Opened 21 months ago
Closed 17 months ago
#9917 closed defect (fixed)
Crash on (corrupt) DNG file
Reported by: | John P. Kiffmeyer | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avcodec |
Version: | git-master | Keywords: | crash tif mjpeg SIGSEGV |
Cc: | John P. Kiffmeyer | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
How to reproduce: "ffprobe original.dng"
File likely corrupt, see details below.
Expected behavior: Graceful error or warning, if necessary
Actual behavior: Segmentation fault
Versions observed:
- 4.4.2 on Mac (release build)
- 5.0.1 on Linux (release build) and Mac (release and debug builds)
- 5.1.1 on Mac (debug build)
- git-master (06b98e396adc467a5164a03d71dd71508a2d8881) on Mac (debug build)
I'm seeing a segfault when running ffprobe on a particular DNG file. I suspect the file itself is corrupt, as it also renders poorly or not at all in other applications, but ffprobe is crashing on it.
Unfortunately, the file that reproduces this is a customer asset, so I can't share it, but debugger output as well as some additional metadata is included below in hopes those things are enough. If not, I'll see what I can do.
I've observed this crash in release builds of 4.4.2 and 5.0.1, as well as debug builds of 5.1.1 and git-master. The debugger output below was from a debug build of 5.1.1, pulled from git, built on an Intel Mac.
Additional metadata from mediainfo and ImageMagick follows the debugger output.
Debugger output from lldb:
```
➜ ~/code/__non_fio/ffmpeg/ffmpeg-git git:(1bad30dbe3) lldb ./ffprobe_g
(lldb) target create "./ffprobe_g"
Current executable set to '/Users/jpk/code/__non_fio/ffmpeg/ffmpeg-git/ffprobe_g' (x86_64).
(lldb) run -v 9 -loglevel 99 -i ~/Downloads/original.dng
Process 68824 launched: '/Users/jpk/code/__non_fio/ffmpeg/ffmpeg-git/ffprobe_g' (x86_64)
ffprobe version n5.1.1 Copyright (c) 2007-2022 the FFmpeg developers
  built with Apple clang version 13.0.0 (clang-1300.0.29.30)
  configuration: --disable-iconv --disable-asm --disable-optimizations
  libavutil 57. 28.100 / 57. 28.100
  libavcodec 59. 37.100 / 59. 37.100
  libavformat 59. 27.100 / 59. 27.100
  libavdevice 59. 7.100 / 59. 7.100
  libavfilter 8. 44.100 / 8. 44.100
  libswscale 6. 7.100 / 6. 7.100
  libswresample 4. 7.100 / 4. 7.100
[NULL @ 0x105206650] Opening '/Users/jpk/Downloads/original.dng' for reading
[file @ 0x1052069f0] Setting default whitelist 'file,crypto,data'
Probing image2 score:50 size:2048
Probing tiff_pipe score:51 size:2048
[tiff_pipe @ 0x105206650] Format tiff_pipe probed with size=2048 and score=51
[tiff_pipe @ 0x105206650] Before avformat_find_stream_info() pos: 0 bytes read:32768 seeks:0 nb_streams:1
[tiff_pipe @ 0x105206650] parser not found for codec tiff, packets or times may be invalid.
    Last message repeated 1 times
[tiff @ 0x1052070a0] compression: 7
[tiff @ 0x1052070a0] DNG file, version 1.4.0.0
[mjpeg @ 0x102b04b40] marker=d8 avail_size_in_buf=3776296
[mjpeg @ 0x102b04b40] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x102b04b40] marker=db avail_size_in_buf=3776294
[mjpeg @ 0x102b04b40] index=0
[mjpeg @ 0x102b04b40] qscale[0]: 2
[mjpeg @ 0x102b04b40] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x102b04b40] marker=c1 avail_size_in_buf=3776225
[mjpeg @ 0x102b04b40] Changing bps from 0 to 12
[mjpeg @ 0x102b04b40] sof0: picture: 8528x602
[mjpeg @ 0x102b04b40] component 0 1:1 id: -1 quant:0
[mjpeg @ 0x102b04b40] component 1 1:1 id: 0 quant:0
[mjpeg @ 0x102b04b40] pix fmt id 11110000
[mjpeg @ 0x102b04b40] Format gray16le chosen by get_format().
[mjpeg @ 0x102b04b40] marker parser used 14 bytes (112 bits)
[mjpeg @ 0x102b04b40] marker=c4 avail_size_in_buf=3776209
[mjpeg @ 0x102b04b40] class=0 index=0 nb_codes=14
[mjpeg @ 0x102b04b40] marker parser used 33 bytes (264 bits)
[mjpeg @ 0x102b04b40] marker=c4 avail_size_in_buf=3776174
[mjpeg @ 0x102b04b40] class=1 index=0 nb_codes=84
[mjpeg @ 0x102b04b40] marker parser used 103 bytes (824 bits)
[mjpeg @ 0x102b04b40] escaping removed 13475 bytes
[mjpeg @ 0x102b04b40] marker=da avail_size_in_buf=3776069
[mjpeg @ 0x102b04b40] component: -1
[mjpeg @ 0x102b04b40] component: 0
Process 68824 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
    frame #0: 0x0000000100ee8934 ffprobe_g`idctSparseColPut_int16_12bit(dest=0x0000000000000010, line_size=0, col=0x000000010480eb00) at simple_idct_template.c:271:13
   268
   269      IDCT_COLS;
   270
-> 271      dest[0] = av_clip_pixel((int)(a0 + b0) >> COL_SHIFT);
   272      dest += line_size;
   273      dest[0] = av_clip_pixel((int)(a1 + b1) >> COL_SHIFT);
   274      dest += line_size;
Target 0: (ffprobe_g) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
  * frame #0: 0x0000000100ee8934 ffprobe_g`idctSparseColPut_int16_12bit(dest=0x0000000000000010, line_size=0, col=0x000000010480eb00) at simple_idct_template.c:271:13
    frame #1: 0x0000000100ee8191 ffprobe_g`ff_simple_idct_put_int16_12bit(dest_="", line_size=0, block_=0x000000010480eb00) at simple_idct_template.c:342:9
    frame #2: 0x0000000100cdb626 ffprobe_g`mjpeg_decode_scan(s=0x000000010480e600, nb_components=2, Ah=0, Al=0, mb_bitmask=0x0000000000000000, mb_bitmask_size=0, reference=0x0000000000000000) at mjpegdec.c:1514:33
    frame #3: 0x0000000100cd88cc ffprobe_g`ff_mjpeg_decode_sos(s=0x000000010480e600, mb_bitmask=0x0000000000000000, mb_bitmask_size=0, reference=0x0000000000000000) at mjpegdec.c:1790:24
    frame #4: 0x0000000100cdcf53 ffprobe_g`ff_mjpeg_receive_frame(avctx=0x0000000102b04b40, frame=0x0000000102b04fc0) at mjpegdec.c:2623:24
    frame #5: 0x00000001008d590b ffprobe_g`decode_receive_frame_internal(avctx=0x0000000102b04b40, frame=0x0000000102b04fc0) at decode.c:532:15
    frame #6: 0x00000001008d5826 ffprobe_g`avcodec_send_packet(avctx=0x0000000102b04b40, avpkt=0x0000000102b04ad0) at decode.c:604:15
    frame #7: 0x0000000100f58e6e ffprobe_g`dng_decode_jpeg(avctx=0x00000001052070a0, frame=0x0000000105207590, tile_byte_count=3776298, dst_x=0, dst_y=0, w=4264, h=2408) at tiff.c:660:11
    frame #8: 0x0000000100f55778 ffprobe_g`tiff_unpack_strip(s=0x0000000105156000, p=0x0000000105207590, dst="", stride=8528, src="\xff\xd8\xff\xdb", size=3776298, strip_start=0, lines=2408) at tiff.c:850:20
    frame #9: 0x0000000100f4e1be ffprobe_g`decode_frame(avctx=0x00000001052070a0, p=0x0000000105207590, got_frame=0x00007ffeefbfed4c, avpkt=0x0000000102b04580) at tiff.c:1990:24
    frame #10: 0x00000001008d8b5c ffprobe_g`decode_simple_internal(avctx=0x00000001052070a0, frame=0x0000000105207590, discarded_samples=0x00007ffeefbfedb8) at decode.c:307:15
    frame #11: 0x00000001008d8858 ffprobe_g`decode_simple_receive_frame(avctx=0x00000001052070a0, frame=0x0000000105207590) at decode.c:515:15
    frame #12: 0x00000001008d5937 ffprobe_g`decode_receive_frame_internal(avctx=0x00000001052070a0, frame=0x0000000105207590) at decode.c:536:15
    frame #13: 0x00000001008d5826 ffprobe_g`avcodec_send_packet(avctx=0x00000001052070a0, avpkt=0x00007ffeefbfeed0) at decode.c:604:15
    frame #14: 0x00000001004e1ab3 ffprobe_g`try_decode_frame(s=0x0000000105206650, st=0x0000000105206cb0, avpkt=0x00000001052077e8, options=0x0000000105206c60) at demux.c:2053:19
    frame #15: 0x00000001004dfe26 ffprobe_g`avformat_find_stream_info(ic=0x0000000105206650, options=0x0000000105206c60) at demux.c:2746:9
    frame #16: 0x00000001000133e1 ffprobe_g`open_input_file(ifile=0x00007ffeefbff5b0, filename="/Users/jpk/Downloads/original.dng", print_filename=0x0000000000000000) at ffprobe.c:3316:15
    frame #17: 0x000000010000e302 ffprobe_g`probe_file(wctx=0x000000010e009a00, filename="/Users/jpk/Downloads/original.dng", print_filename=0x0000000000000000) at ffprobe.c:3420:11
    frame #18: 0x000000010000c87b ffprobe_g`main(argc=7, argv=0x00007ffeefbff6b8) at ffprobe.c:4148:19
    frame #19: 0x00007fff20646f3d libdyld.dylib`start + 1
    frame #20: 0x00007fff20646f3d libdyld.dylib`start + 1
(lldb) frame variable
(uint16_t *) dest = 0x0000000000000010
(ptrdiff_t) line_size = 0
(int16_t *) col = 0x000000010480eb00
(unsigned int) a0 = 42902265
(unsigned int) a1 = 42157125
(unsigned int) a2 = 42316201
(unsigned int) a3 = 41833197
(unsigned int) b0 = 456858
(unsigned int) b1 = 434488
(unsigned int) b2 = 4294272359
(unsigned int) b3 = 4294222919
(lldb)
```
mediainfo metadata:
```
➜ ~/code/__non_fio/ffmpeg/ffmpeg-git git:(1bad30dbe3) mediainfo ~/Downloads/original.dng
General
Complete name : /Users/jpk/Downloads/original.dng
Format : TIFF
File size : 3.61 MiB
Writing application : SONY RAW convertor
Writing library : ILCE-7SM3
FileExtension_Invalid : tiff tif

Image
Format : JPEG (ISO)
Format settings : Little
Width : 4 264 pixels
Height : 2 408 pixels
Bit depth : 16 bits
Density : 96 dpi
```
ImageMagick metadata:
```
➜ ~/code/__non_fio/ffmpeg/ffmpeg-git git:(1bad30dbe3) convert ~/Downloads/original.dng json:
[{
  "version": "1.0",
  "image": {
    "name": "/Users/jpk/Downloads/original.dng",
    "format": "DNG",
    "formatDescription": "Digital Negative",
    "class": "DirectClass",
    "geometry": { "width": 4264, "height": 2408, "x": 0, "y": 0 },
    "units": "Undefined",
    "type": "Palette",
    "endianness": "Undefined",
    "colorspace": "sRGB",
    "depth": 16,
    "baseDepth": 16,
    "channelDepth": { "red": 11, "green": 16, "blue": 14 },
    "pixels": 10267712,
    "imageStatistics": {
      "all": { "min": 0, "max": 65535, "mean": 29.19, "standardDeviation": 1330.98, "kurtosis": 2240.14, "skewness": 47.3509, "entropy": 0.00347813 }
    },
    "channelStatistics": {
      "red": { "min": 0, "max": 65535, "mean": 48.2214, "standardDeviation": 1776.98, "kurtosis": 1354.06, "skewness": 36.8244, "entropy": 0.00550377 },
      "green": { "min": 0, "max": 65535, "mean": 28.0433, "standardDeviation": 1355.34, "kurtosis": 2331.9, "skewness": 48.3102, "entropy": 0.00341168 },
      "blue": { "min": 0, "max": 65535, "mean": 11.3053, "standardDeviation": 860.631, "kurtosis": 5792.25, "skewness": 76.1191, "entropy": 0.00151895 }
    },
    "renderingIntent": "Perceptual",
    "gamma": 0.454545,
    "chromaticity": {
      "redPrimary": { "x": 0.64, "y": 0.33 },
      "greenPrimary": { "x": 0.3, "y": 0.6 },
      "bluePrimary": { "x": 0.15, "y": 0.06 },
      "whitePrimary": { "x": 0.3127, "y": 0.329 }
    },
    "backgroundColor": "#FFFFFFFFFFFF",
    "borderColor": "#DFDFDFDFDFDF",
    "matteColor": "#BDBDBDBDBDBD",
    "transparentColor": "#000000000000",
    "interlace": "None",
    "intensity": "Undefined",
    "compose": "Over",
    "pageGeometry": { "width": 4264, "height": 2408, "x": 0, "y": 0 },
    "dispose": "Undefined",
    "iterations": 0,
    "compression": "Undefined",
    "orientation": "Undefined",
    "properties": {
      "date:create": "2022-09-07T15:16:02+00:00",
      "date:modify": "2022-08-31T18:42:20+00:00",
      "dng:camera.model.name": "ILCE-7SM3",
      "dng:create.date": "1970-01-01T00:00:00+00:00",
      "dng:exposure.time": "1/1000000000000.0",
      "dng:f.number": "dng",
      "dng:focal.length": "0.0",
      "dng:focal.length.in.35mm.format": "0 mm",
      "dng:iso.setting": "0.0",
      "dng:lens": "0.0-0.0mm f/0.0-0.0",
      "dng:lens.f.stops": "0.00",
      "dng:make": "Sony",
      "dng:max.aperture.at.max.focal": "0.0",
      "dng:max.aperture.at.min.focal": "0.0 mm",
      "dng:max.aperture.value": "0.0",
      "dng:max.focal.length": "0.0 mm",
      "dng:min.focal.length": "0.0 mm",
      "dng:software": "RAW convertor",
      "dng:wb.rb.levels": "2.392578 1.569336 1.000000 0.000000",
      "signature": "cba58a106be84cda148144a21c48f7dc98b64eeef416c2e89f9814af3c44de2e"
    },
    "artifacts": { "filename": "/Users/jpk/Downloads/original.dng" },
    "tainted": false,
    "filesize": "3785330B",
    "numberPixels": "10.2677M",
    "pixelsPerSecond": "8.47782MB",
    "userTime": "1.190u",
    "elapsedTime": "0:02.211",
    "version": "ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org"
  }
}
```
Attachments (1)
Change History (9)
follow-up: 2 comment:1 by , 21 months ago
Where is the sample, Mr. Adobe guy?
comment:2 by , 21 months ago
Replying to Balling:
Where is the sample, Mr. Adobe guy?
Unfortunately, the file that reproduces this is a customer asset, so I can't share it. :(
The debugger output as well as some additional metadata is included in hopes those things are enough. If not, I'll see what I can do.
follow-up: 6 comment:3 by , 20 months ago
Did you try to cut the input file or overwrite parts of it?
Note that I am not aware of many tickets not using copyrighted samples.
follow-up: 5 comment:4 by , 20 months ago
Does it work with other DNG files? I'm asking because I never saw an example for successfully importing a DNG file in FFmpeg.
comment:5 by , 20 months ago
Replying to Michael Koch:
Does it work with other DNG files? I'm asking because I never saw an example for successfully importing a DNG file in FFmpeg.
Please note color management is not done, that is #4364.
by , 20 months ago
Attachment: | ticket-9917-ffprobe-crash-01.dng.gz added |
---|
This is an example file for reproducing the crash described in ticket #9917. It is gzipped, so a simple 'gunzip' will inflate it back to the dng file that repros the crash.
comment:6 by , 20 months ago
Replying to Carl Eugen Hoyos:
Did you try to cut the input file or overwrite parts of it?
Note that I am not aware of many tickets not using copyrighted samples.
Ah, hadn't considered that! At your suggestion, I fiddled around a little bit and found a byte range I could overwrite but still get the crash. The file is 3785330 bytes long, and overwriting [243, 3776306) with null bytes leaves the metadata largely intact and the crash still happens (the backtrace looks the same to me).
Since the file is a little larger than the ticket attachment limit of 2.5MB, I gzipped it and attached that. A simple 'gunzip' will inflate it back to the dng file that reproduces the crash.
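The scrubbing step described in comment:6, as an added example that is not part of the original ticket or of FFmpeg: it overwrites a half-open byte range with null bytes while keeping the file length, then gzips the result for upload. The function names, file names and sample data are assumptions made for this example.

```python
import gzip
import os
import shutil
import tempfile

CHUNK = 1 << 20  # work in 1 MiB pieces so a large sample is never loaded whole


def zero_range(src, dst, start, end):
    """Copy src to dst with the half-open byte range [start, end) set to 0x00."""
    size = os.path.getsize(src)
    if not 0 <= start <= end <= size:
        raise ValueError(f"[{start}, {end}) is outside a {size}-byte file")
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        left = start
        while left > 0:                       # head: copied unchanged
            buf = fin.read(min(CHUNK, left))
            fout.write(buf)
            left -= len(buf)
        left = end - start
        while left > 0:                       # scrubbed span: same length, all zeros
            n = min(CHUNK, left)
            fout.write(bytes(n))
            left -= n
        fin.seek(end)
        shutil.copyfileobj(fin, fout, CHUNK)  # tail: copied unchanged
    return dst


def gzip_file(path):
    """Compress path to path + '.gz' for upload; gunzip restores it byte for byte."""
    with open(path, "rb") as fin, gzip.open(path + ".gz", "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)
    return path + ".gz"


def demo():
    """Run on a constructed 10200-byte stand-in file (not the ticket's DNG)."""
    data = bytes(range(1, 256)) * 40          # constructed sample with no zero bytes
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "original.bin"), os.path.join(d, "scrubbed.bin")
        with open(src, "wb") as f:
            f.write(data)
        zero_range(src, dst, 243, 9000)
        with open(dst, "rb") as f:
            scrubbed = f.read()
        with gzip.open(gzip_file(dst), "rb") as f:
            return data, scrubbed, f.read()
```

For the file in this ticket the call would be `zero_range("original.dng", "scrubbed.dng", 243, 3776306)`, with hypothetical file names. Re-run ffprobe on the result to confirm the crash and backtrace are unchanged, and inspect the bytes left outside the range, since the metadata there is shared as-is.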
comment:7 by , 20 months ago
Component: | undetermined → avcodec |
---|---|
Keywords: | crash tif mjpeg SIGSEGV added |
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
Regression since 9280e4b2918cb3d84b4ea082f4b06e9e6f4f62b8
comment:8 by , 17 months ago
Resolution: | → fixed |
---|---|
Status: | open → closed |