#394 closed defect (fixed)
SIGSEGV crash in h264 decoder
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Component: | libavcodec |
| Version: | unspecified | Severity: | normal |
| Keywords: | Cc: | diego@… | |
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
I’ve got a SIGSEGV decoding h264, the stream was generated by x264.
The following stream was recorded live and begins from the middle:
http://bule.ip.tv/~dario/dump.SIGSEGV.h264
the following command line reproduces the fault (the source code is updated
from cvs as of 09/05/2005 08:13pm GMT-3).
$ ./ffmpeg -i dump.SIGSEGV.h264 -f null dump.SIGSEGV.h264.null
ffmpeg version CVS, build 3211266, Copyright (c) 2000-2004 Fabrice Bellard
configuration: --disable-ffserver --disable-ffplay --enable-memalign-hack --
enable-mingw32 --source-path=c:/cygwin/home/dario/ffmpeg
built on Sep 5 2005 19:18:54, gcc: 3.2.3 (mingw special 20030504-1)
Input #0, h264, from 'dump.SIGSEGV.h264':
Duration: N/A, bitrate: N/A
Stream #0.0: Video: h264, yuv420p, 320x240, 10.00 fps
Output #0, null, to 'dump.SIGSEGV.h264.null':
Stream #0.0: Video: rawvideo, yuv420p, 320x240, 10.00 fps, q=2-31, 200 kb/s
Stream mapping:
frame= 104 q=0.0 size= 0kB time=10.4 bitrate= 0.0kbits/s
Here are the requested bug reporting data:
(gdb) r -i dump.SIGSEGV.h264 -f null dump.SIGSEGV.h264.null
Starting program: C:\cygwin\home\dario\ffmpeg/ffmpeg_g.exe -i
dump.SIGSEGV.h264 -f null dump.SIGSEGV.h264.null
Program received signal SIGSEGV, Segmentation fault.
decode_frame (avctx=0x3de270, data=0x22f9d0, data_size=0x22f898,
buf=0xe66ac8 "", buf_size=895) at h264.c:7553
| h->delayed_pic[i]- |
(gdb) bt
#0 decode_frame (avctx=0x3de270, data=0x22f9d0, data_size=0x22f898,
buf=0xe66ac8 "", buf_size=895) at h264.c:7553
#1 0x0045d69a in avcodec_decode_video (avctx=0x3de270, picture=0x22f9d0,
got_picture_ptr=0x22f898, buf=0xe66ac8 "", buf_size=895) at utils.c:625
#2 0x0040cda9 in output_packet (ist=0xd5ced0, ist_index=0,
ost_table=0xd31d60, nb_ostreams=1, pkt=0x22fb30) at ffmpeg.c:1266
#3 0x00406026 in av_encode (output_files=0x7100f0, nb_output_files=1,
input_files=0x710000, nb_input_files=1, stream_maps=0x710140,
nb_stream_maps=0) at ffmpeg.c:2102
#4 0x004048e5 in main (argc=6, argv=0x3d2de0) at ffmpeg.c:4520
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x5d53d6 to 0x5d5416:
0x5d53d6 <decode_frame+438>: out %al,(%dx)
0x5d53d7 <decode_frame+439>: add %eax,(%eax)
0x5d53d9 <decode_frame+441>: inc %esi
0x5d53da <decode_frame+442>: mov %esi,0xffffffd8(%ebp)
0x5d53dd <decode_frame+445>: test %ecx,%ecx
0x5d53df <decode_frame+447>: jne 0x5d53e8 <decode_frame+456>
0x5d53e1 <decode_frame+449>: movl $0x1,0x50(%eax)
0x5d53e8 <decode_frame+456>: mov 0x1ee18(%ebx),%eax
0x5d53ee <decode_frame+462>: xor %ecx,%ecx
0x5d53f0 <decode_frame+464>: test %eax,%eax
0x5d53f2 <decode_frame+466>: je 0x5d541a <decode_frame+506>
0x5d53f4 <decode_frame+468>: mov %eax,%esi
0x5d53f6 <decode_frame+470>: mov 0x30(%esi),%edx
0x5d53f9 <decode_frame+473>: test %edx,%edx
0x5d53fb <decode_frame+475>: jne 0x5d5407 <decode_frame+487>
0x5d53fd <decode_frame+477>: mov 0xe4(%esi),%edi
0x5d5403 <decode_frame+483>: test %edi,%edi
0x5d5405 <decode_frame+485>: jne 0x5d540e <decode_frame+494>
0x5d5407 <decode_frame+487>: movl $0x1,0xffffffd4(%ebp)
0x5d540e <decode_frame+494>: inc %ecx
0x5d540f <decode_frame+495>: mov 0x1ee18(%ebx,%ecx,4),%esi
End of assembler dump.
(gdb) info all-registers
eax 0xda51b0 14307760
ecx 0x11 17
edx 0x0 0
ebx 0xd84fc0 14176192
esp 0x22f7a0 0x22f7a0
ebp 0x22f7d8 0x22f7d8
esi 0x1 1
edi 0x32 50
eip 0x5d53f6 0x5d53f6
eflags 0x10202 66050
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0 0
st0 -nan(0x6e6e6e6e6e6e6e6e) (raw 0xffff6e6e6e6e6e6e6e6e)
st1 -nan(0x6e6e6e6e6e6e6e6e) (raw 0xffff6e6e6e6e6e6e6e6e)
st2 -nan(0x6e68566b686b6c72) (raw 0xffff6e68566b686b6c72)
st3 -nan(0x6e00680056006b) (raw 0xffff006e00680056006b)
st4 0 (raw 0xffff0000000000000000)
st5 0 (raw 0xffff0000000000000000)
st6 0 (raw 0xffff0000000000000000)
st7 0 (raw 0xffff0000000000000000)
fctrl 0xffff037f -64641
fstat 0xffff0020 -65504
ftag 0xffffffff -1
fiseg 0x1b 27
fioff 0x4065e9 4220393
foseg 0xffff0023 -65501
fooff 0xd5cf08 14012168
fop 0x1ca 458
(gdb) l h264.c:7550
7545 }
7546
7547 while(h->delayed_pic[pics]) pics++;
7548 h->delayed_pic[pics++] = cur;
7549 if(cur->reference == 0)
7550 cur->reference = 1;
7551
7552 for(i=0; h->delayed_pic[i]; i++)
| h->delayed_pic[i]- |
7554 cross_idr = 1;
7555
7556 out = h->delayed_pic[0];
7557 for(i=1; h->delayed_pic[i] && !h->delayed_pic[i]->key_frame;
i++)
7558 if(h->delayed_pic[i]->poc < out->poc){
7559 out = h->delayed_pic[i];
7560 out_idx = i;
7561 }
7562
7563 out_of_order = !cross_idr && prev && out->poc < prev->poc;
7564 if(prev && pics <= s->avctx->has_b_frames)
(gdb) info locals
out = (Picture *) 0xffffffff
cur = (Picture *) 0xda61a0
prev = (Picture *) 0xda6338
out_idx = 0
pics = 16
cross_idr = 0
dropped_frame = 0
s = (MpegEncContext *) 0xd84fc0
buf_index = 895
buf_index = 895
(gdb) out h
(H264Context *) 0xda51b0
(gdb) out h->delayed_pic
{0xbaadf00d <repeats 16 times>}
Attachments (1)
Change History (7)
by , 19 years ago
| Attachment: | dump.SIGSEGV.h264 added |
|---|
comment:2 by , 18 years ago
| Cc: | added |
|---|---|
| op_sys: | MinGW → All |
| Owner: | changed from to |
Loren, can you look into this? I have verified this crash to still occur on
Linux x86 and PPC with latest CVS.
comment:3 by , 18 years ago
| Status: | new → assigned |
|---|
No longer crashes.
This particular stream dump is broken beyond repair: about 25% of all frames are
missing, including most of the I-frames.
The frame reordering code is still wrong in the presence of any dropped frames
at all, so I'll look into heuristics for salvaging less thoroughly broken streams.
comment:5 by , 18 years ago
Thanks a lot guys. I believe the provided patch have fixed the problem, there
were no more crashes since then.
Thanks again.
Live partial h264 stream dump