Opened 6 years ago

Closed 5 years ago

#7079 closed defect (fixed)

Remuxing mp4 with data streams leads to crash

Reported by: mkver Owned by:
Priority: important Component: avformat
Version: git-master Keywords: mov regression crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

If I try to remux a data stream (of type "rtp / 0x20707472") from an mp4 file to another mp4 file ffmpeg produces a segfault.

"I:\\ffmpeg-debug\\ffmpeg.exe" -report -loglevel 99 -i Data.Stream.included.mp4 -map 0:2 -c copy output.mp4
ffmpeg version N-90288-g2536bd8632 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7.3.0 (Rev1, Built by MSYS2 project)
  configuration: --disable-static --enable-shared --disable-amf --disable-cuda --disable-cuvid --disable-d3d11va --disable-nvenc --disable-filters --disable-devices --enable-debug --disable-encoders --enable-libfdk-aac --enable-gpl --enable-nonfree --disable-stripping --shlibdir=/local64/bin-video
  libavutil      56.  9.100 / 56.  9.100
  libavcodec     58. 14.100 / 58. 14.100
  libavformat    58. 10.100 / 58. 10.100
  libavdevice    58.  2.100 / 58.  2.100
  libavfilter     7. 12.100 /  7. 12.100
  libswscale      5.  0.102 /  5.  0.102
  libswresample   3.  0.101 /  3.  0.101
  libpostproc    55.  0.100 / 55.  0.100
Splitting the commandline.
Reading option '-report' ... matched as option 'report' (generate a report) with argument '1'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'Data.Stream.included.mp4'.
Reading option '-map' ... matched as option 'map' (set input stream mapping) with argument '0:2'.
Reading option '-c' ... matched as option 'c' (codec name) with argument 'copy'.
Reading option 'output.mp4' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option report (generate a report) with argument 1.
Applying option loglevel (set logging level) with argument 99.
Successfully parsed a group of options.
Parsing a group of options: input url Data.Stream.included.mp4.
Successfully parsed a group of options.
Opening an input file: Data.Stream.included.mp4.
[NULL @ 0000000000327280] Opening 'Data.Stream.included.mp4' for reading
[file @ 0000000000327d00] Setting default whitelist 'file,crypto'
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Format mov,mp4,m4a,3gp,3g2,mj2 probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] ISO: File Type Major Brand: mp42
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Unknown dref type 0x206c7275 size 12
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Setting codecpar->delay to 1 for stream st: 0
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Unknown dref type 0x206c7275 size 12
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Unknown dref type 0x206c7275 size 12
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Unknown dref type 0x206c7275 size 12
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] Before avformat_find_stream_info() pos: 1552246 bytes read:43167 seeks:1 nb_streams:4
[h264 @ 0000000001f60ac0] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0000000001f60ac0] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0000000001f60ac0] nal_unit_type: 9, nal_ref_idc: 0
[h264 @ 0000000001f60ac0] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0000000001f60ac0] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0000000001f60ac0] nal_unit_type: 6, nal_ref_idc: 0
[h264 @ 0000000001f60ac0] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0000000001f60ac0] ct_type:1 pic_struct:0
[h264 @ 0000000001f60ac0] Format yuv420p chosen by get_format().
[h264 @ 0000000001f60ac0] Reinit context to 640x368, pix_fmt: yuv420p
[h264 @ 0000000001f60ac0] no picture 
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] All info found
[mov,mp4,m4a,3gp,3g2,mj2 @ 0000000000327280] After avformat_find_stream_info() pos: 128195 bytes read:192761 seeks:2 frames:14
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'Data.Stream.included.mp4':
  Metadata:
    major_brand     : mp42
    minor_version   : 0
    compatible_brands: mp42isom
    creation_time   : 2018-03-10T17:16:55.000000Z
  Duration: 00:00:11.28, start: 0.000000, bitrate: 1100 kb/s
    Stream #0:0(und), 13, 1/25000: Video: h264 (Main), 1 reference frame (avc1 / 0x31637661), yuv420p(tv, left), 640x360 (640x368) [SAR 1:1 DAR 16:9], 0/1, 831 kb/s, 25 fps, 25 tbr, 25k tbn, 50 tbc (default)
    Metadata:
      handler_name    : Telestream, LLC Telestream Media Framework - Release TXGP 2016.80.216804
      encoder         : AVC
    Stream #0:1(und), 1, 1/48000: Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, stereo, fltp, 192 kb/s (default)
    Metadata:
      handler_name    : Telestream, LLC Telestream Media Framework - Release TXGP 2016.80.216804
    Stream #0:2(und), 0, 1/90000: Data: none (rtp  / 0x20707472), 0/1, 50 kb/s (default)
    Metadata:
      creation_time   : 2018-03-09T16:17:03.000000Z
      handler_name    : GPAC ISO Hint Handler
    Stream #0:3(und), 0, 1/48000: Data: none (rtp  / 0x20707472), 0/1, 11 kb/s (default)
    Metadata:
      creation_time   : 2018-03-09T16:17:03.000000Z
      handler_name    : GPAC ISO Hint Handler
Successfully opened the file.
Parsing a group of options: output url output.mp4.
Applying option map (set input stream mapping) with argument 0:2.
Applying option c (codec name) with argument copy.
Successfully parsed a group of options.
Opening an output file: output.mp4.
[file @ 000000000204e940] Setting default whitelist 'file,crypto'
Successfully opened the file.
Output #0, mp4, to 'output.mp4':
  Metadata:
    major_brand     : mp42
    minor_version   : 0
    compatible_brands: mp42isom
    encoder         : Lavf58.10.100
    Stream #0:0(und), 0, 1/90000: Data: none (rtp  / 0x20707472), 0/1, 50 kb/s (default)
    Metadata:
      creation_time   : 2018-03-09T16:17:03.000000Z
      handler_name    : GPAC ISO Hint Handler
Stream mapping:
  Stream #0:2 -> #0:0 (copy)
Press [q] to stop, [?] for help
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
cur_dts is invalid (this is harmless if it occurs once at the start per stream)
size=       0kB time=00:00:01.52 bitrate=   0.2kbits/s speed=2.37x    
size=       0kB time=00:00:03.32 bitrate=   0.1kbits/s speed=2.91x    
size=       0kB time=00:00:04.96 bitrate=   0.1kbits/s speed=3.02x    
size=       0kB time=00:00:07.28 bitrate=   0.0kbits/s speed=3.25x    
size=       0kB time=00:00:09.64 bitrate=   0.0kbits/s speed=3.52x    
size=       0kB time=00:00:10.80 bitrate=   0.0kbits/s speed=3.33x    
No more output streams to write to, finishing.

gdb output:

Program received signal SIGSEGV, Segmentation fault.
0x000007fed7723c4e in mov_write_udta_sdp (pb=pb@entry=0x204ebc0,
    track=track@entry=0x21676c0)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/libavformat/movenc.c:2987
2987        ff_sdp_write_media(buf, sizeof(buf), ctx->streams[0], track->src_track,
(gdb) bt
#0  0x000007fed7723c4e in mov_write_udta_sdp (pb=pb@entry=0x204ebc0,
    track=track@entry=0x21676c0)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/libavformat/movenc.c:2987
#1  0x000007fed772e72e in mov_write_trak_tag (st=<optimized out>,
    track=0x21676c0, mov=<optimized out>, pb=<optimized out>, s=0x204c0c0)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/libavformat/movenc.c:3078
#2  mov_write_moov_tag (pb=<optimized out>, mov=0x204c880, s=0x204c0c0)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/libavformat/movenc.c:3870
#3  0x000007fed773327a in mov_write_trailer (s=0x204c0c0)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/libavformat/movenc.c:6537
#4  0x000007fed7750990 in av_write_trailer (s=0x204c0c0)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/libavformat/mux.c:1276

#5  0x0000000140023ed1 in transcode ()
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/fftools/ffmpeg.c:4675
#6  0x0000000140033732 in main (argc=<optimized out>, argv=<optimized out>)
    at I:/media-autobuild_suite-master_3/build/ffmpeg-git/fftools/ffmpeg.c:4844
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x7fed7723c2e to 0x7fed7723c6e:
   0x000007fed7723c2e <mov_write_udta_sdp+30>:  mov    0xc0(%rdx),%edx
   0x000007fed7723c34 <mov_write_udta_sdp+36>:  movq   $0x0,0x50(%rsp)
   0x000007fed7723c3d <mov_write_udta_sdp+45>:  rep stos %rax,%es:(%rdi)
   0x000007fed7723c40 <mov_write_udta_sdp+48>:  movq   $0x0,0x58(%rsp)
   0x000007fed7723c49 <mov_write_udta_sdp+57>:  lea    0x50(%rsp),%rsi
=> 0x000007fed7723c4e <mov_write_udta_sdp+62>:  mov    0x30(%rdx),%rax
   0x000007fed7723c52 <mov_write_udta_sdp+66>:  mov    %rdx,0x40(%rsp)
   0x000007fed7723c57 <mov_write_udta_sdp+71>:  mov    %rsi,%rcx
   0x000007fed7723c5a <mov_write_udta_sdp+74>:  movl   $0x0,0x38(%rsp)
   0x000007fed7723c62 <mov_write_udta_sdp+82>:  movl   $0x0,0x30(%rsp)
   0x000007fed7723c6a <mov_write_udta_sdp+90>:  mov    $0x3e8,%edx
End of assembler dump.
(gdb) info all-registers
rax            0x0      0
rbx            0x21676c0        35026624
rcx            0x0      0
rdx            0x0      0
rsi            0x22ee60 2289248
rdi            0x22f248 2290248
rbp            0x204ebc0        0x204ebc0
rsp            0x22ee10 0x22ee10
r8             0x0      0
r9             0x1      1
r10            0x6cc    1740
r11            0x2151c60        34937952
r12            0x11a    282
r13            0x5bc    1468
r14            0x204c880        33867904
r15            0x204ebc0        33876928
rip            0x7fed7723c4e    0x7fed7723c4e <mov_write_udta_sdp+62>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st1            -nan(0x8080808080808080) (raw 0xffff8080808080808080)
st2            -nan(0x002000200)        (raw 0xffff0000000002000200)
st3            -nan(0x200020002000200)  (raw 0xffff0200020002000200)
st4            -nan(0x1111101010101010) (raw 0xffff1111101010101010)
st5            -nan(0x1111101010101010) (raw 0xffff1111101010101010)
st6            20.157732868574325       (raw 0x4003a1430973403f7800)
st7            3.3329433634497785       (raw 0x4000d54ef1ae5bf87800)
fctrl          0x20037f 2098047
fstat          0x20     32
ftag           0x0      0
fiseg          0x0      0
fioff          0xd96ecfd8       -647049256
foseg          0x0      0
fooff          0x22ea30 2288176
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm6           {v4_float = {0x0, 0x1, 0x0, 0x0}, v2_double = {0x1, 0x0},
  v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0, 0x3f, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x0, 0x3ff0, 0x0, 0x0, 0x0,
    0x0}, v4_int32 = {0x0, 0x3ff00000, 0x0, 0x0}, v2_int64 = {
    0x3ff0000000000000, 0x0}, uint128 = 0x00000000000000003ff0000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0 <repeats 12 times>}, v8_int16 = {0x0,
    0x8000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x80000000, 0x0, 0x0,
    0x0}, v2_int64 = {0x80000000, 0x0},
  uint128 = 0x00000000000000000000000080000000}
xmm8           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0 <repeats 12 times>}, v8_int16 = {0x0,
    0x8000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x80000000, 0x0, 0x0,
    0x0}, v2_int64 = {0x80000000, 0x0},
  uint128 = 0x00000000000000000000000080000000}
xmm9           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm11          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm14          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]

I tested whether this is a regression by using old Zeranoe builds. Result: The build until c885356 (from 2017-07-02) say that muxing these streams into mp4 is currently not supported and abort. From 3b3501f (2017-07-06) onwards one gets a crash. This means that probably the commits e199d90da and 38d808d7 are to be blamed.
PS: The sample is quite small so that it finishes pretty much instantaneously; if one uses a bigger file (the website of the Austrian channel ORF is full of such files; some are geoblocked though) one can see that the crash happens at the end of the muxing process, probably during the finalization.

Attachments (1)

Data.Stream.included.mp4 (1.5 MB ) - added by mkver 6 years ago.

Download all attachments as: .zip

Change History (7)

by mkver, 6 years ago

Attachment: Data.Stream.included.mp4 added

comment:1 by mkver, 6 years ago

Version: unspecifiedgit-master

comment:2 by colin ng, 6 years ago

The output stream can't compose of hint track only (must contain at least one media track in mp4 stream) where track no. 2 is a hint track.

comment:3 by mkver, 6 years ago

I get a crash as soon as I remux any of the data streams regardless of whether I keep the audio and/or video streams. In particular, I get a crash when I copy all four tracks.

comment:4 by colin ng, 6 years ago

I tested using latest ffmpeg code (ubuntu 16.0.4 envirnonment). Re-muxing with hint track will crash as the rtp_ctx (hint track context) is never initialized. Guess copying non-media track doesn't support.

I tried
1) ./ffmpeg -i Data.Stream.included.mp4 -c copy output.mp4 (OK)
2) ./ffmpeg -i Data.Stream.included.mp4 -map 0:1 -c copy output.mp4 (OK)
3) ./ffmpeg -i Data.Stream.included.mp4 -map 0:0 -c copy output.mp4 (OK)
4) ./ffmpeg -i Data.Stream.included.mp4 -map 0:2 -c copy output.mp4 (crash)
5) ./ffmpeg -i Data.Stream.included.mp4 -map 0:3 -c copy output.mp4 (crash)

For case 1, the output.mp4 contains only media tracks.

comment:5 by Carl Eugen Hoyos, 6 years ago

Keywords: mov regression added; mp4 removed
Reproduced by developer: set
Status: newopen

Regression since e199d90da6473abc0d010797b14f2ae2c9811d34, see also tickets #6897 and #7311.

comment:6 by Carl Eugen Hoyos, 5 years ago

Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.