Opened 3 years ago

Closed 3 years ago

#8299 closed defect (fixed)

Segmentation fault in av_frame_ref at libavutil/frame.c:450

Reported by: Suhwan Owned by:
Priority: important Component: undetermined
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no


Summary of the bug:
There is a Segmentation fault in av_frame_ref at libavutil/frame.c:450
How to reproduce:

% ffmpeg_g -y -i $PoC -filter_complex dedot -target dv50 -loglevel 0 -map 0 tmp.rpl

ffmpeg version N-95425-g1e35519fe0 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here's GDB log

libavutil/frame.c:450:32: runtime error: member access within null pointer of type 'const AVFrame' (aka 'const struct AVFrame')

Thread 1 "ffmpeg_g" received signal SIGSEGV, Segmentation fault.
0x0000000005903ad8 in av_frame_ref (dst=0x96a8e80, src=0x0) at libavutil/frame.c:450
450	    dst->format         = src->format;
(gdb) bt
#0  0x0000000005903ad8 in av_frame_ref (dst=0x96a8e80, src=0x0) at libavutil/frame.c:450
#1  0x0000000005908fc0 in av_frame_clone (src=0x0) at libavutil/frame.c:547
#2  0x00000000008f31aa in activate (ctx=0x93edd80) at libavfilter/vf_dedot.c:288
#3  0x00000000005ce2ec in ff_filter_activate (filter=<optimized out>) at libavfilter/avfilter.c:1442
#4  0x00000000005eecd3 in get_frame_internal (ctx=0x93ee780, frame=<optimized out>, flags=1, 
    samples=<optimized out>) at libavfilter/buffersink.c:110
#5  0x00000000005e254b in avfilter_graph_request_oldest (graph=0x93e8a80) at libavfilter/avfiltergraph.c:1409
#6  0x000000000048c3a2 in transcode_from_filter (graph=0x93ae700, best_ist=<optimized out>)
    at fftools/ffmpeg.c:4531
#7  transcode_step () at fftools/ffmpeg.c:4606
#8  transcode () at fftools/ffmpeg.c:4682
#9  0x0000000000487da4 in main (argc=13, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x5903ab8 to 0x5903af8:
   0x0000000005903ab8 <av_frame_ref+24>:	xchg   %eax,%ebp
   0x0000000005903ab9 <av_frame_ref+25>:	rolb   $0xc7,-0xa(%rcx)
   0x0000000005903abd <av_frame_ref+29>:	(bad)  
   0x0000000005903abe <av_frame_ref+30>:	sete   %r12b
   0x0000000005903ac2 <av_frame_ref+34>:	and    %al,%r12b
   0x0000000005903ac5 <av_frame_ref+37>:	je     0x5903e72 <av_frame_ref+978>
   0x0000000005903acb <av_frame_ref+43>:	lea    0x74(%r15),%rbx
   0x0000000005903acf <av_frame_ref+47>:	test   $0x3,%bl
   0x0000000005903ad2 <av_frame_ref+50>:	jne    0x5903e8c <av_frame_ref+1004>
=> 0x0000000005903ad8 <av_frame_ref+56>:	mov    (%rbx),%ebp
   0x0000000005903ada <av_frame_ref+58>:	test   %r14,%r14
   0x0000000005903add <av_frame_ref+61>:	setne  %al
   0x0000000005903ae0 <av_frame_ref+64>:	test   $0x7,%r14b
   0x0000000005903ae4 <av_frame_ref+68>:	sete   %cl
   0x0000000005903ae7 <av_frame_ref+71>:	and    %al,%cl
   0x0000000005903ae9 <av_frame_ref+73>:	mov    %cl,0x6(%rsp)
   0x0000000005903aed <av_frame_ref+77>:	je     0x5903e9e <av_frame_ref+1022>
   0x0000000005903af3 <av_frame_ref+83>:	lea    0x74(%r14),%rbx
   0x0000000005903af7 <av_frame_ref+87>:	test   $0x3,%bl
End of assembler dump.

Please confirm.

