Opened 12 years ago

Closed 12 years ago

#1112 closed defect (fixed)

tiff enc: invalid read with -vf vflip and -pix_fmt yuv420p

Reported by: ami_stuff
Owned by:
Priority: normal
Component: avcodec
Version: git-master
Keywords: tif
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

http://ffmpeg.org/trac/ffmpeg/attachment/ticket/1059/599.png

(gdb) r -i 599.png -s 1111x1111 -vf vflip -pix_fmt yuv420p out.tif
Starting program: d:\mingw\msys\1.0\ffmpeg\ffmpeg_g.exe -i 599.png -s 1111x1111
-vf vflip -pix_fmt yuv420p out.tif
[New Thread 3728.0xe94]
ffmpeg version 0.9.1.git Copyright (c) 2000-2012 the FFmpeg developers
  built on Mar 10 2012 16:15:15 with gcc 4.6.1
  configuration: --disable-yasm --disable-ffprobe
  libavutil      51. 42.100 / 51. 42.100
  libavcodec     54. 10.100 / 54. 10.100
  libavformat    54.  2.100 / 54.  2.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 63.100 /  2. 63.100
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0.  7.100 /  0.  7.100
Input #0, image2, from '599.png':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: png, rgb24, 599x412, 25 tbr, 25 tbn, 25 tbc
[buffer @ 03871e60] w:599 h:412 pixfmt:rgb24 tb:1/1000000 sar:0/1 sws_param:
[scale @ 038715e0] w:599 h:412 fmt:rgb24 -> w:1111 h:1111 fmt:yuv420p flags:0x4
Output #0, image2, to 'out.tif':
  Metadata:
    encoder         : Lavf54.2.100
    Stream #0:0: Video: tiff, yuv420p, 1111x1111, q=2-31, 200 kb/s, 90k tbn, 25
tbc
Stream mapping:
  Stream #0:0 -> #0:0 (png -> tiff)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
0x00827ab5 in pack_yuv (s=0x38639a0,
    dst=0x3e078a2 "iiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iii
iT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT
?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiii"..., lnum=1110)
    at libavcodec/tiffenc.c:198
198                     *dst++ = p->data[0][(lnum + j) * p->linesize[0] +
(gdb) bt
#0  0x00827ab5 in pack_yuv (s=0x38639a0,
    dst=0x3e078a2 "iiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iii
iT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT
?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiiiT?iiii"..., lnum=1110)
    at libavcodec/tiffenc.c:198
#1  0x00828301 in encode_frame (avctx=0x3863320, pkt=0x22db40, pict=0x22d9d8,
    got_packet=0x22dc0c) at libavcodec/tiffenc.c:383
#2  0x004f945d in avcodec_encode_video2 (avctx=0x3863320, avpkt=0x22db40,
    frame=0x22d9d8, got_packet_ptr=0x22dc0c) at libavcodec/utils.c:1219
#3  0x00405de0 in do_video_out (s=0x386a620, ost=0x3863700,
    in_picture=0x3872b60, ist=<optimized out>) at ffmpeg.c:1619
#4  0x00407d6c in transcode_video (pkt_pts=<optimized out>,
    got_output=<optimized out>, pkt=<optimized out>, ist=<optimized out>)
    at ffmpeg.c:2178
#5  output_packet (ist=0x38718a0, ost_table=0x3863700, nb_ostreams=1,
    pkt=0x22fb28) at ffmpeg.c:2270
#6  0x0040bf3b in transcode (output_files=0x3871d80, nb_output_files=1,
    input_files=0x3871960, nb_input_files=1) at ffmpeg.c:3082
#7  0x0022ff48 in ?? ()
Backtrace stopped: Not enough registers or memory available to unwind further

Change History (2)

comment:1 by Carl Eugen Hoyos, 12 years ago

Component: undetermined → avcodec
Keywords: tif added
Reproduced by developer: set
Status: new → open
Summary: tiff enc: crash with -vf vflip and -pix_fmt yuv420p → tiff enc: invalid read with -vf vflip and -pix_fmt yuv420p
Version: unspecified → git-master

$ valgrind ./ffmpeg_g -i tests/lena.pnm -vf vflip -pix_fmt yuv420p -s 1111x1111 out.tif
ffmpeg version N-38996-g3493390 Copyright (c) 2000-2012 the FFmpeg developers
  built on Mar 21 2012 18:23:24 with gcc 4.3.2
  configuration: --cc=/usr/local/gcc-4.3.2/bin/gcc --enable-gpl
  libavutil      51. 43.100 / 51. 43.100
  libavcodec     54. 12.100 / 54. 12.100
  libavformat    54.  2.100 / 54.  2.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 65.102 /  2. 65.102
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0.  7.100 /  0.  7.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, image2, from 'tests/lena.pnm':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: ppm, rgb24, 256x256, 25 tbr, 25 tbn, 25 tbc
[buffer @ 0x449b3c0] w:256 h:256 pixfmt:rgb24 tb:1/1000000 sar:0/1 sws_param:
[scale @ 0x449bcc0] w:256 h:256 fmt:rgb24 sar:0/1 -> w:1111 h:1111 fmt:yuv420p sar:0/1 flags:0x4
Output #0, image2, to 'out.tif':
  Metadata:
    encoder         : Lavf54.2.100
    Stream #0:0: Video: tiff, yuv420p, 1111x1111, q=2-31, 200 kb/s, 90k tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (ppm -> tiff)
Press [q] to stop, [?] for help
==6125== Invalid read of size 1
==6125==    at 0x8555E13: encode_frame (tiffenc.c:198)
==6125==  Address 0x4704C00 is not stack'd, malloc'd or (recently) free'd
frame=    1 fps=0.5 q=0.0 Lsize=       0kB time=00:00:00.04 bitrate=   0.0kbits/s
video:1767kB audio:0kB global headers:0kB muxing overhead -100.000000%
==6125==
==6125== ERROR SUMMARY: 1112 errors from 1 contexts (suppressed: 3 from 1)
==6125== malloc/free: in use at exit: 0 bytes in 0 blocks.
==6125== malloc/free: 742 allocs, 742 frees, 34,057,211 bytes allocated.
==6125== For counts of detected errors, rerun with: -v
==6125== All heap blocks were freed -- no leaks are possible.

comment:2 by Michael Niedermayer, 12 years ago

Resolution: fixed
Status: open → closed