Opened 4 years ago

Closed 4 years ago

#8298 closed defect (fixed)

Palette not propagated by vf_shuffleplanes

Reported by: Suhwan Owned by:
Priority: important Component: avfilter
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no


Summary of the bug:
There is a Segmentation fault in av_crc at libavutil/crc.c:403
How to reproduce:

% ffmpeg_g -y -i $PoC -filter_complex shuffleplanes -loglevel 0 -map 0 -c:a:58 pcm_f32le tmp.apng

ffmpeg version N-95425-g1e35519fe0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's GDB log

libavutil/crc.c:403:20: runtime error: load of null pointer of type 'const uint32_t' (aka 'const unsigned int')

Thread 1 "ffmpeg_g" received signal SIGSEGV, Segmentation fault.
0x00000000058e57eb in av_crc (ctx=0x911ef90 <av_crc_table+16384>, crc=4294967295, buffer=0x0, 
    length=<optimized out>) at libavutil/crc.c:403
403	            crc ^= av_le2ne32(*(const uint32_t *) buffer); buffer += 4;
(gdb) bt
#0  0x00000000058e57eb in av_crc (ctx=0x911ef90 <av_crc_table+16384>, crc=4294967295, buffer=0x0, 
    length=<optimized out>) at libavutil/crc.c:403
#1  0x0000000002e310fc in encode_apng (avctx=<optimized out>, pkt=0x93cbe80, pict=0x940dc40, 
    got_packet=0x7fffffffc294) at libavcodec/pngenc.c:851
#2  0x0000000001fd0b9f in avcodec_encode_video2 (avctx=0x93b5b40, avpkt=<optimized out>, frame=<optimized out>, 
    got_packet_ptr=0x7fffffffc294) at libavcodec/encode.c:302
#3  0x0000000001fd28d0 in do_encode (avctx=0x93b5b40, frame=0x940dc40, got_packet=0x7fffffffc294)
    at libavcodec/encode.c:371
#4  0x0000000001fd244a in avcodec_send_frame (avctx=0x93b5b40, frame=0x940dc40) at libavcodec/encode.c:420
#5  0x00000000004c51d8 in do_video_out (of=0x93b0cc0, ost=<optimized out>, next_picture=<optimized out>, 
    sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#6  0x00000000004c0f0b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#7  0x000000000048d662 in transcode_step () at fftools/ffmpeg.c:4638
#8  transcode () at fftools/ffmpeg.c:4682
#9  0x0000000000487da4 in main (argc=13, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x58e57cb to 0x58e580b:
   0x00000000058e57cb <av_crc+811>:	(bad)  
   0x00000000058e57cc <av_crc+812>:	(bad)  
   0x00000000058e57cd <av_crc+813>:	jmpq   0x58e56c8 <av_crc+552>
   0x00000000058e57d2 <av_crc+818>:	mov    $0x7f73600,%edi
   0x00000000058e57d7 <av_crc+823>:	mov    %r12,%rsi
   0x00000000058e57da <av_crc+826>:	mov    %rcx,%rbx
   0x00000000058e57dd <av_crc+829>:	mov    %r8,%rbp
   0x00000000058e57e0 <av_crc+832>:	callq  0x42c820 <__ubsan_handle_type_mismatch_v1>
   0x00000000058e57e5 <av_crc+837>:	mov    %rbp,%r8
   0x00000000058e57e8 <av_crc+840>:	mov    %rbx,%rcx
=> 0x00000000058e57eb <av_crc+843>:	xor    (%r12),%ecx
   0x00000000058e57ef <av_crc+847>:	cmp    $0xfffffffffffffffc,%r12
   0x00000000058e57f3 <av_crc+851>:	mov    %rcx,%r13
   0x00000000058e57f6 <av_crc+854>:	jb     0x58e5624 <av_crc+388>
   0x00000000058e57fc <av_crc+860>:	lea    0x4(%r12),%rdx
   0x00000000058e5801 <av_crc+865>:	mov    $0x7f73620,%edi
   0x00000000058e5806 <av_crc+870>:	mov    %r12,%rsi
   0x00000000058e5809 <av_crc+873>:	mov    %r8,%rbx
End of assembler dump.

Please confirm.

Attachments (1)

PoC_seg_crc_403.tga (3.1 KB ) - added by Suhwan 4 years ago.

Download all attachments as: .zip

Change History (3)

by Suhwan, 4 years ago

Attachment: PoC_seg_crc_403.tga added


comment:1 by James, 4 years ago

Component: undeterminedavfilter
Status: newopen
Summary: Segmentation fault in av_crc at libavutil/crc.c:403Palette not propagated by vf_shuffleplanes

The problem is not in av_crc, but in shuffleplanes. It's not propagating the palette plane despite being a pal8 stream.

./ffmpeg -i PoC_seg_crc_403.tga -vf shuffleplanes,showpalette -f null -
./ffmpeg -i PoC_seg_crc_403.tga -vf shuffleplanes -f apng -y /dev/null

All fail the same way, trying to access AVFrame->data[1], which is NULL.

comment:2 by Elon Musk, 4 years ago

Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.