Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#4850 closed defect (fixed)

Crash when converting to bgra via swscale with fast_bilinear

Reported by: oromit
Owned by:
Priority: important
Component: swscale
Version: git-master
Keywords: crash SIGSEGV regression
Cc: fritsch@kodi.tv, michael
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
The given sample makes ffmpeg 2.8 and git-master (no other versions tested, maybe also earlier releases) crash somewhere in the swscale asm files.

How to reproduce:

% ./ffmpeg -i crash.mkv -map 0:v:0 -c:v rawvideo -sws_flags fast_bilinear -dstw 360 -dsth 202 -pix_fmt bgra -f rawvideo -y /dev/null
ffmpeg version N-75284-g65b96ab Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.9.3 (Gentoo 4.9.3 p1.1, pie-0.6.2)
  configuration: --enable-gpl --enable-nonfree --enable-nvenc --enable-libx264 --enable-libfdk_aac --disable-doc --enable-opencl --cpu=host
  libavutil      55.  2.100 / 55.  2.100
  libavcodec     57.  1.100 / 57.  1.100
  libavformat    57.  0.100 / 57.  0.100
  libavdevice    57.  0.100 / 57.  0.100
  libavfilter     6.  3.100 /  6.  3.100
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.100 /  2.  0.100
  libpostproc    54.  0.100 / 54.  0.100
Input #0, matroska,webm, from '/home/timo/Downloads/crash.mkv':
  Metadata:
    MINOR_VERSION   : 0
    COMPATIBLE_BRANDS: isommp42
    MAJOR_BRAND     : mp42
    ENCODER         : Lavf56.40.101
  Duration: 00:00:01.22, start: 0.000000, bitrate: 581 kb/s
    Stream #0:0: Video: hevc (Main), yuv420p(tv), 7680x4320 [SAR 1:1 DAR 16:9], 29.97 fps, 29.97 tbr, 1k tbn, 29.97 tbc (default)
    Metadata:
      ENCODER         : Lavc56.60.100 libx265
      DURATION        : 00:00:01.224000000
Output #0, rawvideo, to '/dev/null':
  Metadata:
    MINOR_VERSION   : 0
    COMPATIBLE_BRANDS: isommp42
    MAJOR_BRAND     : mp42
    encoder         : Lavf57.0.100
    Stream #0:0: Video: rawvideo (BGRA / 0x41524742), bgra, 7680x4320 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 29.97 fps, 29.97 tbn, 29.97 tbc (default)
    Metadata:
      DURATION        : 00:00:01.224000000
      encoder         : Lavc57.1.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (hevc (native) -> rawvideo (native))
Press [q] to stop, [?] for help
zsh: segmentation fault

Backtrace:

#0  ff_hscale8to15_4_ssse3.loop () at libswscale/x86/scale.asm:429
#1  0x0000000000e416e4 in lum_h_scale (c=0x1b88880, desc=0x1b82a20, sliceY=<optimized out>, sliceH=2) at libswscale/hscale.c:41
#2  0x0000000000de087f in swscale (c=0x1b88880, src=<optimized out>, srcStride=<optimized out>, srcSliceY=<optimized out>, srcSliceH=<optimized out>, dst=0x7fffffffd060, dstStride=0x7fffffffd030) at libswscale/swscale.c:588
#3  0x0000000000de1d7b in sws_scale (c=<optimized out>, srcSlice=srcSlice@entry=0x7fffffffd140, srcStride=srcStride@entry=0x7fffffffd120, srcSliceY=srcSliceY@entry=0, srcSliceH=<optimized out>, dst=dst@entry=0x7fffffffd160, 
    dstStride=0x7fffffffd130) at libswscale/swscale.c:1263
#4  0x00000000005121fc in scale_slice (y=<optimized out>, link=<optimized out>, field=<optimized out>, mul=<optimized out>, h=<optimized out>, sws=<optimized out>, cur_pic=<optimized out>, out_buf=<optimized out>)
    at libavfilter/vf_scale.c:477
#5  filter_frame (link=link@entry=0x1b82fa0, in=0x1c94d20) at libavfilter/vf_scale.c:579
#6  0x00000000004a6d7f in ff_filter_frame_framed (link=link@entry=0x1b82fa0, frame=frame@entry=0x1c94d20) at libavfilter/avfilter.c:1089
#7  0x00000000004a8efc in ff_filter_frame (link=0x1b82fa0, frame=0x1c94d20) at libavfilter/avfilter.c:1173
#8  0x00000000004a6d7f in ff_filter_frame_framed (link=link@entry=0x1b82e00, frame=frame@entry=0x1c94d20) at libavfilter/avfilter.c:1089
#9  0x00000000004a8efc in ff_filter_frame (link=link@entry=0x1b82e00, frame=0x1c94d20) at libavfilter/avfilter.c:1173
#10 0x00000000004ad13f in request_frame (link=0x1b82e00) at libavfilter/buffersrc.c:378
#11 0x00000000004ace46 in av_buffersrc_add_frame_internal (ctx=ctx@entry=0x1b82480, frame=frame@entry=0x1c49f00, flags=flags@entry=4) at libavfilter/buffersrc.c:180
#12 0x00000000004ad3ad in av_buffersrc_add_frame_flags (ctx=0x1b82480, frame=frame@entry=0x1c49f00, flags=flags@entry=4) at libavfilter/buffersrc.c:105
#13 0x000000000048d3ca in decode_video (ist=ist@entry=0x1b6af00, pkt=pkt@entry=0x7fffffffd720, got_output=got_output@entry=0x7fffffffd6cc) at ffmpeg.c:2179
#14 0x0000000000476a70 in process_input_packet (pkt=0x7fffffffd6d0, ist=0x1b6af00) at ffmpeg.c:2327
#15 process_input (file_index=<optimized out>) at ffmpeg.c:3833
#16 transcode_step () at ffmpeg.c:3921
#17 transcode () at ffmpeg.c:3974
#18 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4157

Attachments (1)

crash.mkv (86.8 KB) - added by oromit 3 years ago.


Change History (6)

Changed 3 years ago by oromit

comment:1 Changed 3 years ago by fritsch

  • Cc fritsch@kodi.tv added

comment:2 Changed 3 years ago by cehoyos

  • Keywords crash SIGSEGV regression added
  • Priority changed from normal to important
  • Status changed from new to open

Regression since 62d176de1224f6b9921a53171e5daa7460d5a772

$ valgrind ./ffmpeg_g -cpuflags 0 -f rawvideo -s 7680x4320 -i /dev/zero -s 360x202 -pix_fmt bgra -sws_flags fast_bilinear -f null -
==31919== Memcheck, a memory error detector
==31919== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==31919== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==31919== Command: ./ffmpeg_g -cpuflags 0 -f rawvideo -s 7680x4320 -i /dev/zero -s 360x202 -pix_fmt bgra -sws_flags fast_bilinear -f null -
==31919==
ffmpeg version N-75285-g8b47e10 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      55.  2.100 / 55.  2.100
  libavcodec     57.  1.100 / 57.  1.100
  libavformat    57.  0.100 / 57.  0.100
  libavdevice    57.  0.100 / 57.  0.100
  libavfilter     6.  3.100 /  6.  3.100
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.100 /  2.  0.100
  libpostproc    54.  0.100 / 54.  0.100
Input #0, rawvideo, from '/dev/zero':
  Duration: N/A, start: 0.000000, bitrate: 1363345 kb/s
    Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 7680x4320, 1363345 kb/s, 25 tbr, 25 tbn, 25 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.0.100
    Stream #0:0: Video: rawvideo (BGRA / 0x41524742), bgra, 360x202, q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc57.1.100 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (rawvideo (native) -> rawvideo (native))
Press [q] to stop, [?] for help
==31919== Invalid write of size 2
==31919==    at 0xF44959: ff_hyscale_fast_c (hscale_fast_bilinear.c:31)
==31919==    by 0xF94BC1: lum_h_scale (hscale.c:39)
==31919==    by 0xF30936: swscale (swscale.c:588)
==31919==    by 0xF31E45: sws_scale (swscale.c:1263)
==31919==    by 0x51AEB7: filter_frame (vf_scale.c:477)
==31919==    by 0x4A867D: ff_filter_frame_framed (avfilter.c:1089)
==31919==    by 0x4A8B80: default_filter_frame (avfilter.c:1173)
==31919==    by 0x4A867D: ff_filter_frame_framed (avfilter.c:1089)
==31919==    by 0x4A96A8: ff_filter_frame (avfilter.c:1173)
==31919==    by 0x4AD331: request_frame (buffersrc.c:378)
==31919==    by 0x4AD59A: av_buffersrc_add_frame_internal (buffersrc.c:180)
==31919==    by 0x4AD92C: av_buffersrc_add_frame_flags (buffersrc.c:105)
==31919==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==31919==
==31919==
==31919== Process terminating with default action of signal 11 (SIGSEGV)
==31919==  Access not within mapped region at address 0x0
==31919==    at 0xF44959: ff_hyscale_fast_c (hscale_fast_bilinear.c:31)
==31919==    by 0xF94BC1: lum_h_scale (hscale.c:39)
==31919==    by 0xF30936: swscale (swscale.c:588)
==31919==    by 0xF31E45: sws_scale (swscale.c:1263)
==31919==    by 0x51AEB7: filter_frame (vf_scale.c:477)
==31919==    by 0x4A867D: ff_filter_frame_framed (avfilter.c:1089)
==31919==    by 0x4A8B80: default_filter_frame (avfilter.c:1173)
==31919==    by 0x4A867D: ff_filter_frame_framed (avfilter.c:1089)
==31919==    by 0x4A96A8: ff_filter_frame (avfilter.c:1173)
==31919==    by 0x4AD331: request_frame (buffersrc.c:378)
==31919==    by 0x4AD59A: av_buffersrc_add_frame_internal (buffersrc.c:180)
==31919==    by 0x4AD92C: av_buffersrc_add_frame_flags (buffersrc.c:105)
==31919==  If you believe this happened as a result of a stack
==31919==  overflow in your program's main thread (unlikely but
==31919==  possible), you can try to increase the size of the
==31919==  main thread stack using the --main-stacksize= flag.
==31919==  The main thread stack size used in this run was 8388608.
==31919==
==31919== HEAP SUMMARY:
==31919==     in use at exit: 50,373,517 bytes in 199 blocks
==31919==   total heap usage: 1,710 allocs, 1,511 frees, 50,826,397 bytes allocated
==31919==
==31919== LEAK SUMMARY:
==31919==    definitely lost: 0 bytes in 0 blocks
==31919==    indirectly lost: 0 bytes in 0 blocks
==31919==      possibly lost: 2,736 bytes in 9 blocks
==31919==    still reachable: 50,370,781 bytes in 190 blocks
==31919==         suppressed: 0 bytes in 0 blocks
==31919== Rerun with --leak-check=full to see details of leaked memory
==31919==
==31919== For counts of detected and suppressed errors, rerun with: -v
==31919== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
Killed
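
The Memcheck report in comment:2 can be triaged mechanically. The following is an added example, not part of the ticket or of FFmpeg: it parses the invalid-access record from an excerpt of that log and flags a fault address inside the first page as a NULL-based dereference. The function name `parse_memcheck` and the 4 KiB threshold are assumptions of this example.

```python
import re

# Excerpt of the Memcheck output quoted in comment:2 above (PID prefix kept).
SAMPLE = """\
==31919== Invalid write of size 2
==31919==    at 0xF44959: ff_hyscale_fast_c (hscale_fast_bilinear.c:31)
==31919==    by 0xF94BC1: lum_h_scale (hscale.c:39)
==31919==    by 0xF30936: swscale (swscale.c:588)
==31919==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==31919==
==31919== Process terminating with default action of signal 11 (SIGSEGV)
==31919==  Access not within mapped region at address 0x0
==31919==    at 0xF44959: ff_hyscale_fast_c (hscale_fast_bilinear.c:31)
"""

PREFIX = re.compile(r"^==\d+== ?")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) is (.*)$")
NULL_PAGE = 0x1000  # assumption: faults below 4 KiB are treated as NULL-based


def parse_memcheck(log):
    """Return one dict per 'Invalid read/write' record in a Memcheck log."""
    errors, cur = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw, count=1)
        m = ERROR.match(line)
        if m:
            # Start of a new invalid-access record.
            cur = {"access": m.group(1), "size": int(m.group(2)),
                   "frames": [], "address": None, "null_deref": False}
            errors.append(cur)
        elif cur is None:
            continue  # banner, summary or termination text outside a record
        elif (m := FRAME.match(line)):
            cur["frames"].append((m.group(1), m.group(2)))
        elif (m := ADDR.match(line)):
            cur["address"] = int(m.group(1), 16)
            cur["null_deref"] = cur["address"] < NULL_PAGE
            cur = None  # the Address line closes this record
        elif not line.strip():
            cur = None
    return errors
```

On the excerpt this yields a single 2-byte write at address 0x0 whose top frame is `ff_hyscale_fast_c`, the C code path selected by `-cpuflags 0`.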

comment:3 Changed 3 years ago by michael

  • Cc michael added

comment:4 Changed 3 years ago by pedrosouza

  • Resolution set to fixed
  • Status changed from open to closed

comment:5 Changed 3 years ago by fritsch

Thank you very much!
