Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2677 closed defect (fixed)

Crash when trying to read a .tta audio file

Reported by: cyril Owned by:
Priority: important Component: avformat
Version: git-master Keywords: tta crash SIGSEGV regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug: ffplay crashes when trying to read a .tta audio file. I used the latest Zeranoe build, it was working fine with previous builds from 2-3 weeks ago. Regression is maybe related to the fix for ticket #2635.

Tested file: http://towerofbabel.free.fr/test/music.ape.tta

How to reproduce:

% ffplay.exe music.ape.tta
ffplay version N-54036-g6c4516d Copyright (c) 2003-2013 the FFmpeg developers
  built on Jun 15 2013 13:04:51 with gcc 4.7.3 (GCC)
  configuration: --enable-gpl --enable-version3 --disable-w32threads --enable-av
isynth --enable-bzlib --enable-fontconfig --enable-frei0r --enable-gnutls --enab
le-iconv --enable-libass --enable-libbluray --enable-libcaca --enable-libfreetyp
e --enable-libgsm --enable-libilbc --enable-libmodplug --enable-libmp3lame --ena
ble-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-l
ibopus --enable-librtmp --enable-libschroedinger --enable-libsoxr --enable-libsp
eex --enable-libtheora --enable-libtwolame --enable-libvo-aacenc --enable-libvo-
amrwbenc --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libxavs --
enable-libxvid --enable-zlib
  libavutil      52. 35.101 / 52. 35.101
  libavcodec     55. 16.100 / 55. 16.100
  libavformat    55.  8.102 / 55.  8.102
  libavdevice    55.  2.100 / 55.  2.100
  libavfilter     3. 77.101 /  3. 77.101
  libswscale      2.  3.100 /  2.  3.100
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  3.100 / 52.  3.100
    nan    :  0.000 fd=   0 aq=    0KB vq=    0KB sq=    0B f=0/0

Change History (4)

comment:1 Changed 3 years ago by cehoyos

  • Component changed from FFplay to avcodec
  • Keywords tta crash SIGSEGV regression added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Summary changed from ffplay crashes when trying to read a .tta audio file to Crash when trying to read a .tta audio file

Regression since 55121f3

(gdb) r -i music.ape.tta
Starting program: ffmpeg_g -i music.ape.tta
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-54046-g3b86174 Copyright (c) 2000-2013 the FFmpeg developers
  built on Jun 16 2013 19:20:08 with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl --disable-indev=jack
  libavutil      52. 37.101 / 52. 37.101
  libavcodec     55. 16.100 / 55. 16.100
  libavformat    55.  8.103 / 55.  8.103
  libavdevice    55.  2.100 / 55.  2.100
  libavfilter     3. 77.101 /  3. 77.101
  libswscale      2.  3.100 /  2.  3.100
  libswresample   0. 17.102 /  0. 17.102
  libpostproc    52.  3.100 / 52.  3.100

Program received signal SIGSEGV, Segmentation fault.
0x00000000005babe2 in tta_read_packet (s=<optimized out>, pkt=0x7fffffffd190) at libavformat/tta.c:159
159         size = st->index_entries[c->currentframe].size;
(gdb) bt
#0  0x00000000005babe2 in tta_read_packet (s=<optimized out>, pkt=0x7fffffffd190)
    at libavformat/tta.c:159
#1  0x00000000005c0a52 in ff_read_packet (s=s@entry=0x1692020, pkt=pkt@entry=0x7fffffffd190)
    at libavformat/utils.c:791
#2  0x00000000005c2970 in read_frame_internal (s=s@entry=0x1692020, pkt=pkt@entry=0x7fffffffd3b0)
    at libavformat/utils.c:1443
#3  0x00000000005c5d4e in avformat_find_stream_info (ic=0x1692020, options=0x1693880)
    at libavformat/utils.c:2904
#4  0x00000000004637f9 in open_input_file (o=o@entry=0x7fffffffd760, filename=<optimized out>)
    at ffmpeg_opt.c:814
#5  0x000000000045e2f2 in open_files (inout=<optimized out>, inout@entry=0xc6f47f "input",
    open_file=open_file@entry=0x463450 <open_input_file>, l=<optimized out>, l=<optimized out>)
    at ffmpeg_opt.c:2483
#6  0x0000000000464b89 in ffmpeg_parse_options (argc=argc@entry=3, argv=argv@entry=0x7fffffffddf8)
    at ffmpeg_opt.c:2520
#7  0x000000000045be38 in main (argc=3, argv=0x7fffffffddf8) at ffmpeg.c:3361
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x5babc2 to 0x5bac02:
   0x00000000005babc2 <tta_read_packet+34>:     mov    (%rax),%esp
   0x00000000005babc4 <tta_read_packet+36>:     mov    $0xdfb9b0bb,%eax
   0x00000000005babc9 <tta_read_packet+41>:     jge    0x5bac1b <tta_read_packet+123>
   0x00000000005babcb <tta_read_packet+43>:     mov    0x1e0(%r12),%rcx
   0x00000000005babd3 <tta_read_packet+51>:     lea    (%rdx,%rdx,2),%rax
   0x00000000005babd7 <tta_read_packet+55>:     mov    0x20(%rdi),%rdi
   0x00000000005babdb <tta_read_packet+59>:     mov    %rsi,%rbp
   0x00000000005babde <tta_read_packet+62>:     lea    (%rcx,%rax,8),%rax
=> 0x00000000005babe2 <tta_read_packet+66>:     mov    0x10(%rax),%edx
   0x00000000005babe5 <tta_read_packet+69>:     sar    $0x2,%edx
   0x00000000005babe8 <tta_read_packet+72>:     callq  0x5bfbd0 <av_get_packet>
   0x00000000005babed <tta_read_packet+77>:     mov    0x4(%rbx),%ecx
   0x00000000005babf0 <tta_read_packet+80>:     mov    0x1e0(%r12),%rsi
   0x00000000005babf8 <tta_read_packet+88>:     movslq %ecx,%rdx
   0x00000000005babfb <tta_read_packet+91>:     lea    (%rdx,%rdx,2),%rdx
   0x00000000005babff <tta_read_packet+95>:     lea    (%rsi,%rdx,8),%rdx
End of assembler dump.
(gdb) info register
rax            0x0      0
rbx            0x1692600        23668224
rcx            0x0      0
rdx            0x0      0
rsi            0x7fffffffd190   140737488343440
rdi            0x169a720        23701280
rbp            0x7fffffffd190   0x7fffffffd190
rsp            0x7fffffffd040   0x7fffffffd040
r8             0x0      0
r9             0x8      8
r10            0x0      0
r11            0x19     25
r12            0x16926c0        23668416
r13            0x8000000000000000       -9223372036854775808
r14            0x8000000000000000       -9223372036854775808
r15            0x0      0
rip            0x5babe2 0x5babe2 <tta_read_packet+66>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

comment:2 Changed 3 years ago by cyril

Another detail: I have the same audio file but with id3v2 metadata instead of ape metadata. The id3v2 version doesn't have any issue: http://towerofbabel.free.fr/test/music.id3.tta

Sorry, I don't have a smaller sample...

comment:3 Changed 3 years ago by richardpl

  • Resolution set to fixed
  • Status changed from open to closed

comment:4 Changed 3 years ago by richardpl

  • Component changed from avcodec to avformat
Note: See TracTickets for help on using tickets.