Opened 3 years ago

Closed 3 years ago

#1986 closed defect (fixed)

ffserver crashes while playing h264 video from matroska container over rtsp

Reported by: sonntex
Owned by:
Priority: important
Component: ffserver
Version: git-master
Keywords: crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:

I'm trying to play H.264 video from a Matroska container over RTSP using ffserver and ffplay, and ffserver crashes when ffplay is executed.

How to reproduce:

  1. Configuration file for ffserver:
    Port 8090
    RTSPPort 8554
    BindAddress 0.0.0.0
    MaxHTTPConnections 2000
    MaxClients 1000
    MaxBandwidth 1000
    CustomLog -
    NoDaemon
    
    <Stream h264-cut.mkv>
    Format rtp
    File "h264-cut.mkv"
    </Stream>
    
  2. Execute ffserver:
    % ./ffserver_g -v 9 -loglevel 99 -f ffserver.conf
    ffserver version 1.0 Copyright (c) 2000-2012 the FFmpeg developers
      built on Dec  3 2012 23:47:06 with gcc 4.7 (Debian 4.7.2-4)
      configuration: --disable-optimizations --enable-debug=3
      libavutil      51. 73.101 / 51. 73.101
      libavcodec     54. 59.100 / 54. 59.100
      libavformat    54. 29.104 / 54. 29.104
      libavdevice    54.  2.101 / 54.  2.101
      libavfilter     3. 17.100 /  3. 17.100
      libswscale      2.  1.101 /  2.  1.101
      libswresample   0. 15.100 /  0. 15.100
    Tue Dec  4 00:14:57 2012 Opening file 'h264-cut.mkv'
    Tue Dec  4 00:14:57 2012 [matroska,webm @ 0x359af40]Format matroska,webm probed with size=2048 and score=100
    Tue Dec  4 00:14:57 2012 st:0 removing common factor 1000000 from timebase
    Tue Dec  4 00:14:57 2012 [matroska,webm @ 0x359af40]File position before avformat_find_stream_info() is 574
    Tue Dec  4 00:14:57 2012 [h264 @ 0x35a1de0]Using externally provided dimensions
    Tue Dec  4 00:14:57 2012 [h264 @ 0x35a1de0]no picture 
    Tue Dec  4 00:14:57 2012 [matroska,webm @ 0x359af40]All info found
    Tue Dec  4 00:14:57 2012 [matroska,webm @ 0x359af40]File position after avformat_find_stream_info() is 113333
    Tue Dec  4 00:14:57 2012 [AVIOContext @ 0x359b4c0]Statistics: 139214 bytes read, 0 seeks
    Tue Dec  4 00:14:57 2012 FFserver started.
    Segmentation fault (core dumped)
    
  3. Execute ffplay:
    % ./ffplay_g -v 9 -loglevel 99 rtsp://localhost:8554/h264-cut.mkv
    ffplay version 1.0 Copyright (c) 2003-2012 the FFmpeg developers
      built on Dec  3 2012 23:47:06 with gcc 4.7 (Debian 4.7.2-4)
      configuration: --disable-optimizations --enable-debug=3
      libavutil      51. 73.101 / 51. 73.101
      libavcodec     54. 59.100 / 54. 59.100
      libavformat    54. 29.104 / 54. 29.104
      libavdevice    54.  2.101 / 54.  2.101
      libavfilter     3. 17.100 /  3. 17.100
      libswscale      2.  1.101 /  2.  1.101
      libswresample   0. 15.100 /  0. 15.100
    rtsp://localhost:8554/h264-cut.mkv: Invalid data found when processing input
    
    

Gdb:

%  gdb ./ffserver_g core 
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/sonntex-devel/devel/ffmpeg-1.0/ffserver_g...done.
[New LWP 31838]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./ffserver_g -v 9 -loglevel 99 -f ffserver.conf'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000523e40 in sdp_write_media_attributes (
    buff=0x35a36c0 "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=No Title\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\na=tool:libavformat 54.29.104\r\nm=video 0 RTP/AVP 96\r\n", size=2048, c=0x35a2220, payload_type=96, 
    fmt=0x35a1940) at libavformat/sdp.c:405
405                 if (fmt && fmt->oformat->priv_class &&
(gdb) bt
#0  0x0000000000523e40 in sdp_write_media_attributes (
    buff=0x35a36c0 "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=No Title\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\na=tool:libavformat 54.29.104\r\nm=video 0 RTP/AVP 96\r\n", size=2048, c=0x35a2220, payload_type=96, 
    fmt=0x35a1940) at libavformat/sdp.c:405
#1  0x00000000005246da in ff_sdp_write_media (buff=0x35a36c0 "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=No Title\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\na=tool:libavformat 54.29.104\r\nm=video 0 RTP/AVP 96\r\n", 
    size=2048, c=0x35a2220, dest_addr=0x0, dest_type=0x7fff05c842e0 "IP4", port=0, ttl=0, fmt=0x35a1940) at libavformat/sdp.c:609
#2  0x00000000005249b0 in av_sdp_create (ac=0x7fff05c843c8, n_files=1, 
    buf=0x35a36c0 "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=No Title\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\na=tool:libavformat 54.29.104\r\nm=video 0 RTP/AVP 96\r\n", size=2048) at libavformat/sdp.c:655
#3  0x000000000043d1cc in prepare_sdp_description (stream=0x3599320, pbuffer=0x7fff05c84448, my_ip=...) at ffserver.c:2969
#4  0x000000000043d41e in rtsp_cmd_describe (c=0x35a2640, url=0x7fff05c867a0 "rtsp://localhost:8554/h264-cut.mkv") at ffserver.c:3021
#5  0x000000000043cdf0 in rtsp_parse_request (c=0x35a2640) at ffserver.c:2908
#6  0x000000000043751e in handle_connection (c=0x35a2640) at ffserver.c:955
#7  0x0000000000436c97 in http_server () at ffserver.c:729
#8  0x00000000004429f9 in main (argc=7, argv=0x7fff05c86e28) at ffserver.c:4757
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x523e20 to 0x523e60:
   0x0000000000523e20 <sdp_write_media_attributes+290>: test   %dh,%cl
   0x0000000000523e22 <sdp_write_media_attributes+292>: (bad)  
   0x0000000000523e23 <sdp_write_media_attributes+293>: add    %al,(%rax)
   0x0000000000523e25 <sdp_write_media_attributes+295>: jmpq   0x524598 <sdp_write_media_attributes+2202>
   0x0000000000523e2a <sdp_write_media_attributes+300>: movl   $0x1,-0xc(%rbp)
   0x0000000000523e31 <sdp_write_media_attributes+307>: cmpq   $0x0,-0x40(%rbp)
   0x0000000000523e36 <sdp_write_media_attributes+312>: je     0x523e6e <sdp_write_media_attributes+368>
   0x0000000000523e38 <sdp_write_media_attributes+314>: mov    -0x40(%rbp),%rax
   0x0000000000523e3c <sdp_write_media_attributes+318>: mov    0x10(%rax),%rax
=> 0x0000000000523e40 <sdp_write_media_attributes+322>: mov    0x38(%rax),%rax
   0x0000000000523e44 <sdp_write_media_attributes+326>: test   %rax,%rax
   0x0000000000523e47 <sdp_write_media_attributes+329>: je     0x523e6e <sdp_write_media_attributes+368>
   0x0000000000523e49 <sdp_write_media_attributes+331>: mov    -0x40(%rbp),%rax
   0x0000000000523e4d <sdp_write_media_attributes+335>: mov    0x18(%rax),%rax
   0x0000000000523e51 <sdp_write_media_attributes+339>: mov    $0xcc1d35,%edx
   0x0000000000523e56 <sdp_write_media_attributes+344>: mov    $0xcc1d40,%esi
   0x0000000000523e5b <sdp_write_media_attributes+349>: mov    %rax,%rdi
   0x0000000000523e5e <sdp_write_media_attributes+352>: callq  0xc95a48 <av_opt_flag_is_set>
End of assembler dump.
(gdb) info all-registers
rax            0x0      0
rbx            0x35a1940        56236352
rcx            0x60     96
rdx            0x35a2220        56238624
rsi            0x800    2048
rdi            0x35a36c0        56243904
rbp            0x7fff05c84250   0x7fff05c84250
rsp            0x7fff05c841f0   0x7fff05c841f0
r8             0x35a1940        56236352
r9             0x1      1
r10            0x0      0
r11            0xfffffffb       4294967291
r12            0x435d00 4414720
r13            0x7fff05c86e20   140733290409504
r14            0x0      0
r15            0x0      0
rip            0x523e40 0x523e40 <sdp_write_media_attributes+322>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Attachments (1)

h264-cut.mkv (2.0 MB) - added by sonntex 3 years ago.
This is a cut-down version of an 85 MB file.
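
A triage sketch for the backtrace above, added here as an example (it is not part of the ticket or of FFmpeg): it parses the faulting instruction and register values from the gdb output and classifies the access. The result, a read at address 0x38 through a zero `%rax` that was itself loaded from offset 0x10 of another pointer, is consistent with `fmt->oformat` being NULL in the expression at `libavformat/sdp.c:405`. The `triage` helper and the one-page NULL threshold are assumptions of this example.

```python
import re

# Excerpt copied from the gdb session in this ticket (disassembly + registers).
GDB_EXCERPT = """\
   0x0000000000523e38 <sdp_write_media_attributes+314>: mov    -0x40(%rbp),%rax
   0x0000000000523e3c <sdp_write_media_attributes+318>: mov    0x10(%rax),%rax
=> 0x0000000000523e40 <sdp_write_media_attributes+322>: mov    0x38(%rax),%rax
rax            0x0      0
rbp            0x7fff05c84250   0x7fff05c84250
"""

INSN = re.compile(r"^(=>)?\s*0x[0-9a-f]+ <(\S+?)\+(\d+)>:\s+(\w+)\s+(\S+)")
MEMOP = re.compile(r"(-?0x[0-9a-f]+)?\((%\w+)\)")
REG = re.compile(r"^(\w+)\s+(0x[0-9a-f]+)\s")
NULL_PAGE = 0x1000  # assumption: addresses below one page are NULL plus a field offset


def triage(text):
    """Classify the faulting memory access in a gdb disassembly/register dump."""
    regs, insns = {}, []
    for line in text.splitlines():
        m = INSN.match(line)
        if m:
            insns.append({"fault": bool(m.group(1)), "func": m.group(2),
                          "op": m.group(4), "args": m.group(5)})
        elif (m := REG.match(line)):
            regs["%" + m.group(1)] = int(m.group(2), 16)
    idx = next(i for i, ins in enumerate(insns) if ins["fault"])
    fault = insns[idx]
    mem = MEMOP.search(fault["args"])
    disp, base = int(mem.group(1) or "0", 16), mem.group(2)
    addr = regs[base] + disp
    # AT&T syntax puts the destination last: find the previous write to `base`.
    loader = next((p for p in reversed(insns[:idx])
                   if p["args"].endswith("," + base)), None)
    return {
        "function": fault["func"],
        "base": base,
        "field_offset": disp,
        "address": addr,
        "null_deref": regs[base] == 0 and addr < NULL_PAGE,
        "loaded_by": f'{loader["op"]} {loader["args"]}' if loader else None,
    }


if __name__ == "__main__":
    print(triage(GDB_EXCERPT))
```
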


Change History (6)


comment:1 Changed 3 years ago by sonntex

  • Component changed from undetermined to FFserver

comment:2 follow-up: Changed 3 years ago by cehoyos

  • Keywords crash added
  • Priority changed from normal to important
  • Version changed from unspecified to 1.0

Does current git head also crash?

comment:3 in reply to: ↑ 2 Changed 3 years ago by sonntex

Replying to cehoyos:

Does current git head also crash?

Yes

comment:4 Changed 3 years ago by cehoyos

  • Keywords SIGSEGV regression added
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from 1.0 to git-master

Regression since d77f4af / 82edf67.

comment:5 Changed 3 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from open to closed

Fixed by Michael.
