-vf unsharp=6 causes a segfault with ffmpeg and ffplay

[tjackson]

Summary of the bug: ffmpeg and ffplay crash with -vf unsharp=6
How to reproduce:

% ffmpeg -i test.jpg -vf unsharp=6 test.png
% ffplay -vf unsharp=6 test.jpg
ffmpeg version git-2019-11-30-e5db2e9
built on Sun 01 Dec 2019 01:08:08 AM MST

I was somewhat blindly playing with the unsharp filter and I found a reproducible crash. I rebuilt my SDL with debug symbols but there might be some stuff missing with ffmpeg_g.

I'll attach gdb logs of the crash with ffplay_g and ffmpeg_g. I'd prefer not to attach the image, but here's some ffprobe output:

Input #0, image2, from '/home/tod/Pictures/bz5057-01-600x891.jpg':

Duration: 00:00:00.04, start: 0.000000, bitrate: 73946 kb/s

Stream #0:0: Video: mjpeg (Baseline), yuvj420p(pc, bt470bg/unknown/unknown), 600x891 [SAR 1:1 DAR 200:297], 25 tbr, 25 tbn, 25 tbc

I can test whatever you like.

Thanks,
Tod

[tjackson]

gdb output of ffmpeg_g and ffplay_g with bt full, disass $pc-32,$pc+32 and info all-registers

[tjackson]

(gdb) run -v 9 -loglevel 99 -i ~/Pictures/bz5057-01-600x891.jpg -vf unsharp=6 test.png

[tjackson]

Actually, running ffplay with -vf unsharp=6 crashes on an mp4 and png I tested too.

[tjackson]

valgrind output

[mkver]

Please test this patch:

diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c
index 95b4968d41..7b430b650d 100644
--- a/libavfilter/vf_unsharp.c
+++ b/libavfilter/vf_unsharp.c
@@ -218,7 +218,7 @@ static int init_filter_param(AVFilterContext *ctx, UnsharpFilterParam *fp, const
            effect, effect_type, fp->msize_x, fp->msize_y, fp->amount / 65535.0);
 
     fp->sr = av_malloc_array((MAX_MATRIX_SIZE - 1) * s->nb_threads, sizeof(uint32_t));
-    fp->sc = av_malloc_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t **));
+    fp->sc = av_mallocz_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t *));
     if (!fp->sr || !fp->sc)
         return AVERROR(ENOMEM);
 
@@ -258,9 +258,11 @@ static void free_filter_param(UnsharpFilterParam *fp, int nb_threads)
 {
     int z;
 
-    for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
-        av_freep(&fp->sc[z]);
-    av_freep(&fp->sc);
+    if (fp->sc) {
+        for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
+            av_freep(&fp->sc[z]);
+        av_freep(&fp->sc);
+    }
     av_freep(&fp->sr);
 }

[tjackson]

That seems to fix the crash, thanks.

tod@Arch:~/src/FFmpeg$ ./ffmpeg_g -i ~/Pictures/bz5057-01-600x891.jpg -vf unsharp=6 test.png
ffmpeg version git-2019-11-30-e5db2e9 Copyright (c) 2000-2019 the FFmpeg developers

built with gcc 9.2.0 (GCC)
configuration: --enable-debug --enable-ffplay
libavutil 56. 36.101 / 56. 36.101
libavcodec 58. 64.101 / 58. 64.101
libavformat 58. 35.100 / 58. 35.100
libavdevice 58. 9.101 / 58. 9.101
libavfilter 7. 67.100 / 7. 67.100
libswscale 5. 6.100 / 5. 6.100
libswresample 3. 6.100 / 3. 6.100

Input #0, image2, from '/home/tod/Pictures/bz5057-01-600x891.jpg':

Duration: 00:00:00.04, start: 0.000000, bitrate: 73946 kb/s

Stream #0:0: Video: mjpeg (Baseline), yuvj420p(pc, bt470bg/unknown/unknown), 600x891 [SAR 1:1 DAR 200:297], 25 tbr, 25 tbn, 25 tbc

Stream mapping:

Stream #0:0 -> #0:0 (mjpeg (native) -> png (native))

Press [q] to stop, ? for help
[Parsed_unsharp_0 @ 0x5592ed248b00] Invalid even size for luma matrix size 6x5
[Parsed_unsharp_0 @ 0x5592ed248b00] Failed to configure input pad on Parsed_unsharp_0
Error reinitializing filters!
Failed to inject frame into filter network: Invalid argument
Error while processing the decoded data for stream #0:0
Conversion failed!
tod@Arch:~/src/FFmpeg$

[mkver]

Fixed in 710ab136931ff228b355d87512b0d4ca4e94656a.