Opened 7 months ago

Last modified 7 months ago

#6354 open defect

segfault using signature filter on some videos

Reported by: smarquard Owned by:
Priority: important Component: avfilter
Version: git-master Keywords: signature crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

The attached videos produce a segfault when using the signature filter.

Using the x64 binary build for ffmpeg 3.3:

https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-64bit-static.tar.xz

How to reproduce:

ffmpeg -i v1.avi -i v2.avi -filter_complex "[0:v][1:v] signature=nb_inputs=2:detectmode=full" -map :v -f null - 

Most videos work fine, but these particular ones cause a segfault and core dump. The static build does not contain debugging symbols, so I was not able to get a backtrace.

ffmpeg version 3.3-static http://johnvansickle.com/ffmpeg/ Copyright (c) 2000-2017 the FFmpeg developers
built with gcc 5.4.1 (Debian 5.4.1-8) 20170304
configuration: --enable-gpl --enable-version3 --enable-static --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio --cc=gcc-5 --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gray --enable-libass --enable-libfreetype --enable-libfribidi --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-libopus --enable-librtmp --enable-libsoxr --enable-libspeex --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxvid --enable-libzimg
libavutil 55. 58.100 / 55. 58.100
libavcodec 57. 89.100 / 57. 89.100
libavformat 57. 71.100 / 57. 71.100
libavdevice 57. 6.100 / 57. 6.100
libavfilter 6. 82.100 / 6. 82.100
libswscale 4. 6.100 / 4. 6.100
libswresample 2. 7.100 / 2. 7.100
libpostproc 54. 5.100 / 54. 5.100

Attachments (3)

v1.avi (25.0 KB) - added by smarquard 7 months ago.
video1
v2.avi (25.1 KB) - added by smarquard 7 months ago.
video2
in.avi (156.6 KB) - added by cehoyos 7 months ago.


Change History (7)

Changed 7 months ago by smarquard

video1

Changed 7 months ago by smarquard

video2

comment:2 Changed 7 months ago by cehoyos

Is the crash reproducible with current FFmpeg git head?

comment:3 Changed 7 months ago by smarquard

The crash is still present with ffmpeg-git-20170417-64bit-static (https://johnvansickle.com/ffmpeg/builds/ffmpeg-git-64bit-static.tar.xz).

I don't have a source build available for testing at the moment.

comment:4 Changed 7 months ago by cehoyos

  • Keywords signature crash SIGSEGV added
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Version changed from unspecified to git-master

Depending on compiler, this is a regression since 4cf1f68903cebcf6a6bede970f1b8f1509edf710 for the original samples, but I will upload a sample for which the crash is reproducible with 5e3a418b6047acd848698c4bb4bf0c1b73526744.

$ valgrind ffmpeg_g -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
==1012== Memcheck, a memory error detector
==1012== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==1012== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==1012== Command: ffmpeg_g -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
==1012==
ffmpeg version N-85646-g550a9c5 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (GCC)
  configuration: --enable-gpl
  libavutil      55. 61.100 / 55. 61.100
  libavcodec     57. 93.100 / 57. 93.100
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 87.100 /  6. 87.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
Input #0, avi, from 'in.avi':
  Metadata:
    encoder         : Lavf57.56.100
  Duration: 00:03:18.00, start: 0.000000, bitrate: 6 kb/s
    Stream #0:0: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
    Stream #0:1: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
Stream mapping:
  Stream #0:0 (ffv1) -> signature:in0
  Stream #0:1 (ffv1) -> signature:in1
  signature -> Stream #0:0 (wrapped_avframe)
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.72.101
    Stream #0:0: Video: wrapped_avframe, yuv420p, 160x90 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 1 fps, 1 tbn, 1 tbc (default)
    Metadata:
      encoder         : Lavc57.93.100 wrapped_avframe
==1012== Conditional jump or move depends on uninitialised value(s)eed=48.1x
==1012==    at 0x5584CA: get_matching_parameters (signature_lookup.c:258)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x5583DD: get_matching_parameters (signature_lookup.c:252)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x558530: get_matching_parameters (signature_lookup.c:277)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x558536: get_matching_parameters (signature_lookup.c:278)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Conditional jump or move depends on uninitialised value(s)
==1012==    at 0x558625: get_matching_parameters (signature_lookup.c:281)
==1012==    by 0x55BCBE: request_frame (signature_lookup.c:559)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Use of uninitialised value of size 8
==1012==    at 0x55C2B4: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Use of uninitialised value of size 8
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==
==1012== Invalid read of size 4
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==  Address 0xffffffff00000018 is not stack'd, malloc'd or (recently) free'd
==1012==
==1012==
==1012== Process terminating with default action of signal 11 (SIGSEGV)
==1012==  Access not within mapped region at address 0xFFFFFFFF00000018
==1012==    at 0x55C2E3: request_frame (signature_lookup.c:571)
==1012==    by 0x4B971E: ff_request_frame_to_filter (avfilter.c:438)
==1012==    by 0x4BC53E: ff_filter_activate (avfilter.c:1288)
==1012==    by 0x4C0C37: av_buffersrc_add_frame_internal (buffersrc.c:181)
==1012==    by 0x4C10EC: av_buffersrc_add_frame_flags (buffersrc.c:164)
==1012==    by 0x495AA3: send_filter_eof.isra.4 (ffmpeg.c:2231)
==1012==    by 0x49EF60: process_input_packet.constprop.21 (ffmpeg.c:2715)
==1012==    by 0x47E8C6: main (ffmpeg.c:4199)
==1012==  If you believe this happened as a result of a stack
==1012==  overflow in your program's main thread (unlikely but
==1012==  possible), you can try to increase the size of the
==1012==  main thread stack using the --main-stacksize= flag.
==1012==  The main thread stack size used in this run was 8388608.
==1012==
==1012== HEAP SUMMARY:
==1012==     in use at exit: 7,978,654 bytes in 3,643 blocks
==1012==   total heap usage: 24,584 allocs, 20,941 frees, 16,751,810 bytes allocated
==1012==
==1012== LEAK SUMMARY:
==1012==    definitely lost: 97,720 bytes in 199 blocks
==1012==    indirectly lost: 5,311,665 bytes in 2,292 blocks
==1012==      possibly lost: 7,776 bytes in 27 blocks
==1012==    still reachable: 2,561,493 bytes in 1,125 blocks
==1012==         suppressed: 0 bytes in 0 blocks
==1012== Rerun with --leak-check=full to see details of leaked memory
==1012==
==1012== For counts of detected and suppressed errors, rerun with: -v
==1012== Use --track-origins=yes to see where uninitialised values come from
==1012== ERROR SUMMARY: 50006 errors from 8 contexts (suppressed: 2 from 2)
Killed
(gdb) r -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
Starting program: ffmpeg_g -i in.avi -filter_complex signature=nb_inputs=2:detectmode=full -f null -
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-85646-g550a9c5 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (GCC)
  configuration: --enable-gpl
  libavutil      55. 61.100 / 55. 61.100
  libavcodec     57. 93.100 / 57. 93.100
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 87.100 /  6. 87.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
Input #0, avi, from 'in.avi':
  Metadata:
    encoder         : Lavf57.56.100
  Duration: 00:03:18.00, start: 0.000000, bitrate: 6 kb/s
    Stream #0:0: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
    Stream #0:1: Video: ffv1 (FFV1 / 0x31564646), yuv420p, 160x90, 2 kb/s, SAR 1:1 DAR 16:9, 1 fps, 1 tbr, 1 tbn, 1 tbc
[New Thread 0x7ffff49f6700 (LWP 1107)]
[New Thread 0x7ffff41f5700 (LWP 1108)]
[New Thread 0x7ffff39f4700 (LWP 1109)]
[New Thread 0x7ffff31f3700 (LWP 1110)]
[New Thread 0x7ffff29f2700 (LWP 1111)]
[New Thread 0x7ffff21f1700 (LWP 1112)]
[New Thread 0x7ffff19f0700 (LWP 1113)]
[New Thread 0x7ffff11ef700 (LWP 1114)]
[New Thread 0x7ffff09ee700 (LWP 1115)]
[Thread 0x7ffff11ef700 (LWP 1114) exited]
[Thread 0x7ffff09ee700 (LWP 1115) exited]
[Thread 0x7ffff19f0700 (LWP 1113) exited]
[Thread 0x7ffff31f3700 (LWP 1110) exited]
[Thread 0x7ffff21f1700 (LWP 1112) exited]
[Thread 0x7ffff29f2700 (LWP 1111) exited]
[Thread 0x7ffff49f6700 (LWP 1107) exited]
[Thread 0x7ffff39f4700 (LWP 1109) exited]
[Thread 0x7ffff41f5700 (LWP 1108) exited]
[New Thread 0x7ffff09ee700 (LWP 1116)]
[New Thread 0x7ffff11ef700 (LWP 1117)]
[New Thread 0x7ffff19f0700 (LWP 1118)]
[New Thread 0x7ffff21f1700 (LWP 1119)]
[New Thread 0x7ffff49f6700 (LWP 1120)]
[New Thread 0x7ffff41f5700 (LWP 1121)]
[New Thread 0x7ffff39f4700 (LWP 1122)]
[New Thread 0x7ffff31f3700 (LWP 1123)]
[New Thread 0x7ffff29f2700 (LWP 1124)]
[New Thread 0x7ffff01ed700 (LWP 1125)]
[New Thread 0x7fffef9ec700 (LWP 1126)]
[New Thread 0x7fffef1eb700 (LWP 1127)]
[New Thread 0x7fffee9ea700 (LWP 1128)]
[New Thread 0x7fffee1e9700 (LWP 1129)]
[New Thread 0x7fffed9e8700 (LWP 1130)]
[New Thread 0x7fffed1e7700 (LWP 1131)]
[New Thread 0x7fffec9e6700 (LWP 1132)]
[New Thread 0x7fffec1e5700 (LWP 1133)]
Stream mapping:
  Stream #0:0 (ffv1) -> signature:in0
  Stream #0:1 (ffv1) -> signature:in1
  signature -> Stream #0:0 (wrapped_avframe)
Press [q] to stop, [?] for help
[New Thread 0x7fffabfff700 (LWP 1134)]
[New Thread 0x7fffab7fe700 (LWP 1135)]
[New Thread 0x7fffaaffd700 (LWP 1136)]
[New Thread 0x7fffaa7fc700 (LWP 1137)]
[New Thread 0x7fffa9ffb700 (LWP 1138)]
[New Thread 0x7fffa97fa700 (LWP 1139)]
[New Thread 0x7fffa8ff9700 (LWP 1140)]
[New Thread 0x7fffa3fff700 (LWP 1141)]
[New Thread 0x7fffa37fe700 (LWP 1142)]
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf57.72.101
    Stream #0:0: Video: wrapped_avframe, yuv420p, 160x90 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 1 fps, 1 tbn, 1 tbc (default)
    Metadata:
      encoder         : Lavc57.93.100 wrapped_avframe

Program received signal SIGSEGV, Segmentation fault.
0x000000000055c2e3 in lookup_signatures (first=0x21d19a0, second=0x21d19f8, mode=1, sc=0x21d3540,
    ctx=0x21d3440) at libavfilter/signature_lookup.c:571
571                 av_log(ctx, AV_LOG_DEBUG, "Stage 3: best matching pair at %"PRIu32" and %"PRIu32", "
(gdb) bt
#0  0x000000000055c2e3 in lookup_signatures (first=0x21d19a0, second=0x21d19f8, mode=1,
    sc=0x21d3540, ctx=0x21d3440) at libavfilter/signature_lookup.c:571
#1  request_frame (outlink=<optimized out>) at libavfilter/vf_signature.c:623
#2  0x00000000004b971f in ff_request_frame_to_filter (link=0x21cf520)
    at libavfilter/avfilter.c:438
#3  0x00000000004bc53f in forward_status_change (in=0x21cfbc0, filter=0x21d3440)
    at libavfilter/avfilter.c:1288
#4  ff_filter_activate_default (filter=<optimized out>) at libavfilter/avfilter.c:1321
#5  ff_filter_activate (filter=0x21d3440) at libavfilter/avfilter.c:1476
#6  0x00000000004bfbcc in ff_filter_graph_run_once (graph=graph@entry=0x21d2660)
    at libavfilter/avfiltergraph.c:1446
#7  0x00000000004c0c38 in push_frame (graph=0x21d2660) at libavfilter/buffersrc.c:181
#8  av_buffersrc_add_frame_internal (ctx=ctx@entry=0x2062600, frame=frame@entry=0x0,
    flags=flags@entry=4) at libavfilter/buffersrc.c:203
#9  0x00000000004c10ed in av_buffersrc_add_frame_flags (ctx=0x2062600, frame=frame@entry=0x0,
    flags=flags@entry=4) at libavfilter/buffersrc.c:164
#10 0x0000000000495aa4 in ifilter_send_eof (ifilter=<optimized out>) at ffmpeg.c:2231
#11 send_filter_eof (ist=<optimized out>, ist=<optimized out>) at ffmpeg.c:2582
#12 0x000000000049ef61 in process_input_packet (ist=0x2013a80, no_eof=no_eof@entry=0, pkt=0x0)
    at ffmpeg.c:2715
#13 0x000000000047e8c7 in process_input (file_index=0) at ffmpeg.c:4199
#14 transcode_step () at ffmpeg.c:4510
#15 transcode () at ffmpeg.c:4564
#16 main (argc=<optimized out>, argv=<optimized out>) at ffmpeg.c:4769
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x55c2c3 to 0x55c303:
   0x000000000055c2c3 <request_frame+2211>:     xor    %al,(%rax)
   0x000000000055c2c5 <request_frame+2213>:     add    %al,(%rax)
   0x000000000055c2c7 <request_frame+2215>:     push   %rax
   0x000000000055c2c8 <request_frame+2216>:     mov    0x30(%rsp),%rax
   0x000000000055c2cd <request_frame+2221>:     mov    0xb4(%rsp),%r9d
   0x000000000055c2d5 <request_frame+2229>:     mov    0x40(%rsp),%rdi
   0x000000000055c2da <request_frame+2234>:     movsd  0xa8(%rsp),%xmm0
=> 0x000000000055c2e3 <request_frame+2243>:     mov    0x18(%rax),%r8d
   0x000000000055c2e7 <request_frame+2247>:     mov    $0x1,%eax
   0x000000000055c2ec <request_frame+2252>:     callq  0x10260d0 <av_log>
   0x000000000055c2f1 <request_frame+2257>:     pop    %rdx
   0x000000000055c2f2 <request_frame+2258>:     pop    %rcx
   0x000000000055c2f3 <request_frame+2259>:     mov    0x50(%rsp),%rbp
   0x000000000055c2f8 <request_frame+2264>:     mov    %rbp,0xc8(%rsp)
   0x000000000055c300 <request_frame+2272>:     mov    0x30(%rbp),%rbp
End of assembler dump.
(gdb) info register
rax            0xffffffff00000000       -4294967296
rbx            0x0      0
rcx            0x48f9f748       1224341320
rdx            0x109f728        17430312
rsi            0x30     48
rdi            0x21d3440        35468352
rbp            0x0      0x0
rsp            0x7fffffffd130   0x7fffffffd130
r8             0x10     16
r9             0x0      0
r10            0x21dc6a2        35505826
r11            0xf2     242
r12            0x21dc680        35505792
r13            0xa2     162
r14            0x0      0
r15            0x21d3540        35468608
rip            0x55c2e3 0x55c2e3 <request_frame+2243>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
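The valgrind and gdb output above shows a common shape of C crash: several "conditional jump depends on uninitialised value(s)" reports inside the lookup, then an invalid 4-byte read at 0xffffffff00000018, which the register dump and disassembly confirm is rax (0xffffffff00000000) plus the 0x18 displacement of the faulting mov. The following is an added, constructed toy model of that failure class and of the hardened shape a reviewer would want; it is not FFmpeg's signature_lookup.c, and every type, function and sample value in it is invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model (not FFmpeg code): a lookup records a "best
 * matching pair" only when some candidate clears a threshold, and a
 * logging call afterwards reads fields through that record's pointers.
 * All names below are hypothetical. */

typedef struct Candidate {
    uint32_t id;
    double   score;
} Candidate;

typedef struct BestMatch {
    const Candidate *first;   /* NULL means "no match found" */
    const Candidate *second;
    double           score;
} BestMatch;

/* Unsafe shape (defined for comparison, never called here): 'best' is not
 * initialised, so when no candidate clears the threshold the copied-out
 * best.first is whatever the stack held. A later best.first->id read is
 * exactly what valgrind flags as an uninitialised-value use followed by an
 * invalid read, and what gdb shows as a fault at <garbage base> + offset. */
void lookup_best_unsafe(const Candidate *a, size_t na, double threshold, BestMatch *out)
{
    BestMatch best;
    for (size_t i = 0; i < na; i++)
        if (a[i].score >= threshold) { best.first = &a[i]; best.second = &a[i]; best.score = a[i].score; }
    *out = best;   /* may copy garbage into the caller's record */
}

/* Hardened lookup: every field is defined before use, "no match" is an
 * explicit NULL, and the outcome is reported through the return value so
 * the caller does not have to guess whether the pointers are valid. */
int lookup_best(const Candidate *a, size_t na,
                const Candidate *b, size_t nb,
                double threshold, BestMatch *out)
{
    BestMatch best = { NULL, NULL, 0.0 };

    for (size_t i = 0; i < na; i++) {
        for (size_t j = 0; j < nb; j++) {
            /* Constructed similarity measure: closer scores match better. */
            double d   = a[i].score - b[j].score;
            double sim = 1.0 / (1.0 + (d < 0 ? -d : d));
            if (sim >= threshold && (best.first == NULL || sim > best.score)) {
                best.first  = &a[i];
                best.second = &b[j];
                best.score  = sim;
            }
        }
    }
    *out = best;
    return best.first != NULL;   /* 1 = pair found, 0 = nothing to report */
}

/* Caller that mirrors the crashing log call: the pair is dereferenced only
 * when the lookup produced one. Returns the sum of the matched ids, or -1
 * when there was no match (a value the test can check). */
long report_match(const Candidate *a, size_t na,
                  const Candidate *b, size_t nb, double threshold)
{
    BestMatch m;
    if (!lookup_best(a, na, b, nb, threshold, &m)) {
        printf("no matching pair above threshold %.2f\n", threshold);
        return -1;
    }
    printf("best matching pair at %u and %u (score %.3f)\n",
           m.first->id, m.second->id, m.score);
    return (long)m.first->id + (long)m.second->id;
}

/* Runs the hardened path on constructed sample fingerprints. */
long sample_match(double threshold)
{
    const Candidate a[] = { {10, 0.10}, {11, 0.50}, {12, 0.90} };
    const Candidate b[] = { {20, 0.52}, {21, 0.95} };
    return report_match(a, 3, b, 2, threshold);
}

int main(void)
{
    sample_match(0.9);   /* pair found: ids 11 and 20 */
    sample_match(1.0);   /* no exact match: handled, no dereference */
    return 0;
}
```

When triaging a report like this one, the valgrind hint "Use --track-origins=yes to see where uninitialised values come from" is the fastest way to find which allocation or stack frame the garbage pointer was read from; the register dump then only confirms that the faulting address is base register plus displacement, as it does here.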

Changed 7 months ago by cehoyos
