Opened 13 years ago

Closed 13 years ago

#329 closed defect (fixed)

Crash when decoding vob file

Reported by: ralexand Owned by: Michael Niedermayer
Priority: important Component: ffmpeg
Version: git-master Keywords: regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

The input file is a DVD rip from Blade Runner Final Cut. I was trying to recode it with just the main english audio track. I've had a bit of a look around and it seems somewhere the number of input streams gets increased during the packet decoding, so it thinks there are more input streams then actually exist (and are allocated for in memory) so it causes a segfault. I time limited to two minutes and the problem always happens at the end of the copy. However doing this on another DVD rip (LAW & ORDER, simple single video + audio streams) works okay.

mig27 15:26:23$ ./ffprobe /vobs/BRFC/vob/001/BRFC-001.vob
ffprobe version 0.8, Copyright (c) 2007-2011 the FFmpeg developers

built on Jul 5 2011 15:06:24 with gcc 4.6.1
configuration: --prefix=/usr --enable-libspeex --enable-libtheora --enable-libvorbis --enable-libx264 --enable-gpl --enable-shared --enable-postproc --enable-libxvid --enable-pthreads --enable-nonfree --enable-libfaac --enable-libschroedinger --enable-libmp3lame
libavutil 51. 9. 1 / 51. 9. 1
libavcodec 53. 7. 0 / 53. 7. 0
libavformat 53. 4. 0 / 53. 4. 0
libavdevice 53. 1. 1 / 53. 1. 1
libavfilter 2. 23. 0 / 2. 23. 0
libswscale 2. 0. 0 / 2. 0. 0
libpostproc 51. 2. 0 / 51. 2. 0

[mpeg @ 0x9b53360] max_analyze_duration 5000000 reached at 5000000
Input #0, mpeg, from '/vobs/BRFC/vob/001/BRFC-001.vob':

Duration: 00:18:14.92, start: 0.287267, bitrate: 7845 kb/s

Stream #0.0[0x1e0]: Video: mpeg2video (Main), yuv420p, 720x576 [PAR 64:45 DAR 16:9], 9800 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
Stream #0.1[0x80]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.2[0x81]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.3[0x82]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.4[0x83]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.5[0x84]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
Stream #0.6[0x85]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
Stream #0.7[0x86]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s

mig27 15:26:26$ gdb ffmpeg_g
GNU gdb (GDB) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /vobs/build/32/ffmpeg-0.8/ffmpeg_g...done.
(gdb) run -i /vobs/BRFC/vob/001/BRFC-001.vob -acodec copy -vcodec copy -t 00:02:00 -f mp4 -y brfc.mp4
Starting program: /vobs/build/32/ffmpeg-0.8/ffmpeg_g -i /vobs/BRFC/vob/001/BRFC-001.vob -acodec copy -vcodec copy -t 00:02:00 -f mp4 -y brfc.mp4
[Thread debugging using libthread_db enabled]
ffmpeg version 0.8, Copyright (c) 2000-2011 the FFmpeg developers

built on Jul 5 2011 15:06:24 with gcc 4.6.1
configuration: --prefix=/usr --enable-libspeex --enable-libtheora --enable-libvorbis --enable-libx264 --enable-gpl --enable-shared --enable-postproc --enable-libxvid --enable-pthreads --enable-nonfree --enable-libfaac --enable-libschroedinger --enable-libmp3lame
libavutil 51. 9. 1 / 51. 9. 1
libavcodec 53. 7. 0 / 53. 7. 0
libavformat 53. 4. 0 / 53. 4. 0
libavdevice 53. 1. 1 / 53. 1. 1
libavfilter 2. 23. 0 / 2. 23. 0
libswscale 2. 0. 0 / 2. 0. 0
libpostproc 51. 2. 0 / 51. 2. 0

[mpeg @ 0x8068360] max_analyze_duration 5000000 reached at 5000000
Input #0, mpeg, from '/vobs/BRFC/vob/001/BRFC-001.vob':

Duration: 00:18:14.92, start: 0.287267, bitrate: 7845 kb/s

Stream #0.0[0x1e0]: Video: mpeg2video (Main), yuv420p, 720x576 [PAR 64:45 DAR 16:9], 9800 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
Stream #0.1[0x80]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.2[0x81]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.3[0x82]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.4[0x83]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream #0.5[0x84]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
Stream #0.6[0x85]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
Stream #0.7[0x86]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s

Output #0, mp4, to 'brfc.mp4':

Metadata:

encoder : Lavf53.4.0
Stream #0.0: Video: mpeg2video, yuv420p, 720x576 [PAR 64:45 DAR 16:9], q=2-31, 9800 kb/s, 25 tbn, 25 tbc
Stream #0.1: Audio: ac3, 48000 Hz, stereo, 192 kb/s

Stream mapping:

Stream #0.0 -> #0.0
Stream #0.5 -> #0.1

Press [q] to stop, ? for help
[mp4 @ 0x80690c0] pts has no value

Last message repeated 254 times

Program received signal SIGSEGV, Segmentation fault.
0x08053b49 in transcode (nb_output_files=1, input_files=0x8062028, nb_input_files=1,

stream_maps=0x0, nb_stream_maps=0, output_files=0x8060d00) at ffmpeg.c:2739

2739 pkt.dts += av_rescale_q(input_files_ts_offset[ist->file_index], AV_TIME_BASE_Q, ist->st->time_base);

(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x8053b29 to 0x8053b69:

0x08053b29 <transcode+7945>: test %esi,-0x74fffffc(%eax)
0x08053b2f <transcode+7951>: mov $0xd4024,%esp
0x08053b34 <transcode+7956>: add %cl,0xd3c24b4(%ebx)
0x08053b3a <transcode+7962>: add %al,(%eax)
0x08053b3c <transcode+7964>: lea -0x80000000(%edi),%eax
0x08053b42 <transcode+7970>: or %esi,%eax
0x08053b44 <transcode+7972>: je 0x8053b95 <transcode+8053>
0x08053b46 <transcode+7974>: mov 0x4(%ebx),%eax

=> 0x08053b49 <transcode+7977>: mov 0x3c(%eax),%edx

0x08053b4c <transcode+7980>: mov 0x38(%eax),%eax
0x08053b4f <transcode+7983>: movl $0x1,0x8(%esp)
0x08053b57 <transcode+7991>: movl $0xf4240,0xc(%esp)
0x08053b5f <transcode+7999>: mov %edx,0x14(%esp)
0x08053b63 <transcode+8003>: mov %eax,0x10(%esp)
0x08053b67 <transcode+8007>: mov (%ebx),%eax

End of assembler dump.
(gdb) info all-registers
eax 0x5dc0 24000
ecx 0x9 9
edx 0x0 0
ebx 0x806f3c4 134673348
esp 0xffffbf50 0xffffbf50
ebp 0x0 0x0
esi 0x38f95e 3733854
edi 0x0 0
eip 0x8053b49 0x8053b49 <transcode+7977>
eflags 0x210282 [ SF IF RF ID ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
st0 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st1 -nan(0x80008000800080) (raw 0xffff0080008000800080)
st2 -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st3 -1 (raw 0xbfff8000000000000000)
st4 -1 (raw 0xbfff8000000000000000)
st5 1 (raw 0x3fff8000000000000000)
st6 1 (raw 0x3fff8000000000000000)
st7 1 (raw 0x3fff8000000000000000)
fctrl 0x37f 895
fstat 0x21 33
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0, 0x0, 0x0,

0x0, 0xff, 0x0 <repeats 11 times>}, v8_int16 = {0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0},

v4_int32 = {0x0, 0xff, 0x0, 0x0}, v2_int64 = {0xff00000000, 0x0},
uint128 = 0x0000000000000000000000ff00000000}

xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {
---Type <return> to continue, or q <return> to quit---

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {

0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0,
0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}

mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
mm0 {uint64 = 0x8080808080808080, v2_int32 = {0x80808080, 0x80808080}, v4_int16 = {

0x8080, 0x8080, 0x8080, 0x8080}, v8_int8 = {0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}}

mm1 {uint64 = 0x80008000800080, v2_int32 = {0x800080, 0x800080}, v4_int16 = {0x80, 0x80,

0x80, 0x80}, v8_int8 = {0x80, 0x0, 0x80, 0x0, 0x80, 0x0, 0x80, 0x0}}

mm2 {uint64 = 0x8080808080808080, v2_int32 = {0x80808080, 0x80808080}, v4_int16 = {

0x8080, 0x8080, 0x8080, 0x8080}, v8_int8 = {0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}}

mm3 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0,

0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}

mm4 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0,

0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}

mm5 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0,

0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}

mm6 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0,

0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}

mm7 {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, v4_int16 = {0x0, 0x0,

0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80}}

(gdb) bt
#0 0x08053b49 in transcode (nb_output_files=1, input_files=0x8062028, nb_input_files=1,

stream_maps=0x0, nb_stream_maps=0, output_files=0x8060d00) at ffmpeg.c:2739

#1 0x0804f6b7 in main (argc=<value optimized out>, argv=<value optimized out>) at ffmpeg.c:4576
(gdb) print ist->file_index
$1 = 0
(gdb) print input_files_ts_offset[0]
$2 = -287267
(gdb) print ist->st
$3 = (AVStream *) 0x5dc0

(gdb) list
2734 ist = &input_streams[ist_index];
2735 if (ist->discard)
2736 goto discard_packet;
2737
2738 if (pkt.dts != AV_NOPTS_VALUE)
2739 pkt.dts += av_rescale_q(input_files_ts_offset[ist->file_index], AV_TIME_BASE_Q, ist->st->time_base);
2740 if (pkt.pts != AV_NOPTS_VALUE)
2741 pkt.pts += av_rescale_q(input_files_ts_offset[ist->file_index], AV_TIME_BASE_Q, ist->st->time_base);
2742
2743 if (pkt.stream_index < nb_input_files_ts_scale[file_index]
(gdb) print ist_index
$6 = 9

Attachments (1)

test.vob (2.4 MB ) - added by Carl Eugen Hoyos 13 years ago.

Change History (8)

comment:1 by ralexand, 13 years ago

I can get it to segfault around 00:00:41 (so if I limit the time to 00:00:40 don't get fault). If make a copy of the streams using ffmpeg 0.6.3 (same format ie mpeg, same streams and stream order) then I don't get these problems.

comment:2 by Carl Eugen Hoyos, 13 years ago

Status: newopen

Please provide a sample on http://www.datafilehost.com/ and/or find the revision introducing the problem.

comment:3 by ralexand, 13 years ago

I've cut enough to get the segfault (about 43s). The link is http://www.datafilehost.com/download-0a2a0a66.html

If you can page showing me how I can do a revision bisect I can try to hunt down the revision. I was using the daily snapshots but they don't seem to be available now.

by Carl Eugen Hoyos, 13 years ago

Attachment: test.vob added

comment:4 by Carl Eugen Hoyos, 13 years ago

Keywords: regression added
Reproduced by developer: set
Summary: Transcoding (including copy) from mpeg2ps to MP4 fails in 0.7 & 0.8 but works in 0.6.3Crash when decoding vob file
Version: 0.8git-master
(gdb) r -i test.vob -f null -
ffmpeg version N-31266-g3950376, Copyright (c) 2000-2011 the FFmpeg developers
  built on Jul  6 2011 10:20:08 with gcc 4.5.3
  configuration: --cc=/usr/local/gcc-4.5.3/bin/gcc
  libavutil    51. 11. 0 / 51. 11. 0
  libavcodec   53.  7. 0 / 53.  7. 0
  libavformat  53.  5. 0 / 53.  5. 0
  libavdevice  53.  2. 0 / 53.  2. 0
  libavfilter   2. 24. 3 /  2. 24. 3
  libswscale    2.  0. 0 /  2.  0. 0
[mpeg @ 0x1275400] max_analyze_duration 5000000 reached at 5000000
Input #0, mpeg, from 'test.vob':
  Duration: 00:00:06.69, start: 35.391267, bitrate: 3058 kb/s
    Stream #0.0[0x85]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
    Stream #0.1[0x86]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
    Stream #0.2[0x80]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
    Stream #0.3[0x81]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
    Stream #0.4[0x82]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
    Stream #0.5[0x83]: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
    Stream #0.6[0x84]: Audio: ac3, 48000 Hz, stereo, s16, 192 kb/s
    Stream #0.7[0x1e0]: Video: mpeg2video (Main), yuv420p, 720x576 [PAR 64:45 DAR 16:9], 9800 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
[buffer @ 0x1279520] w:720 h:576 pixfmt:yuv420p tb:1/1000000 sar:64/45 sws_param:
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf53.5.0
    Stream #0.0: Video: rawvideo, yuv420p, 720x576 [PAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 90k tbn, 25 tbc
    Stream #0.1: Audio: pcm_s16le, 48000 Hz, stereo, s16, 1536 kb/s
Stream mapping:
  Stream #0.7 -> #0.0
  Stream #0.0 -> #0.1
Press [q] to stop, [?] for help
[ac3 @ 0x1277520] frame sync error
Error while decoding stream #0.0

Program received signal SIGSEGV, Segmentation fault.
0x000000000040b32f in transcode (nb_output_files=1, input_files=0x127bd80, nb_input_files=1, stream_maps=0x0, nb_stream_maps=<value optimized out>, output_files=0xd11fa0) at ffmpeg.c:2742
2742                pkt.dts += av_rescale_q(input_files_ts_offset[ist->file_index], AV_TIME_BASE_Q, ist->st->time_base);
(gdb) bt
#0  0x000000000040b32f in transcode (nb_output_files=1, input_files=0x127bd80, nb_input_files=1, stream_maps=0x0, nb_stream_maps=<value optimized out>, output_files=0xd11fa0) at ffmpeg.c:2742
#1  0x00000000004108eb in main (argc=<value optimized out>, argv=<value optimized out>) at ffmpeg.c:4583
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x40b30f to 0x40b34f:
0x000000000040b30f <transcode+5327>:    test   %ecx,0x4c000007(%rcx)
0x000000000040b315 <transcode+5333>:    mov    0xd48(%rsp),%esp
0x000000000040b31c <transcode+5340>:    cmp    %rbx,%r12
0x000000000040b31f <transcode+5343>:    je     0x40b350 <transcode+5392>
0x000000000040b321 <transcode+5345>:    mov    0x8(%rbp),%rax
0x000000000040b325 <transcode+5349>:    mov    $0xf424000000001,%rsi
0x000000000040b32f <transcode+5359>:    mov    0x40(%rax),%rdx
0x000000000040b333 <transcode+5363>:    movslq 0x0(%rbp),%rax
0x000000000040b337 <transcode+5367>:    mov    0xd12e40(,%rax,8),%rdi
0x000000000040b33f <transcode+5375>:    callq  0x943190 <av_rescale_q>
0x000000000040b344 <transcode+5380>:    lea    (%rax,%r12,1),%r12
0x000000000040b348 <transcode+5384>:    mov    %r12,0xd48(%rsp)
End of assembler dump.
(gdb) info register
rax            0x0      0
rbx            0x8000000000000000       -9223372036854775808
rcx            0x0      0
rdx            0x0      0
rsi            0xf424000000001  4294967296000001
rdi            0x7fffffffdaa4   140737488345764
rbp            0x127c1d8        0x127c1d8
rsp            0x7fffffffcd70   0x7fffffffcd70
r8             0x38f95e 3733854
r9             0x12789a0        19368352
r10            0x0      0
r11            0x0      0
r12            0x38f95e 3733854
r13            0x1275400        19354624
r14            0x0      0
r15            0x9      9
rip            0x40b32f 0x40b32f <transcode+5359>
eflags         0x10a83  [ CF SF IF OF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

comment:5 by Carl Eugen Hoyos, 13 years ago

This is a regression since xxx (this number was wrong).

Last edited 13 years ago by Carl Eugen Hoyos (previous) (diff)

comment:6 by Carl Eugen Hoyos, 13 years ago

This is a regression since 2cf8355f98681bdd726b739008acd5483f82f8d7

comment:7 by Carl Eugen Hoyos, 13 years ago

Resolution: fixed
Status: openclosed

Should be fixed.

Note: See TracTickets for help on using tickets.