Opened 11 years ago

Closed 11 years ago

#997 closed defect (fixed)

ffprobe -show_frames segfaults on h264 in mpegts

Reported by: Petter Ericson Owned by: stefano
Priority: normal Component: ffprobe
Version: git-master Keywords: h264, mpegts
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: yes


The file
produces a segfault when ffprobe -show_frames is run on it. See below for details.

Given the backtraces shown below, I am pretty sure that avcodec_decode_video2 is called from get_decoded_frame at a time it shouldn't be, but I have not been able to decipher from ffmpeg.c/ffplay.c the exact conditions under which calls should be made or not. A simple (but probably wrong) fix would be to check s0->current_picture_ptr at some point in decode_slice_header, and return if set to NULL.

The file further gives a number of... interesting effects, for the other ff* programs:

ffplay plays it more or less correctly, but is unable to seek properly, in most cases.

There are a number of known issues with the file, such as DTS discontinuities, but my knowledge of MPEG-TS and h264 is not deep enough to determine if they are actually enough to break any standards The fact that ffplay can play it properly speaks against this, but up until very recently, ffmpeg had issues transcoding this specific file: a visible audio lag. I do not have the time at this moment to bisect properly, but the issue was present in git 2cbe9121... at the very least.

ffprobe version N-37608-g0b717e2 Copyright (c) 2007-2012 the FFmpeg developers

built on Feb 13 2012 10:19:14 with gcc 4.5.2
configuration: --enable-shared --enable-debug --disable-stripping --enable-gpl --enable-version3 --enable-nonfree --enable-postproc --enable-libfaac --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libtheora --enable-libvorbis --enable-libx264 --enable-libxvid --enable-x11grab --enable-libvorbis --enable-libvpx --enable-debug --disable-asm --disable-stripping
libavutil 51. 39.100 / 51. 39.100
libavcodec 54. 1.100 / 54. 1.100
libavformat 54. 0.100 / 54.100.100
libavdevice 53. 4.100 / 53. 4.100
libavfilter 2. 62.100 / 2. 62.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 6.100 / 0. 6.100
libpostproc 52. 0.100 / 52. 0.100

Backtrace from segfaulting thread

#0  0x00007f9356b4fc68 in decode_slice_header (h=0xb016f0, h0=<value optimized out>)
    at /home/pettter/dev/ffmpeg-official/libavcodec/h264.c:2945
#1  0x00007f9356b5202f in decode_nal_units (h=0xb016f0, buf=0x13b8880 "", buf_size=3822)
    at /home/pettter/dev/ffmpeg-official/libavcodec/h264.c:3883
#2  0x00007f9356b52d8e in decode_frame (avctx=0x90ebd0, data=0x999850, data_size=0x999a38, 
    avpkt=<value optimized out>) at /home/pettter/dev/ffmpeg-official/libavcodec/h264.c:4095
#3  0x00007f9356cbab3e in frame_worker_thread (arg=0x9996f0)
    at /home/pettter/dev/ffmpeg-official/libavcodec/pthread.c:385
#4  0x00007f9355bf5d8c in start_thread (arg=0x7f934dcfa700) at pthread_create.c:304
#5  0x00007f935594104d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#6  0x0000000000000000 in ?? ()

backtrace from main thread:

#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x00007f9356cba7bb in submit_packet (avctx=0x90bfa0, picture=0x7fffe4a3eab0, 
    got_picture_ptr=0x7fffe4a3edbc, avpkt=<value optimized out>)
    at /home/pettter/dev/ffmpeg-official/libavcodec/pthread.c:551
#2  ff_thread_decode_frame (avctx=0x90bfa0, picture=0x7fffe4a3eab0, 
    got_picture_ptr=0x7fffe4a3edbc, avpkt=<value optimized out>)
    at /home/pettter/dev/ffmpeg-official/libavcodec/pthread.c:616
#3  0x00007f9356d4c4b1 in avcodec_decode_video2 (avctx=0x90bfa0, picture=0x7fffe4a3eab0, 
    got_picture_ptr=0x7fffe4a3edbc, avpkt=0x7fffe4a3eca0)
    at /home/pettter/dev/ffmpeg-official/libavcodec/utils.c:1338
#4  0x0000000000405dc8 in get_decoded_frame (w=0x908340, fmt_ctx=0x9083a0)
    at /home/pettter/dev/ffmpeg-official/ffprobe.c:1352
#5  show_packets (w=0x908340, fmt_ctx=0x9083a0) at /home/pettter/dev/ffmpeg-official/ffprobe.c:1378
#6  0x0000000000407577 in probe_file (argc=<value optimized out>, argv=<value optimized out>)
    at /home/pettter/dev/ffmpeg-official/ffprobe.c:1618
#7  main (argc=<value optimized out>, argv=<value optimized out>)
    at /home/pettter/dev/ffmpeg-official/ffprobe.c:1816

Change History (6)

comment:1 by Petter Ericson, 11 years ago

I have found what appears to be the cause - ffprobe calls avcodec_decode_video2 with a packet with size == 0. Patch coming to the list once I figure out how to do so properly.

comment:2 by Carl Eugen Hoyos, 11 years ago

Reproduced by developer: set
Status: newopen

comment:3 by Cigaes, 11 years ago

A slightly different patch was just applied to the Git repository. Can you check that it fixes the bug for you?

comment:4 by Petter Ericson, 11 years ago

Confirmed - it no longer crashes on the file. Out of curiousity, which diff was the supposed fix?

comment:6 by Stefano Sabatini, 11 years ago

Analyzed by developer: set
Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.