Opened 13 years ago
Closed 13 years ago
#3070 closed defect (fixed)
hevc: invalid reads
| Reported by: | ami_stuff | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | hevc crash SIGSEGV |
| Cc: | mickael raulet | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
Attached file is valid (not fuzzed).
knoppix@Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-HEAD-da30d0c/ffmpeg_g -threads 1 -strict -2 -i hevc1.ts -f null -
==2916== Memcheck, a memory error detector
==2916== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2916== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2916== Command: ffmpeg-HEAD-da30d0c/ffmpeg_g -threads 1 -strict -2 -i hevc1.ts -f null -
==2916==
ffmpeg version 2.0-da30d0c Copyright (c) 2000-2013 the FFmpeg developers
built on Oct 22 2013 14:57:21 with gcc 4.7 (Debian 4.7.2-5)
configuration: --disable-yasm --disable-ffprobe --disable-ffserver --enable-gpl
libavutil 52. 47.101 / 52. 47.101
libavcodec 55. 37.102 / 55. 37.102
libavformat 55. 19.103 / 55. 19.103
libavdevice 55. 4.100 / 55. 4.100
libavfilter 3. 89.100 / 3. 89.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
Input #0, mpegts, from 'hevc1.ts':
Duration: 00:00:12.60, start: 0.080000, bitrate: 348 kb/s
Program 1
Stream #0:0[0x12d]: Video: hevc (HEVC / 0x43564548), yuv420p, 320x240, 23.98 tbr, 90k tbn, 90k tbc
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.19.103
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 23.98 tbc
Stream mapping:
Stream #0:0 -> #0:0 (hevc -> rawvideo)
Press [q] to stop, [?] for help
[null @ 0x4a13d00] Encoder did not produce proper pts, making some up.
==2916== Invalid read of size 2N/A time=00:00:12.13 bitrate=N/A
==2916== at 0x84E6FCC: ff_hevc_hls_residual_coding (cabac.h:174)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== by 0x84DADFA: hls_transform_tree (hevc.c:850)
==2916== by 0x84DD5F8: hls_coding_quadtree (hevc.c:1571)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff48 is 184 bytes inside a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E8352: ff_hevc_hls_residual_coding (cabac.h:239)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== by 0x84DADFA: hls_transform_tree (hevc.c:850)
==2916== by 0x84DD5F8: hls_coding_quadtree (hevc.c:1571)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff4a is 1 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E8A63: ff_hevc_hls_mvd_coding (cabac.h:174)
==2916== by 0x84DC9E7: hls_prediction_unit (hevc.c:1107)
==2916== by 0x84DDB34: hls_coding_quadtree (hevc.c:1531)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff4a is 1 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E608A: ff_hevc_merge_idx_decode (cabac.h:174)
==2916== by 0x84DBD01: hls_prediction_unit (hevc.c:1068)
==2916== by 0x84DDBF8: hls_coding_quadtree (hevc.c:1488)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff4c is 3 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E7691: ff_hevc_hls_residual_coding (cabac.h:174)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== by 0x84DD5F8: hls_coding_quadtree (hevc.c:1571)
==2916== by 0x84DCFA4: hls_coding_quadtree (hevc.c:1630)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff4e is 5 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E55FA: ff_hevc_part_mode_decode (cabac.h:174)
==2916== by 0x84DD74F: hls_coding_quadtree (hevc.c:1500)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff50 is 7 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E6FCC: ff_hevc_hls_residual_coding (cabac.h:174)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== by 0x84DAE3C: hls_transform_tree (hevc.c:852)
==2916== by 0x84DD5F8: hls_coding_quadtree (hevc.c:1571)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff52 is 9 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E8523: ff_hevc_hls_residual_coding (cabac.h:174)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== by 0x84DAE3C: hls_transform_tree (hevc.c:852)
==2916== by 0x84DD5F8: hls_coding_quadtree (hevc.c:1571)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff54 is 11 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E6FCC: ff_hevc_hls_residual_coding (cabac.h:174)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== by 0x84DD5F8: hls_coding_quadtree (hevc.c:1571)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff56 is 13 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E6119: ff_hevc_merge_idx_decode (cabac.h:239)
==2916== by 0x84DBD01: hls_prediction_unit (hevc.c:1068)
==2916== by 0x84DDBF8: hls_coding_quadtree (hevc.c:1488)
==2916== by 0x84DCFA4: hls_coding_quadtree (hevc.c:1630)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff58 is 15 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E54F3: ff_hevc_split_coding_unit_flag_decode (cabac.h:174)
==2916== by 0x84DD021: hls_coding_quadtree (hevc.c:1606)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff58 is 15 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916== by 0x402849F: realloc (vg_replace_malloc.c:632)
==2916== by 0x88F0407: av_buffer_realloc (buffer.c:164)
==2916== by 0x827F7CC: av_dup_packet (avpacket.c:204)
==2916== by 0x823CC9B: parse_packet (utils.c:1285)
==2916== by 0x823DE60: read_frame_internal (utils.c:1341)
==2916== by 0x823E369: av_read_frame (utils.c:1437)
==2916== by 0x80B9A65: process_input (ffmpeg.c:2893)
==2916== by 0x80A5B82: main (ffmpeg.c:3200)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E8ED9: ff_hevc_hls_mvd_coding (cabac.h:198)
==2916== by 0x84DC9E7: hls_prediction_unit (hevc.c:1107)
==2916== by 0x84DDB64: hls_coding_quadtree (hevc.c:1527)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff5a is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E4DB1: ff_hevc_skip_flag_decode (cabac.h:174)
==2916== by 0x84DD116: hls_coding_quadtree (hevc.c:1476)
==2916== by 0x84DCFA4: hls_coding_quadtree (hevc.c:1630)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff5c is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E54F3: ff_hevc_split_coding_unit_flag_decode (cabac.h:174)
==2916== by 0x84DD021: hls_coding_quadtree (hevc.c:1606)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff5e is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E5379: ff_hevc_pred_mode_decode (cabac.h:174)
==2916== by 0x84DD1AD: hls_coding_quadtree (hevc.c:1497)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff60 is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E5DBE: ff_hevc_rem_intra_luma_pred_mode_decode (cabac.h:239)
==2916== by 0x84DE1D0: hls_coding_quadtree (hevc.c:1407)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff62 is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E54F3: ff_hevc_split_coding_unit_flag_decode (cabac.h:174)
==2916== by 0x84DD021: hls_coding_quadtree (hevc.c:1606)
==2916== by 0x84DCFD2: hls_coding_quadtree (hevc.c:1628)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff62 is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E67D9: ff_hevc_no_residual_syntax_flag_decode (cabac.h:174)
==2916== by 0x84DD58D: hls_coding_quadtree (hevc.c:1565)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff66 is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E54F3: ff_hevc_split_coding_unit_flag_decode (cabac.h:174)
==2916== by 0x84DD021: hls_coding_quadtree (hevc.c:1606)
==2916== by 0x84DCFA4: hls_coding_quadtree (hevc.c:1630)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff68 is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E54F3: ff_hevc_split_coding_unit_flag_decode (cabac.h:174)
==2916== by 0x84DD021: hls_coding_quadtree (hevc.c:1606)
==2916== by 0x84DCF0D: hls_coding_quadtree (hevc.c:1623)
==2916== by 0x84E28A7: decode_nal_units (hevc.c:1742)
==2916== by 0x84E369B: hevc_decode_frame (hevc.c:2275)
==2916== by 0x80B64FC: decode_video (ffmpeg.c:1668)
==2916== by 0x4032257F: ???
==2916== Address 0x4bdff6a is not stack'd, malloc'd or (recently) free'd
==2916==
frame= 303 fps= 26 q=0.0 Lsize=N/A time=00:00:12.63 bitrate=N/A
video:19kB audio:0kB subtitle:0 global headers:0kB muxing overhead -100.113449%
==2916==
==2916== HEAP SUMMARY:
==2916== in use at exit: 0 bytes in 0 blocks
==2916== total heap usage: 12,005 allocs, 12,005 frees, 118,781,688 bytes allocated
==2916==
==2916== All heap blocks were freed -- no leaks are possible
==2916==
==2916== For counts of detected and suppressed errors, rerun with: -v
==2916== ERROR SUMMARY: 23 errors from 20 contexts (suppressed: 59 from 6)
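Added example (not part of the ticket and not FFmpeg code): a small Memcheck triage script run over records copied from the report above. It recovers the end of the 185-byte packet buffer from the records Memcheck attributes to a block and measures how far each 2-byte read reaches past it, including the later reads that Memcheck no longer ties to any block. The `NEAR` window and every function name in the script are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Records copied from the Memcheck report above, trimmed to the lines the
# parser needs. The first header keeps the ffmpeg progress text that got
# interleaved with it in the original terminal output.
SAMPLE = """\
==2916== Invalid read of size 2N/A time=00:00:12.13 bitrate=N/A
==2916== at 0x84E6FCC: ff_hevc_hls_residual_coding (cabac.h:174)
==2916== by 0x84DB37A: hls_transform_tree (hevc.c:761)
==2916== Address 0x4bdff48 is 184 bytes inside a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E8A63: ff_hevc_hls_mvd_coding (cabac.h:174)
==2916== Address 0x4bdff4a is 1 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E6119: ff_hevc_merge_idx_decode (cabac.h:239)
==2916== Address 0x4bdff58 is 15 bytes after a block of size 185 alloc'd
==2916== at 0x4028308: malloc (vg_replace_malloc.c:263)
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E8ED9: ff_hevc_hls_mvd_coding (cabac.h:198)
==2916== Address 0x4bdff5a is not stack'd, malloc'd or (recently) free'd
==2916==
==2916== Invalid read of size 2
==2916== at 0x84E54F3: ff_hevc_split_coding_unit_flag_decode (cabac.h:174)
==2916== Address 0x4bdff6a is not stack'd, malloc'd or (recently) free'd
==2916==
"""

ERR = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^==\d+==\s+at 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
ADDR = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is "
                  r"(?:(\d+) bytes (inside|after) a block of size (\d+)|not )")

# Assumption of this example: an unattributed address that lies this close
# past a known block end continues the same out-of-bounds run.
NEAR = 256


@dataclass
class Access:
    kind: str                        # "read" or "write"
    size: int                        # bytes touched by the access
    func: str = "?"                  # innermost frame
    loc: str = "?"                   # file:line of the innermost frame
    addr: int = 0                    # faulting address
    block_end: Optional[int] = None  # one past the block's last byte, if named


def parse_memcheck(text):
    """Turn 'Invalid read/write' records into Access objects (overruns only)."""
    out, cur = [], None
    for line in text.splitlines():
        m = ERR.match(line)
        if m:
            cur = Access(m.group(1), int(m.group(2)))
            out.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME.match(line)
        if m and cur.func == "?":    # only the first 'at' is the faulting frame
            cur.func, cur.loc = m.group(1), m.group(2)
            continue
        m = ADDR.match(line)
        if m:
            cur.addr = int(m.group(1), 16)
            if m.group(3) == "inside":
                cur.block_end = cur.addr - int(m.group(2)) + int(m.group(4))
            elif m.group(3) == "after":
                cur.block_end = cur.addr - int(m.group(2))
    return out


def overrun_report(accesses):
    """Rows of (func, loc, addr, attributed, bytes reached past the block end)."""
    rows, end = [], None
    for a in accesses:
        if a.block_end is not None:
            end = a.block_end
            past = max(0, a.addr + a.size - end)
        elif end is not None and 0 <= a.addr - end < NEAR:
            past = a.addr + a.size - end   # inherit the last known block end
        else:
            past = None                    # nothing to relate this address to
        rows.append((a.func, a.loc, hex(a.addr), a.block_end is not None, past))
    return rows


def worst_by_function(rows):
    """Largest overrun seen per innermost function."""
    worst = {}
    for func, _loc, _addr, _attributed, past in rows:
        if past:
            worst[func] = max(worst.get(func, 0), past)
    return worst


if __name__ == "__main__":
    for row in overrun_report(parse_memcheck(SAMPLE)):
        print(row)
```

On these records the overrun grows in step with the addresses, from 1 byte past the buffer to 35, across several unrelated syntax-element decoders that all read through `cabac.h`.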
Attachments (1)
Change History (7)
follow-up: 2 comment:1 by , 13 years ago
| Component: | undetermined → avcodec |
|---|---|
| Keywords: | hevc added |
| Reproduced by developer: | set |
| Status: | new → open |
| Version: | unspecified → git-master |
comment:2 by , 13 years ago
Replying to cehoyos:
> Does this crash on any operating system?
Yes, it sometimes crashes on Windows (for some reason it's easier to reproduce when I add -strict -2 to the command line).
This is an autobuild, so no debug symbols:
(gdb) r -strict -2 -threads 3 -i hevc1.ts -f null -
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: D:\MinGW\msys\1.0\ffmpeg-HEAD-10c6d1b\ffmpeg.exe -strict -2 -threads 3 -i hevc1.ts -f null -
[New Thread 3828.0x9a8]
ffmpeg version N-57367-g2f31b73 Copyright (c) 2000-2013 the FFmpeg developers
built on Oct 23 2013 20:22:19 with gcc 4.8.2 (GCC)
configuration: --enable-gpl --enable-version3 --disable-w32threads --enable-avisynth --enable-bzlib --enable-fontconfig --enable-frei0r --enable-gnutls --enable-iconv --enable-libass --enable-libbluray --enable-libcaca --enable-libfreetype --enable-libgsm --enable-libilbc --enable-libmodplug --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-libopus --enable-librtmp --enable-libschroedinger --enable-libsoxr --enable-libspeex --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libx264 --enable-libxavs --enable-libxvid --enable-zlib
libavutil 52. 47.101 / 52. 47.101
libavcodec 55. 38.101 / 55. 38.101
libavformat 55. 19.104 / 55. 19.104
libavdevice 55. 4.100 / 55. 4.100
libavfilter 3. 89.100 / 3. 89.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
Input #0, mpegts, from 'hevc1.ts':
Duration: 00:00:12.60, start: 0.080000, bitrate: 348 kb/s
Program 1
Stream #0:0[0x12d]: Video: hevc (HEVC / 0x43564548), yuv420p, 320x240, 23.98 tbr, 90k tbn, 90k tbc
[New Thread 3828.0x9ac]
[New Thread 3828.0xa0]
[New Thread 3828.0xf14]
[New Thread 3828.0xf10]
[New Thread 3828.0x374]
[New Thread 3828.0x798]
[New Thread 3828.0x720]
[New Thread 3828.0xef0]
[New Thread 3828.0x7c4]
[New Thread 3828.0xdc]
[New Thread 3828.0x750]
[New Thread 3828.0xbc]
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.19.104
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 23.98 tbc
Stream mapping:
Stream #0:0 -> #0:0 (hevc -> rawvideo)
Press [q] to stop, [?] for help
[null @ 02e08020] Encoder did not produce proper pts, making some up.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 3828.0xbc]
0x0099e9fe in ?? ()
(gdb)
comment:3 by , 13 years ago
Had to run this like 20 times before I could reproduce the crash.
(gdb) r -threads 3 -i ../hevc1.ts -f null -
Starting program: D:\MinGW\msys\1.0\ffmpeg\build32/ffmpeg_g.exe -threads 3 -i ../hevc1.ts -f null -
[New Thread 2572.0xae4]
ffmpeg version N-57397-g6c9c636 Copyright (c) 2000-2013 the FFmpeg developers
built on Oct 24 2013 17:33:33 with gcc 4.8.1 (GCC)
configuration: --enable-gpl --disable-optimizations --enable-debug=gdb --enable-cross-compile --cross-prefix=x86_64-w64-mingw32- --arch=x86_64 --target-os=mingw32 --prefix=/mingw64
libavutil 52. 47.101 / 52. 47.101
libavcodec 55. 38.101 / 55. 38.101
libavformat 55. 19.104 / 55. 19.104
libavdevice 55. 5.100 / 55. 5.100
libavfilter 3. 89.100 / 3. 89.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
Input #0, mpegts, from '../hevc1.ts':
Duration: 00:00:12.60, start: 0.080000, bitrate: 348 kb/s
Program 1
Stream #0:0[0x12d]: Video: hevc (HEVC / 0x43564548), yuv420p, 320x240, 23.98 tbr, 90k tbn, 90k tbc
[New Thread 2572.0x968]
[New Thread 2572.0xd64]
[New Thread 2572.0xf50]
[New Thread 2572.0xf38]
[New Thread 2572.0x54c]
[New Thread 2572.0xf28]
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.19.104
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240, q=2-31,200 kb/s, 90k tbn, 23.98 tbc
Stream mapping:
Stream #0:0 -> #0:0 (hevc -> rawvideo)
Press [q] to stop, [?] for help
[null @ 000000000644ee20] Encoder did not produce proper pts, making some up.
frame= 288 fps=191 q=0.0 size=N/A time=00:00:12.01 bitrate=N/A
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2572.0xf28]
0x0000000000c3e844 in get_cabac ()
(gdb) bt
#0 0x0000000000c3e844 in get_cabac ()
#1 0x0000000000c426dd in ff_hevc_hls_mvd_coding ()
#2 0x000000000076e107 in hls_prediction_unit ()
#3 0x0000000000770678 in hls_coding_unit ()
#4 0x00000000007711be in hls_coding_quadtree ()
#5 0x00000000007710a0 in hls_coding_quadtree ()
#6 0x00000000007710a0 in hls_coding_quadtree ()
#7 0x00000000007710a0 in hls_coding_quadtree ()
#8 0x0000000000771b9a in hls_decode_entry ()
#9 0x0000000000617820 in avcodec_default_execute ()
#10 0x0000000000771cab in hls_slice_data ()
#11 0x0000000000773284 in decode_nal_unit ()
#12 0x0000000000773cf4 in decode_nal_units ()
#13 0x000000000077418b in hevc_decode_frame ()
#14 0x00000000006b6b24 in frame_worker_thread ()
#15 0x00000000006b5be9 in win32thread_worker ()
#16 0x000007feff71415f in srand () from C:\Windows\system32\msvcrt.dll
#17 0x0000000006456688 in ?? ()
#18 0x0000000000000000 in ?? ()
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xc3e824 to 0xc3e864:
0x0000000000c3e824 <get_cabac+130>: or $0x2,%al
0x0000000000c3e826 <get_cabac+132>: shl %cl,%eax
0x0000000000c3e828 <get_cabac+134>: movzbl 0x480(%r10,%rbx,1),%r11d
0x0000000000c3e831 <get_cabac+143>: shl %cl,%edx
0x0000000000c3e833 <get_cabac+145>: mov %r11b,(%r8)
0x0000000000c3e836 <get_cabac+148>: test %dx,%dx
0x0000000000c3e839 <get_cabac+151>: jne 0xc3e86f <get_cabac+205>
0x0000000000c3e83b <get_cabac+153>: mov 0x18(%r9),%rcx
0x0000000000c3e83f <get_cabac+157>: addq $0x2,0x18(%r9)
=> 0x0000000000c3e844 <get_cabac+162>: movzwl (%rcx),%r11d
0x0000000000c3e848 <get_cabac+166>: lea -0x1(%edx),%ecx
0x0000000000c3e84c <get_cabac+170>: xor %edx,%ecx
0x0000000000c3e84e <get_cabac+172>: shr $0xf,%ecx
0x0000000000c3e851 <get_cabac+175>: bswap %r11d
0x0000000000c3e854 <get_cabac+178>: shr $0xf,%r11d
0x0000000000c3e858 <get_cabac+182>: movzbl (%r10,%rcx,1),%ecx
0x0000000000c3e85d <get_cabac+187>: sub $0xffff,%r11d
End of assembler dump.
(gdb) info all-registers
rax 0x1c6 454
rbx 0xfffffffffffffffd -3
rcx 0x6a6d000 111595520
rdx 0x15d0000 22872064
rsi 0x0 0
rdi 0x0 0
rbp 0x7667730 0x7667730
rsp 0x76676b0 0x76676b0
r8 0x689a63f 109684287
r9 0x689a6f8 109684472
r10 0xf72360 16196448
r11 0x0 0
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xc3e844 0xc3e844 <get_cabac+162>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x202002b 33685547
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x2b0000 2818048
st0 -nan(0x083848583) (raw 0xffff0000000083848583)
st1 -nan(0x080828384) (raw 0xffff0000000080828384)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x27f 639
fstat 0xff0000 16711680
ftag 0xff 255
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = { 0x8000000000000000, 0x0}, v16_int8 = {0x69, 0x6a, 0x6c, 0x6c, 0x6d, 0x6e, 0x6d, 0x6c, 0x6d, 0x6b, 0x6b, 0x6d, 0x6a, 0x5e, 0x3c, 0x11}, v8_int16 = { 0x6a69, 0x6c6c, 0x6e6d, 0x6c6d, 0x6b6d, 0x6d6b, 0x5e6a, 0x113c}, v4_int32 = {0x6c6c6a69, 0x6c6d6e6d, 0x6d6b6b6d, 0x113c5e6a}, v2_int64 = { 0x6c6d6e6d6c6c6a69, 0x113c5e6a6d6b6b6d}, uint128 = 0x113c5e6a6d6b6b6d6c6d6e6d6c6c6a69}
xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
comment:4 by , 13 years ago
| Keywords: | crash SIGSEGV added |
|---|---|
| Priority: | normal → important |
comment:5 by , 13 years ago
| Cc: | added |
|---|
comment:6 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | open → closed |