#2048 closed defect (fixed)
reproducible crash on some subtitles in ff_ass_split_override_codes()
| Reported by: | julian | Owned by: | Clément Bœsch |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | ass crash SIGSEGV |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
ffmpeg crashes reproducibly when converting files with some subtitles.
I've seen the crash with self-compiled ffmpeg 1.0 as well as the Mac OS X binary (linked to from the homepage) for 1.0.1.
Download the sample file:
https://dl.dropbox.com/u/7221986/ffmpeg-bug.mkv
```
% ffmpeg -i ffmpeg-bug.mkv -map 0:2 -map 0:0 -map 0:1 -scodec mov_text -vcodec copy out.mp4
ffmpeg version 1.0.1-tessus Copyright (c) 2000-2012 the FFmpeg developers
  built on Dec 3 2012 23:31:08 with llvm-gcc 4.2.1 (LLVM build 2336.1.00)
  configuration: --prefix=/Users/tessus/data/ext/ffmpeg/sw --as=yasm --extra-version=tessus --disable-shared --enable-static --disable-ffplay --disable-ffserver --enable-gpl --enable-pthreads --enable-postproc --enable-libmp3lame --enable-libtheora --enable-libvorbis --enable-libx264 --enable-libxvid --enable-libspeex --enable-bzlib --enable-zlib --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libxavs --enable-version3 --enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libvpx --enable-libgsm --enable-libopus --enable-fontconfig --enable-libfreetype --enable-libass --enable-filters --enable-runtime-cpudetect
  libavutil      51. 73.101 / 51. 73.101
  libavcodec     54. 59.100 / 54. 59.100
  libavformat    54. 29.104 / 54. 29.104
  libavdevice    54.  2.101 / 54.  2.101
  libavfilter     3. 17.100 /  3. 17.100
  libswscale      2.  1.101 /  2.  1.101
  libswresample   0. 15.100 /  0. 15.100
  libpostproc    52.  0.100 / 52.  0.100
Input #0, matroska,webm, from 'ffmpeg-bug.mkv':
  Metadata:
    ENCODER         : Lavf54.29.104
  Duration: 00:24:27.06, start: 0.000000, bitrate: 8 kb/s
    Stream #0:0: Subtitle: ssa (default)
    Metadata:
      title           : 简体中文
    Stream #0:1: Video: h264 (High), yuv420p, 640x360 [SAR 1:1 DAR 16:9], 23.81 fps, 23.81 tbr, 1k tbn, 47.62 tbc (default)
    Stream #0:2: Subtitle: ssa (default)
    Metadata:
      title           : 繁体中文
File 'out.mp4' already exists. Overwrite ? [y/N] y
Output #0, mp4, to 'out.mp4':
  Metadata:
    encoder         : Lavf54.29.104
    Stream #0:0: Subtitle: mov_text ([8][0][0][0] / 0x0008) (default)
    Metadata:
      title           : 繁体中文
    Stream #0:1: Subtitle: mov_text ([8][0][0][0] / 0x0008) (default)
    Metadata:
      title           : 简体中文
    Stream #0:2: Video: h264 ([33][0][0][0] / 0x0021), yuv420p, 640x360 [SAR 1:1 DAR 16:9], q=2-31, 23.81 fps, 1k tbn, 1k tbc (default)
Stream mapping:
  Stream #0:2 -> #0:0 (ass -> mov_text)
  Stream #0:0 -> #0:1 (ass -> mov_text)
  Stream #0:1 -> #0:2 (copy)
Press [q] to stop, [?] for help

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00000001002b1d06 in ff_ass_split_override_codes ()
```
Attachments (1)
Change History (10)
by , 10 years ago
| Attachment: | ffmpeg-bug.mkv added |
|---|
comment:1 by , 10 years ago
| Component: | undetermined → avcodec |
|---|---|
| Keywords: | ass crash SIGSEGV added |
| Priority: | normal → important |
| Reproduced by developer: | set |
| Status: | new → open |
| Version: | 1.0 → git-master |
comment:2 by , 10 years ago
Seems this crash does not only occur in "obscure" asiatic subtitles but also in German ones, e.g. in this file:
"Star-Trek-German-720p-BluRay-x264-EmpireHD" / "empire-st11-720p.mkv".
comment:4 by , 10 years ago
No, it's the same crash. One sample should be enough and I can't upload a 7GB copyrighted file.
comment:5 by , 10 years ago
Replying to julian:
No, it's the same crash. One sample should be enough
I completely agree (if it is the same crash which I don't know), I only wonder why you mentioned a second file? (A crash does not get less important if it is difficult to trigger as long as there is a sample that triggers the crash.)
comment:6 by , 10 years ago
(if it is the same crash which I don't know)
I'm quite sure, it's also in ff_ass_split_override_codes(). Will test with this file too once a fix is available to confirm.
(A crash does not get less important if it is difficult to trigger as long as there is a sample that triggers the crash.)
OK, thanks. I believed so, that's why I mentioned it. I guessed if the crash occurred /only/ in some obscure asiatic subtitles which are hard to come by it would be low priority ...
At least we know it's not related to a specific language now.
```
(gdb) r -i ffmpeg-bug.mkv -map 0:0 -scodec mov_text out.mp4
Starting program: ffmpeg_g -i ffmpeg-bug.mkv -map 0:0 -scodec mov_text out.mp4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-48034-g174c483 Copyright (c) 2000-2012 the FFmpeg developers
  built on Dec 20 2012 10:05:56 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 12.100 / 52. 12.100
  libavcodec     54. 81.100 / 54. 81.100
  libavformat    54. 49.102 / 54. 49.102
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 28.102 /  3. 28.102
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
Input #0, matroska,webm, from 'ffmpeg-bug.mkv':
  Metadata:
    ENCODER         : Lavf54.29.104
  Duration: 00:24:27.06, start: 0.000000, bitrate: 8 kb/s
    Stream #0:0: Subtitle: ssa (default)
    Metadata:
      title           : 简体中文
    Stream #0:1: Video: h264 (High), yuv420p, 640x360 [SAR 1:1 DAR 16:9], 23.81 fps, 23.81 tbr, 1k tbn, 47.62 tbc (default)
    Stream #0:2: Subtitle: ssa (default)
    Metadata:
      title           : 繁体中文
Output #0, mp4, to 'out.mp4':
  Metadata:
    encoder         : Lavf54.49.102
    Stream #0:0: Subtitle: mov_text ([8][0][0][0] / 0x0008) (default)
    Metadata:
      title           : 简体中文
Stream mapping:
  Stream #0:0 -> #0:0 (ass -> mov_text)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
ff_ass_split_override_codes (callbacks=callbacks@entry=0xc79ee0 <mov_text_callbacks>, priv=priv@entry=0x15ef840, buf=0x0) at libavcodec/ass_split.c:372
372         while (*buf) {
(gdb) bt
#0  ff_ass_split_override_codes (callbacks=callbacks@entry=0xc79ee0 <mov_text_callbacks>, priv=priv@entry=0x15ef840, buf=0x0) at libavcodec/ass_split.c:372
#1  0x000000000086b5e1 in mov_text_encode_frame (avctx=0x15f5b00, buf=0x7ffff6463040 "", bufsize=1048576, sub=0x7fffffffd6f0) at libavcodec/movtextenc.c:125
#2  0x00000000009a1238 in avcodec_encode_subtitle (avctx=avctx@entry=0x15f5b00, buf=<optimized out>, buf_size=buf_size@entry=1048576, sub=sub@entry=0x7fffffffd6f0) at libavcodec/utils.c:1485
#3  0x0000000000460011 in do_subtitle_out (sub=0x7fffffffd6f0, ost=0x15eb3e0, s=0x15ec9c0, ist=<optimized out>) at ffmpeg.c:753
#4  transcode_subtitles (ist=ist@entry=0x15e9de0, pkt=pkt@entry=0x7fffffffdac0, got_output=got_output@entry=0x7fffffffd85c) at ffmpeg.c:1728
#5  0x000000000046138a in output_packet (pkt=0x7fffffffda60, ist=0x15e9de0) at ffmpeg.c:1812
#6  process_input (file_index=<optimized out>) at ffmpeg.c:2886
#7  0x00000000004515d0 in transcode_step () at ffmpeg.c:2982
#8  transcode () at ffmpeg.c:3034
#9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3209
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xaae210 to 0xaae250:
   0x0000000000aae210 <ff_ass_split_override_codes+16>:	push   %rsp
   0x0000000000aae211 <ff_ass_split_override_codes+17>:	mov    %rdi,%r12
   0x0000000000aae214 <ff_ass_split_override_codes+20>:	push   %rbp
   0x0000000000aae215 <ff_ass_split_override_codes+21>:	push   %rbx
   0x0000000000aae216 <ff_ass_split_override_codes+22>:	sub    $0x128,%rsp
   0x0000000000aae21d <ff_ass_split_override_codes+29>:	lea    0xa0(%rsp),%rbp
   0x0000000000aae225 <ff_ass_split_override_codes+37>:	movl   $0x0,0x2c(%rsp)
   0x0000000000aae22d <ff_ass_split_override_codes+45>:	nopl   (%rax)
=> 0x0000000000aae230 <ff_ass_split_override_codes+48>:	cmpb   $0x0,(%r15)
   0x0000000000aae234 <ff_ass_split_override_codes+52>:	je     0xaae42c <ff_ass_split_override_codes+556>
   0x0000000000aae23a <ff_ass_split_override_codes+58>:	test   %r14,%r14
   0x0000000000aae23d <ff_ass_split_override_codes+61>:	je     0xaae281 <ff_ass_split_override_codes+129>
   0x0000000000aae23f <ff_ass_split_override_codes+63>:	cmpq   $0x0,(%r12)
   0x0000000000aae244 <ff_ass_split_override_codes+68>:	je     0xaae281 <ff_ass_split_override_codes+129>
   0x0000000000aae246 <ff_ass_split_override_codes+70>:	lea    0x30(%rsp),%rdx
   0x0000000000aae24b <ff_ass_split_override_codes+75>:	xor    %eax,%eax
   0x0000000000aae24d <ff_ass_split_override_codes+77>:	mov    $0xd4b500,%esi
End of assembler dump.
(gdb) info register
rax            0x1      1
rbx            0x15ef840        23001152
rcx            0x0      0
rdx            0x0      0
rsi            0x15ef840        23001152
rdi            0xc79ee0 13082336
rbp            0x7fffffffd570   0x7fffffffd570
rsp            0x7fffffffd4d0   0x7fffffffd4d0
r8             0x0      0
r9             0x7      7
r10            0x0      0
r11            0x7ffff68d1d60   140737329831264
r12            0xc79ee0 13082336
r13            0x15ef840        23001152
r14            0x0      0
r15            0x0      0
rip            0xaae230 0xaae230 <ff_ass_split_override_codes+48>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
```
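The trace shows ff_ass_split_override_codes() entered with buf=0x0 and faulting on the first read in `while (*buf)` (the `cmpb $0x0,(%r15)` with r15 = 0). As an added illustration that is not FFmpeg's code, the sketch below is a deliberately simplified model of such a callback-driven splitter: it walks an ASS dialogue line, hands `{\...}` override blocks and plain-text runs to separate callbacks, and rejects a NULL line with an error before any dereference. The callback struct, the counting sinks and the sample lines are all constructed for this example.

```c
#include <errno.h>
#include <string.h>
/* Constructed for this example: text runs and {\...} override blocks go to
 * separate callbacks, loosely mirroring a callback-table design. */
typedef struct {
    void (*text)(void *priv, const char *s, int len);
    void (*override)(void *priv, const char *s, int len);
} split_callbacks;
/* Sample sink that only counts what the splitter hands it. */
typedef struct { int text_chunks; int override_blocks; } split_stats;
static void count_text(void *priv, const char *s, int len)
{ (void)s; (void)len; ((split_stats *)priv)->text_chunks++; }
static void count_override(void *priv, const char *s, int len)
{ (void)s; (void)len; ((split_stats *)priv)->override_blocks++; }
/* Split an ASS dialogue line into text runs and override blocks. A NULL line
 * is an input error (-EINVAL): the trace above dies on `while (*buf)` with
 * buf == 0x0, so the check must precede the first dereference. */
int split_override_codes(const split_callbacks *cb, void *priv, const char *buf)
{
    if (!cb || !buf)
        return -EINVAL;
    while (*buf) {
        if (*buf == '{') {
            const char *end = strchr(buf, '}');
            if (!end)                 /* unterminated block: treat as text */
                break;
            if (cb->override)
                cb->override(priv, buf + 1, (int)(end - buf - 1));
            buf = end + 1;
        } else {
            const char *end = strchr(buf, '{');
            int len = end ? (int)(end - buf) : (int)strlen(buf);
            if (cb->text)
                cb->text(priv, buf, len);
            buf += len;
        }
    }
    if (*buf && cb->text)             /* flush a trailing unterminated "{..." */
        cb->text(priv, buf, (int)strlen(buf));
    return 0;
}
/* Run the splitter over one line and return what the counting sinks saw. */
split_stats split_sample(const char *line)
{
    split_callbacks cb = { count_text, count_override };
    split_stats st = { 0, 0 };
    split_override_codes(&cb, &st, line);
    return st;
}
```

An encoder built on such a splitter should treat the -EINVAL return as "skip this rect" rather than abort, which is the behaviour a missing-text subtitle event deserves.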