Opened 9 years ago
Closed 9 years ago
#5059 closed defect (fixed)
ffserver crash at init_muxer
Reported by: | tdk | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avformat |
Version: | git-master | Keywords: | crash regression |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
Freshly compiled ffmpeg from git, version git-2015-12-04-5d2cc00, on 64-bit CentOS 6.7 crashes at init_muxer.
How to reproduce:
```
[tdk@webserver ~]$ ffserver -f ffmpeg_sources/ffmpeg/doc/ffserver.conf
ffserver version git-2015-12-04-5d2cc00 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-16)
  configuration: --prefix=/home/tdk/ffmpeg_build --extra-cflags=-I/home/tdk/ffmpeg_build/include --extra-ldflags=-L/home/tdk/ffmpeg_build/lib --bindir=/home/tdk/bin --pkg-config-flags=--static --enable-gpl --enable-nonfree --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libvorbis --enable-libx264 --disable-optimizations --enable-static --disable-shared --disable-mmx --disable-stripping --enable-debug=3 --extra-cflags='-O0 -fno-inline'
  libavutil 55. 9.100 / 55. 9.100
  libavcodec 57. 16.101 / 57. 16.101
  libavformat 57. 19.100 / 57. 19.100
  libavdevice 57. 0.100 / 57. 0.100
  libavfilter 6. 20.100 / 6. 20.100
  libswscale 4. 0.100 / 4. 0.100
  libswresample 2. 0.101 / 2. 0.101
  libpostproc 54. 0.100 / 54. 0.100
ffmpeg_sources/ffmpeg/doc/ffserver.conf:164: Setting default value for video bit rate tolerance = 21333. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:164: Setting default value for video rate control equation = tex^qComp. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:164: Setting default value for video max rate = 128000. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for audio sample rate = 22050. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for audio channel count = 1. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for video bit rate tolerance = 64000. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for video rate control equation = tex^qComp. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for video max rate = 512000. Use NoDefaults to disable it.
Fri Dec 4 18:13:56 2015 Deleting feed file '/tmp/feed1.ffm' as it appears to be corrupt
Segmentation fault
```
```
[tdk@webserver ~]$ gdb ffserver
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-83.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tdk/bin/ffserver...done.
(gdb) r -f ffmpeg_sources/ffmpeg/doc/ffserver.conf
Starting program: /home/tdk/bin/ffserver -f ffmpeg_sources/ffmpeg/doc/ffserver.conf
[Thread debugging using libthread_db enabled]
ffserver version git-2015-12-04-5d2cc00 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-16)
  configuration: --prefix=/home/tdk/ffmpeg_build --extra-cflags=-I/home/tdk/ffmpeg_build/include --extra-ldflags=-L/home/tdk/ffmpeg_build/lib --bindir=/home/tdk/bin --pkg-config-flags=--static --enable-gpl --enable-nonfree --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libvorbis --enable-libx264 --disable-optimizations --enable-static --disable-shared --disable-mmx --disable-stripping --enable-debug=3 --extra-cflags='-O0 -fno-inline'
  libavutil 55. 9.100 / 55. 9.100
  libavcodec 57. 16.101 / 57. 16.101
  libavformat 57. 19.100 / 57. 19.100
  libavdevice 57. 0.100 / 57. 0.100
  libavfilter 6. 20.100 / 6. 20.100
  libswscale 4. 0.100 / 4. 0.100
  libswresample 2. 0.101 / 2. 0.101
  libpostproc 54. 0.100 / 54. 0.100
ffmpeg_sources/ffmpeg/doc/ffserver.conf:164: Setting default value for video bit rate tolerance = 21333. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:164: Setting default value for video rate control equation = tex^qComp. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:164: Setting default value for video max rate = 128000. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for audio sample rate = 22050. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for audio channel count = 1. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for video bit rate tolerance = 64000. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for video rate control equation = tex^qComp. Use NoDefaults to disable it.
ffmpeg_sources/ffmpeg/doc/ffserver.conf:219: Setting default value for video max rate = 512000. Use NoDefaults to disable it.
Fri Dec 4 18:18:09 2015 Deleting feed file '/tmp/feed1.ffm' as it appears to be corrupt

Program received signal SIGSEGV, Segmentation fault.
0x00000000004fc66b in init_muxer (s=0x2117d10, options=0x0) at libavformat/mux.c:341
341         st->internal->reorder = 1;
(gdb) bt
#0  0x00000000004fc66b in init_muxer (s=0x2117d10, options=0x0) at libavformat/mux.c:341
#1  0x00000000004fcb96 in avformat_write_header (s=0x2117d10, options=0x0) at libavformat/mux.c:456
#2  0x000000000041a6d1 in build_feed_streams () at ffserver.c:3751
#3  0x000000000041ac43 in main (argc=3, argv=0x7fffffffe718) at ffserver.c:3897
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x4fc64b to 0x4fc68b:
   0x00000000004fc64b <init_muxer+1264>: cmpq $0x0,-0x20(%rbp)
   0x00000000004fc650 <init_muxer+1269>: je 0x4fc671 <init_muxer+1302>
   0x00000000004fc652 <init_muxer+1271>: mov -0x20(%rbp),%rax
   0x00000000004fc656 <init_muxer+1275>: mov 0x18(%rax),%eax
   0x00000000004fc659 <init_muxer+1278>: and $0x8,%eax
   0x00000000004fc65c <init_muxer+1281>: test %eax,%eax
   0x00000000004fc65e <init_muxer+1283>: je 0x4fc671 <init_muxer+1302>
   0x00000000004fc660 <init_muxer+1285>: mov -0x38(%rbp),%rax
   0x00000000004fc664 <init_muxer+1289>: mov 0x308(%rax),%rax
=> 0x00000000004fc66b <init_muxer+1296>: movl $0x1,(%rax)
   0x00000000004fc671 <init_muxer+1302>: mov -0x28(%rbp),%rax
   0x00000000004fc675 <init_muxer+1306>: mov 0x30(%rax),%rax
   0x00000000004fc679 <init_muxer+1310>: test %rax,%rax
   0x00000000004fc67c <init_muxer+1313>: je 0x4fc7e6 <init_muxer+1675>
   0x00000000004fc682 <init_muxer+1319>: mov -0x30(%rbp),%rax
   0x00000000004fc686 <init_muxer+1323>: mov 0x3c(%rax),%eax
   0x00000000004fc689 <init_muxer+1326>: test %eax,%eax
End of assembler dump.
(gdb) info all-registers
rax            0x0      0
rbx            0x1      1
rcx            0x0      0
rdx            0x0      0
rsi            0x100000000      4294967296
rdi            0x1      1
rbp            0x7fffffffe470   0x7fffffffe470
rsp            0x7fffffffe3b0   0x7fffffffe3b0
r8             0x2105610        34625040
r9             0x445e1e 4480542
r10            0x0      0
r11            0x7ffff7009e39   140737337400889
r12            0x404c00 4213760
r13            0x7fffffffe710   140737488348944
r14            0x0      0
r15            0x0      0
rip            0x4fc66b 0x4fc66b <init_muxer+1296>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
```
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
Change History (4)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Keywords: | crash regression added |
---|---|
Priority: | normal → important |
comment:3 by , 9 years ago
Thanks for reporting. We are aware of this regression and
are already working on fixing it.
comment:4 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
This bug should have been fixed by:
ffserver: allocate AVStream's internal too
Avoids segfault at init_muxer() (mux.c) due to a
null pointer dereference on the recently
introduced AVStream->internal
Signed-off-by: Reynaldo H. Verdejo Pinochet <reynaldo@osg.samsung.com>
Just confirmed that the same build with the 2.8.3 tarball works, that is, no crash ;)
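
The bug class named in the commit message above, as an added example (not code from FFmpeg or from this ticket): a caller that builds a stream struct by hand leaves a later-introduced private sub-object NULL, and the muxer then writes through it, which matches `rax = 0x0` at the faulting `movl $0x1,(%rax)` in the trace. `Stream`, `StreamInternal` and every function name here are simplified stand-ins, and the NULL guard in `muxer_init_stream` is an assumption added for illustration, not part of the referenced fix.

```c
#include <stdlib.h>

/* Simplified stand-ins (assumptions), not FFmpeg's real definitions. */
typedef struct StreamInternal { int reorder; } StreamInternal;
typedef struct Stream { int index; StreamInternal *internal; } Stream;

/* Pattern behind the crash: the caller allocates only the outer struct. */
Stream *stream_alloc_by_hand(void)
{
    return calloc(1, sizeof(Stream));   /* internal stays NULL */
}

/* Pattern the fix describes: allocate the private sub-object too. */
Stream *stream_alloc_complete(void)
{
    Stream *st = calloc(1, sizeof(*st));
    if (!st)
        return NULL;
    st->internal = calloc(1, sizeof(*st->internal));
    if (!st->internal) {
        free(st);
        return NULL;
    }
    return st;
}

void stream_free(Stream *st)
{
    if (st) {
        free(st->internal);
        free(st);
    }
}

/* Stand-in for the statement at mux.c:341, with an added guard so an
 * incomplete stream is rejected (-1) instead of dereferencing NULL. */
int muxer_init_stream(Stream *st)
{
    if (!st || !st->internal)
        return -1;
    st->internal->reorder = 1;
    return 0;
}

int main(void)
{
    Stream *bad = stream_alloc_by_hand(), *good = stream_alloc_complete();
    int ok = muxer_init_stream(bad) == -1 && muxer_init_stream(good) == 0;
    stream_free(bad);
    stream_free(good);
    return ok ? 0 : 1;
}
```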