Occasional Access Violation: H264 with bad streams
|Reported by:||BlackWarren||Owned by:|
|Blocking:||Reproduced by developer:||no|
|Analyzed by developer:||no|
Summary of the bug:
When playing a certain unreliable live stream, experienced core-dumps about every four hours on average.
How to reproduce:
Version: Git trunk sources as of 5/24/13. "version.sh" reports "N-53488-g953e335".
When playing unreliable H264 streams with FFPlay, I seem to get core-dumps randomly every few hours. The exact location is usually the second instruction of "pred8x8_top_dc_8_mmxext" in "h264_intrapred.asm", where it dereferences "dest_cr" after subtracting "uvlinesize" from it, as called from the line reading
in "h264_mb_template.c". "uvlinesize" is typically something like 320 at the time of crash, with "mb_y" zero.
My take on this is that, when presented with garbaged stream data, the H264 frame decoder sometimes tries to perform predictions that involve higher rows (lower memory addresses): if "mb_y" happens to be zero (the top row), this means that it tries to read memory from "negative rows", addresses a few hundred bytes before the beginning of the legitimate frame data. Often, those addresses point to harmless random bytes, but occasionally it actually points to unmapped memory pages, causing Access Violations.
Change History (12)
comment:9 Changed 6 months ago by Svetlana
- Resolution fixed deleted
- Status changed from closed to reopened
comment:10 follow-up: ↓ 11 Changed 6 months ago by cehoyos
- Resolution set to fixed
- Status changed from reopened to closed