Opened 7 years ago
Closed 3 years ago
#6255 closed defect (fixed)
Corrupt .flv file segfaults ffprobe (-print_format json) -show_streams $filename
Reported by: | Katie Holly | Owned by: | |
---|---|---|---|
Priority: | important | Component: | ffprobe |
Version: | git-master | Keywords: | crash SIGSEGV regression |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
corrupt.flv (File attached)
```
00000000  46 4c 56 01 30 00 00 00  09 30 30 30 30 09 00 00  |FLV.0....0000...|
00000010  30 30 30 30 30 30 30 30  17 00 30 30 30 01 30 30  |00000000..000.00|
00000020  30 ff e1 00 0a 30 30 30  30 30 30 30 30 09 00 00  |0....00000000...|
00000030  13 30 30 30 30 30 30 30  27 30 30 30 30 30 30 30  |.0000000'0000000|
00000040  30 30 30 30 30 30 30 30  30 30 30 00 00 00 1e 09  |00000000000.....|
00000050  00 00 11 30 30 30 30 30  30 30 30 30 30 30 30 00  |...000000000000.|
00000060  00 00 08 e7 30 30 30 42  df e8 81 00 00 00 1c     |....000B.......|
0000006f
```
ffprobe -print_format default -show_streams $filename
GDB:
```
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff660e99c in _IO_puts (str=0x0) at ioputs.c:36
#2  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#3  0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb59e0, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#4  0x000000000057dcd0 in show_streams (ifile=0x7fffffffe940, w=0x3bb30b0) at ffprobe.c:2436
#5  probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#6  main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) up 2
#2  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
673         wctx->writer->print_string(wctx, key, val);
(gdb) l
668                     key, val, section->unique_name);
669         }
670         av_free(key1);
671         av_free(val1);
672     } else {
*673        wctx->writer->print_string(wctx, key, val);
674     }
675
676     wctx->nb_item[wctx->level]++;
677 }
```
Valgrind:
```
==940423== Invalid read of size 1
==940423==    at 0x4C2C1A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==940423==    by 0x632E99B: puts (ioputs.c:36)
==940423==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==940423==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==940423==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==940423==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==940423==    by 0x57DCCF: main (ffprobe.c:3397)
==940423==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==940423==
==940423==
==940423== Process terminating with default action of signal 11 (SIGSEGV)
==940423==  Access not within mapped region at address 0x0
==940423==    at 0x4C2C1A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==940423==    by 0x632E99B: puts (ioputs.c:36)
==940423==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==940423==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==940423==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==940423==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==940423==    by 0x57DCCF: main (ffprobe.c:3397)
==940423==  If you believe this happened as a result of a stack
==940423==  overflow in your program's main thread (unlikely but
==940423==  possible), you can try to increase the size of the
==940423==  main thread stack using the --main-stacksize= flag.
==940423==  The main thread stack size used in this run was 8388608.
==940423==
==940423== HEAP SUMMARY:
==940423==     in use at exit: 2,257,232 bytes in 89 blocks
==940423==   total heap usage: 225 allocs, 136 frees, 2,709,948 bytes allocated
==940423==
==940423== LEAK SUMMARY:
==940423==    definitely lost: 0 bytes in 0 blocks
==940423==    indirectly lost: 0 bytes in 0 blocks
==940423==      possibly lost: 0 bytes in 0 blocks
==940423==    still reachable: 2,257,232 bytes in 89 blocks
==940423==         suppressed: 0 bytes in 0 blocks
==940423== Rerun with --leak-check=full to see details of leaked memory
==940423==
==940423== For counts of detected and suppressed errors, rerun with: -v
==940423== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
ffprobe -print_format compact -show_streams $filename
GDB:
```
Program received signal SIGSEGV, Segmentation fault.
c_escape_str (dst=0x7fffffffd700, src=0x0, sep=124 '|', log_ctx=0x3bb30b0) at ffprobe.c:934
934         for (p = src; *p; p++) {
(gdb) bt
#0  c_escape_str (dst=0x7fffffffd700, src=0x0, sep=124 '|', log_ctx=0x3bb30b0) at ffprobe.c:934
#1  0x000000000059c1d2 in compact_print_str (wctx=0x3bb30b0, key=0x2cb31b3 "chroma_location", value=0x0) at ffprobe.c:1077
#2  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#3  0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb5a90, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#4  0x000000000057dcd0 in show_streams (ifile=0x7fffffffe900, w=0x3bb30b0) at ffprobe.c:2436
#5  probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#6  main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) l
929      */
930     static const char *c_escape_str(AVBPrint *dst, const char *src, const char sep, void *log_ctx)
931     {
932         const char *p;
933
*934        for (p = src; *p; p++) {
935             switch (*p) {
936             case '\b': av_bprintf(dst, "%s", "\\b"); break;
937             case '\f': av_bprintf(dst, "%s", "\\f"); break;
938             case '\n': av_bprintf(dst, "%s", "\\n"); break;
```
Valgrind:
```
==214239== Invalid read of size 1
==214239==    at 0x59E48F: c_escape_str (ffprobe.c:934)
==214239==    by 0x59C1D1: compact_print_str (ffprobe.c:1077)
==214239==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==214239==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==214239==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==214239==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==214239==    by 0x57DCCF: main (ffprobe.c:3397)
==214239==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==214239==
==214239==
==214239== Process terminating with default action of signal 11 (SIGSEGV)
==214239==  Access not within mapped region at address 0x0
==214239==    at 0x59E48F: c_escape_str (ffprobe.c:934)
==214239==    by 0x59C1D1: compact_print_str (ffprobe.c:1077)
==214239==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==214239==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==214239==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==214239==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==214239==    by 0x57DCCF: main (ffprobe.c:3397)
==214239==  If you believe this happened as a result of a stack
==214239==  overflow in your program's main thread (unlikely but
==214239==  possible), you can try to increase the size of the
==214239==  main thread stack using the --main-stacksize= flag.
==214239==  The main thread stack size used in this run was 8388608.
==214239==
==214239== HEAP SUMMARY:
==214239==     in use at exit: 2,257,348 bytes in 91 blocks
==214239==   total heap usage: 229 allocs, 138 frees, 2,710,068 bytes allocated
==214239==
==214239== LEAK SUMMARY:
==214239==    definitely lost: 0 bytes in 0 blocks
==214239==    indirectly lost: 0 bytes in 0 blocks
==214239==      possibly lost: 0 bytes in 0 blocks
==214239==    still reachable: 2,257,348 bytes in 91 blocks
==214239==         suppressed: 0 bytes in 0 blocks
==214239== Rerun with --leak-check=full to see details of leaked memory
==214239==
==214239== For counts of detected and suppressed errors, rerun with: -v
==214239== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```
ffprobe -print_format json -show_streams $filename
GDB:
```
Program received signal SIGSEGV, Segmentation fault.
json_print_item_str (key=<optimized out>, value=0x0, wctx=<optimized out>) at ffprobe.c:1482
1482        printf(" \"%s\"", json_escape_str(&buf, value, wctx));
(gdb) bt
#0  json_print_item_str (key=<optimized out>, value=0x0, wctx=<optimized out>) at ffprobe.c:1482
#1  0x00000000005a5bed in writer_print_string (wctx=wctx@entry=0x3bb30b0, key=key@entry=0x2cb31b3 "chroma_location", val=0x0, flags=0) at ffprobe.c:673
#2  0x00000000005bdbe5 in show_stream (w=w@entry=0x3bb30b0, fmt_ctx=fmt_ctx@entry=0x3bb59d0, stream_idx=stream_idx@entry=0, ist=<optimized out>, in_program=in_program@entry=0) at ffprobe.c:2289
#3  0x000000000057dcd0 in show_streams (ifile=0x7fffffffe920, w=0x3bb30b0) at ffprobe.c:2436
#4  probe_file (filename=<optimized out>, wctx=0x3bb30b0) at ffprobe.c:2750
#5  main (argc=<optimized out>, argv=<optimized out>) at ffprobe.c:3397
(gdb) l
1477        AVBPrint buf;
1478
1479        av_bprint_init(&buf, 1, AV_BPRINT_SIZE_UNLIMITED);
1480        printf("\"%s\":", json_escape_str(&buf, key, wctx));
1481        av_bprint_clear(&buf);
*1482       printf(" \"%s\"", json_escape_str(&buf, value, wctx));
1483        av_bprint_finalize(&buf, NULL);
1484    }
1485
1486    static void json_print_str(WriterContext *wctx, const char *key, const char *value)
```
Valgrind:
```
==1007190== Invalid read of size 1
==1007190==    at 0x5A9F60: json_escape_str (ffprobe.c:1398)
==1007190==    by 0x5A9F60: json_print_item_str.isra.9 (ffprobe.c:1482)
==1007190==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==1007190==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==1007190==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==1007190==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==1007190==    by 0x57DCCF: main (ffprobe.c:3397)
==1007190==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1007190==
==1007190==
==1007190== Process terminating with default action of signal 11 (SIGSEGV)
==1007190==  Access not within mapped region at address 0x0
==1007190==    at 0x5A9F60: json_escape_str (ffprobe.c:1398)
==1007190==    by 0x5A9F60: json_print_item_str.isra.9 (ffprobe.c:1482)
==1007190==    by 0x5A5BEC: writer_print_string.constprop.29 (ffprobe.c:673)
==1007190==    by 0x5BDBE4: show_stream (ffprobe.c:2289)
==1007190==    by 0x57DCCF: show_streams (ffprobe.c:2436)
==1007190==    by 0x57DCCF: probe_file (ffprobe.c:2750)
==1007190==    by 0x57DCCF: main (ffprobe.c:3397)
==1007190==  If you believe this happened as a result of a stack
==1007190==  overflow in your program's main thread (unlikely but
==1007190==  possible), you can try to increase the size of the
==1007190==  main thread stack using the --main-stacksize= flag.
==1007190==  The main thread stack size used in this run was 8388608.
==1007190==
==1007190== HEAP SUMMARY:
==1007190==     in use at exit: 2,257,205 bytes in 89 blocks
==1007190==   total heap usage: 225 allocs, 136 frees, 2,709,921 bytes allocated
==1007190==
==1007190== LEAK SUMMARY:
==1007190==    definitely lost: 0 bytes in 0 blocks
==1007190==    indirectly lost: 0 bytes in 0 blocks
==1007190==      possibly lost: 0 bytes in 0 blocks
==1007190==    still reachable: 2,257,205 bytes in 89 blocks
==1007190==         suppressed: 0 bytes in 0 blocks
==1007190== Rerun with --leak-check=full to see details of leaked memory
==1007190==
==1007190== For counts of detected and suppressed errors, rerun with: -v
==1007190== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
Not attaching more examples but it seems all writers are affected by this
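All three backtraces converge on the same frame, writer_print_string at ffprobe.c:673, entered with val=0x0 for the key "chroma_location"; each writer's print_string callback (puts, c_escape_str, json_escape_str) then walks the string without a NULL check, so the writer format only changes where the fault lands. The C program below is an added illustration of that pattern and of a check placed at the one choke point every writer passes through. It is not FFmpeg's code and not the fix referenced in comment:3: the name table, the bounded escape buffer, the "unknown" substitution and the value 99 standing in for what the corrupt file produces are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a libavutil name lookup that returns NULL for any value
 * outside its table. The table is constructed for this example and is not
 * FFmpeg's; the point is only that NULL is a legal return value here. */
static const char *const chroma_names[] = {
    "unspecified", "left", "center", "topleft", "top", "bottomleft", "bottom",
};

const char *chroma_location_name(int v)
{
    if (v < 0 || (size_t)v >= sizeof(chroma_names) / sizeof(chroma_names[0]))
        return NULL;
    return chroma_names[v];
}

/* Bounded append; returns 0 on success, -1 if dst would overflow. */
static int put(char *dst, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n + 1 > cap)
        return -1;
    memcpy(dst + *len, s, n + 1);
    *len += n;
    return 0;
}

/* Same escaping rules as the compact writer in the trace (\b \f \n \r,
 * backslash, and the separator), with a NULL check ahead of the loop so
 * "for (p = src; *p; p++)" is never entered with src == NULL.
 * Returns the escaped length, or -1 on NULL input or overflow. */
int c_escape_str_checked(char *dst, size_t cap, const char *src, char sep)
{
    size_t len = 0;
    char one[3] = { 0, 0, 0 };
    const char *p;

    if (!src || cap == 0)
        return -1;
    dst[0] = '\0';
    for (p = src; *p; p++) {
        const char *rep;
        switch (*p) {
        case '\b': rep = "\\b";  break;
        case '\f': rep = "\\f";  break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\\': rep = "\\\\"; break;
        default:
            one[0] = (*p == sep) ? '\\' : *p;
            one[1] = (*p == sep) ? *p   : '\0';
            rep = one;
        }
        if (put(dst, cap, &len, rep) < 0)
            return -1;
    }
    return (int)len;
}

/* The single choke point (writer_print_string in the backtraces). Handling
 * NULL here covers every writer at once instead of patching each callback.
 * Policy chosen for the example: print "unknown" for a missing name.
 * Returns bytes written, or -1 on error. */
int print_string_checked(char *out, size_t cap, const char *key, const char *val)
{
    char esc[128];
    int n;

    if (!key)
        return -1;
    if (!val)
        val = "unknown";   /* hypothetical policy; skipping the key is the other option */
    if (c_escape_str_checked(esc, sizeof esc, val, '|') < 0)
        return -1;
    n = snprintf(out, cap, "%s=%s", key, esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char line[160];

    /* 99 stands in for the out-of-range value a corrupt stream can carry. */
    print_string_checked(line, sizeof line, "chroma_location", chroma_location_name(99));
    puts(line);   /* chroma_location=unknown */
    print_string_checked(line, sizeof line, "chroma_location", chroma_location_name(2));
    puts(line);   /* chroma_location=center */
    return 0;
}
```

Putting the check in the shared entry point rather than in each writer is the design choice the three traces argue for: the default, compact and json writers fail in three different functions, but all of them were handed the NULL by the same caller.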
Attachments (1)
Change History (4)
by , 7 years ago

Attachment: | corrupt.flv added |
---|---|

comment:1 by , 7 years ago

Keywords: | crash SIGSEGV regression added |
---|---|
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |

Regression since e0faad837cd5047a1310cefa0cf163d8caa865e7, (possibly) related to ticket #5648.

comment:2 by , 7 years ago

Patch sent:
http://ffmpeg.org/pipermail/ffmpeg-devel/2017-March/209049.html

Afaict, other developers prefer that this crash will not be fixed;-(

comment:3 by , 3 years ago

Resolution: | → fixed |
---|---|
Status: | open → closed |

Fixed in 351e28f9a799d9bbbb33dd10c964dca7219fa13b.