Opened 10 years ago

Closed 10 years ago

#3773 closed defect (fixed)

regression: h264_mp4toannexb crashes

Reported by: vi
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: h264 regression crash abort
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

How to reproduce:

% ffmpeg -i somevideo.mp4 -an -vcodec copy -bsf h264_mp4toannexb -f h264 -y /dev/null

Starting from commit 07941c2cb28d6a80f628e035d61ab437d9719bf0 (according to git-bisect) to current master's 9bc0410e4f891719b54a5788665526e22d94bb50.

ef1d4ee2f8b621a009d482d5b183a905bcb1cd74 works well.

MALLOC_CHECK_=1 works around the problem; the problem is clearly seen in valgrind.

==5806== Invalid read of size 4
==5806==    at 0x80F527A: av_packet_free_side_data (avpacket.c:276)
==5806==    by 0x80F531D: av_free_packet (avpacket.c:296)
==5806==    by 0x80D5144: av_interleaved_write_frame (mux.c:898)
==5806==    by 0x8061114: write_frame (ffmpeg.c:689)
==5806==    by 0x80660D2: do_streamcopy (ffmpeg.c:1694)
==5806==    by 0x80688E9: output_packet (ffmpeg.c:2187)
==5806==    by 0x806EB49: process_input (ffmpeg.c:3515)
==5806==    by 0x744F584: (below main) (libc-start.c:276)
==5806==  Address 0x7aa96e0 is 0 bytes inside a block of size 12 free'd
==5806==    at 0x4D5050C: free (vg_replace_malloc.c:427)
==5806==    by 0x8436EC6: av_free (mem.c:232)
==5806==    by 0x8436EE3: av_freep (mem.c:239)
==5806==    by 0x80F52A4: av_packet_free_side_data (avpacket.c:277)
==5806==    by 0x80F531D: av_free_packet (avpacket.c:296)
==5806==    by 0x8060A04: write_frame (ffmpeg.c:621)
==5806==    by 0x80660D2: do_streamcopy (ffmpeg.c:1694)
==5806==    by 0x80688E9: output_packet (ffmpeg.c:2187)
==5806==    by 0x806EB49: process_input (ffmpeg.c:3515)
==5806==    by 0x744F584: (below main) (libc-start.c:276)
==5806== 
==5806== Invalid free() / delete / delete[] / realloc()
==5806==    at 0x4D5050C: free (vg_replace_malloc.c:427)
==5806==    by 0x8436EC6: av_free (mem.c:232)
==5806==    by 0x80F5283: av_packet_free_side_data (avpacket.c:276)
==5806==    by 0x80F531D: av_free_packet (avpacket.c:296)
==5806==    by 0x80D5144: av_interleaved_write_frame (mux.c:898)
==5806==    by 0x8061114: write_frame (ffmpeg.c:689)
==5806==    by 0x80660D2: do_streamcopy (ffmpeg.c:1694)
==5806==    by 0x80688E9: output_packet (ffmpeg.c:2187)
==5806==    by 0x806EB49: process_input (ffmpeg.c:3515)
==5806==    by 0x744F584: (below main) (libc-start.c:276)
==5806==  Address 0x9354340 is 0 bytes inside a block of size 68 free'd
==5806==    at 0x4D5050C: free (vg_replace_malloc.c:427)
==5806==    by 0x8436EC6: av_free (mem.c:232)
==5806==    by 0x80F5283: av_packet_free_side_data (avpacket.c:276)
==5806==    by 0x80F531D: av_free_packet (avpacket.c:296)
==5806==    by 0x8060A04: write_frame (ffmpeg.c:621)
==5806==    by 0x80660D2: do_streamcopy (ffmpeg.c:1694)
==5806==    by 0x80688E9: output_packet (ffmpeg.c:2187)
==5806==    by 0x806EB49: process_input (ffmpeg.c:3515)
==5806==    by 0x744F584: (below main) (libc-start.c:276)
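
The "Invalid read" and the two "Invalid free()" reports above (blocks of size 12 and 68) are the signature of one packet's side data being released by two av_free_packet calls. As an added example (not FFmpeg code and not from the ticket, which does not state the root cause), this model assumes two struct copies share the side-data pointers; `SideData`, `Packet`, `tracked_free` and `repeated_frees` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical miniature of a packet owning a side-data array (not FFmpeg's structs). */
typedef struct { unsigned char *data; int size; } SideData;
typedef struct { SideData *side_data; int side_data_elems; } Packet;

/* Freed blocks are quarantined until flush(), so a repeated free can be
 * detected and stale pointers can be inspected without undefined behaviour. */
static void *quarantine[16];
static int n_quarantined, n_double;

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < n_quarantined; i++)
        if (quarantine[i] == p) { n_double++; return; }  /* second release of p */
    if (n_quarantined == 16) abort();
    quarantine[n_quarantined++] = p;
}

static void flush(void) {
    while (n_quarantined > 0) free(quarantine[--n_quarantined]);
}

static void packet_free_side_data(Packet *pkt) {
    for (int i = 0; i < pkt->side_data_elems; i++)
        tracked_free(pkt->side_data[i].data);
    tracked_free(pkt->side_data);
    pkt->side_data = NULL;          /* only clears THIS struct, not any copy */
    pkt->side_data_elems = 0;
}

static Packet make_packet(void) {   /* constructed sample: one 36-byte entry */
    Packet p = { calloc(1, sizeof(SideData)), 1 };
    if (!p.side_data || !(p.side_data[0].data = calloc(1, 36))) abort();
    p.side_data[0].size = 36;
    return p;
}

/* Returns the number of repeated frees when two structs release one packet.
 * transfer_ownership != 0 clears the source after the struct copy. */
static int repeated_frees(int transfer_ownership) {
    n_double = 0;
    Packet in = make_packet();
    Packet out = in;                /* shallow copy: same side_data pointers */
    if (transfer_ownership) { in.side_data = NULL; in.side_data_elems = 0; }
    packet_free_side_data(&in);     /* first owner frees */
    packet_free_side_data(&out);    /* second owner frees the same blocks? */
    flush();
    return n_double;
}

int main(void) {
    printf("shallow copy: %d repeated frees\n", repeated_frees(0));
    printf("ownership transferred: %d repeated frees\n", repeated_frees(1));
    return 0;
}
```

In the shallow-copy case the second release first reads the element pointer out of the already released array, then hands both blocks to the allocator again, which matches the order of the reports in the trace.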

Attachments (1)

sample.mp4 (583.9 KB ) - added by vi 10 years ago.
Short input video sample


Change History (7)

comment:1 by Carl Eugen Hoyos, 10 years ago

Component: avfilter → undetermined

Please provide an input sample that allows reproducing the issue and please post the complete, uncut console output of valgrind here.

by vi, 10 years ago

Attachment: sample.mp4 added

Short input video sample

comment:2 by vi, 10 years ago

Keywords: h264_mp4toannexb added
$ valgrind /.../ffmpeg_g -v debug -i sample.mp4 -an -vcodec copy -bsf h264_mp4toannexb -f h264 - > /dev/null
==30868== Memcheck, a memory error detector
==30868== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==30868== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==30868== Command: /mnt/src/git/android-ffmpeg/ffmpeg/ffmpeg_g -v debug -i sample.mp4 -an -vcodec copy -bsf h264_mp4toannexb -f h264 -
==30868== 
ffmpeg version N-64702-g9bc0410 Copyright (c) 2000-2014 the FFmpeg developers
  built on Jul 17 2014 15:20:44 with gcc 4.7 (Debian 4.7.2-5)
  configuration: --disable-everything --disable-doc --disable-avdevice --disable-postproc --disable-pthreads --disable-network --disable-iconv --disable-zlib --disable-ffplay --disable-ffprobe --disable-ffserver --enable-demuxer=h264 --enable-demuxer=matroska --enable-demuxer=mpegts --enable-demuxer=rawvideo --enable-demuxer=mpegps --enable-demuxer=yuv4mpegpipe --enable-demuxer=flv --enable-demuxer=mov --enable-demuxer=mpegvideo --enable-filter=scale --enable-protocol=file --enable-protocol=pipe --enable-muxer=h264 --enable-muxer=rawvideo --enable-muxer=yuv4mpegpipe --enable-muxer=matroska --enable-muxer=mpegts --enable-muxer=mp4 --enable-muxer=mov --enable-bsf=h264_mp4toannexb --enable-parser=mpeg4video --enable-encoder=rawvideo --enable-decoder=rawvideo
  libavutil      52. 92.100 / 52. 92.100
  libavcodec     55. 69.100 / 55. 69.100
  libavformat    55. 48.100 / 55. 48.100
  libavfilter     4. 11.100 /  4. 11.100
  libswscale      2.  6.100 /  2.  6.100
  libswresample   0. 19.100 /  0. 19.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument 'debug'.
Reading option '-i' ... matched as input file with argument 'sample.mp4'.
Reading option '-an' ... matched as option 'an' (disable audio) with argument '1'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec ('copy' to copy stream)) with argument 'copy'.
Reading option '-bsf' ... matched as option 'bsf' (A comma-separated list of bitstream filters) with argument 'h264_mp4toannexb'.
Reading option '-f' ... matched as option 'f' (force format) with argument 'h264'.
Reading option '-' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument debug.
Successfully parsed a group of options.
Parsing a group of options: input file sample.mp4.
Successfully parsed a group of options.
Opening an input file: sample.mp4.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x77fffa0] Format mov,mp4,m4a,3gp,3g2,mj2 probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x77fffa0] ISO: File Type Major Brand: isom
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x77fffa0] Before avformat_find_stream_info() pos: 597883 bytes read:33600 seeks:1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x77fffa0] All info found
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x77fffa0] After avformat_find_stream_info() pos: 183610 bytes read:217162 seeks:2 frames:1
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'sample.mp4':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2avc1mp41
    encoder         : Lavf55.10.100
  Duration: 00:00:00.23, start: 0.000000, bitrate: 20440 kb/s
    Stream #0:0(eng), 1, 1/90000: Video: h264 (avc1 / 0x31637661), 1920x1080, 1/90000, 20469 kb/s, 30 fps, 30 tbr, 90k tbn, 90k tbc (default)
    Metadata:
      rotate          : 90
      handler_name    : VideoHandler
    Side data:
      displaymatrix: rotation of -90.00 degrees
Successfully opened the file.
Parsing a group of options: output file -.
Applying option an (disable audio) with argument 1.
Applying option vcodec (force video codec ('copy' to copy stream)) with argument copy.
Applying option bsf (A comma-separated list of bitstream filters) with argument h264_mp4toannexb.
Applying option f (force format) with argument h264.
Successfully parsed a group of options.
Opening an output file: -.
Successfully opened the file.
Output #0, h264, to 'pipe:':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2avc1mp41
    encoder         : Lavf55.48.100
    Stream #0:0(eng), 0, 1/90000: Video: h264 (avc1 / 0x31637661), 1920x1080, 1/90000, q=2-31, 20469 kb/s, 30 fps, 90k tbn, 90k tbc (default)
    Metadata:
      rotate          : 90
      handler_name    : VideoHandler
Stream mapping:
  Stream #0:0 -> #0:0 (copy)
Press [q] to stop, [?] for help
==30868== Invalid read of size 4
==30868==    at 0x80F4FC6: av_free_packet (avpacket.c:276)
==30868==    by 0x80D7AD5: av_interleaved_write_frame (mux.c:898)
==30868==    by 0x80751B8: write_frame (ffmpeg.c:689)
==30868==    by 0x807BABC: do_streamcopy (ffmpeg.c:1694)
==30868==    by 0x807CED6: process_input (ffmpeg.c:2187)
==30868==    by 0x805F016: main (ffmpeg.c:3609)
==30868==  Address 0x784fd40 is 0 bytes inside a block of size 12 free'd
==30868==    at 0x4DED50C: free (vg_replace_malloc.c:427)
==30868==    by 0x820C281: av_freep (mem.c:232)
==30868==    by 0x80F4FE3: av_free_packet (avpacket.c:277)
==30868==    by 0x8074F3F: write_frame (ffmpeg.c:621)
==30868==    by 0x807BABC: do_streamcopy (ffmpeg.c:1694)
==30868==    by 0x807CED6: process_input (ffmpeg.c:2187)
==30868==    by 0x805F016: main (ffmpeg.c:3609)
==30868== 
==30868== Invalid free() / delete / delete[] / realloc()
==30868==    at 0x4DED50C: free (vg_replace_malloc.c:427)
==30868==    by 0x80F4FD3: av_free_packet (avpacket.c:276)
==30868==    by 0x80D7AD5: av_interleaved_write_frame (mux.c:898)
==30868==    by 0x80751B8: write_frame (ffmpeg.c:689)
==30868==    by 0x807BABC: do_streamcopy (ffmpeg.c:1694)
==30868==    by 0x807CED6: process_input (ffmpeg.c:2187)
==30868==    by 0x805F016: main (ffmpeg.c:3609)
==30868==  Address 0x784fdc0 is 0 bytes inside a block of size 68 free'd
==30868==    at 0x4DED50C: free (vg_replace_malloc.c:427)
==30868==    by 0x80F4FD3: av_free_packet (avpacket.c:276)
==30868==    by 0x8074F3F: write_frame (ffmpeg.c:621)
==30868==    by 0x807BABC: do_streamcopy (ffmpeg.c:1694)
==30868==    by 0x807CED6: process_input (ffmpeg.c:2187)
==30868==    by 0x805F016: main (ffmpeg.c:3609)
==30868== 
==30868== Invalid free() / delete / delete[] / realloc()
==30868==    at 0x4DED50C: free (vg_replace_malloc.c:427)
==30868==    by 0x820C281: av_freep (mem.c:232)
==30868==    by 0x80F4FE3: av_free_packet (avpacket.c:277)
==30868==    by 0x80D7AD5: av_interleaved_write_frame (mux.c:898)
==30868==    by 0x80751B8: write_frame (ffmpeg.c:689)
==30868==    by 0x807BABC: do_streamcopy (ffmpeg.c:1694)
==30868==    by 0x807CED6: process_input (ffmpeg.c:2187)
==30868==    by 0x805F016: main (ffmpeg.c:3609)
==30868==  Address 0x784fd40 is 0 bytes inside a block of size 12 free'd
==30868==    at 0x4DED50C: free (vg_replace_malloc.c:427)
==30868==    by 0x820C281: av_freep (mem.c:232)
==30868==    by 0x80F4FE3: av_free_packet (avpacket.c:277)
==30868==    by 0x8074F3F: write_frame (ffmpeg.c:621)
==30868==    by 0x807BABC: do_streamcopy (ffmpeg.c:1694)
==30868==    by 0x807CED6: process_input (ffmpeg.c:2187)
==30868==    by 0x805F016: main (ffmpeg.c:3609)
==30868== 
No more output streams to write to, finishing.
frame=    7 fps=0.0 q=-1.0 Lsize=     583kB time=00:00:00.20 bitrate=23881.1kbits/s    
video:583kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.000000%
Input file #0 (sample.mp4):
  Input stream #0:0 (video): 7 packets read (597003 bytes); 
  Total: 7 packets (597003 bytes) demuxed
Output file #0 (pipe:):
  Output stream #0:0 (video): 7 packets muxed (597027 bytes); 
  Total: 7 packets (597027 bytes) muxed
0 frames successfully decoded, 0 decoding errors
[AVIOContext @ 0x784f7c0] Statistics: 0 seeks, 24 writeouts
[AVIOContext @ 0x78087c0] Statistics: 630603 bytes read, 2 seeks
==30868== 
==30868== HEAP SUMMARY:
==30868==     in use at exit: 0 bytes in 0 blocks
==30868==   total heap usage: 299 allocs, 313 frees, 1,414,657 bytes allocated
==30868== 
==30868== All heap blocks were freed -- no leaks are possible
==30868== 
==30868== For counts of detected and suppressed errors, rerun with: -v
==30868== ERROR SUMMARY: 21 errors from 3 contexts (suppressed: 0 from 0)

comment:3 by Carl Eugen Hoyos, 10 years ago

Component: undetermined → avcodec
Keywords: regression added; h264_mp4toannexb removed
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

comment:4 by Carl Eugen Hoyos, 10 years ago (in reply to: 2)

Replying to vi:

--enable-demuxer=h264 --enable-demuxer=matroska

Unrelated:
You can write: --enable-demuxer=h264,matroska

comment:5 by Carl Eugen Hoyos, 10 years ago

Keywords: crash abort added

comment:6 by Christophe, 10 years ago

Resolution: fixed
Status: open → closed