Opened 5 years ago

Closed 5 years ago

#7976 closed defect (fixed)

ffplay mpd file segfaults in refresh_manifest()

Reported by: Clem Taylor Owned by:
Priority: important Component: avformat
Version: git-master Keywords: dash crash SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

ffplay http://.../test.mpd plays for a while (>30s) and then segfaults with a null pointer deref in refresh_manifest() libavformat/dashdec.c:1437

ffmpeg 4154f89678

ffplay version n4.1.3 Copyright (c) 2003-2019 the FFmpeg developers
  built with gcc 9 (GCC)
  configuration: --enable-libxml2
  libavutil      56. 22.100 / 56. 22.100
  libavcodec     58. 35.100 / 58. 35.100
  libavformat    58. 20.100 / 58. 20.100
  libavdevice    58.  5.100 / 58.  5.100
  libavfilter     7. 40.101 /  7. 40.101
  libswscale      5.  3.100 /  5.  3.100
  libswresample   3.  3.100 /  3.  3.100

0x00000000006378b0 in refresh_manifest (s=0x0) at libavformat/dashdec.c:1437
1437	    DASHContext *c = s->priv_data;
(gdb) where
#0  0x00000000006378b0 in refresh_manifest (s=0x0) at libavformat/dashdec.c:1437
#1  0x0000000000638203 in get_current_fragment (pls=pls@entry=0x7fffd0005cc0)
    at libavformat/dashdec.c:1542
#2  0x0000000000638669 in read_data (opaque=0x7fffd0005cc0, buf=0x7fffd0896bc0 "", buf_size=32768)
    at libavformat/dashdec.c:1709
#3  0x0000000000626b01 in read_packet_wrapper (size=32768, buf=<optimized out>, s=0x7fffd0005cc8)
    at libavformat/aviobuf.c:535
#4  fill_buffer (s=0x7fffd0005cc8) at libavformat/aviobuf.c:585
#5  avio_read (s=s@entry=0x7fffd0005cc8, buf=<optimized out>, size=size@entry=2048)
    at libavformat/aviobuf.c:678
#6  0x0000000000650a04 in av_probe_input_buffer2 (pb=pb@entry=0x7fffd0005cc8, 
    fmt=fmt@entry=0x7fffdcc9dad0, filename=filename@entry=0x117939c "", logctx=logctx@entry=0x0, 
    offset=offset@entry=0, max_probe_size=1048576, max_probe_size@entry=0) at libavformat/format.c:262
#7  0x0000000000650bf9 in av_probe_input_buffer (pb=pb@entry=0x7fffdNcat: 0005cc8, 
    fmt=fmt@entry=0x7fffdcc9dad0, filename=filename@entry=0x117939c "", logctx=logctx@entry=0x0, 
    offset=offset@entry=0,Broken pipe.
 max_probe_size=max_probe_size@entry=0) at libavformat/format.c:316
#8  0x0000000000633ec4 in reopen_demux_for_component (s=s@entry=0x7fffd0000b80, 
    pls=pls@entry=0x7fffd0005cc0) at libavformat/dashdec.c:1850
#9  0x00000000006355cc in dash_read_packet (s=0x7fffd0000b80, pkt=0x7fffdcc9dc60)
    at libavformat/dashdec.c:2115
#10 0x0000000000732733 in ff_read_packet (s=s@entry=0x7fffd0000b80, pkt=pkt@entry=0x7fffdcc9dc60)
    at libavformat/utils.c:856
#11 0x00000000007337e9 in read_frame_internal (s=0x7fffd0000b80, pkt=0x7fffdcc9ddc0)
    at libavformat/utils.c:1582
#12 0x000000000073477d in av_read_frame (s=0x7fffd0000b80, pkt=pkt@entry=0x7fffdcc9ddc0)
    at libavformat/utils.c:472
#13 0x000000000048c2b8 in read_thread (arg=0x45869c0) at fftools/ffplay.c:3014
#14 0x00007ffff7c126e0 in ?? () from /lib64/libSDL2-2.0.so.0
#15 0x00007ffff7c8a2ad in ?? () from /lib64/libSDL2-2.0.so.0
#16 0x00007ffff786c5a2 in start_thread () from /lib64/libpthread.so.0
#17 0x00007ffff7799163 in clone () from /lib64/libc.so.6

Attachments (1)

master.mpd (31.7 KB ) - added by npryan 5 years ago.
Example mpd causing segfault with startNumber parser for segmentlist

Download all attachments as: .zip

Change History (13)

comment:1 by Carl Eugen Hoyos, 5 years ago

Component: ffplayavformat
Keywords: dash crash SIGSEGV added; segfault removed

Please test current FFmpeg git head and provide all missing information as explained on http://ffmpeg.org/bugreports.html

comment:2 by Steven Liu, 5 years ago

Hi can you leave the mpd link here, let me test it.

in reply to:  2 comment:3 by Clem Taylor, 5 years ago

Replying to stevenliu:

Hi can you leave the mpd link here, let me test it.

Sorry, I don't have a public source, I was just re-muxing a rtsp stream generated with ffmpeg.

The crash is related to the window expiration. With the rtsp source using 90 frame gops, the segfault happened after ~48s, which is the window size (3*16=48). Reducing the gop size to 60 frames, it would crash after 30s.

Here is the ffmpeg command to generate the mpd:

ffmpeg \
        -nostats -hide_banner \
        -buffer_size 1572864 \
        -i rtsp://192.168.100.100/video1 \
        -probesize 32 \
        -c:v copy \
        -an \
        -copyts \
        -fflags nobuffer \
        -flags +global_header+low_delay \
        -seg_duration 0.5 \
        -window_size 16 \
        -extra_window_size 2 \
        -use_template 0 \
        -use_timeline 0 \
        -init_seg_name 'live-init-stream$RepresentationID$.m4s' \
        -media_seg_name 'live-$RepresentationID$-$Number%06d$-$Time%09d$.m4s' \
        -hls_playlist 1 \
        -streaming 1 \
        -dash_segment_type mp4 \
        -f dash test.mpd

in reply to:  2 comment:4 by Clem Taylor, 5 years ago

Replying to stevenliu:

Hi can you leave the mpd link here, let me test it.

Sorry, I don't have a public source, I was just re-muxing a rtsp stream generated with ffmpeg.

The crash is related to the window expiration. With the rtsp source using 90 frame gops, the segfault happened after ~48s, which is the window size (3*16=48). Reducing the gop size to 60 frames, it would crash after 30s.

Here is the ffmpeg command to generate the mpd:

ffmpeg \
        -nostats -hide_banner \
        -buffer_size 1572864 \
        -i rtsp://192.168.100.100/video1 \
        -probesize 32 \
        -c:v copy \
        -an \
        -copyts \
        -fflags nobuffer \
        -flags +global_header+low_delay \
        -seg_duration 0.5 \
        -window_size 16 \
        -extra_window_size 2 \
        -use_template 0 \
        -use_timeline 0 \
        -init_seg_name 'live-init-stream$RepresentationID$.m4s' \
        -media_seg_name 'live-$RepresentationID$-$Number%06d$-$Time%09d$.m4s' \
        -hls_playlist 1 \
        -streaming 1 \
        -dash_segment_type mp4 \
        -f dash test.mpd
Version 0, edited 5 years ago by Clem Taylor (next)

comment:5 by Carl Eugen Hoyos, 5 years ago

Can't you upload what you produced?

in reply to:  5 comment:6 by Clem Taylor, 5 years ago

Replying to cehoyos:

Can't you upload what you produced?

It is a live stream, the .mpd file is constantly (every 5s) changing and the problem seems to occur when the all the segments that where present initially have fallen out of the sliding window.

Just reading the initial .mpd file is fine, the problem doesn't occur until the 16 or 17th time it reads the .mpd file.

comment:7 by Steven Liu, 5 years ago

OK

I have reproduced it, let me think how to fix it.

by npryan, 5 years ago

Attachment: master.mpd added

Example mpd causing segfault with startNumber parser for segmentlist

comment:9 by npryan, 5 years ago

I have attached an example mpd file which produces a segfault in ffprobe with the patch https://patchwork.ffmpeg.org/patch/14996/ applied.

I am about to submit a patch which should rectify this.

comment:11 by Carl Eugen Hoyos, 5 years ago

The attached sample (and patch) look unrelated to the provided bug report.

comment:12 by Carl Eugen Hoyos, 5 years ago

Priority: normalimportant
Resolution: fixed
Status: newclosed

Maybe fixed by Steven Liu in e55018ee110bf42e32739b1725411dde44e70291

Note: See TracTickets for help on using tickets.