Opened 13 years ago

Closed 12 years ago

#455 closed defect (fixed)

Invalid read in ff_mspel_motion called from EC code

Reported by: Carl Eugen Hoyos Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: crash SIGSEGV vc1
Cc: DonMoir Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Found using fenrir's text file.
Only reproduces on ia32 (32-bit x86 builds).

(gdb) r -i audio-switch-z14.m2ts -f null -
Starting program: ffmpeg_g -i audio-switch-z14.m2ts -f null -
[Thread debugging using libthread_db enabled]                                              
ffmpeg version N-32449-g8fd1da5, Copyright (c) 2000-2011 the FFmpeg developers             
  built on Sep 10 2011 23:48:36 with gcc 4.5.3                                             
  configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32' --disable-optimizations          
  libavutil    51. 16. 0 / 51. 16. 0                                                       
  libavcodec   53. 13. 0 / 53. 13. 0                                                       
  libavformat  53. 12. 0 / 53. 12. 0                                                       
  libavdevice  53.  3. 0 / 53.  3. 0                                                       
  libavfilter   2. 39. 0 /  2. 39. 0                                                       
  libswscale    2.  1. 0 /  2.  1. 0                                                       

...

...

Program received signal SIGSEGV, Segmentation fault.
0x08455652 in ff_mspel_motion (s=0x8e1acc0, dest_y=0xf6d16420 "",
    dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P' <repeats 200 times>...,
    ref_picture=0x8e1b024, pix_op=0x8e1bd38, motion_x=128, motion_y=0, h=16) at libavcodec/wmv2.c:112
112         s->dsp.put_mspel_pixels_tab[dxy](dest_y             , ptr             , linesize);
(gdb) bt
#0  0x08455652 in ff_mspel_motion (s=0x8e1acc0, dest_y=0xf6d16420 "",
    dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P' <repeats 200 times>...,
    ref_picture=0x8e1b024, pix_op=0x8e1bd38, motion_x=128, motion_y=0, h=16) at libavcodec/wmv2.c:112
#1  0x0833a6cd in MPV_motion_internal (s=0x8e1acc0, dest_y=0xf6d16420 "",
    dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P' <repeats 200 times>..., dir=0,
    ref_picture=0x8e1b024, pix_op=0x8e1bd38, qpix_op=0x8e1be98, is_mpeg12=0)
    at libavcodec/mpegvideo_common.h:729
#2  0x0833b2ac in MPV_motion (s=0x8e1acc0, dest_y=0xf6d16420 "",
    dest_cb=0x8ff5a80 'h' <repeats 200 times>..., dest_cr=0x90752c0 'P' <repeats 200 times>..., dir=0,
    ref_picture=0x8e1b024, pix_op=0x8e1bd38, qpix_op=0x8e1be98) at libavcodec/mpegvideo_common.h:896
#3  0x083433f6 in MPV_decode_mb_internal (s=0x8e1acc0, block=0x8d0a9c0, lowres_flag=0, is_mpeg12=0)
    at libavcodec/mpegvideo.c:2161
#4  0x08344196 in MPV_decode_mb (s=0x8e1acc0, block=0x8d0a9c0) at libavcodec/mpegvideo.c:2298
#5  0x08507bd1 in decode_mb (s=0x8e1acc0, ref=0) at libavcodec/error_resilience.c:62
#6  0x08509e5b in guess_mv (s=0x8e1acc0) at libavcodec/error_resilience.c:584
#7  0x0850ba43 in ff_er_frame_end (s=0x8e1acc0) at libavcodec/error_resilience.c:1066
#8  0x0840f0ed in vc1_decode_frame (avctx=0x8ca1da0, data=0xffffb8f4, data_size=0xffffb9fc,
    avpkt=0xffffb890) at libavcodec/vc1dec.c:4009
#9  0x083f6a10 in avcodec_decode_video2 (avctx=0x8ca1da0, picture=0xffffb8f4, got_picture_ptr=0xffffb9fc,
    avpkt=0xffffb890) at libavcodec/utils.c:769
#10 0x080503d8 in output_packet (ist=0x8cbdda8, ist_index=0, ost_table=0x8d62308, nb_ostreams=2,
    pkt=0xffffcd18) at ffmpeg.c:1707
#11 0x0805384e in transcode (output_files=0x8ca4ff0, nb_output_files=1, input_files=0x8c9ca78,
    nb_input_files=1) at ffmpeg.c:2572
#12 0x08058eeb in main (argc=6, argv=0xffffd004) at ffmpeg.c:4489
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8455632 to 0x8455672:
0x08455632 <ff_mspel_motion+496>:       cwtl
0x08455633 <ff_mspel_motion+497>:       add    %al,(%eax)
0x08455635 <ff_mspel_motion+499>:       add    %al,0x48d01c0(%ebx)
0x0845563b <ff_mspel_motion+505>:       add    0x45c7e445(%ecx),%cl
0x08455641 <ff_mspel_motion+511>:       aam    $0x1
0x08455643 <ff_mspel_motion+513>:       add    %al,(%eax)
0x08455645 <ff_mspel_motion+515>:       add    %cl,0x558b0845(%ebx)
0x0845564b <ff_mspel_motion+521>:       loopne 0x84555ce <ff_mspel_motion+396>
0x0845564d <ff_mspel_motion+523>:       ret    $0x4f4
0x08455650 <ff_mspel_motion+526>:       add    %al,(%eax)
0x08455652 <ff_mspel_motion+528>:       mov    0x8(%eax,%edx,4),%edx
0x08455656 <ff_mspel_motion+532>:       mov    -0x40(%ebp),%eax
0x08455659 <ff_mspel_motion+535>:       mov    %eax,0x8(%esp)
0x0845565d <ff_mspel_motion+539>:       mov    -0x1c(%ebp),%eax
0x08455660 <ff_mspel_motion+542>:       mov    %eax,0x4(%esp)
0x08455664 <ff_mspel_motion+546>:       mov    0xc(%ebp),%eax
0x08455667 <ff_mspel_motion+549>:       mov    %eax,(%esp)
0x0845566a <ff_mspel_motion+552>:       call   *%edx
0x0845566c <ff_mspel_motion+554>:       mov    0x8(%ebp),%eax
0x0845566f <ff_mspel_motion+557>:       mov    -0x20(%ebp),%edx
End of assembler dump.
(gdb) info registers
eax            0x8e1acc0        149007552
ecx            0xf000   61440
edx            0x84a1b39        139074361
ebx            0x780    1920
esp            0xffff8fe0       0xffff8fe0
ebp            0xffff9068       0xffff9068
esi            0x40     64
edi            0x8      8
eip            0x8455652        0x8455652 <ff_mspel_motion+528>
eflags         0x210206 [ PF IF RF ID ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Attachments (1)

audio-switch-z14.m2ts (2.0 MB ) - added by Carl Eugen Hoyos 13 years ago.


Change History (6)

by Carl Eugen Hoyos, 13 years ago

Attachment: audio-switch-z14.m2ts added

comment:1 by Carl Eugen Hoyos, 13 years ago

Status: new → open
Summary: Crash in ff_mspel_motion → Invalid read in ff_mspel_motion

comment:2 by Michael Niedermayer, 13 years ago

Summary: Invalid read in ff_mspel_motion → Invalid read in ff_mspel_motion called from EC code

comment:3 by DonMoir, 12 years ago

Originally I posted ticket #495 about a crash here:

https://ffmpeg.org/trac/ffmpeg/ticket/495

That ticket was closed, but the crash never stopped reproducing on my machine. I have since been told that, although the crash looked the same to me, it is most likely a different case — for example, it may not occur on 64-bit builds.

With this file (hidef_crash_cut.wmv, 20 MB) it crashes every time for me on 32-bit Windows x86.

http://www.datafilehost.com/download-3cd0d3f7.html

Judging from the backtrace below — same crash site, libavcodec/wmv2.c:112 in ff_mspel_motion, reached from the error-concealment path (ff_er_frame_end → guess_mv → decode_mb) — this looks like the same case as originally reported here.

ffmpeg_g -i c:\hidef_crash_cut.wmv -f null -
ffmpeg version 0.8.5.git, Copyright (c) 2000-2011 the FFmpeg developers

built on Oct 17 2011 12:07:23 with gcc 4.5.2
configuration: --target-os=mingw32 --disable-yasm --disable-doc
libavutil 51. 21. 0 / 51. 21. 0
libavcodec 53. 20. 1 / 53. 20. 1
libavformat 53. 16. 0 / 53. 16. 0
libavdevice 53. 4. 0 / 53. 4. 0
libavfilter 2. 43. 6 / 2. 43. 6
libswscale 2. 1. 0 / 2. 1. 0

[asf @ 03519860] Ext DRM protected stream detected, decoding will likely fail!
[asf @ 03519860] DRM protected stream detected, decoding will likely fail!
[asf @ 03519860] Digital signature detected!
[asf @ 03519860] parser not found for codec wmapro, packets or times may be invalid.

gdb ffmpeg_g
r -i c:\hidef_crash_cut.wmv -f null -

[wmv3 @ 03616200] Bits overconsumption: 379253 > 379232
[wmv3 @ 03616200] concealing 2246 DC, 2246 AC, 2246 MV errors
[wmv3 @ 03616200] Bits overconsumption: 197142 > 197120 at 66x35
[wmv3 @ 03616200] concealing 733 DC, 733 AC, 733 MV errors

Program received signal SIGSEGV, Segmentation fault.
0x007bdc49 in ff_mspel_motion (s=0x351b020, dest_y=0x458f470 "",

dest_cb=0x40722b8 "tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++

++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>, "YYXXXXWWVVVWXYZ[[[JP?80;1"...,

dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>, "=t\300+¡¡¡¡¡¡«««

«««½¬½P\216\203\203\217\224\226umffffa
LH", 'D' <repeats 12 times>, "EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>, "²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"...,

ref_picture=0x351b388, pix_op=0x351c4f8, motion_x=-16, motion_y=36, h=16)
at libavcodec/wmv2.c:112

112 s->dsp.put_mspel_pixels_tab[dxy](dest_y, ptr , linesize);

(gdb) bt

#0 0x007bdc49 in ff_mspel_motion (s=0x351b020, dest_y=0x458f470 "",

dest_cb=0x40722b8 "tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++

++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>, "YYXXXXWWVVVWXYZ[[[JP?80;1"...,

dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>, "=t\300+¡¡¡¡¡¡«««

«««½¬½P\216\203\203\217\224\226umffffa
LH", 'D' <repeats 12 times>, "EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>, "²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"...,

ref_picture=0x351b388, pix_op=0x351c4f8, motion_x=-16, motion_y=36, h=16)
at libavcodec/wmv2.c:112

#1 0x0057cb22 in MPV_motion_internal (s=0x351b020, dest_y=0x458f470 "",

dest_cb=0x40722b8 "tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++

++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>, "YYXXXXWWVVVWXYZ[[[JP?80;1"...,

dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>, "=t\300+¡¡¡¡¡¡«««

«««½¬½P\216\203\203\217\224\226umffffa
LH", 'D' <repeats 12 times>, "EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>, "²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"..., dir=0,

ref_picture=0x351b388, pix_op=0x351c4f8, qpix_op=0x351c658)
at libavcodec/mpegvideo_common.h:729

#2 MPV_motion (s=0x351b020, dest_y=0x458f470 "",

dest_cb=0x40722b8 "tvwwwwwwrrrrrrrrnmnnnnifXUQRQRRRRSSSSSTUXYYZYZhxñ\261++++

++++¦+¦+\262«\237¢\226\224\223\223\223\225\226\224\216\211\205\207\220¢¦+++++¦¦¦
\262¦¦¦¦½ª\225\221\215\215\215\215\215\215hhhhgfeddcba`][[ZYWVUUUVVVVUUUUVVVVVV
VVWWWWWWXX[ZZZ[[[[[", 'Z' <repeats 14 times>, "YYXXXXWWVVVWXYZ[[[JP?80;1"...,

dest_cr=0x40aa6f8 "(======(n¦", '\377' <repeats 12 times>, "=t\300+¡¡¡¡¡¡«««

«««½¬½P\216\203\203\217\224\226umffffa
LH", 'D' <repeats 12 times>, "EGOJOSKNTP
WYZZZZYXUUTTTTSSSTSSSSSS\332\332\332\332\331\330\327++++---\316\314\314\313-++\3
13\316-\330¦¦G\344Fdn±)\370n", '¦' <repeats 13 times>, "²nv\372\371\370˜)(((((((
\371÷=n²\377\377\377=======8nFa\331-\313++++¦¦mvcg"..., dir=0,

ref_picture=0x351b388, pix_op=0x351c4f8, qpix_op=0x351c658)
at libavcodec/mpegvideo_common.h:896

#3 0x00584a26 in MPV_decode_mb_internal (s=0x351b020, block=0x38f53a0)

at libavcodec/mpegvideo.c:2165

#4 MPV_decode_mb (s=0x351b020, block=0x38f53a0)

at libavcodec/mpegvideo.c:2302

#5 0x007c3712 in decode_mb (s=0x351b020, ref=<value optimized out>)

at libavcodec/error_resilience.c:62

#6 0x007c4151 in guess_mv (s=<value optimized out>)

at libavcodec/error_resilience.c:584

#7 0x007c5ef2 in ff_er_frame_end (s=0x351b020)

at libavcodec/error_resilience.c:1066

#8 0x0063be93 in vc1_decode_frame (avctx=0x3616200, data=0x36a0e40,

data_size=0x23deec, avpkt=0x23de48) at libavcodec/vc1dec.c:5737

#9 0x004efc31 in avcodec_decode_video2 (avctx=0x3616200, picture=0x36a0e40,

got_picture_ptr=0x23deec, avpkt=0x23de48) at libavcodec/utils.c:804

#10 0x004072ee in output_packet (ist=0x351a648, ist_index=1,

ost_table=0x3615010, nb_ostreams=2, pkt=0x23fbf8) at ffmpeg.c:1685

#11 0x0040ad16 in transcode (output_files=<value optimized out>,

nb_output_files=0, input_files=0x0, nb_input_files=4252759)
at ffmpeg.c:2630

#12 0x0023ff48 in ?? ()
#13 0x00000000 in ?? ()

(gdb) disass $pc-32,$pc+32

Dump of assembler code from 0x7bdc29 to 0x7bdc69:

0x007bdc29 <ff_mspel_motion+449>: (bad)
0x007bdc2a <ff_mspel_motion+450>: xchg %ax,%ax
0x007bdc2c <ff_mspel_motion+452>: movl $0x0,0x58(%esp)
0x007bdc34 <ff_mspel_motion+460>: add $0x60c,%ebp
0x007bdc3a <ff_mspel_motion+466>: mov %esi,0x8(%esp)
0x007bdc3e <ff_mspel_motion+470>: mov %edi,0x4(%esp)
0x007bdc42 <ff_mspel_motion+474>: mov 0x54(%esp),%ecx
0x007bdc46 <ff_mspel_motion+478>: mov %ecx,(%esp)

=> 0x007bdc49 <ff_mspel_motion+481>: call *0x8(%ebx,%ebp,4)

0x007bdc4d <ff_mspel_motion+485>: mov %esi,0x8(%esp)
0x007bdc51 <ff_mspel_motion+489>: lea 0x8(%edi),%eax
0x007bdc54 <ff_mspel_motion+492>: mov %eax,0x4(%esp)
0x007bdc58 <ff_mspel_motion+496>: mov 0x54(%esp),%eax
0x007bdc5c <ff_mspel_motion+500>: add $0x8,%eax
0x007bdc5f <ff_mspel_motion+503>: mov %eax,(%esp)
0x007bdc62 <ff_mspel_motion+506>: call *0x8(%ebx,%ebp,4)
0x007bdc66 <ff_mspel_motion+510>: lea 0x0(,%esi,8),%eax

End of assembler dump.

(gdb) info registers

eax 0x242 578
ecx 0x458f470 72938608
edx 0x253 595
ebx 0x351b020 55685152
esp 0x23c630 0x23c630
ebp 0x80a3e8 0x80a3e8
esi 0x500 1280
edi 0x44a4e68 71978600
eip 0x7bdc49 0x7bdc49 <ff_mspel_motion+481>
eflags 0x210216 [ PF AF IF RF ID ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0 0


comment:4 by Michael Niedermayer, 12 years ago

I suspect that my last commit fixed this as well

comment:5 by Carl Eugen Hoyos, 12 years ago

Cc: DonMoir added
Keywords: crash SIGSEGV vc1 added
Resolution: fixed
Status: open → closed