Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#3190 closed defect (fixed)

vf_pad/ff_fill_rectangle corrupts memory and crashes

Reported by: MarkZV
Owned by:
Priority: important
Component: avfilter
Version: git-master
Keywords: pad crash regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Memory is corrupted by the following command:

$ ffmpeg -f lavfi -i smptehdbars -vf "pad=320:960:0:240,crop=w=320:h=240:x=0:y=if(lt(t\,0)\,240\,if(lt(t\,2)\,240-64*t\,112)),pad=320:1080:0:120" -f null -t 2.5 -
ffmpeg version N-58712-ga6c455c Copyright (c) 2000-2013 the FFmpeg developers
  built on Dec  2 2013 12:01:53 with gcc 4.8.2 (MacPorts gcc48 4.8.2_0)
  configuration: --enable-swscale --enable-avfilter --cc=/opt/local/bin/gcc-mp-4.8 --arch=x86_64 --enable-yasm --enable-debug=3 --disable-optimizations --disable-stripping --assert-level=2 --enable-memory-poisoning
  libavutil      52. 56.100 / 52. 56.100
  libavcodec     55. 44.100 / 55. 44.100
  libavformat    55. 22.100 / 55. 22.100
  libavdevice    55.  5.102 / 55.  5.102
  libavfilter     3. 91.100 /  3. 91.100
  libswscale      2.  5.101 /  2.  5.101
  libswresample   0. 17.104 /  0. 17.104
Input #0, lavfi, from 'smptehdbars':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x240 [SAR 1:1 DAR 4:3], 25 tbr, 25 tbn, 25 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf55.22.100
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x1080 [SAR 1:1 DAR 8:27], q=2-31, 200 kb/s, 90k tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (rawvideo -> rawvideo)
Press [q] to stop, [?] for help
Segmentation fault
$
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000101ad2000
0x00007fffffe008b7 in __memcpy ()
(gdb) bt
#0  0x00007fffffe008b7 in __memcpy ()
#1  0x0000000100052b22 in __inline_memcpy_chk (__dest=0x101ad1f40, __src=0x101aaa800, __len=320) at secure/_string.h:58
#2  0x0000000100054026 in ff_fill_rectangle (draw=0x102b00408, color=0x102b00438, dst=0x102b02ca0, dst_linesize=0x102b02ce0, dst_x=0, dst_y=360, w=320, h=720) at libavfilter/drawutils.c:276
#3  0x000000010008a95d in filter_frame (inlink=0x102b00ac0, in=0x102b02ca0) at libavfilter/vf_pad.c:330
#4  0x000000010004bf45 in ff_filter_frame_framed (link=0x102b00ac0, frame=0x102b02ca0) at libavfilter/avfilter.c:1072
#5  0x000000010004c49f in ff_filter_frame (link=0x102b00ac0, frame=0x102b02ca0) at libavfilter/avfilter.c:1147
#6  0x000000010006b733 in filter_frame (link=0x102b00780, frame=0x102b02ca0) at libavfilter/vf_crop.c:297
#7  0x000000010004bf45 in ff_filter_frame_framed (link=0x102b00780, frame=0x102b02ca0) at libavfilter/avfilter.c:1072
#8  0x000000010004c49f in ff_filter_frame (link=0x102b00780, frame=0x102b02ca0) at libavfilter/avfilter.c:1147
#9  0x000000010008aae1 in filter_frame (inlink=0x102b00e20, in=0x0) at libavfilter/vf_pad.c:355
#10 0x000000010004bf45 in ff_filter_frame_framed (link=0x102b00e20, frame=0x102b02a00) at libavfilter/avfilter.c:1072
#11 0x000000010004c49f in ff_filter_frame (link=0x102b00e20, frame=0x102b02a00) at libavfilter/avfilter.c:1147
#12 0x0000000100052aa0 in request_frame (link=0x102b00e20) at libavfilter/buffersrc.c:491
#13 0x0000000100051e52 in av_buffersrc_add_frame_internal (ctx=0x102b00d00, frame=0x102b024e0, flags=4) at libavfilter/buffersrc.c:170
#14 0x0000000100051b73 in av_buffersrc_add_frame_flags (ctx=0x102b00d00, frame=0x102b024e0, flags=4) at libavfilter/buffersrc.c:107
#15 0x000000010001cdfa in decode_video (ist=0x1028010c0, pkt=0x7fff5fbfeba0, got_output=0x7fff5fbfec0c) at ffmpeg.c:1778
#16 0x000000010001d63b in output_packet (ist=0x1028010c0, pkt=0x7fff5fbfed90) at ffmpeg.c:1908
#17 0x0000000100022f3e in process_input (file_index=0) at ffmpeg.c:3216
#18 0x00000001000232a2 in transcode_step () at ffmpeg.c:3312
#19 0x00000001000233bc in transcode () at ffmpeg.c:3364
#20 0x0000000100023908 in main (argc=12, argv=0x7fff5fbff278) at ffmpeg.c:3544
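The backtrace above shows ff_fill_rectangle asked to write 720 rows of 320 bytes starting at row 360 (dst_y=360, h=720, w=320) in place, and the memcpy faulting at the end of the allocation. As an added example that is not the ticket's code and not FFmpeg's, the block below models one 8-bit plane and a rectangle fill that checks the rectangle against the rows actually allocated, not the logical frame height, before touching memory. It assumes, from the chain's first pad=320:960 step, that the buffer reaching the second pad is 960 rows high; the page does not show the real allocation size. All names (plane_t, rows_overrun, rect_fits, fill_rect_checked, the demo_ functions) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of one 8-bit planar buffer: `rows` lines of `linesize` bytes.
 * Hypothetical names; this is not libavfilter's AVFrame or FFDrawContext. */
typedef struct {
    uint8_t *data;
    int      linesize;
    int      rows;   /* lines really allocated behind `data`, not the logical height */
} plane_t;

plane_t make_plane(int linesize, int rows)
{
    plane_t p = { NULL, linesize, rows };
    if (linesize > 0 && rows > 0)
        p.data = calloc((size_t)rows, (size_t)linesize);
    return p;
}

void free_plane(plane_t *p)
{
    free(p->data);
    p->data = NULL;
}

/* How many rows a fill of `h` rows at `dst_y` would write past a `rows`-line
 * allocation (0 when it fits, -1 for invalid geometry). Compares without
 * forming dst_y + h, so a huge h cannot wrap the check. */
int rows_overrun(int rows, int dst_y, int h)
{
    if (dst_y < 0 || h < 0 || rows < 0)
        return -1;
    if (h <= rows - dst_y)
        return 0;
    return h - (rows - dst_y);
}

/* 1 if the w x h rectangle at (dst_x, dst_y) lies inside the allocation. */
int rect_fits(const plane_t *p, int dst_x, int dst_y, int w, int h)
{
    if (!p || !p->data || dst_x < 0 || w < 0)
        return 0;
    if (w > p->linesize - dst_x)
        return 0;
    return rows_overrun(p->rows, dst_y, h) == 0;
}

/* Bounds-checked rectangle fill. Returns 0 on success, -1 (writing nothing)
 * if the rectangle would leave the allocation, which is the condition an
 * unchecked memcpy/memset loop turns into a heap overflow. */
int fill_rect_checked(plane_t *p, uint8_t color, int dst_x, int dst_y, int w, int h)
{
    if (!rect_fits(p, dst_x, dst_y, w, h))
        return -1;
    for (int y = 0; y < h; y++)
        memset(p->data + (size_t)(dst_y + y) * (size_t)p->linesize + dst_x, color, (size_t)w);
    return 0;
}

/* Ticket geometry: pad=320:1080:0:120 fills rows 360..1079 (h=720) of a frame
 * whose allocation is assumed here to be the 320x960 produced earlier in the
 * chain. Returns 1 when the checked fill rejects it and leaves the buffer untouched. */
int demo_ticket_fill_is_rejected(void)
{
    plane_t p = make_plane(320, 960);
    int ok = p.data != NULL
          && fill_rect_checked(&p, 0x80, 0, 360, 320, 720) == -1
          && p.data[(size_t)959 * 320] == 0;
    free_plane(&p);
    return ok;
}

/* Same call against a buffer that really is 1080 rows high: the fill succeeds,
 * the last row is written and nothing above row 360 is touched. */
int demo_fill_into_large_enough_plane(void)
{
    plane_t p = make_plane(320, 1080);
    int ok = p.data != NULL
          && fill_rect_checked(&p, 0x80, 0, 360, 320, 720) == 0
          && p.data[(size_t)360 * 320] == 0x80
          && p.data[(size_t)1079 * 320 + 319] == 0x80
          && p.data[(size_t)359 * 320 + 319] == 0;
    free_plane(&p);
    return ok;
}

int main(void)
{
    printf("320x960 allocation, fill y=360 h=720: overrun by %d rows, %s\n",
           rows_overrun(960, 360, 720),
           demo_ticket_fill_is_rejected() ? "rejected" : "NOT rejected");
    printf("320x1080 allocation, same fill: %s\n",
           demo_fill_into_large_enough_plane() ? "ok" : "failed");
    return 0;
}
```

With the assumed 960-row allocation the fill would run 120 rows (38400 bytes) past the end of the buffer, which is the size of write valgrind flags as "not stack'd, malloc'd or (recently) free'd"; the point of the check is that an in-place filter must validate against what was allocated, because an upstream filter may have changed the frame's logical width and height without reallocating.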

Change History (3)

comment:1 by Carl Eugen Hoyos, 10 years ago

Keywords: crash regression added
Priority: normal → important
Reproduced by developer: set
Status: new → open

Regression since b077d8d9

==20243== Invalid write of size 8
==20243==    at 0x4C2C55D: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20243==    by 0x4EBF7D: ff_fill_rectangle (drawutils.c:276)
==20243==    by 0x4BB2E7: filter_frame (vf_pad.c:330)
==20243==    by 0x489F45: ff_filter_frame_framed (avfilter.c:1072)
==20243==    by 0x48B008: ff_filter_frame (avfilter.c:1147)
==20243==    by 0x489F45: ff_filter_frame_framed (avfilter.c:1072)
==20243==    by 0x48B008: ff_filter_frame (avfilter.c:1147)
==20243==    by 0x4BB1E2: filter_frame (vf_pad.c:355)
==20243==    by 0x489F45: ff_filter_frame_framed (avfilter.c:1072)
==20243==    by 0x48B008: ff_filter_frame (avfilter.c:1147)
==20243==    by 0x48F0C1: request_frame (buffersrc.c:491)
==20243==    by 0x48F321: av_buffersrc_add_frame_internal (buffersrc.c:170)
==20243==  Address 0x7764138 is not stack'd, malloc'd or (recently) free'd

Reverting b077d8d9 only for libavfilter/vf_crop.c fixes the crash.

comment:2 by Carl Eugen Hoyos, 10 years ago

Resolution: fixed
Status: open → closed

Fixed by Michael in 0cc5011f

comment:3 by Carl Eugen Hoyos, 10 years ago

Keywords: pad added