Opened 11 years ago

Closed 10 years ago

#3115 closed defect (fixed)

hevc: crash with threads 1 (fuzzed file)

Reported by: ami_stuff Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: hevc crash regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

http://www1.datafilehost.com/d/f0c599ad

(gdb) r -threads 1 -i ./fahevc2.ts -f null -
Starting program: /media/sdb1/ffmpeg-HEAD-73e7d8f/ffmpeg_g -threads 1 -i ./fahevc2.ts -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
ffmpeg version 2.0-73e7d8f Copyright (c) 2000-2013 the FFmpeg developers
  built on Nov  3 2013 17:06:30 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-yasm --disable-ffserver --disable-ffprobe --enable-gpl
  libavutil      52. 49.100 / 52. 49.100
  libavcodec     55. 40.101 / 55. 40.101
  libavformat    55. 21.100 / 55. 21.100
  libavdevice    55.  5.100 / 55.  5.100
  libavfilter     3. 90.100 /  3. 90.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 17.104 /  0. 17.104
  libpostproc    52.  3.100 / 52.  3.100
[mpegts @ 0x91bdde0] Invalid timestamps stream=0, pts=14709, dts=4205381, size=1933
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 4 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 2 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Invalid coded frame dimensions.
[mpegts @ 0x91bdde0] PES packet size mismatch
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] pps_cr_qp_offset out of range: -164
[hevc @ 0x91c1ba0] PPS id out of range: 110
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 3 times
[mpegts @ 0x91bdde0] Invalid timestamps stream=0, pts=61472, dts=16837136, size=8967
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] Luma bit depth (8) is different from chroma bit depth (9), this is unsupported.
[hevc @ 0x91c1ba0] vps_reserved_ffff_16bits is not 0xffff
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 2 times
[hevc @ 0x91c1ba0] vps_max_dec_pic_buffering_minus1 out of range: 61475
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 2 times
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] PPS id out of range: 27
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[mpegts @ 0x91bdde0] Invalid timestamps stream=0, pts=104822, dts=1149798, size=4807
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] chroma_format_idc != 1
[hevc @ 0x91c1ba0]  is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[hevc @ 0x91c1ba0] PPS id out of range: 175
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] vps_max_dec_pic_buffering_minus1 out of range: 239
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 2 times
[hevc @ 0x91c1ba0] vps_max_dec_pic_buffering_minus1 out of range: 239
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] vps_max_dec_pic_buffering_minus1 out of range: 239
[hevc @ 0x91c1ba0] No profile indication! (0)
[mpegts @ 0x91bdde0] PES packet size mismatch
[mpegts @ 0x91bdde0] Invalid timestamps stream=0, pts=142369, dts=268574225, size=194
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 2 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] SPS id out of range: 391
[hevc @ 0x91c1ba0] vps_reserved_ffff_16bits is not 0xffff
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] pps_cr_qp_offset out of range: -164
[hevc @ 0x91c1ba0] PPS id out of range: 0
[mpegts @ 0x91bdde0] PES packet size mismatch
[hevc @ 0x91c1ba0] No profile indication! (0)
[...]
[mpegts @ 0x91bdde0] Could not find codec parameters for stream 6 (Audio: mp3, 0 channels): unspecified frame size
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[mpegts @ 0x91bdde0] Could not find codec parameters for stream 7 (Unknown: none): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[mpegts @ 0x91bdde0] Could not find codec parameters for stream 8 (Audio: mp3, 0 channels): unspecified frame size
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[mpegts @ 0x91bdde0] Could not find codec parameters for stream 9 (Unknown: none): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[mpegts @ 0x91bdde0] Could not find codec parameters for stream 10 (Unknown: none): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
Input #0, mpegts, from './fahevc2.ts':
  Duration: 00:00:12.52, start: 0.080000, bitrate: 1281 kb/s
  Program 1 
    Stream #0:0[0x12d]: Video: hevc (HEVC / 0x43564548), yuv420p, 320x240, 23.98 tbr, 90k tbn, 90k tbc
  No Program
    Stream #0:1[0x125]: Unknown: none
    Stream #0:2[0x12f]: Unknown: none
    Stream #0:3[0x52d]: Unknown: none
    Stream #0:4[0x32d]: Unknown: none
    Stream #0:5[0x1ad]: Unknown: none
    Stream #0:6[0x10d]: Audio: mp3, 0 channels
    Stream #0:7[0x2d]: Unknown: none
    Stream #0:8[0x112d]: Audio: mp3, 0 channels
    Stream #0:9[0x13d]: Unknown: none
    Stream #0:10[0x1fff]: Unknown: none
[New Thread 0xb7df8b70 (LWP 2376)]
[New Thread 0xb75f8b70 (LWP 2377)]
[New Thread 0xb6df8b70 (LWP 2378)]
[New Thread 0xb65f8b70 (LWP 2379)]
[New Thread 0xb5df8b70 (LWP 2380)]
[New Thread 0xb55f8b70 (LWP 2381)]
[New Thread 0xb4df8b70 (LWP 2382)]
[New Thread 0xb45f8b70 (LWP 2383)]
[New Thread 0xb3df8b70 (LWP 2384)]
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.21.100
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 23.98 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (hevc -> rawvideo)
Press [q] to stop, [?] for help
[mpegts @ 0x91bdde0] Invalid timestamps stream=0, pts=14709, dts=4205381, size=1933
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 3 times
[null @ 0x933c620] Encoder did not produce proper pts, making some up.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] No profile indication! (0)
[...]
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 5 times
[mpegts @ 0x91bdde0] PES packet size mismatch
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] chroma_format_idc != 1
[hevc @ 0x91c1ba0]  is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[hevc @ 0x91c1ba0] PPS id out of range: -1
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] Error parsing NAL unit #0.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] chroma_format_idc != 1
[hevc @ 0x91c1ba0]  is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[hevc @ 0x91c1ba0] Error parsing NAL unit #1.
[hevc @ 0x91c1ba0] Invalid NAL unit 0, skipping.
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 2 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] Invalid NAL unit 19, skipping.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] Error parsing NAL unit #1.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] Error parsing NAL unit #2.
[hevc @ 0x91c1ba0] vps_reserved_ffff_16bits is not 0xffff
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] vps_reserved_ffff_16bits is not 0xffff
[hevc @ 0x91c1ba0] Error parsing NAL unit #0.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] error decoding profile tier level
[hevc @ 0x91c1ba0] Error parsing NAL unit #1.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] Error parsing NAL unit #0.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] PPS id out of range: 0
[hevc @ 0x91c1ba0] Error parsing NAL unit #2.
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] PPS id out of range: 61475
[hevc @ 0x91c1ba0] No profile indication! (0)
[hevc @ 0x91c1ba0] Invalid NAL unit 0, skipping.
[hevc @ 0x91c1ba0] No profile indication! (0)
    Last message repeated 1 times
[hevc @ 0x91c1ba0] Error decoding profile tier level.
[hevc @ 0x91c1ba0] No profile indication! (16)
[hevc @ 0x91c1ba0] error decoding profile tier level
*** glibc detected *** /media/sdb1/ffmpeg-HEAD-73e7d8f/ffmpeg_g: corrupted double-linked list: 0x0a3f0850 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x70a8a)[0xb7ea4a8a]
/lib/i386-linux-gnu/libc.so.6(+0x723ac)[0xb7ea63ac]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0xb7ea93ed]
/media/sdb1/ffmpeg-HEAD-73e7d8f/ffmpeg_g[0x8902e82]
======= Memory map: ========
08048000-08b9c000 r-xp 00000000 08:11 19683      /media/sdb1/ffmpeg-HEAD-73e7d8f/ffmpeg_g
08b9c000-08bbb000 rw-p 00b54000 08:11 19683      /media/sdb1/ffmpeg-HEAD-73e7d8f/ffmpeg_g
08bbb000-0b426000 rw-p 00000000 00:00 0          [heap]
41602000-41619000 r-xp 00000000 08:02 10056      /lib/i386-linux-gnu/libz.so.1.2.7
41619000-4161a000 r--p 00016000 08:02 10056      /lib/i386-linux-gnu/libz.so.1.2.7
4161a000-4161b000 rw-p 00017000 08:02 10056      /lib/i386-linux-gnu/libz.so.1.2.7
41628000-41659000 r-xp 00000000 08:02 10014      /lib/i386-linux-gnu/libncursesw.so.5.9
41659000-4165a000 r--p 00030000 08:02 10014      /lib/i386-linux-gnu/libncursesw.so.5.9
4165a000-4165b000 rw-p 00031000 08:02 10014      /lib/i386-linux-gnu/libncursesw.so.5.9
41673000-41676000 r-xp 00000000 08:02 24959      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
41676000-41677000 r--p 00002000 08:02 24959      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
41677000-41678000 rw-p 00003000 08:02 24959      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
4178e000-418c2000 r-xp 00000000 08:02 24566      /usr/lib/i386-linux-gnu/libX11.so.6.3.0
418c2000-418c6000 rw-p 00133000 08:02 24566      /usr/lib/i386-linux-gnu/libX11.so.6.3.0
418c8000-418e9000 r-xp 00000000 08:02 25047      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
418e9000-418ea000 r--p 00020000 08:02 25047      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
418ea000-418eb000 rw-p 00021000 08:02 25047      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
418ed000-418ef000 r-xp 00000000 08:02 24568      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
418ef000-418f0000 rw-p 00001000 08:02 24568      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
418f2000-418f7000 r-xp 00000000 08:02 24574      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
418f7000-418f8000 rw-p 00004000 08:02 24574      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
41913000-41924000 r-xp 00000000 08:02 24575      /usr/lib/i386-linux-gnu/libXext.so.6.4.0
41924000-41925000 rw-p 00010000 08:02 24575      /usr/lib/i386-linux-gnu/libXext.so.6.4.0
41cd1000-41cd3000 r-xp 00000000 08:02 25013      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
41cd3000-41cd4000 rw-p 00001000 08:02 25013      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
41cd6000-41ce4000 r-xp 00000000 08:02 24578      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
41ce4000-41ce5000 rw-p 0000e000 08:02 24578      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
41f58000-41f6e000 r-xp 00000000 08:02 24654      /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
41f6e000-41f6f000 rw-p 00016000 08:02 24654      /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
41f94000-41f98000 r-xp 00000000 08:02 9978       /lib/i386-linux-gnu/libattr.so.1.1.0
41f98000-41f99000 r--p 00003000 08:02 9978       /lib/i386-linux-gnu/libattr.so.1.1.0
41f99000-41f9a000 rw-p 00004000 08:02 9978       /lib/i386-linux-gnu/libattr.so.1.1.0
41f9c000-41fa0000 r-xp 00000000 08:02 9985       /lib/i386-linux-gnu/libcap.so.2.22
41fa0000-41fa1000 rw-p 00003000 08:02 9985       /lib/i386-linux-gnu/libcap.so.2.22
41fa3000-41fab000 r-xp 00000000 08:02 10054      /lib/i386-linux-gnu/libwrap.so.0.7.6
41fab000-41fac000 r--p 00007000 08:02 10054      /lib/i386-linux-gnu/libwrap.so.0.7.6
41fac000-41fad000 rw-p 00008000 08:02 10054      /lib/i386-linux-gnu/libwrap.so.0.7.6
41faf000-41fb4000 r-xp 00000000 08:02 24589      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
41fb4000-41fb5000 rw-p 00004000 08:02 24589      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
4244e000-42457000 r-xp 00000000 08:02 24707      /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
42457000-42458000 rw-p 00008000 08:02 24707      /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
42489000-42491000 r-xp 00000000 08:02 10005      /lib/i386-linux-gnu/libjson.so.0.1.0
42491000-42492000 r--p 00007000 08:02 10005      /lib/i386-linux-gnu/libjson.so.0.1.0
42492000-42493000 rw-p 00008000 08:02 10005      /lib/i386-linux-gnu/libjson.so.0.1.0
42495000-4249a000 r-xp 00000000 08:02 24603      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
4249a000-4249b000 rw-p 00004000 08:02 24603      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
424a1000-424a7000 r-xp 00000000 08:02 24920      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
424a7000-424a8000 rw-p 00005000 08:02 24920      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
424aa000-424d4000 r-xp 00000000 08:02 25032      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
424d4000-424d5000 r--p 00029000 08:02 25032      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
424d5000-424d6000 rw-p 0002a000 08:02 25032      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
424d8000-42526000 r-xp 00000000 08:02 24551      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
42526000-42527000 r--p 0004d000 08:02 24551      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
42527000-42528000 rw-p 0004e000 08:02 24551      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
42530000-42534000 r-xp 00000000 08:02 10053      /lib/i386-linux-gnu/libuuid.so.1.3.0
42534000-42535000 r--p 00003000 08:02 10053      /lib/i386-linux-gnu/libuuid.so.1.3.0
42535000-42536000 rw-p 00004000 08:02 10053      /lib/i386-linux-gnu/libuuid.so.1.3.0
4254b000-4263e000 r-xp 00000000 08:02 24600      /usr/lib/i386-linux-gnu/libasound.so.2.0.0
4263e000-42642000 r--p 000f2000 08:02 24600      /usr/lib/i386-linux-gnu/libasound.so.2.0.0
42642000-42643000 rw-p 000f6000 08:02 24600      /usr/lib/i386-linux-gnu/libasound.so.2.0.0
4266f000-426b8000 r-xp 00000000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
426b8000-426b9000 ---p 00049000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
426b9000-426ba000 r--p 00049000 08:02 9989       /lib/i386-linux-gnu/libdbus-1.so.3.7.2
Program received signal SIGABRT, Aborted.
0xb7e5e667 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0xb7e5e667 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0xb7e61a52 in *__GI_abort () at abort.c:92
#2  0xb7e9a98d in __libc_message (do_abort=2, 
    fmt=0xb7f61330 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0xb7ea4a8a in malloc_printerr (action=<optimized out>, 
    str=0x6 <Address 0x6 out of bounds>, ptr=0xa3f0850) at malloc.c:6283
#4  0xb7ea63ac in _int_free (av=<optimized out>, p=0xa3ef550) at malloc.c:4973
#5  0xb7ea93ed in *__GI___libc_free (mem=0xa3ef580) at malloc.c:3738
#6  0x08902e82 in av_free (ptr=<optimized out>) at libavutil/mem.c:230
#7  av_freep (arg=0x934a7a8) at libavutil/mem.c:237
#8  0x084f2a81 in hevc_pps_free (opaque=0x0, data=0x934a120 "")
    at libavcodec/hevc_ps.c:976
#9  0x088f56b3 in av_buffer_unref (buf=buf@entry=0x923d6dc)
    at libavutil/buffer.c:115
#10 0x084fa076 in ff_hevc_decode_nal_pps (s=s@entry=0x923d560)
    at libavcodec/hevc_ps.c:1319
#11 0x084f2388 in parse_nal_units (buf_size=<optimized out>, 
    buf=0x933f630 "D\001\300b\006\002\222", avctx=0x91c1ba0, s=0x933b760)
    at libavcodec/hevc_parser.c:146
#12 hevc_parse (s=0x933b760, avctx=0x91c1ba0, poutbuf=0xbffff1b4, 
    poutbuf_size=0xbffff1b8, buf=0x933f5f0 "", buf_size=8778)
---Type <return> to continue, or q <return> to quit---
    at libavcodec/hevc_parser.c:279
#13 0x0860cbb0 in av_parser_parse2 (s=0x933b760, avctx=0x91c1ba0, 
    poutbuf=poutbuf@entry=0xbffff1b4, 
    poutbuf_size=poutbuf_size@entry=0xbffff1b8, buf=buf@entry=0xa292080 "", 
    buf_size=buf_size@entry=4119, pts=499065, dts=495465, pos=920636)
    at libavcodec/parser.c:155
#14 0x08240041 in parse_packet (s=s@entry=0x91bdde0, pkt=pkt@entry=0xbffff348, 
    stream_index=<optimized out>) at libavformat/utils.c:1200
#15 0x08240f7d in read_frame_internal (s=s@entry=0x91bdde0, 
    pkt=pkt@entry=0xbffff6f8) at libavformat/utils.c:1378
#16 0x0824185a in av_read_frame (s=0x91bdde0, pkt=pkt@entry=0xbffff6f8)
    at libavformat/utils.c:1419
#17 0x080ba196 in get_input_packet (pkt=0xbffff6d8, f=0x923cdc0)
    at ffmpeg.c:2904
#18 process_input (file_index=0) at ffmpeg.c:2941
#19 0x080a6213 in transcode_step () at ffmpeg.c:3211
#20 transcode () at ffmpeg.c:3263
#21 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3441
(gdb) 

Attachments (1)

fahevc2.ts (1.9 MB ) - added by Carl Eugen Hoyos 11 years ago.

Download all attachments as: .zip

Change History (10)

by Carl Eugen Hoyos, 11 years ago

Attachment: fahevc2.ts added

comment:1 by Carl Eugen Hoyos, 11 years ago

Component: undeterminedavcodec
Keywords: hevc crash added
Priority: normalimportant
Reproduced by developer: set
Status: newopen
Version: unspecifiedgit-master

Not reproducible with valgrind.

comment:2 by Michael Niedermayer, 11 years ago

not reproduceable with -cpuflags 0 nor with address sanitizer

comment:3 by Carl Eugen Hoyos, 11 years ago

Only reproducible with --disable-yasm (and --disable-asm), valgrind shows no problem, threads > 2 also works fine here.
Depending on the exact configure options, it crashes or works with -threads 1 here.
Different backtraces possible with the same command line and the same configure options.

(gdb) r -threads 2 -i fahevc2.ts -f null -
ffmpeg version N-58263-g1f7b7d5 Copyright (c) 2000-2013 the FFmpeg developers
  built on Nov 19 2013 11:25:41 with gcc 4.7 (SUSE Linux)
  configuration: --disable-yasm
  libavutil      52. 53.100 / 52. 53.100
  libavcodec     55. 43.101 / 55. 43.101
  libavformat    55. 21.100 / 55. 21.100
  libavdevice    55.  5.100 / 55.  5.100
  libavfilter     3. 91.100 /  3. 91.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 17.104 /  0. 17.104

...

*** glibc detected *** ffmpeg_g: free(): invalid pointer: 0x00007fffec007760 ***

...

(gdb) bt
#0  0x00007ffff6048d25 in raise () from /lib64/libc.so.6
#1  0x00007ffff604a1a8 in abort () from /lib64/libc.so.6
#2  0x00007ffff6086fcb in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff608cb66 in malloc_printerr () from /lib64/libc.so.6
#4  0x0000000000c01dec in av_free (ptr=<optimized out>) at libavutil/mem.c:231
#5  av_freep (arg=arg@entry=0x1806f98) at libavutil/mem.c:238
#6  0x0000000000bf571e in av_buffer_unref (buf=buf@entry=0x1806f98) at libavutil/buffer.c:112
#7  0x0000000000bfbb51 in av_frame_unref (frame=frame@entry=0x1806dc0) at libavutil/frame.c:363
#8  0x00000000004689e0 in reap_filters () at ffmpeg.c:1127
#9  0x00000000004590c8 in transcode_step () at ffmpeg.c:3235
#10 transcode () at ffmpeg.c:3278
#11 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3456
(gdb) bt
#0  0x00007ffff6104c0b in __lll_lock_wait_private () from /lib64/libc.so.6
#1  0x00007ffff6092b5e in _L_lock_11285 () from /lib64/libc.so.6
#2  0x00007ffff6090c22 in malloc () from /lib64/libc.so.6
#3  0x00007ffff7de01d2 in local_strdup () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7de33c7 in _dl_map_object () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7ded81e in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#6  0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#7  0x00007ffff7ded28c in _dl_open () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff612e332 in do_dlopen () from /lib64/libc.so.6
#9  0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff612e3cf in dlerror_run () from /lib64/libc.so.6
#11 0x00007ffff612e441 in __libc_dlopen_mode () from /lib64/libc.so.6
#12 0x00007ffff6109ed5 in init () from /lib64/libc.so.6
#13 0x00007ffff6ce9c80 in pthread_once () from /lib64/libpthread.so.0
#14 0x00007ffff6109ff4 in backtrace () from /lib64/libc.so.6
#15 0x00007ffff6086fe5 in __libc_message () from /lib64/libc.so.6
#16 0x00007ffff608cb66 in malloc_printerr () from /lib64/libc.so.6
#17 0x00007ffff608cecb in malloc_consolidate () from /lib64/libc.so.6
#18 0x00007ffff608de47 in _int_malloc () from /lib64/libc.so.6
#19 0x00007ffff6090c30 in malloc () from /lib64/libc.so.6
#20 0x0000000000bf5a4a in av_buffer_realloc (pbuf=pbuf@entry=0x7fffffffd440, size=8193)
    at libavutil/buffer.c:164
#21 0x00000000005de453 in copy_packet_data (dup=1, src=<synthetic pointer>, pkt=0x7fffffffd440)
    at libavcodec/avpacket.c:204
#22 av_dup_packet (pkt=pkt@entry=0x7fffffffd440) at libavcodec/avpacket.c:259
#23 0x000000000059fd5f in parse_packet (s=s@entry=0x16fd9e0, pkt=pkt@entry=0x7fffffffd620,
    stream_index=<optimized out>) at libavformat/utils.c:1273
#24 0x00000000005a0764 in read_frame_internal (s=0x16fd9e0, pkt=0x7fffffffd9e0)
    at libavformat/utils.c:1384
#25 0x00000000005a1526 in av_read_frame (s=0x16fd9e0, pkt=pkt@entry=0x7fffffffd9e0)
    at libavformat/utils.c:1425
#26 0x000000000046b1e4 in get_input_packet (pkt=0x7fffffffd9e0, f=0x183a4c0) at ffmpeg.c:2919
#27 process_input (file_index=0) at ffmpeg.c:2956
#28 0x00000000004590b0 in transcode_step () at ffmpeg.c:3226
#29 transcode () at ffmpeg.c:3278
#30 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3456
(gdb) bt
#0  0x00007ffff608ce03 in malloc_consolidate () from /lib64/libc.so.6
#1  0x00007ffff608de47 in _int_malloc () from /lib64/libc.so.6
#2  0x00007ffff608f101 in _int_memalign () from /lib64/libc.so.6
#3  0x00007ffff6091534 in memalign () from /lib64/libc.so.6
#4  0x00007ffff609261c in posix_memalign () from /lib64/libc.so.6
#5  0x0000000000c01bca in av_malloc (size=size@entry=1040) at libavutil/mem.c:94
#6  0x0000000000bf5398 in av_buffer_alloc (size=1040) at libavutil/buffer.c:70
#7  0x0000000000537946 in mpegts_push_data (filter=<optimized out>, buf=<optimized out>,
    buf_size=170, is_start=<optimized out>, pos=<optimized out>, pcr=<optimized out>)
    at libavformat/mpegts.c:911
#8  0x0000000000535176 in handle_packet (ts=ts@entry=0x170e1a0, packet=0x170a56c "GA-7\ap")
    at libavformat/mpegts.c:1920
#9  0x00000000005356d2 in handle_packets (ts=ts@entry=0x170e1a0, nb_packets=nb_packets@entry=0)
    at libavformat/mpegts.c:2059
#10 0x0000000000535754 in mpegts_read_packet (s=<optimized out>, pkt=0x7fffffffd620)
    at libavformat/mpegts.c:2294
#11 0x000000000059e7d2 in ff_read_packet (s=s@entry=0x16fd9e0, pkt=pkt@entry=0x7fffffffd620)
    at libavformat/utils.c:680
#12 0x00000000005a06d0 in read_frame_internal (s=0x16fd9e0, pkt=0x7fffffffd9e0)
    at libavformat/utils.c:1321
#13 0x00000000005a1526 in av_read_frame (s=0x16fd9e0, pkt=pkt@entry=0x7fffffffd9e0)
    at libavformat/utils.c:1425
#14 0x000000000046b1e4 in get_input_packet (pkt=0x7fffffffd9e0, f=0x183a4c0) at ffmpeg.c:2919
#15 process_input (file_index=0) at ffmpeg.c:2956
#16 0x00000000004590b0 in transcode_step () at ffmpeg.c:3226
#17 transcode () at ffmpeg.c:3278
#18 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:3456

comment:4 by Carl Eugen Hoyos, 11 years ago

(gdb) r -threads 1 -i fahevc2.ts -f null -
ffmpeg version N-58263-g1f7b7d5 Copyright (c) 2000-2013 the FFmpeg developers
  built on Nov 19 2013 11:36:45 with gcc 4.7 (SUSE Linux)
  configuration: --disable-optimizations --disable-asm --enable-debug=3
  libavutil      52. 53.100 / 52. 53.100
  libavcodec     55. 43.101 / 55. 43.101
  libavformat    55. 21.100 / 55. 21.100
  libavdevice    55.  5.100 / 55.  5.100
  libavfilter     3. 91.100 /  3. 91.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 17.104 /  0. 17.104

...

*** glibc detected *** ffmpeg_g: corrupted double-linked list: 0x0000000002d6a680 ***

...

(gdb) bt
#0  0x00007ffff6104c0b in __lll_lock_wait_private () from /lib64/libc.so.6
#1  0x00007ffff6092b5e in _L_lock_11285 () from /lib64/libc.so.6
#2  0x00007ffff6090c22 in malloc () from /lib64/libc.so.6
#3  0x00007ffff7de01d2 in local_strdup () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7de33c7 in _dl_map_object () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7ded81e in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#6  0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#7  0x00007ffff7ded28c in _dl_open () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff612e332 in do_dlopen () from /lib64/libc.so.6
#9  0x00007ffff7de95f6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff612e3cf in dlerror_run () from /lib64/libc.so.6
#11 0x00007ffff612e441 in __libc_dlopen_mode () from /lib64/libc.so.6
#12 0x00007ffff6109ed5 in init () from /lib64/libc.so.6
#13 0x00007ffff6ce9c80 in pthread_once () from /lib64/libpthread.so.0
#14 0x00007ffff6109ff4 in backtrace () from /lib64/libc.so.6
#15 0x00007ffff6086fe5 in __libc_message () from /lib64/libc.so.6
#16 0x00007ffff608cb66 in malloc_printerr () from /lib64/libc.so.6
#17 0x00007ffff608edcc in _int_malloc () from /lib64/libc.so.6
#18 0x00007ffff6090c30 in malloc () from /lib64/libc.so.6
#19 0x00007ffff609261c in posix_memalign () from /lib64/libc.so.6
#20 0x0000000000de95ba in av_malloc (size=1200) at libavutil/mem.c:94
#21 0x000000000088d73b in av_malloc_array (nmemb=300, size=4) at ./libavutil/mem.h:97
#22 0x0000000000892408 in ff_hevc_decode_nal_pps (s=0x19b75a0) at libavcodec/hevc_ps.c:1238
#23 0x000000000088ce09 in parse_nal_units (s=0x19a4000, avctx=0x1932500,
    buf=0x19270c0 "D\001\300b\006\002\222", buf_size=8778) at libavcodec/hevc_parser.c:146
#24 0x000000000088d4a0 in hevc_parse (s=0x19a4000, avctx=0x1932500, poutbuf=0x7fffffffd3b8,
    poutbuf_size=0x7fffffffd3c0, buf=0x1927080 "", buf_size=8778)
    at libavcodec/hevc_parser.c:279
#25 0x00000000009e4cf1 in av_parser_parse2 (s=0x19a4000, avctx=0x1932500,
    poutbuf=0x7fffffffd3b8, poutbuf_size=0x7fffffffd3c0, buf=0x2f2e900 "", buf_size=4119,
    pts=499065, dts=495465, pos=920636) at libavcodec/parser.c:155
#26 0x00000000005b74b3 in parse_packet (s=0x192e7e0, pkt=0x7fffffffd470, stream_index=0)
    at libavformat/utils.c:1206
#27 0x00000000005b7f87 in read_frame_internal (s=0x192e7e0, pkt=0x7fffffffd7a0)
    at libavformat/utils.c:1384
#28 0x00000000005b8265 in av_read_frame (s=0x192e7e0, pkt=0x7fffffffd7a0)
    at libavformat/utils.c:1425
#29 0x000000000041e5e5 in get_input_packet (f=0x1b36b20, pkt=0x7fffffffd7a0) at ffmpeg.c:2919
#30 0x000000000041e700 in process_input (file_index=0) at ffmpeg.c:2956
#31 0x000000000041fe8d in transcode_step () at ffmpeg.c:3226
#32 0x000000000041ff9a in transcode () at ffmpeg.c:3278
#33 0x00000000004204ae in main (argc=8, argv=0x7fffffffdd48) at ffmpeg.c:3456

comment:5 by Michael Niedermayer, 10 years ago

not reproduceable under valgrind or address sanitizer
dumping all alloc & free addresses on a run that crashed shows no mismatches so this isnt a double free or freeing of a corrupted pointer, at least not in that single affected run
is this a regression ?

in reply to:  5 comment:6 by Michael Niedermayer, 10 years ago

Replying to michael:

not reproduceable under valgrind or address sanitizer
dumping all alloc & free addresses on a run that crashed shows no mismatches so this isnt a double free or freeing of a corrupted pointer, at least not in that single affected run

also this one was with -threads 1

comment:7 by Carl Eugen Hoyos, 10 years ago

Keywords: regression added

Regression since cb148e56

comment:8 by Carl Eugen Hoyos, 10 years ago

Both Helgrind and clang-tsan report possible race conditions.

comment:9 by Michael Niedermayer, 10 years ago

Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.