Opened 11 years ago

Closed 11 years ago

#2139 closed defect (fixed)

Crash on invalid command-line

Reported by: Carl Eugen Hoyos
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: crash SIGSEGV
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

(gdb) r -i tests/lena.pnm concat:out.bmp
Starting program: /home/cehoyos/test/cehoyos/FFmpeg/ffmpeg_g -i tests/lena.pnm concat:out.bmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-48916-ge074fe2 Copyright (c) 2000-2013 the FFmpeg developers
  built on Jan 15 2013 15:59:20 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 14.100 / 52. 14.100
  libavcodec     54. 89.100 / 54. 89.100
  libavformat    54. 59.107 / 54. 59.107
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 32.100 /  3. 32.100
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
Input #0, image2, from 'tests/lena.pnm':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: ppm, rgb24, 256x256, 25 tbr, 25 tbn, 25 tbc
Output #0, image2, to 'concat:out.bmp':
  Metadata:
    encoder         : Lavf54.59.107
    Stream #0:0: Video: bmp, bgr24, 256x256, q=2-31, 200 kb/s, 90k tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (ppm -> bmp)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00000000004dc053 in retry_transfer_wrapper (transfer_func=0x0, size_min=32768,
    size=32768, buf=0x16772c0 "BM6", h=0x15d6d60) at libavformat/avio.c:262
#2  ffurl_write (h=0x15d6d60, buf=0x16772c0 "BM6", size=32768) at libavformat/avio.c:313
#3  0x00000000004dcf26 in writeout (len=32768, data=<optimized out>, s=0x15d48e0)
    at libavformat/aviobuf.c:129
#4  flush_buffer (s=0x15d48e0) at libavformat/aviobuf.c:140
#5  avio_write (s=0x15d48e0, buf=0x1647240 "BM6", size=196662)
    at libavformat/aviobuf.c:185
#6  0x0000000000504167 in write_packet (s=0x15d7b00, pkt=0x7fffffffd600)
    at libavformat/img2enc.c:117
#7  0x000000000053fbe3 in split_write_packet (pkt=0x7fffffffd600, s=0x15d7b00)
    at libavformat/mux.c:496
#8  av_interleaved_write_frame (s=s@entry=0x15d7b00, pkt=<optimized out>,
    pkt@entry=0x7fffffffd920) at libavformat/mux.c:751
#9  0x000000000045da03 in write_frame (s=s@entry=0x15d7b00, pkt=pkt@entry=0x7fffffffd920,
    ost=ost@entry=0x15ddb80) at ffmpeg.c:589
#10 0x000000000045f648 in do_video_out (in_picture=0x15ce520, ost=0x15ddb80, s=0x15d7b00)
    at ffmpeg.c:932
#11 reap_filters () at ffmpeg.c:1060
#12 0x0000000000451c25 in transcode_step () at ffmpeg.c:2991
#13 transcode () at ffmpeg.c:3034
#14 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3209
$ valgrind ./ffmpeg_g -i tests/lena.pnm concat:out.bmp
==11105== Memcheck, a memory error detector
==11105== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==11105== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==11105== Command: ./ffmpeg_g -i tests/lena.pnm concat:out.bmp
==11105==
ffmpeg version N-48916-ge074fe2 Copyright (c) 2000-2013 the FFmpeg developers
  built on Jan 15 2013 15:59:20 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 14.100 / 52. 14.100
  libavcodec     54. 89.100 / 54. 89.100
  libavformat    54. 59.107 / 54. 59.107
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 32.100 /  3. 32.100
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
Input #0, image2, from 'tests/lena.pnm':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: ppm, rgb24, 256x256, 25 tbr, 25 tbn, 25 tbc
Output #0, image2, to 'concat:out.bmp':
  Metadata:
    encoder         : Lavf54.59.107
    Stream #0:0: Video: bmp, bgr24, 256x256, q=2-31, 200 kb/s, 90k tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (ppm -> bmp)
Press [q] to stop, [?] for help
==11105== Jump to the invalid address stated on the next line
==11105==    at 0x0: ???
==11105==    by 0x4DC052: ffurl_write (avio.c:262)
==11105==    by 0x4DCF25: avio_write (aviobuf.c:129)
==11105==    by 0x504166: write_packet (img2enc.c:117)
==11105==    by 0x53FBE2: av_interleaved_write_frame (mux.c:496)
==11105==    by 0x45DA02: write_frame (ffmpeg.c:589)
==11105==    by 0x45F647: reap_filters (ffmpeg.c:932)
==11105==    by 0x451C24: main (ffmpeg.c:2991)
==11105==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==11105==
==11105==
==11105== Process terminating with default action of signal 11 (SIGSEGV)
==11105==  Bad permissions for mapped region at address 0x0
==11105==    at 0x0: ???
==11105==    by 0x4DC052: ffurl_write (avio.c:262)
==11105==    by 0x4DCF25: avio_write (aviobuf.c:129)
==11105==    by 0x504166: write_packet (img2enc.c:117)
==11105==    by 0x53FBE2: av_interleaved_write_frame (mux.c:496)
==11105==    by 0x45DA02: write_frame (ffmpeg.c:589)
==11105==    by 0x45F647: reap_filters (ffmpeg.c:932)
==11105==    by 0x451C24: main (ffmpeg.c:2991)
==11105==
==11105== HEAP SUMMARY:
==11105==     in use at exit: 1,077,722 bytes in 114 blocks
==11105==   total heap usage: 2,315 allocs, 2,201 frees, 2,892,263 bytes allocated
==11105==
==11105== LEAK SUMMARY:
==11105==    definitely lost: 0 bytes in 0 blocks
==11105==    indirectly lost: 0 bytes in 0 blocks
==11105==      possibly lost: 0 bytes in 0 blocks
==11105==    still reachable: 1,077,722 bytes in 114 blocks
==11105==         suppressed: 0 bytes in 0 blocks
==11105== Rerun with --leak-check=full to see details of leaked memory
==11105==
==11105== For counts of detected and suppressed errors, rerun with: -v
==11105== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
Segmentation fault

Attachments (1)

2139.patch (1.0 KB) - added by Hari 11 years ago.


Change History (6)

comment:1 by Elon Musk, 11 years ago

Component: undetermined → avformat
Reproduced by developer: set
Status: new → open

comment:2 by Hari, 11 years ago

For out.bmp, h->prot looks like
$3 = {name = 0xc872d1 "file", url_open = 0x5402c0 <file_open>,
url_open2 = 0x0, url_read = 0x5404a0 <file_read>,
url_write = 0x540460 <file_write>, url_seek = 0x540220 <file_seek>,
url_close = 0x540200 <file_close>, next = 0xc33d20, url_read_pause = 0x0,
url_read_seek = 0x0, url_get_file_handle = 0x540150 <file_get_handle>,
url_get_multi_file_handle = 0x0, url_shutdown = 0x0, priv_data_size = 12,
priv_data_class = 0xc872e0, flags = 0, url_check = 0x5403c0 <file_check>}

For concat:out.bmp, it looks like
$1 = {name = 0xc86eba "concat", url_open = 0xbe5038 <concat_open>,
url_open2 = 0x0, url_read = 0x53f510 <concat_read>, url_write = 0x0,
url_seek = 0x53f280 <concat_seek>, url_close = 0xbe4ff4 <concat_close>,
next = 0xc33b40, url_read_pause = 0x0, url_read_seek = 0x0,
url_get_file_handle = 0x0, url_get_multi_file_handle = 0x0,
url_shutdown = 0x0, priv_data_size = 12, priv_data_class = 0x0, flags = 0,
url_check = 0x0}

Since url_write is NULL, it causes a seg fault in function retry_transfer_wrapper, where it's passed as a param.
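Added example, not part of the ticket and not FFmpeg's code: a minimal C model of the condition described in comment:2, where a protocol entry with url_write = 0x0 reaches the write path. The Demo* types, the demo_* functions and the sink buffer are hypothetical; only the field name url_write and the protocol names "file" and "concat" are taken from the gdb dump. It shows two places a guard can sit, at open time and at call time, so the caller gets an error code instead of a jump to address 0.

```c
#include <errno.h>
#include <string.h>

/* Simplified stand-in for the protocol table in the gdb dump above; field
 * names follow the dump, all Demo* and demo_* names are hypothetical. */
typedef struct DemoProtocol {
    const char *name;
    int (*url_write)(void *priv, const unsigned char *buf, int size);
} DemoProtocol;
typedef struct DemoContext { const DemoProtocol *prot; void *priv; } DemoContext;

/* Constructed sink: copies into a fixed buffer, returns bytes written. */
static unsigned char sink[64];
static int sink_write(void *priv, const unsigned char *buf, int size)
{
    (void)priv;
    if (size > (int)sizeof(sink))
        size = (int)sizeof(sink);
    memcpy(sink, buf, (size_t)size);
    return size;
}

const DemoProtocol demo_file   = { "file",   sink_write }; /* has a writer */
const DemoProtocol demo_concat = { "concat", NULL };       /* url_write = 0x0 */

/* Open-time check: refuse write mode when there is no write callback. */
int demo_open_for_write(DemoContext *h, const DemoProtocol *p)
{
    if (!h || !p || !p->url_write)
        return -ENOSYS;
    *h = (DemoContext){ p, NULL };
    return 0;
}

/* Call-time check: never pass a NULL callback down the transfer path. */
int demo_write(DemoContext *h, const unsigned char *buf, int size)
{
    if (!h || !h->prot || !h->prot->url_write)
        return -EIO;
    if (!buf || size < 0)
        return -EINVAL;
    return h->prot->url_write(h->priv, buf, size);
}

int main(void)
{
    DemoContext h = { 0 };
    return demo_open_for_write(&h, &demo_concat) == -ENOSYS ? 0 : 1;
}
```

The call-time check still matters when the open-time check exists, because a context can be built by a code path that bypasses the open function.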

by Hari, 11 years ago

Attachment: 2139.patch added

comment:4 by Hari, 11 years ago

Last edited 11 years ago by Hari

comment:5 by Carl Eugen Hoyos, 11 years ago

Resolution: fixed
Status: open → closed

Fixed by Nicolas.
