Opened 12 months ago

Last modified 8 months ago

#5869 open defect

ffserver crash when GET sdp file

Reported by: korovkin Owned by:
Priority: important Component: ffserver
Version: 3.1.5 Keywords: codecpar regression crash
Cc: michael, smartzzz, belegdol@gmail.com, gosha-necr@yandex.ru Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:

when starting the following ffserver instance, running
curl "http://localhost:9203/live.sdp"

seg faults the server.

here is the BT of the crash: http://pastebin.com/Bav5ZpnP

HTTPPort 9203
HTTPBindAddress 0.0.0.0
RTSPPort 9204
RTSPBindAddress 0.0.0.0
MaxHTTPConnections 2000
MaxClients 1000
MaxBandwidth 1000
CustomLog -

<Feed feed1.ffm>
  File feed1.ffm
  FileMaxSize 5M
  ACL allow 127.0.0.1
</Feed>

<Stream live.mp3>
  Format rtp
  Feed feed1.ffm
  AudioCodec libmp3lame
  AudioBitRate 128
  AudioChannels 2
  AudioSampleRate 44100
  NoVideo
</Stream>

<Stream stat.html>
	Format status
	# ACL allow localhost
</Stream>

built on Ubuntu / OS X with version: 8b21b44e7e312589a6c4dbad1b4214f2a03fb54a

Change History (16)

comment:1 Changed 12 months ago by korovkin

the same experiment works well on version 3.0 :

git describe
n3.0.3-1-g73b644c

curl "http://localhost:9203/live.sdp"
v=0
o=- 0 0 IN IP4 127.0.0.1
s=No Title
c=IN IP4 0.0.0.0
t=0 0
a=tool:libavformat 57.25.100
m=audio 0 RTP/AVP 14
b=AS:128
a=control:streamid=0

comment:2 Changed 12 months ago by cehoyos

Please understand that it makes no sense to use external resources for the backtrace and please also provide the complete, uncut console output.

Which change introduced the regression?

comment:3 Changed 12 months ago by korovkin

fair point. here is the crash running with lldb on : origin/release/3.1

the regression was probably introduced somewhere between origin/release/3.0 and origin/release/3.1, as with origin/release/3.0 it seems to be working.

git describe 
n3.1.3-5-g8b21b44
lldb – ../ffserver_g -d -f ffmpeg.rtp.conf
(lldb) target create "../ffserver_g"
Current executable set to '../ffserver_g' (x86_64).
(lldb) settings set – target.run-args "-d" "-f" "ffmpeg.rtp.conf"
(lldb) run 
Process 72859 launched: '../ffserver_g' (x86_64)
ffserver version n3.1.3-5-g8b21b44 Copyright (c) 2000-2016 the FFmpeg developers
built with Apple LLVM version 8.0.0 (clang-800.0.38)
configuration: --prefix=/usr/local --enable-gpl --enable-nonfree --enable-libfreetype --enable-libmp3lame --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libxvid --enable-ffplay --enable-libfdk-aac --enable-libfaac
libavutil 55. 28.100 / 55. 28.100
libavcodec 57. 48.101 / 57. 48.101
libavformat 57. 41.100 / 57. 41.100
libavdevice 57. 0.101 / 57. 0.101
libavfilter 6. 47.100 / 6. 47.100
libswscale 4. 1.100 / 4. 1.100
libswresample 2. 1.100 / 2. 1.100
libpostproc 54. 0.100 / 54. 0.100
Wed Sep 28 10:57:39 2016 FFserver started.
Wed Sep 28 10:57:43 2016 127.0.0.1 - - New connection: GET /live_001.sdp
ffserver_g was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 72859 stopped
thread #1: tid = 0xba3df7, 0x0000000100b689c1 ffserver_g`av_freep(arg=0x0000000000000010) + 1 at mem.c:247, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
frame #0: 0x0000000100b689c1 ffserver_g`av_freep(arg=0x0000000000000010) + 1 at mem.c:247 [opt]
244
Unknown macro: { 245 void *val; 246 -> 247 memcpy(&val, arg, sizeof(val)); 248 memcpy(arg, &(void *){ NULL }, sizeof(val)); 249 av_free(val); 250 }
(lldb) bt
thread #1: tid = 0xba3df7, 0x0000000100b689c1 ffserver_g`av_freep(arg=0x0000000000000010) + 1 at mem.c:247, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
frame #0: 0x0000000100b689c1 ffserver_g`av_freep(arg=0x0000000000000010) + 1 at mem.c:247 [opt]
frame #1: 0x000000010078f4f7 ffserver_g`avcodec_parameters_from_context [inlined] codec_parameters_reset(par=0x0000000000000000) + 12 at utils.c:4020 [opt]
frame #2: 0x000000010078f4eb ffserver_g`avcodec_parameters_from_context(par=0x0000000000000000, codec=0x0000000102810c00) + 11 at utils.c:4080 [opt]
frame #3: 0x0000000100016399 ffserver_g`prepare_sdp_description(stream=<unavailable>, pbuffer=<unavailable>, my_ip=(s_addr = 0)) + 473 at ffserver.c:2999 [opt]
frame #4: 0x0000000100014d09 ffserver_g`handle_connection + 558 at ffserver.c:1688 [opt]
frame #5: 0x0000000100014adb ffserver_g`handle_connection(c=<unavailable>) + 17739 at ffserver.c:1006 [opt]
frame #6: 0x000000010000fb3c ffserver_g`main [inlined] http_server + 47 at ffserver.c:777 [opt]
frame #7: 0x000000010000fb0d ffserver_g`main(argc=<unavailable>, argv=<unavailable>) + 4205 at ffserver.c:4032 [opt]
frame #8: 0x00007fff912855ad libdyld.dylib`start + 1
frame #9: 0x00007fff912855ad libdyld.dylib`start + 1
(lldb)

comment:4 Changed 10 months ago by sergiomb

OK we hit this bug on Linux Fedora https://bugzilla.rpmfusion.org/show_bug.cgi?id=4340

comment:5 Changed 10 months ago by cehoyos

  • Keywords codecpar regression crash added

comment:6 Changed 10 months ago by michael

Not reproducable with git master

comment:7 Changed 10 months ago by michael

  • Status changed from new to open
  • Version changed from unspecified to 3.1.5

Crash confirmed for 3.1 & 3.2.1
Which commits do need to be backported ?

comment:8 Changed 10 months ago by michael

  • Cc michael added
  • Reproduced by developer set

comment:9 Changed 10 months ago by smartzzz

From running git bisect, I found that below commit cause this issue.

commit 9200514ad8717c63f82101dc394f4378854325bf
Author: Anton Khirnov <​anton@khirnov.net>
Date: Wed Jun 18 20:42:52 2014 +0200
lavf: replace AVStream.codec with AVStream.codecpar

Currently, AVStream contains an embedded AVCodecContext instance, which
is used by demuxers to export stream parameters to the caller and by
muxers to receive stream parameters from the caller. It is also used
internally as the codec context that is passed to parsers.

In addition, it is also widely used by the callers as the decoding (when
demuxer) or encoding (when muxing) context, though this has been
officially discouraged since Libav 11.

comment:10 Changed 10 months ago by cehoyos

  • Cc smartzzz added

This was already known, see comment:4 and comment:5
Michael's question was which commit(s) fixed the issue and need to be backported to release branches?

comment:11 Changed 10 months ago by smartzzz

When I checked master git before, this issue reproduced with git master.
But, today, I found a recent commit resolves this issue on git master.

commit 472fee91bcf9b7bae81fd4c00bbe5151ca458a7c
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue Nov 29 18:48:40 2016 +0100

ffserver_config: Setup codecpar in add_codec()


fixes segfault in the status page code


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

When I backport this commit on 3.1 branch, this issue was resolved.
Please backport upper mentioned commit.

Thanks.

comment:12 Changed 10 months ago by smartzzz

Hi I found 3.1.6 packages are under testing on rpmfusion.org (http://download1.rpmfusion.org/free/fedora/updates/testing/24/armhfp/repoview/ffmpeg.html)

However, 3.1.6 version does not contain upper mentioned commit.
Since current issue is very critical, is it possible to back port the commit and make another release such as 3.1.7 ?
If it's not possible now, could you please let me know the expected schedule of next release?

comment:13 Changed 10 months ago by belegdol

  • Cc belegdol@gmail.com added

comment:14 Changed 8 months ago by ivork.korto

Friends!

I have exactly the same problem with ffmpeg on FreeBSD 11 amd64.
Version ffmpeg is: ffmpeg-3.2.2_4,1

It segfaults when client attempts to connect to rtsp service initiated by ffserver.
More details here on FreeBSD forums: https://forums.freebsd.org/threads/59518/

Guys, tell me please how fix that issue? I can't broadcast IP cams.
Thanks!

comment:15 Changed 8 months ago by ivork.korto

  • Cc gosha-necr@yandex.ru added

comment:16 Changed 8 months ago by smartzzz

Hi Michael,

Requested commit has not been backported to neither 3.1 nor 3.2 branch yet.
Since this issue is very critical, I'd like to request again to backport below commit.

commit 472fee91bcf9b7bae81fd4c00bbe5151ca458a7c
Author: Michael Niedermayer <​michael@niedermayer.cc>
Date: Tue Nov 29 18:48:40 2016 +0100
ffserver_config: Setup codecpar in add_codec()

fixes segfault in the status page code

Signed-off-by: Michael Niedermayer <​michael@niedermayer.cc>

Thanks,
Sooman

Note: See TracTickets for help on using tickets.