff786c5a2 in start_thread () from /lib64/libpthread.so.0
#17 0x00007ffff7799163 in clone () from /lib64/libc.so.6
Attachments (1)
Change History (13)
comment:1 by , 5 years ago
| Component: | ffplay → avformat |
|---|---|
| Keywords: | dash crash SIGSEGV added; segfault removed |
comment:3 by , 5 years ago
Replying to stevenliu:
Hi can you leave the mpd link here, let me test it.
Sorry, I don't have a public source, I was just re-muxing a rtsp stream generated with ffmpeg.
The crash is related to the window expiration. With the rtsp source using 90 frame gops, the segfault happened after ~48s, which is the window size (3*16=48). Reducing the gop size to 60 frames, it would crash after 30s.
Here is the ffmpeg command to generate the mpd:
ffmpeg \
-nostats -hide_banner \
-buffer_size 1572864 \
-i rtsp://192.168.100.100/video1 \
-probesize 32 \
-c:v copy \
-an \
-copyts \
-fflags nobuffer \
-flags +global_header+low_delay \
-seg_duration 0.5 \
-window_size 16 \
-extra_window_size 2 \
-use_template 0 \
-use_timeline 0 \
-init_seg_name 'live-init-stream$RepresentationID$.m4s' \
-media_seg_name 'live-$RepresentationID$-$Number%06d$-$Time%09d$.m4s' \
-hls_playlist 1 \
-streaming 1 \
-dash_segment_type mp4 \
-f dash test.mpd
comment:6 by , 5 years ago
Replying to cehoyos:
Can't you upload what you produced?
It is a live stream, the .mpd file is constantly (every 5s) changing and the problem seems to occur when the all the segments that where present initially have fallen out of the sliding window.
Just reading the initial .mpd file is fine, the problem doesn't occur until the 16 or 17th time it reads the .mpd file.
by , 5 years ago
| Attachment: | master.mpd added |
|---|
Example mpd causing segfault with startNumber parser for segmentlist
comment:9 by , 5 years ago
I have attached an example mpd file which produces a segfault in ffprobe with the patch https://patchwork.ffmpeg.org/patch/14996/ applied.
I am about to submit a patch which should rectify this.
comment:11 by , 5 years ago
The attached sample (and patch) look unrelated to the provided bug report.
comment:12 by , 5 years ago
| Priority: | normal → important |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Maybe fixed by Steven Liu in e55018ee110bf42e32739b1725411dde44e70291
Please test current FFmpeg git head and provide all missing information as explained on http://ffmpeg.org/bugreports.html