Opened 11 years ago

Closed 11 years ago

#2217 closed defect (fixed)

amerge crashes with adpcm_ima_qt input

Reported by: Carl Eugen Hoyos
Owned by:
Priority: important
Component: avfilter
Version: git-master
Keywords: crash SIGSEGV amerge
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: yes

Description

(gdb) r -i fate-suite/svq3/Vertical400kbit.sorenson3.mov -i fate-suite/svq3/Vertical400kbit.sorenson3.mov -filter_complex amerge -f null -
Starting program: ffmpeg_g -i fate-suite/svq3/Vertical400kbit.sorenson3.mov -i fate-suite/svq3/Vertical400kbit.sorenson3.mov -filter_complex amerge -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-49470-g9df9420 Copyright (c) 2000-2013 the FFmpeg developers
  built on Jan 31 2013 01:35:42 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 17.100 / 52. 17.100
  libavcodec     54. 91.100 / 54. 91.100
  libavformat    54. 61.104 / 54. 61.104
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 34.101 /  3. 34.101
  libswscale      2.  2.100 /  2.  2.100
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x1605a60] max_analyze_duration 5000000 reached at 5000998 microseconds
Guessed Channel Layout for  Input Stream #0.1 : mono
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'fate-suite/svq3/Vertical400kbit.sorenson3.mov':
  Metadata:
    creation_time   : 2001-03-20 16:17:18
    title           : Vertical Online SV3 Demo
    title-eng       : Vertical Online SV3 Demo
    artist          : Logan Kelsey
    artist-eng      : Logan Kelsey
    copyright       : © Vertical Online 2001
    copyright-eng   : © Vertical Online 2001
    encoder         : Sorenson Video 3
    encoder-eng     : Sorenson Video 3
  Duration: 00:00:43.58, start: 0.000000, bitrate: 580 kb/s
    Stream #0:0(eng): Video: svq3 (SVQ3 / 0x33515653), yuvj420p, 320x240, 391 kb/s, 30.02 fps, 30 tbr, 600 tbn, 600 tbc
    Metadata:
      creation_time   : 2001-03-20 16:17:18
      handler_name    : Apple Alias Data Handler
    Stream #0:1(eng): Audio: adpcm_ima_qt (ima4 / 0x34616D69), 44100 Hz, mono, s16p, 176 kb/s
    Metadata:
      creation_time   : 2001-03-20 16:17:18
      handler_name    : Apple Alias Data Handler
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x160d360] max_analyze_duration 5000000 reached at 5000998 microseconds
Guessed Channel Layout for  Input Stream #1.1 : mono
Input #1, mov,mp4,m4a,3gp,3g2,mj2, from 'fate-suite/svq3/Vertical400kbit.sorenson3.mov':
  Metadata:
    creation_time   : 2001-03-20 16:17:18
    title           : Vertical Online SV3 Demo
    title-eng       : Vertical Online SV3 Demo
    artist          : Logan Kelsey
    artist-eng      : Logan Kelsey
    copyright       : © Vertical Online 2001
    copyright-eng   : © Vertical Online 2001
    encoder         : Sorenson Video 3
    encoder-eng     : Sorenson Video 3
  Duration: 00:00:43.58, start: 0.000000, bitrate: 580 kb/s
    Stream #1:0(eng): Video: svq3 (SVQ3 / 0x33515653), yuvj420p, 320x240, 391 kb/s, 30.02 fps, 30 tbr, 600 tbn, 600 tbc
    Metadata:
      creation_time   : 2001-03-20 16:17:18
      handler_name    : Apple Alias Data Handler
    Stream #1:1(eng): Audio: adpcm_ima_qt (ima4 / 0x34616D69), 44100 Hz, mono, s16p, 176 kb/s
    Metadata:
      creation_time   : 2001-03-20 16:17:18
      handler_name    : Apple Alias Data Handler
[Parsed_amerge_0 @ 0x1642be0] Input channel layouts overlap: output layout will be determined by the number of distinct input channels
Output #0, null, to 'pipe:':
  Metadata:
    encoder-eng     : Sorenson Video 3
    title           : Vertical Online SV3 Demo
    title-eng       : Vertical Online SV3 Demo
    artist          : Logan Kelsey
    artist-eng      : Logan Kelsey
    copyright       : © Vertical Online 2001
    copyright-eng   : © Vertical Online 2001
    encoder         : Lavf54.61.104
    Stream #0:0: Audio: pcm_s16le, 44100 Hz, stereo, s16, 1411 kb/s
    Stream #0:1(eng): Video: rawvideo (I420 / 0x30323449), yuvj420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 30 tbc
    Metadata:
      creation_time   : 2001-03-20 16:17:18
      handler_name    : Apple Alias Data Handler
Stream mapping:
  Stream #0:1 (adpcm_ima_qt) -> amerge:in0 (graph 0)
  Stream #1:1 (adpcm_ima_qt) -> amerge:in1 (graph 0)
  amerge (graph 0) -> Stream #0:0 (pcm_s16le)
  Stream #0:0 -> #0:1 (svq3 -> rawvideo)
Press [q] to stop, [?] for help
[New Thread 0x7ffff6563700 (LWP 5169)]
[New Thread 0x7ffff5d62700 (LWP 5170)]
Multiple frames in a packet from stream 1
    Last message repeated 1 times
[Parsed_amerge_0 @ 0x1642be0] Buffer queue overflow, dropping.
    Last message repeated 641 times
[null @ 0x1607ec0] Encoder did not produce proper pts, making some up.
[Parsed_amerge_0 @ 0x1642be0] Buffer queue overflow, dropping.
    Last message repeated 6569 times
Program received signal SIGSEGV, Segmentation fault.
0x000000000049c52c in filter_frame (inlink=<optimized out>, insamples=0x1698940)
    at libavfilter/af_amerge.c:249
249             ins[i] = inbuf[i]->data[0] +
(gdb) bt
#0  0x000000000049c52c in filter_frame (inlink=<optimized out>, insamples=0x1698940)
    at libavfilter/af_amerge.c:249
#1  0x000000000046dc16 in ff_filter_frame_framed (link=link@entry=0x1609900,
    frame=frame@entry=0x1698940) at libavfilter/avfilter.c:719
#2  0x000000000046f86b in ff_filter_frame (link=link@entry=0x1609900,
    frame=frame@entry=0x1698940) at libavfilter/avfilter.c:791
#3  0x000000000049e192 in filter_frame (inlink=0x1606a20, insamplesref=0x165a020)
    at libavfilter/af_aresample.c:213
#4  0x000000000046dc16 in ff_filter_frame_framed (link=link@entry=0x1606a20,
    frame=frame@entry=0x165a020) at libavfilter/avfilter.c:719
#5  0x000000000046f86b in ff_filter_frame (link=link@entry=0x1606a20, frame=0x165a020)
    at libavfilter/avfilter.c:791
#6  0x0000000000472852 in request_frame (link=0x1606a20) at libavfilter/buffersrc.c:397
#7  0x0000000000472ca4 in av_buffersrc_add_ref (s=0x16544c0, buf=0x1606558,
    flags=<optimized out>) at libavfilter/buffersrc.c:151
#8  0x0000000000472e98 in av_buffersrc_add_frame (buffer_src=0x16544c0,
    frame=frame@entry=0x15fec60, flags=flags@entry=4) at libavfilter/buffersrc.c:90
#9  0x000000000045d03b in decode_audio (ist=ist@entry=0x1642980,
    pkt=pkt@entry=0x7fffffffda80, got_output=got_output@entry=0x7fffffffd81c)
    at ffmpeg.c:1612
#10 0x000000000045f6c6 in output_packet (pkt=0x7fffffffda20, ist=0x1642980)
    at ffmpeg.c:1832
#11 process_input (file_index=<optimized out>) at ffmpeg.c:2988
#12 0x000000000044eb30 in transcode_step () at ffmpeg.c:3084
#13 transcode () at ffmpeg.c:3136
#14 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3311
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x49c50c to 0x49c54c:
   0x000000000049c50c <filter_frame+412>:       (bad)
   0x000000000049c50d <filter_frame+413>:       mov    (%rcx,%rax,8),%rdx
   0x000000000049c511 <filter_frame+417>:       mov    0x110(%rcx),%eax
   0x000000000049c517 <filter_frame+423>:       mov    %rdx,0x70(%rsp,%rdi,1)
   0x000000000049c51c <filter_frame+428>:       imul   0x108(%rcx),%eax
   0x000000000049c523 <filter_frame+435>:       mov    %rsi,%rcx
   0x000000000049c526 <filter_frame+438>:       imul   %r9d,%eax
   0x000000000049c52a <filter_frame+442>:       cltq
=> 0x000000000049c52c <filter_frame+444>:       add    0x8(%rdx),%rax
   0x000000000049c530 <filter_frame+448>:       mov    %rax,0x170(%rsp,%rdi,1)
   0x000000000049c538 <filter_frame+456>:       add    $0x8,%rdi
   0x000000000049c53c <filter_frame+460>:       cmp    %r8,%rsi
   0x000000000049c53f <filter_frame+463>:       jne    0x49c4f0 <filter_frame+384>
   0x000000000049c541 <filter_frame+465>:       mov    0x70(%rsp),%r12
   0x000000000049c546 <filter_frame+470>:       mov    0x60(%rsp),%rdi
   0x000000000049c54b <filter_frame+475>:       mov    %r12,%rsi
End of assembler dump.
(gdb) info register
rax            0x0      0
rbx            0x16085c0        23102912
rcx            0x1606558        23094616
rdx            0x0      0
rsi            0x1606558        23094616
rdi            0x0      0
rbp            0x40     0x40
rsp            0x7fffffffcff0   0x7fffffffcff0
r8             0x1606670        23094896
r9             0x2      2
r10            0x0      0
r11            0x7ffff68d1d60   140737329831264
r12            0x1698940        23693632
r13            0x118    280
r14            0x1606a20        23095840
r15            0x49c370 4834160
rip            0x49c52c 0x49c52c <filter_frame+444>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Change History (2)

comment:1 by Cigaes, 11 years ago

Analyzed by developer: set
Reproduced by developer: set
Status: new → open

You should build with --assert-level=1 or even 2, you would have had a more detailed output.

The culprit is, once again, avfilter_copy_buffer_ref_props. I have a fix, but it unearthed another bug, I am working on it.

comment:2 by Carl Eugen Hoyos, 11 years ago

Resolution: fixed
Status: open → closed

Fixed by Nicolas.
