Opened 11 years ago

Closed 11 years ago

#2365 closed defect (fixed)

aas4 regression (crash)

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: aasc regression crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

24bpp doesn't decode due to

[aasc @ 026ad380] Skip beyond picture bounds

8bpp crashes

http://www.filehostfree.com/?d=51425AD41
(datafilehost seems to be down)

C:\>ffmpeg -i aas4_8bpp.avi out.avi
ffmpeg version N-50911-g9efcfbe Copyright (c) 2000-2013 the FFmpeg developers
  built on Mar 13 2013 21:26:48 with gcc 4.7.2 (GCC)
  configuration: --enable-gpl --enable-version3 --disable-w32threads --enable-avisynth --enable-bzlib --enable-fontconfig --enable-frei0r --enable-gnutls --enable-libass --enable-libbluray --enable-libcaca --enable-libfreetype --enable-libgsm --enable-libilbc --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-libopus --enable-librtmp --enable-libschroedinger --enable-libsoxr --enable-libspeex --enable-libtheora --enable-libtwolame --enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libxavs --enable-libxvid --enable-zlib
  libavutil      52. 19.100 / 52. 19.100
  libavcodec     55.  0.100 / 55.  0.100
  libavformat    55.  0.100 / 55.  0.100
  libavdevice    54.  4.100 / 54.  4.100
  libavfilter     3. 45.103 /  3. 45.103
  libswscale      2.  2.100 /  2.  2.100
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
Input #0, avi, from 'aas4_8bpp.avi':
  Duration: 00:00:12.60, start: 0.000000, bitrate: 3043 kb/s
    Stream #0:0: Video: aasc (AAS4 / 0x34534141), pal8, 320x240, 5 tbr, 5 tbn, 5 tbc
Output #0, avi, to 'out.avi':
  Metadata:
    ISFT            : Lavf55.0.100
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 320x240, q=2-31, 200 kb/s, 5 tbn, 5 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (aasc -> mpeg4)
Press [q] to stop, [?] for help

Change History (2)

comment:1 by Carl Eugen Hoyos, 11 years ago

Component: undetermined → avcodec
Keywords: aasc regression crash SIGSEGV added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

Regression since 80e9e63

(gdb) r -i aas4_8bpp.avi -f null -
Starting program: ffmpeg_g -i aas4_8bpp.avi -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-50945-g1f68bac Copyright (c) 2000-2013 the FFmpeg developers
  built on Mar 15 2013 00:47:24 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --enable-indev=jack
  libavutil      52. 19.100 / 52. 19.100
  libavcodec     55.  0.100 / 55.  0.100
  libavformat    55.  0.100 / 55.  0.100
  libavdevice    55.  0.100 / 55.  0.100
  libavfilter     3. 45.103 /  3. 45.103
  libswscale      2.  2.100 /  2.  2.100
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  2.100 / 52.  2.100
Input #0, avi, from 'aas4_8bpp.avi':
  Duration: 00:00:12.60, start: 0.000000, bitrate: 3043 kb/s
    Stream #0:0: Video: aasc (AAS4 / 0x34534141), pal8, 320x240, 5 tbr, 5 tbn, 5 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.0.100
    Stream #0:0: Video: rawvideo, pal8, 320x240, q=2-31, 200 kb/s, 90k tbn, 5 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (aasc -> rawvideo)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
msrle_decode_8_16_24_32 (gb=0x15fa428, depth=8, avctx=0x15f5920, pic=<optimized out>)
    at libavcodec/msrledec.c:215
215                             *output++ = pix[0];
(gdb) bt
#0  msrle_decode_8_16_24_32 (gb=0x15fa428, depth=8, avctx=0x15f5920,
    pic=<optimized out>) at libavcodec/msrledec.c:215
#1  ff_msrle_decode (avctx=avctx@entry=0x15f5920, pic=pic@entry=0x15fa440,
    depth=depth@entry=8, gb=gb@entry=0x15fa428) at libavcodec/msrledec.c:261
#2  0x0000000000a8ab6c in aasc_decode_frame (avctx=0x15f5920, data=0x15f8ec0,
    got_frame=0x7fffffffd87c, avpkt=<optimized out>) at libavcodec/aasc.c:104
#3  0x00000000009a140b in avcodec_decode_video2 (avctx=0x15f5920,
    picture=picture@entry=0x15f8ec0,
    got_picture_ptr=got_picture_ptr@entry=0x7fffffffd87c,
    avpkt=avpkt@entry=0x7fffffffdae0) at libavcodec/utils.c:1915
#4  0x000000000045d840 in decode_video (ist=ist@entry=0x15f7900,
    pkt=pkt@entry=0x7fffffffdae0, got_output=got_output@entry=0x7fffffffd87c)
    at ffmpeg.c:1682
#5  0x0000000000460d37 in output_packet (pkt=0x7fffffffda80, ist=0x15f7900)
    at ffmpeg.c:1877
#6  process_input (file_index=<optimized out>) at ffmpeg.c:3032
#7  0x00000000004508d0 in transcode_step () at ffmpeg.c:3128
#8  transcode () at ffmpeg.c:3180
#9  main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3357
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x8d07b0 to 0x8d07f0:
   0x00000000008d07b0 <ff_msrle_decode+1792>:   (bad)
   0x00000000008d07b1 <ff_msrle_decode+1793>:   decl   0x29(%rbp)
   0x00000000008d07b4 <ff_msrle_decode+1796>:   retq
   0x00000000008d07b5 <ff_msrle_decode+1797>:   xor    %ecx,%ecx
   0x00000000008d07b7 <ff_msrle_decode+1799>:   test   %r11,%r11
   0x00000000008d07ba <ff_msrle_decode+1802>:   jle    0x8d07c8 <ff_msrle_decode+1816>
   0x00000000008d07bc <ff_msrle_decode+1804>:   lea    0x2(%r9),%rcx
   0x00000000008d07c0 <ff_msrle_decode+1808>:   mov    %rcx,(%r15)
   0x00000000008d07c3 <ff_msrle_decode+1811>:   movzbl 0x1(%r9),%ecx
   0x00000000008d07c8 <ff_msrle_decode+1816>:   lea    -0x1(%rdx),%edx
   0x00000000008d07cb <ff_msrle_decode+1819>:   lea    0x1(%rax,%rdx,1),%rdx
=> 0x00000000008d07d0 <ff_msrle_decode+1824>:   mov    %cl,(%rax)
   0x00000000008d07d2 <ff_msrle_decode+1826>:   add    $0x1,%rax
   0x00000000008d07d6 <ff_msrle_decode+1830>:   cmp    %rdx,%rax
   0x00000000008d07d9 <ff_msrle_decode+1833>:   jne    0x8d07d0 <ff_msrle_decode+1824>
   0x00000000008d07db <ff_msrle_decode+1835>:   mov    (%r15),%r9
   0x00000000008d07de <ff_msrle_decode+1838>:   mov    0x8(%r15),%r11
   0x00000000008d07e2 <ff_msrle_decode+1842>:   add    %ebx,%r14d
   0x00000000008d07e5 <ff_msrle_decode+1845>:   jmpq   0x8d0188 <ff_msrle_decode+216>
   0x00000000008d07ea <ff_msrle_decode+1850>:   mov    %r11,%rcx
   0x00000000008d07ed <ff_msrle_decode+1853>:   sub    %r8,%rcx
End of assembler dump.
(gdb) info register
rax            0xffffffffd0d4864f       -791378353
rbx            0xff     255
rcx            0xa      10
rdx            0xffffffffd0d4874e       -791378098
rsi            0x15fa440        23045184
rdi            0x15f5920        23025952
rbp            0x8      0x8
rsp            0x7fffffffd4e0   0x7fffffffd4e0
r8             0x16056a1        23090849
r9             0x16056a0        23090848
r10            0x5aa1   23201
r11            0x3415   13333
r12            0xef     239
r13            0x1      1
r14            0x0      0
r15            0x15fa428        23045160
rip            0x8d07d0 0x8d07d0 <ff_msrle_decode+1824>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

comment:2 by Michael Niedermayer, 11 years ago

Resolution: fixed
Status: open → closed
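The crash above is at `*output++ = pix[0];` in the MS RLE decoder, with `rax` (the output pointer) holding an obviously bogus value, and the 24bpp sample is rejected with "Skip beyond picture bounds". Both symptoms come from the same class of defect: an RLE decoder that trusts run lengths and delta skips from the bitstream when positioning or writing into the picture buffer. The following is an added example, not libavcodec's msrledec.c and not the fix referenced in this ticket. It is a simplified, top-down MS RLE8 decoder written for this page that checks every run, literal copy and delta skip against the end of the output buffer, and the sample streams it decodes are constructed for the example rather than taken from the reporter's file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified MS RLE8 decoder (added example; not FFmpeg code).
 * Lines are decoded top-down into a width*height 8bpp buffer.
 * Every write and every skip is bounds-checked so that a hostile
 * stream returns an error instead of writing outside the picture. */

enum { RLE_OK = 0, RLE_ERR_BOUNDS = -1, RLE_ERR_TRUNCATED = -2 };

typedef struct { const uint8_t *p, *end; } reader;

static int rd_u8(reader *r, uint8_t *v)
{
    if (r->p >= r->end) return 0;   /* input exhausted */
    *v = *r->p++;
    return 1;
}

/* Decode src (len bytes) into dst (width*height bytes).
 * dst is zero-filled first so partial output is deterministic. */
int rle8_decode(const uint8_t *src, size_t len, uint8_t *dst, int width, int height)
{
    reader r = { src, src + len };
    size_t total = (size_t)width * height;
    int x = 0, y = 0;                /* current output position */
    uint8_t a, b;

    memset(dst, 0, total);
    while (rd_u8(&r, &a)) {
        size_t pos = (size_t)y * width + x;   /* linear index of next pixel */
        if (!rd_u8(&r, &b)) return RLE_ERR_TRUNCATED;

        if (a != 0) {                /* encoded run: a copies of pixel b */
            if (pos > total || (size_t)a > total - pos)
                return RLE_ERR_BOUNDS;          /* the check a crashing decoder lacks */
            memset(dst + pos, b, a);
            x += a;
            continue;
        }
        switch (b) {
        case 0:                      /* end of line */
            y++; x = 0;
            if (y > height) return RLE_ERR_BOUNDS;
            break;
        case 1:                      /* end of bitmap */
            return RLE_OK;
        case 2: {                    /* delta: skip dx right, dy down */
            uint8_t dx, dy;
            if (!rd_u8(&r, &dx) || !rd_u8(&r, &dy)) return RLE_ERR_TRUNCATED;
            x += dx; y += dy;
            if (x >= width || y >= height)
                return RLE_ERR_BOUNDS;          /* "Skip beyond picture bounds" */
            break;
        }
        default: {                   /* absolute mode: b literal pixels, padded to 16 bits */
            size_t n = b;
            if (pos > total || n > total - pos) return RLE_ERR_BOUNDS;
            if ((size_t)(r.end - r.p) < n + (n & 1)) return RLE_ERR_TRUNCATED;
            memcpy(dst + pos, r.p, n);
            r.p += n + (n & 1);
            x += (int)n;
            break;
        }
        }
    }
    return RLE_ERR_TRUNCATED;        /* input ended before end-of-bitmap */
}

/* Constructed sample streams for a 4x2 picture (not from the ticket's file). */
static const uint8_t good_stream[] = { 0x02,0xAA, 0x02,0xBB, 0x00,0x00,          /* AA AA BB BB, EOL */
                                       0x00,0x03, 0x01,0x02,0x03,0x00,            /* literal 01 02 03 + pad */
                                       0x00,0x01 };                               /* end of bitmap */
static const uint8_t bad_run[]     = { 0xFF,0x41 };              /* 255-pixel run into an 8-pixel buffer */
static const uint8_t bad_delta[]   = { 0x00,0x02, 0x00,0x09 };   /* delta 9 lines down in a 2-line picture */
static const uint8_t truncated[]   = { 0x02 };                   /* run byte without its pixel byte */

int demo_good(void)
{
    uint8_t out[8];
    static const uint8_t want[8] = { 0xAA,0xAA,0xBB,0xBB, 0x01,0x02,0x03,0x00 };
    return rle8_decode(good_stream, sizeof good_stream, out, 4, 2) == RLE_OK
        && memcmp(out, want, sizeof want) == 0;
}
int demo_bad_run(void)   { uint8_t out[8]; return rle8_decode(bad_run,   sizeof bad_run,   out, 4, 2); }
int demo_bad_delta(void) { uint8_t out[8]; return rle8_decode(bad_delta, sizeof bad_delta, out, 4, 2); }
int demo_truncated(void) { uint8_t out[8]; return rle8_decode(truncated, sizeof truncated, out, 4, 2); }

int main(void)
{
    printf("good=%d bad_run=%d bad_delta=%d truncated=%d\n",
           demo_good(), demo_bad_run(), demo_bad_delta(), demo_truncated());
    return 0;
}
```

The point of the example is the position of the checks: the remaining-space test happens before the `memset`/`memcpy` that corresponds to the `*output++ = pix[0]` loop in the backtrace, and the delta check rejects a skip that lands outside the picture before any pointer is derived from it. A decoder that instead advances the output pointer first and validates afterwards can end up with exactly the garbage pointer shown in `rax` above.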