Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#754 closed defect (fixed)

ljpeg: crash with lowres

Reported by: ami_stuff
Owned by:
Priority: normal
Component: avcodec
Version: git-master
Keywords: ljpeg lowres
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

GNU gdb (GDB) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "mingw32".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from F:\MinGW\msys\1.0\ffmpeg-HEAD-d3bc75c/ffmpeg_g.exe...done.
(gdb) r -vlowres 3 -i lossless.jpg out.bmp
Starting program: F:\MinGW\msys\1.0\ffmpeg-HEAD-d3bc75c/ffmpeg_g.exe -vlowres 3
-i lossless.jpg out.bmp
[New Thread 1524.0x1e4]
ffmpeg version 0.8.5.git-d3bc75c, Copyright (c) 2000-2011 the FFmpeg developers
  built on Nov  6 2011 18:11:47 with gcc 4.5.2
  configuration: --disable-ffplay --disable-ffserver --disable-asm --disable-yas
m --disable-shared --enable-static
  libavutil    51. 23. 0 / 51. 23. 0
  libavcodec   53. 28. 0 / 53. 28. 0
  libavformat  53. 19. 0 / 53. 19. 0
  libavdevice  53.  4. 0 / 53.  4. 0
  libavfilter   2. 47. 0 /  2. 47. 0
  libswscale    2.  1. 0 /  2.  1. 0

Program received signal SIGSEGV, Segmentation fault.
0x005e2e91 in ljpeg_decode_rgb_scan (s=0x40f0048, predictor=2,
    point_transform=0) at libavcodec/mjpegdec.c:703
703                     ptr[4*mb_x+0] = buffer[mb_x][2];
(gdb) bt
#0  0x005e2e91 in ljpeg_decode_rgb_scan (s=0x40f0048, predictor=2,
    point_transform=0) at libavcodec/mjpegdec.c:703
#1  0x005e5d20 in ff_mjpeg_decode_sos (avctx=0x3b9ef68, data=0x22f850,
    data_size=0x22fb04, avpkt=0x3ba1560) at libavcodec/mjpegdec.c:1064
#2  ff_mjpeg_decode_frame (avctx=0x3b9ef68, data=0x22f850,
    data_size=0x22fb04, avpkt=0x3ba1560) at libavcodec/mjpegdec.c:1532
#3  0x004f9bde in avcodec_decode_video2 (avctx=0x3b9ef68, picture=0x22f850,
    got_picture_ptr=0x22fb04, avpkt=0x3ba1560) at libavcodec/utils.c:819
#4  0x004393d6 in try_decode_frame (ic=0x3b98b40, options=0x3ba0ce0)
    at libavformat/utils.c:2230
#5  avformat_find_stream_info (ic=0x3b98b40, options=0x3ba0ce0)
    at libavformat/utils.c:2535
#6  0x0040c5f8 in opt_input_file (o=0x22fda8, opt=0x3ba0d8b "i",
    filename=<value optimized out>) at ffmpeg.c:3317
#7  0x0041114a in parse_option (optctx=0x22fda8, opt=<value optimized out>,
    arg=0x3ba0d8d "lossless.jpg", options=0xa0d2c0) at cmdutils.c:275
#8  0x004114f8 in parse_options (optctx=0x22fda8, argc=6,
    argv=<value optimized out>, options=0xa0d2c0,
    parse_arg_function=0x40e018 <opt_output_file>) at cmdutils.c:308
#9  0x0040f847 in main (argc=6, argv=<value optimized out>) at ffmpeg.c:4716
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x5e2e71 to 0x5e2eb1:
   0x005e2e71 <ljpeg_decode_rgb_scan+2333>:     lea    0x0(%esi),%esi
   0x005e2e74 <ljpeg_decode_rgb_scan+2336>:     mov    0x318(%ebx),%edx
   0x005e2e7a <ljpeg_decode_rgb_scan+2342>:     test   %edx,%edx
   0x005e2e7c <ljpeg_decode_rgb_scan+2344>:     jne    0x5e2ec4 <ljpeg_decode_rg
b_scan+2416>
   0x005e2e7e <ljpeg_decode_rgb_scan+2346>:     test   %edi,%edi
   0x005e2e80 <ljpeg_decode_rgb_scan+2348>:     jle    0x5e2e3c <ljpeg_decode_rg
b_scan+2280>
   0x005e2e82 <ljpeg_decode_rgb_scan+2350>:     xor    %eax,%eax
   0x005e2e84 <ljpeg_decode_rgb_scan+2352>:     mov    0x90(%esp),%edx
   0x005e2e8b <ljpeg_decode_rgb_scan+2359>:     nop
   0x005e2e8c <ljpeg_decode_rgb_scan+2360>:     mov    0x4(%esi,%eax,8),%cx
=> 0x005e2e91 <ljpeg_decode_rgb_scan+2365>:     mov    %cl,(%edx,%eax,4)
   0x005e2e94 <ljpeg_decode_rgb_scan+2368>:     mov    0x2(%esi,%eax,8),%cx
   0x005e2e99 <ljpeg_decode_rgb_scan+2373>:     mov    %cl,0x1(%edx,%eax,4)
   0x005e2e9d <ljpeg_decode_rgb_scan+2377>:     mov    (%esi,%eax,8),%cx
   0x005e2ea1 <ljpeg_decode_rgb_scan+2381>:     mov    %cl,0x2(%edx,%eax,4)
   0x005e2ea5 <ljpeg_decode_rgb_scan+2385>:     inc    %eax
   0x005e2ea6 <ljpeg_decode_rgb_scan+2386>:     mov    0x340(%ebx),%ecx
   0x005e2eac <ljpeg_decode_rgb_scan+2392>:     cmp    %eax,%ecx
   0x005e2eae <ljpeg_decode_rgb_scan+2394>:     jg     0x5e2e8c <ljpeg_decode_rg
b_scan+2360>
   0x005e2eb0 <ljpeg_decode_rgb_scan+2396>:     jmp    0x5e2e3a <ljpeg_decode_rg
b_scan+2278>
End of assembler dump.
(gdb) info all-registers
eax            0x392    914
ecx            0xbb     187
edx            0x41141b8        68239800
ebx            0x40f0048        68091976
esp            0x22f570 0x22f570
ebp            0x37     0x37
esi            0x410b860        68204640
edi            0x400    1024
eip            0x5e2e91 0x5e2e91 <ljpeg_decode_rgb_scan+2365>
eflags         0x10212  [ AF IF RF ]
cs             0x1b     27
ss             0x23     35
ds             0x23     35
es             0x23     35
fs             0x3b     59
gs             0x0      0
st0            <invalid float value>    (raw 0x0000ba286a24ba28695c)
st1            0        (raw 0x00000000000000000001)
st2            1.#INF   (raw 0x69d4badb0d00804dc8c1)
st3            0        (raw 0x00000000000000000000)
st4            3        (raw 0x4000c000000000000000)
st5            3        (raw 0x4000c000000000000000)
st6            3        (raw 0x4000c000000000000000)
st7            3        (raw 0x4000c000000000000000)
fctrl          0xffff037f       -64641
fstat          0xffff0120       -65248
ftag           0xffffffff       -1
fiseg          0x0      0
fioff          0x0      0
foseg          0xffff0000       -65536
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0, 0x0, 0x0, 0x0, 0xc1, 0xc8, 0x4d, 0x80, 0x8, 0x0, 0x0, 0x0,
    0x82, 0x2, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0xc8c1, 0x804d, 0x8, 0x0,
    0x282, 0x0}, v4_int32 = {0x0, 0x804dc8c1, 0x8, 0x282}, v2_int64 = {
    0x804dc8c100000000, 0x28200000008},
  uint128 = 0x0000028200000008804dc8c100000000}
xmm1           {v4_float = {0xffffffff, 0x0, 0x0, 0x0}, v2_double = {0x0,
    0x0}, v16_int8 = {0xd6, 0x99, 0x85, 0xbf, 0xa8, 0x24, 0x0, 0x80, 0x0,
    0x0, 0x0, 0x0, 0x10, 0x6b, 0x28, 0xba}, v8_int16 = {0x99d6, 0xbf85,
    0x24a8, 0x8000, 0x0, 0x0, 0x6b10, 0xba28}, v4_int32 = {0xbf8599d6,
    0x800024a8, 0x0, 0xba286b10}, v2_int64 = {0x800024a8bf8599d6,
    0xba286b1000000000}, uint128 = 0xba286b1000000000800024a8bf8599d6}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0xd8, 0x93, 0xf2, 0xe2, 0x10, 0x0, 0x12, 0x0, 0x0, 0x6b, 0x28,
    0xba, 0xac, 0x0, 0x0, 0x0}, v8_int16 = {0x93d8, 0xe2f2, 0x10, 0x12,
    0x6b00, 0xba28, 0xac, 0x0}, v4_int32 = {0xe2f293d8, 0x120010, 0xba286b00,
    0xac}, v2_int64 = {0x120010e2f293d8, 0xacba286b00},
  uint128 = 0x000000acba286b0000120010e2f293d8}
xmm3           {v4_float = {0x0, 0x0, 0xffffffff, 0x0}, v2_double = {0x0,
    0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0xd0, 0x6b, 0x28, 0xba, 0x26, 0x4a,
    0x85, 0xbf, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x0, 0x6bd0, 0xba28,
    0x4a26, 0xbf85, 0x0, 0x0}, v4_int32 = {0x0, 0xba286bd0, 0xbf854a26, 0x0},
  v2_int64 = {0xba286bd000000000, 0xbf854a26},
  uint128 = 0x00000000bf854a26ba286bd000000000}
xmm4           {v4_float = {0x0, 0x0, 0xffffffff, 0x0}, v2_double = {0x0,
    0x8000000000000000}, v16_int8 = {0x81, 0x9f, 0x0, 0x0, 0xd0, 0x6b, 0x28,
    0xba, 0x61, 0x4a, 0x85, 0xbf, 0xd8, 0x93, 0xf2, 0xe2}, v8_int16 = {
    0x9f81, 0x0, 0x6bd0, 0xba28, 0x4a61, 0xbf85, 0x93d8, 0xe2f2}, v4_int32 = {
    0x9f81, 0xba286bd0, 0xbf854a61, 0xe2f293d8}, v2_int64 = {
    0xba286bd000009f81, 0xe2f293d8bf854a61},
  uint128 = 0xe2f293d8bf854a61ba286bd000009f81}
xmm5           {v4_float = {0x0, 0xffffffff, 0x0, 0x0}, v2_double = {0x0,
    0x8000000000000000}, v16_int8 = {0x24, 0x6a, 0x28, 0xba, 0xd1, 0x4a,
    0x85, 0xbf, 0x0, 0x0, 0x0, 0x1, 0xd0, 0x18, 0x75, 0xe1}, v8_int16 = {
    0x6a24, 0xba28, 0x4ad1, 0xbf85, 0x0, 0x100, 0x18d0, 0xe175}, v4_int32 = {
    0xba286a24, 0xbf854ad1, 0x1000000, 0xe17518d0}, v2_int64 = {
    0xbf854ad1ba286a24, 0xe17518d001000000},
  uint128 = 0xe17518d001000000bf854ad1ba286a24}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0xd8, 0x93, 0xf2, 0xe2, 0x10, 0x0, 0x12, 0x0, 0x0, 0x6b, 0x28,
    0xba, 0x14, 0x6a, 0x28, 0xba}, v8_int16 = {0x93d8, 0xe2f2, 0x10, 0x12,
    0x6b00, 0xba28, 0x6a14, 0xba28}, v4_int32 = {0xe2f293d8, 0x120010,
    0xba286b00, 0xba286a14}, v2_int64 = {0x120010e2f293d8,
    0xba286a14ba286b00}, uint128 = 0xba286a14ba286b0000120010e2f293d8}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0xe0, 0xfd, 0x7f,
    0x40, 0x6a, 0x28, 0xba}, v8_int16 = {0x0, 0x0, 0x0, 0x2, 0xe000, 0x7ffd,
    0x6a40, 0xba28}, v4_int32 = {0x0, 0x20000, 0x7ffde000, 0xba286a40},
  v2_int64 = {0x2000000000000, 0xba286a407ffde000},
  uint128 = 0xba286a407ffde0000002000000000000}
mxcsr          0x1f80   [ IM DM ZM OM UM PM ]
mm0            {uint64 = 0xba286a24ba28695c, v2_int32 = {0xba28695c,
    0xba286a24}, v4_int16 = {0x695c, 0xba28, 0x6a24, 0xba28}, v8_int8 = {
    0x5c, 0x69, 0x28, 0xba, 0x24, 0x6a, 0x28, 0xba}}
mm1            {uint64 = 0x1, v2_int32 = {0x1, 0x0}, v4_int16 = {0x1, 0x0,
    0x0, 0x0}, v8_int8 = {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2            {uint64 = 0xbadb0d00804dc8c1, v2_int32 = {0x804dc8c1,
    0xbadb0d00}, v4_int16 = {0xc8c1, 0x804d, 0xd00, 0xbadb}, v8_int8 = {0xc1,
    0xc8, 0x4d, 0x80, 0x0, 0xd, 0xdb, 0xba}}
mm3            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4            {uint64 = 0xc000000000000000, v2_int32 = {0x0, 0xc0000000},
  v4_int16 = {0x0, 0x0, 0x0, 0xc000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0xc0}}
mm5            {uint64 = 0xc000000000000000, v2_int32 = {0x0, 0xc0000000},
  v4_int16 = {0x0, 0x0, 0x0, 0xc000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0xc0}}
mm6            {uint64 = 0xc000000000000000, v2_int32 = {0x0, 0xc0000000},
  v4_int16 = {0x0, 0x0, 0x0, 0xc000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0xc0}}
mm7            {uint64 = 0xc000000000000000, v2_int32 = {0x0, 0xc0000000},
  v4_int16 = {0x0, 0x0, 0x0, 0xc000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0xc0}}

Attachments (2)

lossless.jpg (1.4 MB) - added by ami_stuff 5 years ago.
lossless_2.jpg (1.4 MB) - added by ami_stuff 5 years ago.

Change History (7)

Changed 5 years ago by ami_stuff

comment:1 Changed 5 years ago by ami_stuff

please change the title of this ticket to "infinite loop while probing (most likely broken) jpeg lossless file"

ffmpeg -i lossless.jpg

Changed 5 years ago by ami_stuff

comment:2 Changed 5 years ago by ami_stuff

"lossless_2.jpg" decodes with ffmpeg, but crashes with lowres

comment:3 Changed 5 years ago by cehoyos

  • Component changed from undetermined to avcodec
  • Keywords ljpeg lowres added
  • Reproduced by developer set
  • Resolution set to fixed
  • Status changed from new to closed
  • Summary changed from jpeg lossless: crash with lowres to ljpeg: crash with lowres
  • Version changed from unspecified to git-master

Note that there is another codec called jpeg-ls or jpeg lossless, see http://en.wikipedia.org/wiki/Jpeg-ls for an explanation.

The crash with lowres is fixed (ljpeg does not support lowres), I cannot reproduce an endless loop with the first file, but please open a new ticket if there still is a problem.

$ ffmpeg -i lossless.jpg
ffmpeg version N-35771-g7862bd3, Copyright (c) 2000-2011 the FFmpeg developers
  built on Dec 14 2011 23:44:58 with gcc 4.5.3
  configuration: --cc='/usr/local/gcc-4.5.3/bin/gcc -m32'
  libavutil    51. 32. 0 / 51. 32. 0
  libavcodec   53. 44. 0 / 53. 44. 0
  libavformat  53. 25. 0 / 53. 25. 0
  libavdevice  53.  4. 0 / 53.  4. 0
  libavfilter   2. 53. 0 /  2. 53. 0
  libswscale    2.  1. 0 /  2.  1. 0
[mjpeg @ 0x8dae0e0] mjpeg_decode_dc: bad vlc: 0:0 (0x8dae924)
    Last message repeated 4718591 times
Input #0, image2, from 'lossless.jpg':
  Duration: 00:00:00.04, start: 0.000000, bitrate: N/A
    Stream #0:0: Video: mjpeg, bgr24, 1024x768 [SAR 96:96 DAR 4:3], 25 tbr, 25 tbn, 25 tbc
At least one output file must be specified
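The crash line in the description, `ptr[4*mb_x+0] = buffer[mb_x][2]` with `edi = 0x400` (the 1024-pixel scan width) and `eax = 0x392` (914, already far past the row a lowres-3 picture would have), together with the resolution above ("ljpeg does not support lowres"), describes a classic decoder buffer-size mismatch: the output picture is allocated at the downscaled width while the lossless RGB scan still writes one pixel per `mb_x` across the full width. The following C program is an added example modelling that mismatch and the guard that resolves it; it is not FFmpeg code, and `ModelCtx`, `model_init`, `checked_store`, `rgb_scan_unchecked`, `rgb_scan_guarded` and `demo_overrun` are hypothetical names. The scan line is constructed inline; the out-of-range writes are counted rather than performed, so the program runs without corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the decoder state involved (added example, not
 * FFmpeg's MJpegDecodeContext): the full scan width, the caller's lowres
 * shift, and one output row allocated at the lowres-scaled width with
 * 4 bytes per pixel, matching the ptr[4*mb_x+k] stores on the page. */
typedef struct {
    int width;        /* full-resolution scan width in pixels */
    int lowres;       /* downscale shift requested by the caller */
    int out_width;    /* pixels per allocated output row: width >> lowres */
    size_t row_bytes; /* bytes actually allocated for the row */
    uint8_t *row;     /* the output row */
} ModelCtx;

enum { MODEL_OK = 0, MODEL_EINVAL = -1 };

/* Allocate the output row the way a lowres-aware picture buffer is sized. */
static int model_init(ModelCtx *c, int width, int lowres)
{
    memset(c, 0, sizeof(*c));
    if (width <= 0 || lowres < 0 || lowres > 3)
        return MODEL_EINVAL;
    c->width     = width;
    c->lowres    = lowres;
    c->out_width = width >> lowres;
    if (c->out_width <= 0)
        return MODEL_EINVAL;
    c->row_bytes = (size_t)c->out_width * 4;
    c->row       = calloc(c->row_bytes, 1);
    return c->row ? MODEL_OK : MODEL_EINVAL;
}

static void model_free(ModelCtx *c)
{
    free(c->row);
    c->row = NULL;
}

/* Bounds-checked stand-in for the raw ptr[4*mb_x+k] store. Returns 1 when
 * the byte was in range and written, 0 when it would have overrun the row
 * (the write is skipped instead of corrupting memory). */
static int checked_store(ModelCtx *c, size_t off, uint8_t v)
{
    if (off >= c->row_bytes)
        return 0;
    c->row[off] = v;
    return 1;
}

/* The scan loop shaped like the crashing one: iterates over the full scan
 * width regardless of how wide the output row is. Returns the number of
 * pixels whose stores fell outside the allocated row. */
static int rgb_scan_unchecked(ModelCtx *c, const uint16_t (*buffer)[4])
{
    int overrun = 0;
    for (int mb_x = 0; mb_x < c->width; mb_x++) {
        int ok = checked_store(c, 4 * (size_t)mb_x + 0, (uint8_t)buffer[mb_x][2]);
        ok &= checked_store(c, 4 * (size_t)mb_x + 1, (uint8_t)buffer[mb_x][1]);
        ok &= checked_store(c, 4 * (size_t)mb_x + 2, (uint8_t)buffer[mb_x][0]);
        if (!ok)
            overrun++;
    }
    return overrun;
}

/* The mitigation the resolution describes: the lossless path does not
 * support lowres, so refuse the option before decoding into a picture that
 * is smaller than the scan. */
static int rgb_scan_guarded(ModelCtx *c, const uint16_t (*buffer)[4])
{
    if (c->lowres != 0)
        return MODEL_EINVAL;
    return rgb_scan_unchecked(c, buffer) == 0 ? MODEL_OK : MODEL_EINVAL;
}

/* Run both variants on a constructed scan line of `width` pixels. Returns
 * the unchecked path's overrun count; *guarded_rc receives the guarded
 * path's return value. -1 signals a setup failure. */
static int demo_overrun(int width, int lowres, int *guarded_rc)
{
    ModelCtx c;
    uint16_t (*buffer)[4] = calloc((size_t)width, sizeof(*buffer));
    if (!buffer || model_init(&c, width, lowres) != MODEL_OK) {
        free(buffer);
        return -1;
    }
    for (int i = 0; i < width; i++) {   /* constructed sample data */
        buffer[i][0] = (uint16_t)i;
        buffer[i][1] = (uint16_t)(i * 2);
        buffer[i][2] = (uint16_t)(i * 3);
    }
    int overrun = rgb_scan_unchecked(&c, (const uint16_t (*)[4])buffer);
    memset(c.row, 0, c.row_bytes);
    *guarded_rc = rgb_scan_guarded(&c, (const uint16_t (*)[4])buffer);
    model_free(&c);
    free(buffer);
    return overrun;
}

int main(void)
{
    int rc;
    /* The ticket's picture is 1024 pixels wide and was probed with lowres 3. */
    int overrun = demo_overrun(1024, 3, &rc);
    printf("lowres 3: %d of 1024 pixels overrun the 128-pixel row; guarded rc=%d\n",
           overrun, rc);
    overrun = demo_overrun(1024, 0, &rc);
    printf("lowres 0: %d pixels overrun; guarded rc=%d\n", overrun, rc);
    return 0;
}
```

With lowres 3 the row holds 128 pixels, so every `mb_x` from 128 to 1023 writes past it (896 pixels, which is why the real crash happens deep into the loop at `mb_x = 914` rather than on the first pixel); the guarded variant returns an error before touching the buffer, which is the behaviour the fix gives the ljpeg path.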

comment:4 follow-up: Changed 5 years ago by ami_stuff

You're right, probing takes 2 and a half minutes here, so it's not an infinite loop, but I think it should be fixed as well.

comment:5 in reply to: ↑ 4 Changed 5 years ago by michael

Replying to ami_stuff:

You're right, probing takes 2 and a half minutes here, so it's not an infinite loop, but I think it should be fixed as well.

Yes, indeed, fixed locally, will be in git after tests
