Opened 2 years ago

Closed 14 months ago

#8251 closed defect (fixed)

Segmentation fault in sws_scale at libswscale/swscale.c:850

Reported by: Suhwan
Owned by:
Priority: normal
Component: avfilter
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There is a Segmentation fault in sws_scale at libswscale/swscale.c:850

Thread 1 "ffmpeg_g" received signal SIGSEGV, Segmentation fault.
0x00000000013030bd in sws_scale (c=0x22d09c0, srcSlice=0x7fffffffc5e0, srcStride=0x7fffffffc5b0, 
    srcSliceY=0, srcSliceH=<optimized out>, dst=0x7fffffffc5c0, dstStride=0x7fffffffc5a0)
    at libswscale/swscale.c:850
850	                uint32_t p = ((const uint32_t *)(srcSlice[1]))[i];
(gdb) bt
#0  0x00000000013030bd in sws_scale (c=0x22d09c0, srcSlice=0x7fffffffc5e0, srcStride=0x7fffffffc5b0, 
    srcSliceY=0, srcSliceH=<optimized out>, dst=0x7fffffffc5c0, dstStride=0x7fffffffc5a0)
    at libswscale/swscale.c:850
#1  0x000000000052e350 in scale_slice (link=<optimized out>, out_buf=<optimized out>, 
    cur_pic=<optimized out>, sws=<optimized out>, y=<optimized out>, h=<optimized out>, 
    mul=<optimized out>, field=<optimized out>) at libavfilter/vf_scale.c:411
#2  scale_frame (link=<optimized out>, in=<optimized out>, frame_out=<optimized out>)
    at libavfilter/vf_scale.c:535
#3  filter_frame (link=0x22cca40, in=<optimized out>) at libavfilter/vf_scale.c:549
#4  0x00000000004520a5 in ff_filter_frame_framed (link=<optimized out>, frame=<optimized out>)
    at libavfilter/avfilter.c:1071
#5  ff_filter_frame_to_filter (link=<optimized out>) at libavfilter/avfilter.c:1219
#6  ff_filter_activate_default (filter=<optimized out>) at libavfilter/avfilter.c:1268
#7  ff_filter_activate (filter=<optimized out>) at libavfilter/avfilter.c:1430
#8  0x00000000004576ca in push_frame (graph=0x22b3700) at libavfilter/buffersrc.c:187
#9  av_buffersrc_add_frame_internal (ctx=0x22cae00, frame=<optimized out>, flags=4)
    at libavfilter/buffersrc.c:261
#10 0x00000000004571e8 in av_buffersrc_add_frame_flags (ctx=0x22cae00, frame=0x22c5440, flags=4)
    at libavfilter/buffersrc.c:170
#11 0x0000000000425fd8 in ifilter_send_frame (ifilter=<optimized out>, frame=<optimized out>)
    at fftools/ffmpeg.c:2196
#12 send_frame_to_filters (ist=<optimized out>, decoded_frame=<optimized out>) at fftools/ffmpeg.c:2270
#13 0x0000000000420f69 in decode_video (ist=<optimized out>, pkt=<optimized out>, 
    got_output=<optimized out>, duration_pts=<optimized out>, eof=<optimized out>, 
    decode_failed=<optimized out>) at fftools/ffmpeg.c:2469
#14 process_input_packet (ist=<optimized out>, pkt=<optimized out>, no_eof=<optimized out>)
    at fftools/ffmpeg.c:2623
#15 0x000000000041d40f in process_input (file_index=<optimized out>) at fftools/ffmpeg.c:4518
#16 transcode_step () at fftools/ffmpeg.c:4638
#17 transcode () at fftools/ffmpeg.c:4692
#18 0x0000000000419377 in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4894
(gdb) list
845	
846	    if (usePal(c->srcFormat)) {
847	        for (i = 0; i < 256; i++) {
848	            int r, g, b, y, u, v, a = 0xff;
849	            if (c->srcFormat == AV_PIX_FMT_PAL8) {
850	                uint32_t p = ((const uint32_t *)(srcSlice[1]))[i];
851	                a = (p >> 24) & 0xFF;
852	                r = (p >> 16) & 0xFF;
853	                g = (p >>  8) & 0xFF;
854	                b =  p        & 0xFF;
(gdb) print srcSlice[1]
$1 = (const uint8_t * const) 0x0
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x130309d to 0x13030dd:
   0x000000000130309d <sws_scale+925>:	jmpq   *0x17908f0(,%r9,8)
   0x00000000013030a5 <sws_scale+933>:	mov    $0xff,%r10d
   0x00000000013030ab <sws_scale+939>:	mov    %r11d,%esi
   0x00000000013030ae <sws_scale+942>:	mov    %r11d,%ebp
   0x00000000013030b1 <sws_scale+945>:	mov    %r11d,%ebx
   0x00000000013030b4 <sws_scale+948>:	jmpq   0x1303175 <sws_scale+1141>
   0x00000000013030b9 <sws_scale+953>:	mov    0x8(%r14),%rax
=> 0x00000000013030bd <sws_scale+957>:	mov    (%rax,%r11,4),%eax
   0x00000000013030c1 <sws_scale+961>:	mov    %eax,%ecx
   0x00000000013030c3 <sws_scale+963>:	movzbl %ah,%ebp
   0x00000000013030c6 <sws_scale+966>:	movzbl %al,%esi
   0x00000000013030c9 <sws_scale+969>:	mov    %eax,%r10d
   0x00000000013030cc <sws_scale+972>:	shr    $0x18,%r10d
   0x00000000013030d0 <sws_scale+976>:	shr    $0x10,%ecx
   0x00000000013030d3 <sws_scale+979>:	movzbl %cl,%ebx
   0x00000000013030d6 <sws_scale+982>:	jmpq   0x1303175 <sws_scale+1141>
   0x00000000013030db <sws_scale+987>:	mov    %r11d,%eax
End of assembler dump.

How to reproduce:

% ffmpeg_g -y -i $PoC -filter_complex shuffleplanes -target dvd -loglevel 99  tmp.mpegts

ffmpeg version N-95314-g1331e00179 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
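The failure path the backtrace shows, as an added example in C that is not code from FFmpeg or from the ticket: `print srcSlice[1]` is 0x0, so the palette read at swscale.c:850 indexes a NULL pointer for a PAL8 source. The model below assumes the palette was lost by a plane remap that copies only the counted pixel planes (one for PAL8) and leaves the palette pseudo-plane in data[1] as NULL; whether that is exactly how shuffleplanes dropped it here is an assumption, as are all type and function names in the block. It shows the unchecked read in the shape of line 850 next to two guards a practitioner would want: a consumer-side check that rejects a PAL8 frame without a palette, and a filter-side check that refuses palette formats before any remap happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not FFmpeg's own types. */
#define NUM_PLANES  4
#define PAL_ENTRIES 256

typedef struct {
    uint8_t *data[NUM_PLANES];   /* for PAL8, data[1] is the 256-entry ARGB palette */
    int      linesize[NUM_PLANES];
    int      width, height;
    int      is_pal8;            /* models c->srcFormat == AV_PIX_FMT_PAL8 */
} Frame;

/* Assumed remap in the spirit of shuffleplanes: copies exactly nb_planes planes
 * through map[]. A pixel-plane count of 1 for PAL8 leaves data[1] (the palette) NULL. */
static void shuffle_planes(const Frame *in, Frame *out, const int *map, int nb_planes)
{
    memset(out, 0, sizeof(*out));
    out->width = in->width; out->height = in->height; out->is_pal8 = in->is_pal8;
    for (int i = 0; i < nb_planes && i < NUM_PLANES; i++) {
        if (map[i] < 0 || map[i] >= NUM_PLANES)
            continue;                         /* unmapped plane stays NULL */
        out->data[i]     = in->data[map[i]];
        out->linesize[i] = in->linesize[map[i]];
    }
}

/* Same shape as swscale.c:850: data[1] is indexed with no NULL check.
 * With data[1] == NULL this is the SIGSEGV in the report. */
static uint32_t pal8_lookup_unchecked(const Frame *f, int x, int y)
{
    return ((const uint32_t *)f->data[1])[f->data[0][y * f->linesize[0] + x]];
}

/* Hardened consumer: a PAL8 frame without a palette plane, or an out-of-range
 * coordinate, is rejected (-1) instead of dereferenced; 0 on success. */
static int pal8_lookup_checked(const Frame *f, int x, int y, uint32_t *out)
{
    if (!f->data[0] || (f->is_pal8 && !f->data[1]))
        return -1;
    if (x < 0 || y < 0 || x >= f->width || y >= f->height)
        return -1;
    *out = ((const uint32_t *)f->data[1])[f->data[0][y * f->linesize[0] + x]];
    return 0;
}

/* Filter-side guard: a plane shuffle should not advertise palette formats,
 * since their plane table carries a pseudo-plane the remap cannot preserve. */
static int shuffle_accepts_format(int is_pal8)
{
    return !is_pal8;
}

/* Constructed 2x1 PAL8 sample: indices 0 and 255, palette entry i = opaque, blue = i. */
static void make_pal8_frame(Frame *f, uint8_t *pixels, uint32_t *palette)
{
    memset(f, 0, sizeof(*f));
    f->width = 2; f->height = 1; f->is_pal8 = 1;
    pixels[0] = 0; pixels[1] = 255;
    for (int i = 0; i < PAL_ENTRIES; i++)
        palette[i] = 0xFF000000u | (uint32_t)i;
    f->data[0] = pixels;             f->linesize[0] = 2;
    f->data[1] = (uint8_t *)palette; f->linesize[1] = 4;
}

/* Walks the failure path without faulting: 1 if the remap dropped the palette
 * and the checked lookup refused the frame, 0 otherwise. */
static int demo_shuffled_pal8_is_rejected(void)
{
    Frame in, out; uint8_t pixels[2]; uint32_t palette[PAL_ENTRIES], px;
    const int identity[NUM_PLANES] = {0, 1, 2, 3};
    make_pal8_frame(&in, pixels, palette);
    shuffle_planes(&in, &out, identity, 1);   /* one pixel plane: palette not copied */
    /* pal8_lookup_unchecked(&out, 0, 0) would dereference NULL here. */
    return out.data[1] == NULL && pal8_lookup_checked(&out, 0, 0, &px) == -1;
}

/* Intact frame: checked and unchecked lookups agree on pixel (1,0), index 255. */
static uint32_t demo_intact_pal8_lookup(void)
{
    Frame in; uint8_t pixels[2]; uint32_t palette[PAL_ENTRIES], px = 0;
    make_pal8_frame(&in, pixels, palette);
    if (pal8_lookup_checked(&in, 1, 0, &px) != 0 || px != pal8_lookup_unchecked(&in, 1, 0))
        return 0;
    return px;
}

int main(void)
{
    printf("shuffled PAL8 rejected: %d\n", demo_shuffled_pal8_is_rejected());
    printf("intact PAL8 pixel (1,0): 0x%08X\n", (unsigned)demo_intact_pal8_lookup());
    printf("shuffle accepts PAL8: %d\n", shuffle_accepts_format(1));
    return 0;
}
```

The two guards are independent: the consumer-side check turns a NULL palette into an error return rather than a crash even when a malformed frame arrives from elsewhere, while the filter-side check keeps such a frame from being produced in the first place.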

Attachments (2)

gdb-sws_scale_850 (25.6 KB) - added by Suhwan 2 years ago.
PoC_swscale_850.art (632 bytes) - added by Suhwan 2 years ago. poc


Change History (3)

by Suhwan, 2 years ago

Attachment: gdb-sws_scale_850 added

by Suhwan, 2 years ago

Attachment: PoC_swscale_850.art added

poc

comment:1 by mkver, 14 months ago

Component: undetermined → avfilter
Resolution: fixed
Status: new → closed