Opened 5 years ago

Closed 5 years ago

#316 closed defect (fixed)

Double free with ogg files

Reported by: cehoyos Owned by:
Priority: important Component: avformat
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Apart from the double free, the file also triggers a FPE if I remove the av_freeps in oggdec.c

$ valgrind ./ffmpeg_g -i multi2.ogg -f null -
==17417== Memcheck, a memory error detector
==17417== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==17417== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==17417== Command: ./ffmpeg_g -i multi2.ogg -f null -
==17417==
ffmpeg version N-31042-g94e59cb, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jun 28 2011 09:49:35 with gcc 4.5.3
  configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32' --disable-optimizations
  libavutil    51. 10. 0 / 51. 10. 0
  libavcodec   53.  7. 0 / 53.  7. 0
  libavformat  53.  4. 0 / 53.  4. 0
  libavdevice  53.  2. 0 / 53.  2. 0
  libavfilter   2. 24. 0 /  2. 24. 0
  libswscale    2.  0. 0 /  2.  0. 0
==17417== Invalid read of size 4
==17417==    at 0x8108AC1: theora_gptopts (oggparsetheora.c:132)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AE0: theora_gptopts (oggparsetheora.c:133)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085604 is 4 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AFB: theora_gptopts (oggparsetheora.c:135)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101C48: ogg_get_length (oggdec.c:488)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085608 is 8 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
[theora @ 0x50851a0] 7 bits left in packet 82
==17417== Invalid read of size 4
==17417==    at 0x8108AC1: theora_gptopts (oggparsetheora.c:132)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AE0: theora_gptopts (oggparsetheora.c:133)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085604 is 4 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
==17417== Invalid read of size 4
==17417==    at 0x8108AFB: theora_gptopts (oggparsetheora.c:135)
==17417==    by 0x8100A82: ogg_gptopts (oggdec.h:137)
==17417==    by 0x8101E83: ogg_calc_pts (oggdec.c:542)
==17417==    by 0x8101F3E: ogg_read_packet (oggdec.c:569)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x814A891: av_find_stream_info (utils.c:2347)
==17417==    by 0x80564BF: opt_input_file (ffmpeg.c:3365)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==  Address 0x5085608 is 8 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
Input #0, ogg, from 'multi2.ogg':
  Duration: 00:00:00.-40, start: 0.000000, bitrate: -3494 kb/s
    Stream #0.0: Video: theora, yuv420p, 320x240, 5 tbr, 5 tbn, 5 tbc
[buffer @ 0x5363040] w:320 h:240 pixfmt:yuv420p tb:1/1000000 sar:0/1 sws_param:
[theora @ 0x50851a0] 7 bits left in packet 82
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf53.4.0
    Stream #0.0: Video: rawvideo, yuv420p, 320x240, q=2-31, 200 kb/s, 90k tbn, 5 tbc
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop, [?] for help
==17417== Invalid free() / delete / delete[]
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x81014C8: ogg_packet (oggdec.c:323)
==17417==    by 0x8101EDC: ogg_read_packet (oggdec.c:560)
==17417==    by 0x81455EF: av_read_packet (utils.c:723)
==17417==    by 0x814718A: av_read_frame_internal (utils.c:1181)
==17417==    by 0x8147869: av_read_frame (utils.c:1302)
==17417==    by 0x80543BB: transcode (ffmpeg.c:2708)
==17417==    by 0x8059531: main (ffmpeg.c:4576)
==17417==  Address 0x5085600 is 0 bytes inside a block of size 12 free'd
==17417==    at 0x4CA98A6: free (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==17417==    by 0x85AAAB0: av_free (mem.c:152)
==17417==    by 0x85AAACB: av_freep (mem.c:159)
==17417==    by 0x81011CE: ogg_read_page (oggdec.c:243)
==17417==    by 0x8101B30: ogg_get_length (oggdec.c:470)
==17417==    by 0x8101D1D: ogg_read_header (oggdec.c:513)
==17417==    by 0x8144D14: av_demuxer_open (utils.c:481)
==17417==    by 0x8056350: opt_input_file (ffmpeg.c:3329)
==17417==    by 0x805A004: parse_options (cmdutils.c:283)
==17417==    by 0x805941C: main (ffmpeg.c:4556)
==17417==
[theora @ 0x50851a0] Header packet passed to frame decoder, skipping
Error while decoding stream #0.0
Error while decoding stream #0.0
Error while decoding stream #0.0
Error while decoding stream #0.0
    Last message repeated 3 times
[theora @ 0x50851a0] Invalid partially coded superblock run length
[theora @ 0x50851a0] error in unpack_superblocks
Error while decoding stream #0.0
[theora @ 0x50851a0] Invalid fully coded superblock run length
[theora @ 0x50851a0] error in unpack_superblocks
Error while decoding stream #0.0
[theora @ 0x50851a0] Warning, unsupported keyframe coding type?!
[theora @ 0x50851a0] error in unpack_block_qpis
Error while decoding stream #0.0
[theora @ 0x50851a0] Header packet passed to frame decoder, skipping
Error while decoding stream #0.0
[theora @ 0x50851a0] error in unpack_block_qpis
Error while decoding stream #0.0
[theora @ 0x50851a0] Invalid partially coded superblock run length
[theora @ 0x50851a0] error in unpack_superblocks
Error while decoding stream #0.0
[theora @ 0x50851a0] Header packet passed to frame decoder, skipping
Error while decoding stream #0.0
Error while decoding stream #0.0
Error while decoding stream #0.0
    Last message repeated 2 times
[theora @ 0x50851a0] Warning, unsupported keyframe coding type?!
==17417==
==17417== Process terminating with default action of signal 8 (SIGFPE)
==17417==  Integer divide by zero at address 0x976B505
==17417==    at 0x85B2C2C: __divdi3 (libgcc2.c:895)
==17417==    by 0x804FF64: output_packet (ffmpeg.c:1599)
==17417==    by 0x8054C84: transcode (ffmpeg.c:2778)
==17417==    by 0x8059531: main (ffmpeg.c:4576)
==17417==
==17417== HEAP SUMMARY:
==17417==     in use at exit: 2,918,795 bytes in 173 blocks
==17417==   total heap usage: 718 allocs, 546 frees, 6,699,559 bytes allocated
==17417==
==17417== LEAK SUMMARY:
==17417==    definitely lost: 2,743 bytes in 1 blocks
==17417==    indirectly lost: 0 bytes in 0 blocks
==17417==      possibly lost: 0 bytes in 0 blocks
==17417==    still reachable: 2,916,052 bytes in 172 blocks
==17417==         suppressed: 0 bytes in 0 blocks
==17417== Rerun with --leak-check=full to see details of leaked memory
==17417==
==17417== For counts of detected and suppressed errors, rerun with: -v
==17417== ERROR SUMMARY: 13 errors from 7 contexts (suppressed: 3 from 3)
Floating point exception

Attachments (1)

multi2.ogg (170.6 KB) - added by cehoyos 5 years ago.

Download all attachments as: .zip

Change History (2)

Changed 5 years ago by cehoyos

comment:1 Changed 5 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from new to closed

Fixed by Ronald.

Note: See TracTickets for help on using tickets.