Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#2609 closed defect (fixed)

av_seek_frame crashes on .nut file

Reported by: hxuanyu
Priority: important
Component: avformat
Version: 1.1.5
Keywords: nut crash SIGSEGV regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

I'm building an application with ffmpeg 1.1.3. While opening a .nut file, av_seek_frame always crashes. I also wrote a simple test app; it also crashes every time.

The file I used is here, and below is the test code:

#include <stdio.h>
#include <libavformat/avformat.h>
#include <libavcodec/avcodec.h>

static int open_codec_context(int *stream_idx,
                              AVFormatContext *fmt_ctx, enum AVMediaType type)
{
    int ret;
    AVStream *st;
    AVCodecContext *dec_ctx = NULL;
    AVCodec *dec = NULL;

    ret = av_find_best_stream(fmt_ctx, type, -1, -1, NULL, 0);
    if (ret < 0) {
        //fprintf(stderr, "Could not find %s stream in input file '%s'\n",
        //        av_get_media_type_string(type), src_filename);
        return ret;
    } else {
        *stream_idx = ret;
        st = fmt_ctx->streams[*stream_idx];

        /* find decoder for the stream */
        dec_ctx = st->codec;
        dec = avcodec_find_decoder(dec_ctx->codec_id);
        if (!dec) {
            fprintf(stderr, "Failed to find %s codec\n",
                    av_get_media_type_string(type));
            return AVERROR(EINVAL);   /* ret still holds the stream index here, so it must not be returned as the error */
        }

        if ((ret = avcodec_open2(dec_ctx, dec, NULL)) < 0) {
            fprintf(stderr, "Failed to open %s codec\n",
                    av_get_media_type_string(type));
            return ret;
        }
    }

    return 0;
}

int main(int argc, char **argv)
{
    if (argc == 1) {
        printf("no argument provided, exit ************** \n");
        return 0;
    }
    const char *src_filename = argv[1];

    printf("to play %s\n", src_filename);

    av_register_all();   /* required before any demuxer/decoder lookup in this API version */

    AVFormatContext *pFormatCtx = NULL;
    if (avformat_open_input(&pFormatCtx, src_filename, NULL, NULL) < 0) {
        fprintf(stderr, "Could not open source file %s\n", src_filename);
        return 1;
    }

    if (avformat_find_stream_info(pFormatCtx, NULL) < 0) {
        fprintf(stderr, "Could not find stream information\n");
        return 1;
    }

    int video_stream_idx = -1;
    AVStream *video_stream;
    AVCodecContext *pCodecCtx = NULL;
    if (open_codec_context(&video_stream_idx, pFormatCtx, AVMEDIA_TYPE_VIDEO) >= 0) {
        video_stream = pFormatCtx->streams[video_stream_idx];
        pCodecCtx = video_stream->codec;   /* already opened by open_codec_context, no second avcodec_open needed */
        printf("video stream index = %d\n", video_stream_idx);
    }
    if (!pCodecCtx) {
        fprintf(stderr, "No decodable video stream in %s\n", src_filename);
        return 1;
    }

    AVPacket pkt;
    av_init_packet(&pkt);
    pkt.data = NULL;
    pkt.size = 0;
    int count = 0;
    while (av_read_frame(pFormatCtx, &pkt) >= 0) {
        printf("frame %d\n", count++);
        av_free_packet(&pkt);   /* release the packet's buffer before the next read */
        if (count == 100)
            av_seek_frame(pFormatCtx, video_stream_idx, 0, 0); // always crashes here.
    }

    avformat_close_input(&pFormatCtx);
    return 0;
}

I tried to print out some trace; it's pretty much that the crash happens in read_seek of nutdec.c.

Akon_cut.nut (200.0 KB) - added by cehoyos 4 years ago.

Changed 4 years ago by cehoyos

Please test current git head and please provide a backtrace etc. as explained on

Changed 4 years ago by cehoyos

  • Description modified (diff)

comment:3 Changed 4 years ago by cehoyos

  • Keywords nut crash SIGSEGV regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Resolution set to fixed
  • Status changed from new to closed
  • Version changed from unspecified to 1.1.5

Fixed in origin/release/1.1, thank you for the report!

For future tickets: Please always also test with ffmpeg (first) and ffplay; if they allow reproducing a problem, it is generally significantly easier to test / reproduce / fix the bug.

(gdb) r -ss 1 -i Akon.nut
Starting program: /home/cehoyos/test/cehoyos/FFmpeg/ffmpeg_g -ss 1 -i Akon.nut
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/".
ffmpeg version 1.1.5 Copyright (c) 2000-2013 the FFmpeg developers
  built on May 30 2013 11:10:58 with gcc 4.7 (SUSE Linux)
  libavutil      52. 13.100 / 52. 13.100
  libavcodec     54. 86.100 / 54. 86.100
  libavformat    54. 59.106 / 54. 59.106
  libavdevice    54.  3.102 / 54.  3.102
  libavfilter     3. 32.100 /  3. 32.100
  libswscale      2.  1.103 /  2.  1.103
  libswresample   0. 17.102 /  0. 17.102
[nut @ 0x1553540] no index at the end
[nut @ 0x1553540] read_timestamp failed.

Program received signal SIGSEGV, Segmentation fault.
ff_read_timestamp (read_timestamp=0x516660 <nut_read_timestamp>, pos_limit=9223372036854775807,
    ppos=0x7fffffffd388, stream_index=-1, s=0x1553540) at libavformat/utils.c:4347
4347    }
(gdb) bt
#0  ff_read_timestamp (read_timestamp=0x516660 <nut_read_timestamp>, pos_limit=9223372036854775807,
    ppos=0x7fffffffd388, stream_index=-1, s=0x1553540) at libavformat/utils.c:4347
#1  ff_gen_search (s=s@entry=0x1553540, stream_index=stream_index@entry=-1,
    target_ts=<optimized out>, pos_min=6522, pos_max=15065570, pos_limit=15065570, ts_min=0,
    ts_max=301768133, flags=flags@entry=1, ts_ret=ts_ret@entry=0x7fffffffd428,
    read_timestamp=read_timestamp@entry=0x516660 <nut_read_timestamp>) at libavformat/utils.c:1917
#2  0x0000000000515b24 in read_seek (s=0x1553540, stream_index=<optimized out>,
    pts=<optimized out>, flags=1) at libavformat/nutdec.c:985
#3  0x0000000000564279 in seek_frame_internal (s=s@entry=0x1553540, stream_index=0,
    stream_index@entry=-1, timestamp=30, timestamp@entry=1000000, flags=flags@entry=1)
    at libavformat/utils.c:2060
#4  0x0000000000564f29 in av_seek_frame (flags=1, timestamp=1000000, stream_index=-1, s=0x1553540)
    at libavformat/utils.c:2080
#5  avformat_seek_file (s=s@entry=0x1553540, stream_index=stream_index@entry=-1,
    min_ts=-9223372036854775808, ts=ts@entry=1000000, max_ts=max_ts@entry=1000000,
    flags=flags@entry=0) at libavformat/utils.c:2123
#6  0x0000000000451e29 in open_input_file (o=o@entry=0x7fffffffd7b0, filename=<optimized out>)
    at ffmpeg_opt.c:808
#7  0x000000000044ffd0 in open_files (inout=<optimized out>, inout@entry=0xbaba1f "input",
    open_file=open_file@entry=0x451080 <open_input_file>, l=<optimized out>, l=<optimized out>)
    at ffmpeg_opt.c:2293
#8  0x0000000000455989 in ffmpeg_parse_options (argc=argc@entry=5, argv=argv@entry=0x7fffffffdde8)
    at ffmpeg_opt.c:2330
#9  0x000000000044de18 in main (argc=5, argv=0x7fffffffdde8) at ffmpeg.c:3192
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x5638f1 to 0x563931:
   0x00000000005638f1 <ff_gen_search+305>:      mov    0xc(%rsp),%esi
   0x00000000005638f5 <ff_gen_search+309>:      mov    0xa0(%rsp),%r8
   0x00000000005638fd <ff_gen_search+317>:      mov    %r12,%rdi
   0x0000000000563900 <ff_gen_search+320>:      callq  *%r8
   0x0000000000563903 <ff_gen_search+323>:      mov    0x30(%r12),%rdx
   0x0000000000563908 <ff_gen_search+328>:      mov    0x10(%rsp),%r8
   0x000000000056390d <ff_gen_search+333>:      mov    (%rdx,%r8,1),%rdx
=> 0x0000000000563911 <ff_gen_search+337>:      mov    0xd8(%rdx),%ecx
   0x0000000000563917 <ff_gen_search+343>:      mov    0x200(%rdx),%rsi
   0x000000000056391e <ff_gen_search+350>:      mov    0x208(%rdx),%edx
   0x0000000000563924 <ff_gen_search+356>:      test   %edx,%edx
   0x0000000000563926 <ff_gen_search+358>:      je     0x563950 <ff_gen_search+400>
   0x0000000000563928 <ff_gen_search+360>:      movabs $0x8000000000000000,%rdi
End of assembler dump.
(gdb) info register
rax            0xfc87e  1034366
rbx            0xf4628  1001000
rcx            0x7fffffffd208   140737488343560
rdx            0x20     32
rsi            0x30     48
rdi            0x1553540        22361408
rbp            0xdc9b   0xdc9b
rsp            0x7fffffffd350   0x7fffffffd350
r8             0xfffffffffffffff8       -8
r9             0x101010101010101        72340172838076673
r10            0x5b21   23329
r11            0x7ffff65a910e   140737326518542
r12            0x1553540        22361408
r13            0x197a   6522
r14            0x0      0
r15            0xe5e1e2 15065570
rip            0x563911 0x563911 <ff_gen_search+337>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
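What the register dump and disassembly above show, as an added illustration that is not part of the ticket and not libavformat code or the fix commit: ff_read_timestamp was entered with stream_index=-1, %r8 holds -8, and the faulting instruction sequence loads s->streams (offset 0x30 from %r12, the context) and then streams[-1] before dereferencing it. The toy structs, field names and sentinel layout below are invented for this demonstration; they are not AVStream or AVFormatContext.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the two objects in the backtrace.  The field layout is
 * invented for this illustration; it is not libavformat's AVStream/AVFormatContext. */
typedef struct { int id; } Stream;
typedef struct { unsigned nb_streams; Stream **streams; } FormatCtx;

/* Byte offset the compiler computes for streams[idx]: idx scaled by the
 * pointer size.  For idx == -1 on a 64-bit build that is -8, the value held
 * in %r8 when the "mov (%rdx,%r8,1),%rdx" before the faulting load executed. */
ptrdiff_t stream_slot_offset(int idx)
{
    return (ptrdiff_t)idx * (ptrdiff_t)sizeof(Stream *);
}

/* Unchecked lookup: the pattern the disassembly shows.  With idx == -1 it
 * returns whatever pointer-sized word happens to sit just before the array,
 * and the caller then dereferences that. */
Stream *lookup_unchecked(const FormatCtx *s, int idx)
{
    return s->streams[idx];
}

/* Bounds-checked lookup: a negative or too-large index selects no stream.
 * A generic seek path that uses -1 to mean "no particular stream" has to
 * take this NULL and skip per-stream work instead of indexing. */
Stream *lookup_checked(const FormatCtx *s, int idx)
{
    if (idx < 0 || (unsigned)idx >= s->nb_streams)
        return NULL;
    return s->streams[idx];
}

/* Constructed layout: a sentinel pointer placed immediately before a
 * two-entry streams[] array, so the out-of-range read at index -1 lands on
 * memory we own instead of faulting as it did in the ticket.  Returns 1 if
 * the unchecked read at -1 yielded the sentinel while the checked read
 * refused it and still resolves a valid index correctly. */
int demo_negative_index(void)
{
    static Stream sentinel = { -1 }, a = { 0 }, b = { 1 };
    Stream *slots[3] = { &sentinel, &a, &b };   /* slots[1..2] are the "real" array */
    FormatCtx ctx = { 2, &slots[1] };

    Stream *bad = lookup_unchecked(&ctx, -1);   /* reads slots[0]: the sentinel */
    Stream *ok  = lookup_checked(&ctx, -1);     /* NULL: index rejected */
    return bad == &sentinel && ok == NULL && lookup_checked(&ctx, 1) == &b;
}

int main(void)
{
    printf("streams[-1] resolves %td bytes before the array base\n",
           stream_slot_offset(-1));
    printf("negative index demo: %s\n",
           demo_negative_index() ? "unchecked read hit the sentinel, checked read rejected -1"
                                 : "unexpected");
    return 0;
}
```

In the real crash there was no sentinel, only whatever preceded the streams array, so the follow-up field read at 0xd8 faulted. The practical check when debugging a fault like this is to compare the scaled index register (%r8 here) against the pointer size and the stream_index argument in the frame; a value of -sizeof(void *) with stream_index=-1 points directly at the missing bounds check rather than at a corrupted stream object.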

Changed 4 years ago by cehoyos

Changed 4 years ago by hxuanyu

Hi, I checked both the master and release/1.1 branches here; it seems nutdec.c hasn't been changed. Could you kindly tell me how to get the correct code?


Changed 4 years ago by cehoyos

The crash did not happen in nutdec.c for me.
If you wanted to report another crash, please add backtrace etc. as I have done above.

Changed 4 years ago by cehoyos

This is the commit that fixed the crash that I could reproduce:;a=commitdiff;h=2416eff

