Opened 5 years ago

Closed 5 years ago

#3582 closed defect (duplicate)

invalid read in swscale with cpu optimizations

Reported by: ubitux Owned by:
Priority: normal Component: swscale
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

☭ valgrind ./ffmpeg_g -f lavfi -i testsrc=s=634x320 -frames:v 1 -y test.avi
==18764== Memcheck, a memory error detector
==18764== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==18764== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==18764== Command: ./ffmpeg_g -f lavfi -i testsrc=s=634x320 -frames:v 1 -y test.avi
==18764== 
ffmpeg version N-62606-g57fb570 Copyright (c) 2000-2014 the FFmpeg developers
  built on Apr 22 2014 09:42:25 with gcc 4.8.2 (GCC) 20140206 (prerelease)
  configuration: --enable-fontconfig --enable-libfreetype --enable-nonfree --enable-gpl --enable-libx264 --enable-libmp3lame --enable-x11grab --enable-libvorbis --samples=/home/ux/fate-samples --enable-libvpx --cpu=native --enable-libfaac --cc='ccache cc'
  libavutil      52. 77.100 / 52. 77.100
  libavcodec     55. 58.105 / 55. 58.105
  libavformat    55. 37.101 / 55. 37.101
  libavdevice    55. 13.100 / 55. 13.100
  libavfilter     4.  4.100 /  4.  4.100
  libswscale      2.  6.100 /  2.  6.100
  libswresample   0. 18.100 /  0. 18.100
  libpostproc    52.  3.100 / 52.  3.100
Input #0, lavfi, from 'testsrc=s=634x320':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 634x320 [SAR 1:1 DAR 317:160], 25 tbr, 25 tbn, 25 tbc
Output #0, avi, to 'test.avi':
  Metadata:
    ISFT            : Lavf55.37.101
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 634x320 [SAR 1:1 DAR 317:160], q=2-31, 200 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (rawvideo -> mpeg4)
Press [q] to stop, [?] for help
[swscaler @ 0xa77a540] Warning: data is not aligned! This can lead to a speedloss
==18764== Invalid read of size 16
==18764==    at 0xC063C7: ??? (input.asm:334)
==18764==    by 0xBC0C08: swscale (swscale.c:255)
==18764==    by 0xBC2944: sws_scale (swscale.c:1109)
==18764==    by 0x4D01E0: filter_frame (vf_scale.c:423)
==18764==    by 0x49428D: ff_filter_frame_framed (avfilter.c:1081)
==18764==    by 0x495108: ff_filter_frame (avfilter.c:1161)
==18764==    by 0x49428D: ff_filter_frame_framed (avfilter.c:1081)
==18764==    by 0x495108: ff_filter_frame (avfilter.c:1161)
==18764==    by 0x499881: request_frame (buffersrc.c:500)
==18764==    by 0x4995A7: av_buffersrc_add_frame_internal (buffersrc.c:181)
==18764==    by 0x499AAC: av_buffersrc_add_frame_flags (buffersrc.c:106)
==18764==    by 0x480B61: decode_video (ffmpeg.c:1931)
==18764==  Address 0xa6038c6 is 608,646 bytes inside a block of size 608,656 alloc'd
==18764==    at 0x4C28730: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18764==    by 0x4C2AACF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18764==    by 0xC17866: av_buffer_realloc (buffer.c:164)
==18764==    by 0x62D86D: av_new_packet (avpacket.c:74)
==18764==    by 0x48984C: lavfi_read_packet (lavfi.c:365)
==18764==    by 0x5EC9A5: ff_read_packet (utils.c:777)
==18764==    by 0x5EF76F: read_frame_internal (utils.c:1446)
==18764==    by 0x5F2E86: avformat_find_stream_info (utils.c:3181)
==18764==    by 0x47763E: open_input_file (ffmpeg_opt.c:861)
==18764==    by 0x47B7BE: ffmpeg_parse_options (ffmpeg_opt.c:2610)
==18764==    by 0x46B757: main (ffmpeg.c:3722)
==18764== 
frame=    1 fps=0.0 q=5.0 Lsize=      21kB time=00:00:00.04 bitrate=4199.6kbits/s    
video:15kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 37.999474%
==18764== 
==18764== HEAP SUMMARY:
==18764==     in use at exit: 80 bytes in 2 blocks
==18764==   total heap usage: 3,924 allocs, 3,922 frees, 9,025,400 bytes allocated
==18764== 
==18764== LEAK SUMMARY:
==18764==    definitely lost: 0 bytes in 0 blocks
==18764==    indirectly lost: 0 bytes in 0 blocks
==18764==      possibly lost: 0 bytes in 0 blocks
==18764==    still reachable: 80 bytes in 2 blocks
==18764==         suppressed: 0 bytes in 0 blocks
==18764== Rerun with --leak-check=full to see details of leaked memory
==18764== 
==18764== For counts of detected and suppressed errors, rerun with: -v
==18764== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 3)

OK with no cpu flags:

☭ valgrind ./ffmpeg_g -cpuflags none -f lavfi -i testsrc=s=634x320 -frames:v 1 -y test.avi
==18780== Memcheck, a memory error detector
==18780== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==18780== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==18780== Command: ./ffmpeg_g -cpuflags none -f lavfi -i testsrc=s=634x320 -frames:v 1 -y test.avi
==18780== 
ffmpeg version N-62606-g57fb570 Copyright (c) 2000-2014 the FFmpeg developers
  built on Apr 22 2014 09:42:25 with gcc 4.8.2 (GCC) 20140206 (prerelease)
  configuration: --enable-fontconfig --enable-libfreetype --enable-nonfree --enable-gpl --enable-libx264 --enable-libmp3lame --enable-x11grab --enable-libvorbis --samples=/home/ux/fate-samples --enable-libvpx --cpu=native --enable-libfaac --cc='ccache cc'
  libavutil      52. 77.100 / 52. 77.100
  libavcodec     55. 58.105 / 55. 58.105
  libavformat    55. 37.101 / 55. 37.101
  libavdevice    55. 13.100 / 55. 13.100
  libavfilter     4.  4.100 /  4.  4.100
  libswscale      2.  6.100 /  2.  6.100
  libswresample   0. 18.100 /  0. 18.100
  libpostproc    52.  3.100 / 52.  3.100
Input #0, lavfi, from 'testsrc=s=634x320':
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: rawvideo (RGB[24] / 0x18424752), rgb24, 634x320 [SAR 1:1 DAR 317:160], 25 tbr, 25 tbn, 25 tbc
Output #0, avi, to 'test.avi':
  Metadata:
    ISFT            : Lavf55.37.101
    Stream #0:0: Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 634x320 [SAR 1:1 DAR 317:160], q=2-31, 200 kb/s, 25 tbn, 25 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (rawvideo -> mpeg4)
Press [q] to stop, [?] for help
frame=    1 fps=0.0 q=5.0 Lsize=      21kB time=00:00:00.04 bitrate=4200.0kbits/s    
video:15kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 38.003548%
==18780== 
==18780== HEAP SUMMARY:
==18780==     in use at exit: 80 bytes in 2 blocks
==18780==   total heap usage: 3,925 allocs, 3,923 frees, 8,996,883 bytes allocated
==18780== 
==18780== LEAK SUMMARY:
==18780==    definitely lost: 0 bytes in 0 blocks
==18780==    indirectly lost: 0 bytes in 0 blocks
==18780==      possibly lost: 0 bytes in 0 blocks
==18780==    still reachable: 80 bytes in 2 blocks
==18780==         suppressed: 0 bytes in 0 blocks
==18780== Rerun with --leak-check=full to see details of leaked memory
==18780== 
==18780== For counts of detected and suppressed errors, rerun with: -v
==18780== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 3)

Change History (6)

comment:1 follow-up: Changed 5 years ago by cehoyos

Is there a specific --cpu option that allows to reproduce this problem?

comment:2 in reply to: ↑ 1 Changed 5 years ago by ubitux

Replying to cehoyos:

Is there a specific --cpu option that allows to reproduce this problem?

You can ignore the --cpu=native part. x86 cpu with avx, ssse3 or sse2 is enough to reproduce.

Last edited 5 years ago by ubitux (previous) (diff)

comment:3 Changed 5 years ago by cehoyos

  • Reproduced by developer set
  • Status changed from new to open

"Invalid read of size 8" is reproducible with:

$ valgrind ./ffmpeg_g -cpuflags mmx+sse+sse2+ssse3 -f lavfi -i testsrc=s=634x320 -frames:v 1 -vcodec mpeg4 -f null -

I cannot trigger an invalid read of size 16 here.

Last edited 5 years ago by cehoyos (previous) (diff)

comment:4 follow-up: Changed 5 years ago by cehoyos

Isn't this a duplicate of ticket #3413?

comment:5 in reply to: ↑ 4 Changed 5 years ago by ubitux

Replying to cehoyos:

Isn't this a duplicate of ticket #3413?

Ah, probably. I forgot I opened that ticket too... This one is easier to reproduce though.

comment:6 Changed 5 years ago by cehoyos

  • Resolution set to duplicate
  • Status changed from open to closed

Fixed the example above and posted it at ticket #3413...

Note: See TracTickets for help on using tickets.