Opened 13 years ago

Closed 13 years ago

#313 closed defect (fixed)

Invalid read in decode_cabac_residual_nondc_internal() when decoding corrupt H264 sample

Reported by: Carl Eugen Hoyos
Owned by:
Priority: normal
Component: undetermined
Version: git-master
Keywords: h264
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

$ valgrind ./ffmpeg_g -i invalid_reads2.h264 -f null -
==24328== Memcheck, a memory error detector
==24328== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==24328== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==24328== Command: ./ffmpeg_g -i invalid_reads2.h264 -f null -
==24328==
ffmpeg version N-31019-g5c13b5b, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jun 26 2011 17:49:29 with gcc 4.5.3
  configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32'
  libavutil    51. 10. 0 / 51. 10. 0
  libavcodec   53.  7. 0 / 53.  7. 0
  libavformat  53.  4. 0 / 53.  4. 0
  libavdevice  53.  1. 1 / 53.  1. 1
  libavfilter   2. 23. 0 /  2. 23. 0
  libswscale    2.  0. 0 /  2.  0. 0
[h264 @ 0xa44e320] non-existing PPS referenced
[h264 @ 0xa44e320] non-existing PPS 0 referenced
[h264 @ 0xa44e320] decode_slice_header error
[h264 @ 0xa44e320] no frame!
[h264 @ 0xa44e320] non-existing PPS referenced
[h264 @ 0xa44e320] non-existing PPS 0 referenced
[h264 @ 0xa44e320] decode_slice_header error
[h264 @ 0xa44e320] no frame!

...

[h264 @ 0xa44e320] non-existing PPS referenced
[h264 @ 0xa44e320] non-existing PPS 0 referenced
[h264 @ 0xa44e320] decode_slice_header error
[h264 @ 0xa44e320] no frame!
[h264 @ 0xa44e320] non-existing PPS referenced
[h264 @ 0xa44e320] non-existing PPS 0 referenced
[h264 @ 0xa44e320] decode_slice_header error
[h264 @ 0xa44e320] no frame!
[h264 @ 0xa44e320] top block unavailable for requested intra mode at 33 0
[h264 @ 0xa44e320] error while decoding MB 33 0, bytestream (10457)
[h264 @ 0xa44e320] mmco: unref short failure
[h264 @ 0xa404680] Estimating duration from bitrate, this may be inaccurate

Seems stream 0 codec frame rate differs from container frame rate: 59.94 (60000/1001) -> 29.97 (60000/2002)
Input #0, h264, from 'invalid_reads2.h264':
  Duration: N/A, bitrate: N/A
    Stream #0.0: Video: h264 (Main), yuv420p, 1920x1080 [PAR 1:1 DAR 16:9], 50 fps, 29.97 tbr, 1200k tbn, 59.94 tbc
[buffer @ 0xa534220] w:1920 h:1080 pixfmt:yuv420p tb:1/1000000 sar:1/1 sws_param:
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf53.4.0
    Stream #0.0: Video: rawvideo, yuv420p, 1920x1080 [PAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 90k tbn, 29.97 tbc
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop, [?] for help
==24328== Invalid read of size 2
==24328==    at 0x823C139: decode_cabac_residual_nondc_internal (cabac.h:115)
==24328==  Address 0xa51469c is 1,404 bytes inside a block of size 1,405 alloc'd
==24328==    at 0x6449E9E: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==24328==    by 0x6449EFB: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==24328==    by 0x85AE047: av_malloc (mem.c:90)
==24328==
[h264 @ 0xa44e320] error while decoding MB 68 28, bytestream (-9)
frame=    0 fps=  0 q=0.0 size=      -0kB time=00:00:00.00 bitrate=   0.0kbits/s    ^M[h264 @ 0xa44e320] reference picture missing during reorder
[h264 @ 0xa44e320] Missing reference picture
[h264 @ 0xa44e320] Reference 3 >= 2
[h264 @ 0xa44e320] error while decoding MB 0 23, bytestream (2065)
[h264 @ 0xa44e320] illegal short term buffer state detected
frame=    2 fps=  1 q=0.0 size=      -0kB time=00:00:00.06 bitrate=  -2.6kbits/s    ^M[h264 @ 0xa44e320] top block unavailable for requested intra mode at 33 0
[h264 @ 0xa44e320] error while decoding MB 33 0, bytestream (10457)
frame=    4 fps=  2 q=0.0 Lsize=      -0kB time=00:00:00.13 bitrate=  -1.3kbits/s dup=0 drop=1    ^M
video:0kB audio:0kB global headers:0kB muxing overhead -inf%
==24328==
==24328== HEAP SUMMARY:
==24328==     in use at exit: 132 bytes in 1 blocks
==24328==   total heap usage: 486 allocs, 485 frees, 68,920,233 bytes allocated
==24328==
==24328== LEAK SUMMARY:
==24328==    definitely lost: 132 bytes in 1 blocks
==24328==    indirectly lost: 0 bytes in 0 blocks
==24328==      possibly lost: 0 bytes in 0 blocks
==24328==    still reachable: 0 bytes in 0 blocks
==24328==         suppressed: 0 bytes in 0 blocks
==24328== Rerun with --leak-check=full to see details of leaked memory
==24328==
==24328== For counts of detected and suppressed errors, rerun with: -v
==24328== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 3)

Attachments (1)

invalid_reads2.h264 (100.0 KB) - added by Carl Eugen Hoyos 13 years ago.

Change History (3)

by Carl Eugen Hoyos, 13 years ago

Attachment: invalid_reads2.h264 added

comment:1 by Michael Niedermayer, 13 years ago

Maybe it's overreading the end of the bitstream

comment:2 by Michael Niedermayer, 13 years ago

Resolution: fixed
Status: new → closed

Fixed locally
