Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#443 closed defect (invalid)

mencoder -audiofile parameter leads to a "double free" crash

Reported by: mplayer@… Owned by: moritz@…
Priority: normal Component: demuxer
Version: 1.0pre7 Severity: critical
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description

Using the "-audiofile" parameter in mencoder leads to the following crash:

$ mencoder -ovc copy -oac copy -audiofile test.wav -o out.avi test.avi
...
Video stream: ...
Audio stream: ...
* glibc detected * double free or corruption (!prev): 0x086c0308 *

The backtrace below shows the circular call to free_demuxer():

(gdb) bt
#0 free_demuxer (demuxer=0x85b9bb8) at demuxer.c:271
#1 0x08133a42 in demux_close_demuxers (demuxer=0x85ba630) at
demux_demuxers.c:95
#2 0x0810cd91 in free_demuxer (demuxer=0x85ba630) at demuxer.c:228
#3 0x0806f005 in main (argc=3, argv=0x3) at mencoder.c:1907

(I added in debugging code, so the line numbers may be a bit off)

This is probably a bug in demux_demuxers.c:demux_close_demuxers():

That's a hack to free the audio file stream
It's ok atm but we shouldn't free that here
s = priv->ad->stream;
free_demuxer(priv->ad);


I tried using mplayer from CVS, but it didn't compile for me. However, the
above code segment still exists in the latest CVS revision.

Change History (2)

comment:1 by mplayer@…, 18 years ago

I've debugged some more, and I now have the impression that the problem isn't
about a circular call to free_demuxer() -- however it happens, though, the
following function is being called twice with the same address:

demuxer.c:free_demuxer(demuxer_t *demuxer):

free_demuxer_stream(demuxer->audio);


comment:2 by mplayer@…, 18 years ago

Resolution: invalid
Status: newclosed

Looking through the CVS code, it looks like the problem has been fixed, though
like I said, CVS isn't compiling for me. I'll close the bug and hope it's
really fixed.

Note: See TracTickets for help on using tickets.