Opened 5 years ago

Closed 4 years ago

#4038 closed defect (fixed)

avio_seek gets called with (..., -1, SEEK_SET)

Reported by: albertzeyer
Owned by:
Priority: normal
Component: undetermined
Version: unspecified
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

In libavformat/mp3dec.c, the bug is in mp3_seek:

static int check(AVFormatContext *s, int64_t pos)
{
    int64_t ret = avio_seek(s->pb, pos, SEEK_SET);
...
}
...
static int mp3_seek(...)
{
...
    best_pos = ie->pos;
    best_score = 999;
    for(i=0; i<4096; i++) {
        int64_t pos = ie->pos + (dir > 0 ? i - 1024 : -i);
        int64_t candidate = -1;
        int score = 999;
        for(j=0; j<MIN_VALID; j++) {
            ret = check(s, pos);
...

I have the case where ie->pos is small. In that case, negative values can land in pos and will get passed over to avio_seek.
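
The arithmetic described above, as an added example (not part of the ticket or of FFmpeg's code): it counts how many candidate positions in the 4096-step window are negative for a given index position, and shows a custom SEEK_SET handler that rejects out-of-range offsets instead of acting on them. The names candidate_pos, count_negative, mem_src and mem_seek_set, and the -1 error return, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SEEK_WINDOW 4096   /* loop bound taken from the excerpt in the ticket */

/* Same arithmetic as the excerpt: pos = ie->pos + (dir > 0 ? i - 1024 : -i) */
static int64_t candidate_pos(int64_t index_pos, int dir, int i)
{
    return index_pos + (dir > 0 ? i - 1024 : -i);
}

/* How many candidate positions in the window are negative offsets. */
static int count_negative(int64_t index_pos, int dir)
{
    int n = 0;
    for (int i = 0; i < SEEK_WINDOW; i++)
        if (candidate_pos(index_pos, dir, i) < 0)
            n++;
    return n;
}

/* Hypothetical in-memory source standing in for a custom I/O backend. */
struct mem_src { const uint8_t *data; int64_t size; int64_t pos; };

/* Defensive SEEK_SET handler: an out-of-range offset yields an error code
 * (-1 here, an assumption) and leaves the current position untouched. */
static int64_t mem_seek_set(struct mem_src *m, int64_t offset)
{
    if (offset < 0 || offset > m->size)
        return -1;
    m->pos = offset;
    return m->pos;
}

int main(void)
{
    static const uint8_t buf[16] = {0};   /* constructed sample data */
    struct mem_src m = { buf, sizeof buf, 0 };

    printf("forward,  index pos 0: %d negative candidates\n", count_negative(0, 1));
    printf("backward, index pos 0: %d negative candidates\n", count_negative(0, -1));
    printf("seek(-1) returns %lld, position stays %lld\n",
           (long long)mem_seek_set(&m, -1), (long long)m.pos);
    return 0;
}
```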

Attachments (2)

ffmpeg-seek-bug.cpp (8.1 KB) - added by albertzeyer 5 years ago.
test.mp3 (9.8 KB) - added by albertzeyer 5 years ago.


Change History (6)

comment:1 Changed 5 years ago by cehoyos

Please provide your case.

Changed 5 years ago by albertzeyer

comment:2 Changed 5 years ago by albertzeyer

This is the backtrace:

    frame #2: 0x00007fff863ebb1a libsystem_c.dylib`abort + 125
    frame #3: 0x00000001064ba8e2 a.out`player_seek(_song=0x00007ff4ca40c2f8, offset=-1, whence=0) + 242 at ffmpeg-seek-bug.cpp:61
    frame #4: 0x00000001065305ae libavformat.56.dylib`avio_seek(s=0x00007ff4ca40c580, offset=<unavailable>, whence=<unavailable>) + 622 at aviobuf.c:261
    frame #5: 0x0000000106593e6d libavformat.56.dylib`mp3_seek [inlined] check(s=<unavailable>, pos=-1) + 17 at mp3dec.c:395
    frame #6: 0x0000000106593e5c libavformat.56.dylib`mp3_seek(s=0x00007ff4ca80c000, stream_index=<unavailable>, timestamp=<unavailable>, flags=<unavailable>) + 732 at mp3dec.c:458
    frame #7: 0x000000010660b97c libavformat.56.dylib`av_seek_frame [inlined] seek_frame_internal(s=<unavailable>, stream_index=<unavailable>, timestamp=<unavailable>, flags=1) + 217 at utils.c:2059
    frame #8: 0x000000010660b8a3 libavformat.56.dylib`av_seek_frame(s=0x00007ff4ca80c000, stream_index=<unavailable>, timestamp=<unavailable>, flags=1) + 243 at utils.c:2091
    frame #9: 0x000000010660bebf libavformat.56.dylib`avformat_seek_file(s=<unavailable>, stream_index=-1, min_ts=0, ts=1000, max_ts=1998, flags=<unavailable>) + 175 at utils.c:2142
    frame #10: 0x00000001064b95a1 a.out`Song::seekAbs(this=0x00007ff4ca40c2f8, pos=0.001) + 401 at ffmpeg-seek-bug.cpp:296
    frame #11: 0x00000001064b9788 a.out`main(argc=2, argv=0x00007fff597477d8) + 424 at ffmpeg-seek-bug.cpp:330

Changed 5 years ago by albertzeyer

comment:3 Changed 5 years ago by albertzeyer

I added the first 10kb of the file which triggers the bug for me. This test.mp3 also triggers the bug.

The code can also be seen online here: https://github.com/albertz/music-player-core/blob/master/tests/ffmpeg-seek-bug.cpp

Compile and run ./a.out test.mp3.

comment:4 Changed 4 years ago by michael

  • Resolution set to fixed
  • Status changed from new to closed