Opened 17 months ago

Last modified 13 months ago

#10061 new defect

jpeg2000: crash with forced libopenjpeg decoder and image2 demuxer

Reported by: ami_stuff
Owned by:
Priority: normal
Component: undetermined
Version: unspecified
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

https://github.com/openpreserve/jpylyzer-test-files/raw/master/palettedImage.jp2

(gdb) r -vcodec libopenjpeg -f image2 -i palettedImage.jp2 -f null -
Starting program: ffmpeg_g -vcodec libopenjpeg -f image2 -i palettedImage.jp2 -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-109101-g822da7a317 Copyright (c) 2000-2022 the FFmpeg developers
  built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
  configuration: --enable-libopenjpeg
  libavutil      57. 42.100 / 57. 42.100
  libavcodec     59. 52.102 / 59. 52.102
  libavformat    59. 34.101 / 59. 34.101
  libavdevice    59.  8.101 / 59.  8.101
  libavfilter     8. 50.100 /  8. 50.100
  libswscale      6.  8.112 /  6.  8.112
  libswresample   4.  9.100 /  4.  9.100
Input #0, image2, from 'palettedImage.jp2':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
  Stream #0:0: Video: jpeg2000, gray, 1024x1024, 25 fps, 25 tbr, 25 tbn
[New Thread 0x7ffff6b37700 (LWP 33350)]
[New Thread 0x7ffff6336700 (LWP 33351)]
[New Thread 0x7ffff5b35700 (LWP 33352)]
[New Thread 0x7ffff5334700 (LWP 33353)]
[New Thread 0x7ffff4b33700 (LWP 33354)]
[New Thread 0x7ffff4332700 (LWP 33355)]
[New Thread 0x7ffff3b31700 (LWP 33356)]
[New Thread 0x7ffff3330700 (LWP 33357)]
[New Thread 0x7ffff2b2f700 (LWP 33358)]
Stream mapping:
  Stream #0:0 -> #0:0 (jpeg2000 (libopenjpeg) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
[New Thread 0x7ffff232e700 (LWP 33359)]
[Thread 0x7ffff232e700 (LWP 33359) exited]
free(): invalid pointer

Thread 2 "av:libopen:df0" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff6b37700 (LWP 33350)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7616859 in __GI_abort () at abort.c:79
#2  0x00007ffff768126e in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff77ab298 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff76892fc in malloc_printerr (
    str=str@entry=0x7ffff77a94c1 "free(): invalid pointer") at malloc.c:5347
#4  0x00007ffff768ab2c in _int_free (av=<optimized out>, p=<optimized out>, 
    have_lock=0) at malloc.c:4173
#5  0x00007ffff784721b in ?? () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#6  0x00007ffff78205e5 in ?? () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#7  0x00007ffff782864c in ?? () from /lib/x86_64-linux-gnu/libopenjp2.so.7
#8  0x00007ffff782b123 in opj_destroy_codec ()
   from /lib/x86_64-linux-gnu/libopenjp2.so.7
#9  0x0000555555d4d6ea in libopenjpeg_decode_frame (avctx=<optimized out>, 
    picture=<optimized out>, got_frame=0x5555571535d0, avpkt=<optimized out>)
    at libavcodec/libopenjpegdec.c:483
#10 0x0000555555e47266 in frame_worker_thread (arg=0x5555571534c0)
    at libavcodec/pthread_frame.c:241
#11 0x00007ffff77ee609 in start_thread (arg=<optimized out>)
    at pthread_create.c:477
#12 0x00007ffff7713133 in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
==33417== Invalid write of size 1
==33417==    at 0x901DE1: libopenjpeg_copy_to_packed8 (libopenjpegdec.c:250)
==33417==    by 0x901DE1: libopenjpeg_decode_frame (libopenjpegdec.c:445)
==33417==    by 0x76E951: decode_simple_internal (decode.c:307)
==33417==    by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417==    by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417==    by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417==    by 0x56BB02: try_decode_frame (demux.c:2054)
==33417==    by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417==    by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417==    by 0x2B3B41: open_files.isra.0 (ffmpeg_opt.c:1248)
==33417==    by 0x2B4FDE: ffmpeg_parse_options (ffmpeg_opt.c:1287)
==33417==    by 0x29F149: main (ffmpeg.c:4035)
==33417==  Address 0x5ef254f is 0 bytes after a block of size 1,048,655 alloc'd
==33417==    at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417==    by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417==    by 0x1071DD4: av_malloc (mem.c:105)
==33417==    by 0x105E6D9: av_buffer_alloc (buffer.c:82)
==33417==    by 0x105E753: av_buffer_allocz (buffer.c:95)
==33417==    by 0x105EEBC: pool_alloc_buffer (buffer.c:363)
==33417==    by 0x105EEBC: av_buffer_pool_get (buffer.c:401)
==33417==    by 0x82C173: video_get_buffer (get_buffer.c:262)
==33417==    by 0x82C173: avcodec_default_get_buffer2 (get_buffer.c:298)
==33417==    by 0x770BC2: ff_get_buffer (decode.c:1505)
==33417==    by 0x9FADD4: thread_get_buffer_internal (pthread_frame.c:993)
==33417==    by 0x9FADD4: ff_thread_get_buffer (pthread_frame.c:1074)
==33417==    by 0x9018BB: libopenjpeg_decode_frame (libopenjpegdec.c:418)
==33417==    by 0x76E951: decode_simple_internal (decode.c:307)
==33417==    by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417==    by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417==    by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417== 
==33417== Invalid free() / delete / delete[] / realloc()
==33417==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417==    by 0x4FF439A: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FF21DC: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FCB5E4: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FD364B: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FD6122: opj_destroy_codec (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x9016E9: libopenjpeg_decode_frame (libopenjpegdec.c:483)
==33417==    by 0x76E951: decode_simple_internal (decode.c:307)
==33417==    by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417==    by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417==    by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417==    by 0x56BB02: try_decode_frame (demux.c:2054)
==33417==    by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417==    by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417==  Address 0xf15000b0f00090d is not stack'd, malloc'd or (recently) free'd
==33417== 
==33417== Invalid free() / delete / delete[] / realloc()
==33417==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==33417==    by 0x4FF439A: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FF21ED: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FCB5E4: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FD364B: ??? (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x4FD6122: opj_destroy_codec (in /usr/lib/x86_64-linux-gnu/libopenjp2.so.2.3.1)
==33417==    by 0x9016E9: libopenjpeg_decode_frame (libopenjpegdec.c:483)
==33417==    by 0x76E951: decode_simple_internal (decode.c:307)
==33417==    by 0x76E951: decode_simple_receive_frame (decode.c:563)
==33417==    by 0x76E951: decode_receive_frame_internal (decode.c:584)
==33417==    by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417==    by 0x56BB02: try_decode_frame (demux.c:2054)
==33417==    by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417==    by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417==  Address 0xd12000c11000b0f is not stack'd, malloc'd or (recently) free'd
==33417== 
Assertion (frame->private_ref && frame->private_ref->size == sizeof(FrameDecodeData)) || !(avctx->codec->capabilities & (1 << 1)) failed at libavcodec/decode.c:615
==33417== 
==33417== Process terminating with default action of signal 6 (SIGABRT)
==33417==    at 0x507200B: raise (raise.c:51)
==33417==    by 0x5051858: abort (abort.c:79)
==33417==    by 0x76F37F: decode_simple_internal (decode.c:502)
==33417==    by 0x76F37F: decode_simple_receive_frame (decode.c:563)
==33417==    by 0x76F37F: decode_receive_frame_internal (decode.c:584)
==33417==    by 0x76F4FF: avcodec_send_packet (decode.c:665)
==33417==    by 0x56BB02: try_decode_frame (demux.c:2054)
==33417==    by 0x570D98: avformat_find_stream_info (demux.c:2747)
==33417==    by 0x2A3CA8: ifile_open (ffmpeg_demux.c:953)
==33417==    by 0x2B3B41: open_files.isra.0 (ffmpeg_opt.c:1248)
==33417==    by 0x2B4FDE: ffmpeg_parse_options (ffmpeg_opt.c:1287)
==33417==    by 0x29F149: main (ffmpeg.c:4035)
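The valgrind report above shows a one-byte write just past a frame buffer in the planar-to-packed copy, followed by invalid free()s inside libopenjp2 that are consistent with corrupted heap metadata. The following is an added example, not FFmpeg's libopenjpeg_copy_to_packed8 or any other code from the ticket: a hypothetical `copy_to_packed8_checked` that validates component dimensions and the destination size before writing, so a mismatch is rejected instead of overrunning the buffer. The `comp_t` type and the sample data are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical planar component, modelled on the idea that the codestream
 * reports its own dimensions and stores samples as signed 32-bit values. */
typedef struct {
    int w, h;
    const int32_t *data;
} comp_t;

/* Interleave ncomps planar components into dst as packed 8-bit samples.
 * Returns the number of destination bytes needed on success, or -1 if any
 * component disagrees with the frame size or the copy would exceed dst_size.
 * Every check happens before the first byte is written. */
long copy_to_packed8_checked(uint8_t *dst, size_t dst_size, size_t dst_linesize,
                             int frame_w, int frame_h,
                             const comp_t *comps, int ncomps)
{
    if (frame_w <= 0 || frame_h <= 0 || ncomps <= 0 || !dst)
        return -1;
    for (int c = 0; c < ncomps; c++)
        if (comps[c].w != frame_w || comps[c].h != frame_h || !comps[c].data)
            return -1;
    size_t need = (size_t)(frame_h - 1) * dst_linesize + (size_t)frame_w * (size_t)ncomps;
    if (dst_linesize < (size_t)frame_w * (size_t)ncomps || need > dst_size)
        return -1;
    for (int y = 0; y < frame_h; y++)
        for (int x = 0; x < frame_w; x++)
            for (int c = 0; c < ncomps; c++) {
                int32_t v = comps[c].data[(size_t)y * (size_t)frame_w + (size_t)x];
                /* Clamp to the 8-bit range rather than truncating. */
                dst[(size_t)y * dst_linesize + (size_t)x * (size_t)ncomps + (size_t)c] =
                    (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
            }
    return (long)need;
}

/* Constructed sample: one 4x2 gray component, 8 samples, two of them out of
 * the 8-bit range, and a destination with one byte of slack after the pixels. */
static const int32_t sample_samples[8] = {0, 64, 128, 255, 300, -5, 16, 32};
static uint8_t sample_dst[9];

long demo_ok(void) {           /* dimensions agree: copy succeeds, 8 bytes used */
    comp_t c = {4, 2, sample_samples};
    return copy_to_packed8_checked(sample_dst, sizeof sample_dst, 4, 4, 2, &c, 1);
}
long demo_mismatch(void) {     /* component claims an extra row: rejected */
    comp_t c = {4, 3, sample_samples};
    return copy_to_packed8_checked(sample_dst, sizeof sample_dst, 4, 4, 2, &c, 1);
}
long demo_short_buffer(void) { /* destination one byte too small: rejected */
    comp_t c = {4, 2, sample_samples};
    return copy_to_packed8_checked(sample_dst, 7, 4, 4, 2, &c, 1);
}
uint8_t demo_pixel(int i) { return sample_dst[i]; }
```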

Change History (2)

comment:1 by Balling, 17 months ago

Moreover, out2123.png is complete garbage:

ffmpeg -c:v libopenjpeg -f image2 -i L:\palettedImage.jp2 out2123.png

As you said jpeg2000 is good:

ffmpeg -c:v jpeg2000 -f image2 -i palettedImage.jp2 out2123.bmp

comment:2 by Balling, 13 months ago

libopenjpeg decoder was just removed. 60ccb3fe787be3bb10fc4545b3593cd1e0b769ed
