Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#14 closed defect (fixed)

Crash when reading mkv file

Reported by: cehoyos
Owned by: michael
Priority: important
Component: avformat
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no


Attached file crashes current FFmpeg in metadata.c.

(gdb) r -i crash.mkv
FFmpeg version git-N-28581-g4fa0e24, Copyright (c) 2000-2011 the FFmpeg developers
  built on Mar 23 2011 06:04:48 with gcc 4.5.2
  configuration: --cc=/usr/local/gcc-4.5.2/bin/gcc --enable-gpl
  libavutil    50. 40. 0 / 50. 40. 0
  libavcodec   52.114. 0 / 52.114. 0
  libavformat  52.103. 0 / 52.103. 0
  libavdevice  52.  3. 0 / 52.  3. 0
  libavfilter   1. 76. 0 /  1. 76. 0
  libswscale    0. 12. 0 /  0. 12. 0

Program received signal SIGSEGV, Segmentation fault.
av_metadata_set2 (pm=0x188, key=0x7fffffffd470 "LANGUAGE", value=0x11ef000 "fra", flags=0)
    at libavformat/metadata.c:51
51          AVMetadata *m= *pm;
(gdb) bt
#0  av_metadata_set2 (pm=0x188, key=0x7fffffffd470 "LANGUAGE", value=0x11ef000 "fra", flags=0)
    at libavformat/metadata.c:51
#1  0x0000000000488507 in matroska_convert_tag (s=0x11ed650, list=0x11eef68, metadata=0x188, prefix=0x0)
    at libavformat/matroskadec.c:1063
#2  0x000000000048a4c2 in matroska_convert_tags (s=0x11ed650) at libavformat/matroskadec.c:1101
#3  matroska_read_header (s=0x11ed650) at libavformat/matroskadec.c:1547
#4  0x00000000004e9c11 in av_open_input_stream (ic_ptr=0x7fffffffdbb8, pb=0x11f66f0,
    filename=0x7fffffffe28c "crash.mkv", fmt=0xc86980, ap=0x7fffffffdb80) at libavformat/utils.c:491
#5  0x00000000004ea129 in av_open_input_file (ic_ptr=<value optimized out>,
    filename=<value optimized out>, fmt=0xc86980, buf_size=<value optimized out>,
    ap=<value optimized out>) at libavformat/utils.c:647
#6  0x000000000040c758 in opt_input_file (filename=0x7fffffffe28c "crash.mkv") at ffmpeg.c:3148
#7  0x0000000000410702 in parse_options (argc=3, argv=0x7fffffffde18, options=0x8efc60,
    parse_arg_function=0x40edf0 <opt_output_file>) at cmdutils.c:220
#8  0x000000000040f9b2 in main (argc=3, argv=0x7fffffffde18) at ffmpeg.c:4324
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x494727 to 0x494767:
0x0000000000494727 <av_metadata_set2+7>:        fs
0x0000000000494728 <av_metadata_set2+8>:        and    $0xe0,%al
0x000000000049472a <av_metadata_set2+10>:       mov    %ecx,%ebp
0x000000000049472c <av_metadata_set2+12>:       mov    %r13,-0x18(%rsp)
0x0000000000494731 <av_metadata_set2+17>:       mov    %r14,-0x10(%rsp)
0x0000000000494736 <av_metadata_set2+22>:       mov    %rdi,%r13
0x0000000000494739 <av_metadata_set2+25>:       mov    %r15,-0x8(%rsp)
0x000000000049473e <av_metadata_set2+30>:       mov    %rbx,-0x30(%rsp)
0x0000000000494743 <av_metadata_set2+35>:       sub    $0x48,%rsp
0x0000000000494747 <av_metadata_set2+39>:       mov    (%rdi),%rbx
0x000000000049474a <av_metadata_set2+42>:       mov    %rdx,%r14
0x000000000049474d <av_metadata_set2+45>:       xor    %edx,%edx
0x000000000049474f <av_metadata_set2+47>:       mov    %rsi,%r12
0x0000000000494752 <av_metadata_set2+50>:       mov    %rbx,%rdi
0x0000000000494755 <av_metadata_set2+53>:       callq  0x4945d0 <av_metadata_get>
0x000000000049475a <av_metadata_set2+58>:       test   %rbx,%rbx
0x000000000049475d <av_metadata_set2+61>:       mov    %rax,%r15
0x0000000000494760 <av_metadata_set2+64>:       je     0x494878 <av_metadata_set2+344>
0x0000000000494766 <av_metadata_set2+70>:       test   %r15,%r15
End of assembler dump.
(gdb) info registers
rax            0x8      8
rbx            0x11eef80        18804608
rcx            0x0      0
rdx            0x11ef000        18804736
rsi            0x7fffffffd470   140737488344176
rdi            0x188    392
rbp            0x0      0x0
rsp            0x7fffffffd410   0x7fffffffd410
r8             0xfeff7efef6047cff       -72199435500356353
r9             0x101010101010101        72340172838076673
r10            0x0      0
r11            0x7ffff6d7edd6   140737334734294
r12            0x7fffffffd470   140737488344176
r13            0x188    392
r14            0x0      0
r15            0x11eef68        18804584
rip            0x494747 0x494747 <av_metadata_set2+39>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

Attachments (1)

crash.mkv (1.0 MB) - added by cehoyos 6 years ago.


Change History (5)

Changed 6 years ago by cehoyos

comment:1 Changed 6 years ago by aurel

  • Status changed from new to open

comment:2 Changed 6 years ago by aurel

Interesting broken sample which seems to have been generated by lavf. It would be useful to know exactly how this sample was generated to fix the muxer.

Anyway, I fixed the demuxer crash in git-N-28583-g2851b1f

I don't have permission to assign the ticket to myself (and to close it).

comment:3 Changed 6 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from open to closed

I produced the sample (by accident, possibly setting all codec_tags to 0 in mpegts.c and copying all streams) when I tried to understand ticket #8. (I currently believe that the MPEG-TS demuxer should never set codec_tag and especially not for private streams 0x6.)

Thank you for the quick fix!

comment:4 Changed 6 years ago by aurel

OK. I think I found and fixed the bug in the muxer too.
