Opened 8 years ago

Closed 8 years ago

#2262 closed defect (fixed)

mjpeg: crash with fuzzed file

Reported by: ami_stuff
Owned by: beastd
Priority: normal
Component: undetermined
Version: HEAD
Severity: blocker
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

http://www.datafilehost.com/d/96f71392

Movie-Aspect is 1.33:1 - prescaling to correct movie aspect.
VO: [x11] 320x240 => 320x240 BGRA 
[mjpeg @ 0xe4c360]decode_sos: index(1) out of components
==9326== Invalid read of size 1
==9326==    at 0x72BC60: ff_mjpeg_decode_frame (mjpegdec.c:2276)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326==  Address 0x624d630 is 161,120 bytes inside a block of size 165,120 free'd
==9326==    at 0x482750C: free (vg_replace_malloc.c:427)
==9326==    by 0x303125: vf_get_image (vf.c:367)
==9326==    by 0x301048: mpcodecs_get_image (vd.c:399)
==9326==    by 0x3B451D: get_buffer (vd_ffmpeg.c:755)
==9326==    by 0x8456F5: ff_get_buffer (utils.c:928)
==9326==    by 0x726D22: ff_mjpeg_decode_sof (mjpegdec.c:607)
==9326==    by 0x72B45F: ff_mjpeg_decode_frame (mjpegdec.c:2077)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326== 
==9326== Invalid read of size 1
==9326==    at 0x72BC68: ff_mjpeg_decode_frame (mjpegdec.c:2276)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326==  Address 0x62440d0 is 122,880 bytes inside a block of size 165,120 free'd
==9326==    at 0x482750C: free (vg_replace_malloc.c:427)
==9326==    by 0x303125: vf_get_image (vf.c:367)
==9326==    by 0x301048: mpcodecs_get_image (vd.c:399)
==9326==    by 0x3B451D: get_buffer (vd_ffmpeg.c:755)
==9326==    by 0x8456F5: ff_get_buffer (utils.c:928)
==9326==    by 0x726D22: ff_mjpeg_decode_sof (mjpegdec.c:607)
==9326==    by 0x72B45F: ff_mjpeg_decode_frame (mjpegdec.c:2077)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326== 
==9326== Invalid write of size 1
==9326==    at 0x72BC6C: ff_mjpeg_decode_frame (mjpegdec.c:2276)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326==  Address 0x624d630 is 161,120 bytes inside a block of size 165,120 free'd
==9326==    at 0x482750C: free (vg_replace_malloc.c:427)
==9326==    by 0x303125: vf_get_image (vf.c:367)
==9326==    by 0x301048: mpcodecs_get_image (vd.c:399)
==9326==    by 0x3B451D: get_buffer (vd_ffmpeg.c:755)
==9326==    by 0x8456F5: ff_get_buffer (utils.c:928)
==9326==    by 0x726D22: ff_mjpeg_decode_sof (mjpegdec.c:607)
==9326==    by 0x72B45F: ff_mjpeg_decode_frame (mjpegdec.c:2077)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326== 
==9326== Invalid write of size 1
==9326==    at 0x72BC74: ff_mjpeg_decode_frame (mjpegdec.c:2276)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326==  Address 0x62440d0 is 122,880 bytes inside a block of size 165,120 free'd
==9326==    at 0x482750C: free (vg_replace_malloc.c:427)
==9326==    by 0x303125: vf_get_image (vf.c:367)
==9326==    by 0x301048: mpcodecs_get_image (vd.c:399)
==9326==    by 0x3B451D: get_buffer (vd_ffmpeg.c:755)
==9326==    by 0x8456F5: ff_get_buffer (utils.c:928)
==9326==    by 0x726D22: ff_mjpeg_decode_sof (mjpegdec.c:607)
==9326==    by 0x72B45F: ff_mjpeg_decode_frame (mjpegdec.c:2077)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326== 
==9326== Invalid read of size 1
==9326==    at 0x72BC7C: ff_mjpeg_decode_frame (mjpegdec.c:2275)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326==  Address 0x624d632 is 161,122 bytes inside a block of size 165,120 free'd
==9326==    at 0x482750C: free (vg_replace_malloc.c:427)
==9326==    by 0x303125: vf_get_image (vf.c:367)
==9326==    by 0x301048: mpcodecs_get_image (vd.c:399)
==9326==    by 0x3B451D: get_buffer (vd_ffmpeg.c:755)
==9326==    by 0x8456F5: ff_get_buffer (utils.c:928)
==9326==    by 0x726D22: ff_mjpeg_decode_sof (mjpegdec.c:607)
==9326==    by 0x72B45F: ff_mjpeg_decode_frame (mjpegdec.c:2077)
==9326==    by 0x8473AD: avcodec_decode_video2 (utils.c:2445)
==9326==    by 0x3B388C: decode (vd_ffmpeg.c:957)
==9326==    by 0x5ADBB27: ???
==9326== 

Exiting... (End of file)
==9326== 
==9326== HEAP SUMMARY:
==9326==     in use at exit: 188,304 bytes in 864 blocks
==9326==   total heap usage: 25,876 allocs, 25,012 frees, 72,581,186 bytes allocated
==9326== 
==9326== 6 bytes in 1 blocks are definitely lost in loss record 12 of 516
==9326==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==9326==    by 0x4F6987F: strdup (strdup.c:43)
==9326==    by 0x39559B: get_term_charset (getch2.c:317)
==9326==    by 0x4F08E15: (below main) (libc-start.c:244)
==9326== 
==9326== 20 bytes in 1 blocks are possibly lost in loss record 144 of 516
==9326==    at 0x4827E54: operator new(unsigned int) (vg_replace_malloc.c:282)
==9326==    by 0x52F72C4: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x52F9569: char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x52F9641: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x6C73D74: llvm::Module::Module(llvm::StringRef, llvm::LLVMContext&) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x6C123C1: LLVMModuleCreateWithNameInContext (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x6643818: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x6643A22: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x63DE5BC: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x63F888F: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x639A8D9: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x6396FF2: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326== 
==9326== 22 bytes in 1 blocks are definitely lost in loss record 153 of 516
==9326==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==9326==    by 0x4F6987F: strdup (strdup.c:43)
==9326==    by 0x2DC5B5: copy_str (m_option.c:419)
==9326==    by 0x2D97EF: m_config_add_option (m_option.h:518)
==9326==    by 0x2DA200: m_config_register_options (m_config.c:380)
==9326==    by 0x4F08E15: (below main) (libc-start.c:244)
==9326== 
==9326== 30 bytes in 1 blocks are possibly lost in loss record 208 of 516
==9326==    at 0x4827E54: operator new(unsigned int) (vg_replace_malloc.c:282)
==9326==    by 0x52F72C4: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x52F9569: char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x52F9641: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x6D43AD9: llvm::Twine::str() const (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x6D42091: llvm::Triple::setTriple(llvm::Twine const&) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x668A350: llvm::JIT::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, std::string*) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x667A872: llvm::JIT::createJIT(llvm::Module*, std::string*, llvm::JITMemoryManager*, llvm::CodeGenOpt::Level, bool, llvm::CodeModel::Model, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&) (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x66906CA: llvm::EngineBuilder::create() (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x669BE3D: LLVMCreateJITCompilerForModule (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x669C032: LLVMCreateJITCompiler (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326==    by 0x6643959: ??? (in /usr/lib/i386-linux-gnu/dri/swrast_dri.so)
==9326== 
==9326== 30 bytes in 1 blocks are possibly lost in loss record 209 of 516
==9326==    at 0x4827E54: operator new(unsigned int) (vg_replace_malloc.c:282)
==9326==    by 0x52F72C4: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x52F9569: char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x52F9641: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17)
==9326==    by 0x2F748AFF: ???
==9326== 
==9326== 112 bytes in 1 blocks are definitely lost in loss record 358 of 516
==9326==    at 0x4826A68: calloc (vg_replace_malloc.c:566)
==9326==    by 0x4E858B5: ??? (in /usr/lib/i386-linux-gnu/libGL.so.1.2)
==9326== 
==9326== 400 bytes in 1 blocks are definitely lost in loss record 406 of 516
==9326==    at 0x4828308: malloc (vg_replace_malloc.c:263)
==9326==    by 0x4BDDE90: XGetVisualInfo (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4E61AF4: ??? (in /usr/lib/i386-linux-gnu/libGL.so.1.2)
==9326== 
==9326== 980 (68 direct, 912 indirect) bytes in 1 blocks are definitely lost in loss record 482 of 516
==9326==    at 0x48283EE: realloc (vg_replace_malloc.c:632)
==9326==    by 0x4BF3131: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BF3604: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BF513D: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BF5A3B: _XlcCreateLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4C18797: _XlcUtf8Loader (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BFD7BC: _XOpenLC (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BFDA4A: _XrmInitParseInfo (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BE496D: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BE8164: XrmGetStringDatabase (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BC409B: ??? (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326==    by 0x4BC42B6: XGetDefault (in /usr/lib/i386-linux-gnu/libX11.so.6.3.0)
==9326== 
==9326== LEAK SUMMARY:
==9326==    definitely lost: 608 bytes in 5 blocks
==9326==    indirectly lost: 912 bytes in 34 blocks
==9326==      possibly lost: 80 bytes in 3 blocks
==9326==    still reachable: 186,704 bytes in 822 blocks
==9326==         suppressed: 0 bytes in 0 blocks
==9326== Reachable blocks (those to which a pointer was found) are not shown.
==9326== To see them, rerun with: --leak-check=full --show-reachable=yes
==9326== 
==9326== For counts of detected and suppressed errors, rerun with: -v
==9326== ERROR SUMMARY: 307208 errors from 13 contexts (suppressed: 143 from 13)
(gdb) r inteljpeg_fuzz.avi
Starting program: /media/sdb1/mplayer/mplayer inteljpeg_fuzz.avi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
MPlayer 1.2-4.7 (C) 2000-2015 MPlayer Team

Playing inteljpeg_fuzz.avi.
libavformat version 56.40.101 (internal)
AVI file format detected.
[aviheader] Video stream found, -vid 0
[aviheader] Audio stream found, -aid 1
VIDEO:  [IJLV]  320x240  24bpp  23.970 fps  1849.8 kbps (225.8 kbyte/s)
Load subtitles in ./
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 56.60.100 (internal)
Selected video codec: [ffmjpeg] vfm: ffmpeg (FFmpeg MJPEG)
==========================================================================
==========================================================================
Requested audio codec family [mpg123] (afm=mpg123) not available.
Enable it at compilation.
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
[mp3float @ 0x80d44360]Header missing
AUDIO: 44100 Hz, 2 ch, floatle, 128.0 kbit/4.54% (ratio: 16000->352800)
Selected audio codec: [ffmp3float] afm: ffmpeg (FFmpeg MPEG layer-3 audio)
==========================================================================
AO: [oss] 44100Hz 2ch s16le (2 bytes per sample)
Starting playback...
[mp3float @ 0x80d44360]overread, skip -6 enddists: -3 -3
[mp3float @ 0x80d44360]overread, skip -7 enddists: -4 -4
[mp3float @ 0x80d44360]overread, skip -6 enddists: -4 -4
[mp3float @ 0x80d44360]Header missing
[mp3float @ 0x80d44360]overread, skip -7 enddists: -5 -5
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: [scale]
Movie-Aspect is undefined - no prescaling applied.
[swscaler @ 0x80e5d580]bicubic scaler, from yuv422p to bgra using MMXEXT
[swscaler @ 0x80e5d580]using unscaled yuv422p -> bgra special converter
VO: [x11] 320x240 => 320x240 BGRA 
[mjpeg @ 0x80d44360]overread 394
[mjpeg @ 0x80d44360]EOI missing, emulating
Movie-Aspect is 1.33:1 - prescaling to correct movie aspect.
VO: [x11] 320x240 => 320x240 BGRA 
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
New_Face failed. Maybe the font path is wrong.
Please supply the text font file (~/.mplayer/subfont.ttf).
subtitle font: load_sub_face failed.
A:   0.1 V:   0.0 A-V:  0.135 ct:  0.000   1/  1 ??% ??% ??,?% 0 0 
[...]
Movie-Aspect is 1.33:1 - prescaling to correct movie aspect.
*** glibc detected *** /media/sdb1/mplayer/mplayer: corrupted double-linked list: 0x8170f1d8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6f82a)[0xb783e82a]
/lib/i386-linux-gnu/libc.so.6(+0x6fc7a)[0xb783ec7a]
/lib/i386-linux-gnu/libc.so.6(+0x71db5)[0xb7840db5]
/lib/i386-linux-gnu/libc.so.6(+0x73037)[0xb7842037]
/lib/i386-linux-gnu/libc.so.6(__libc_memalign+0xc4)[0xb78437f4]
/lib/i386-linux-gnu/libc.so.6(posix_memalign+0x49)[0xb7843a59]
/media/sdb1/mplayer/mplayer(+0xa7c6c8)[0x80a7c6c8]
======= Memory map: ========
80000000-80f4c000 r-xp 00000000 08:11 2008       /media/sdb1/mplayer/mplayer
80f4c000-80f70000 rw-p 00f4c000 08:11 2008       /media/sdb1/mplayer/mplayer
80f70000-817b7000 rw-p 00000000 00:00 0          [heap]
b5700000-b5721000 rw-p 00000000 00:00 0 
b5721000-b5800000 ---p 00000000 00:00 0 
b5827000-b59a9000 rw-p 00000000 00:00 0 
b5a1f000-b5a6b000 rw-p 00000000 00:00 0 
b5a6b000-b5ab6000 rw-s 00000000 00:04 655365     /SYSV00000000 (deleted)
b5ab6000-b5c4e000 rw-p 00000000 00:00 0 
b5c4e000-b5cce000 rwxp 00000000 00:00 0 
b5cce000-b5cf4000 r-xp 00000000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf4000-b5cf5000 ---p 00026000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf5000-b5cf7000 r--p 00026000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf7000-b5cf8000 rw-p 00028000 08:02 10058      /lib/i386-linux-gnu/libexpat.so.1.6.0
b5cf8000-b5d00000 r-xp 00000000 08:02 24456      /usr/lib/i386-linux-gnu/libffi.so.5.0.10
b5d00000-b5d01000 rw-p 00008000 08:02 24456      /usr/lib/i386-linux-gnu/libffi.so.5.0.10
b5d01000-b5d09000 r-xp 00000000 08:02 24369      /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b5d09000-b5d0a000 rw-p 00008000 08:02 24369      /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b5d0a000-b5d13000 r-xp 00000000 08:02 24356      /usr/lib/i386-linux-gnu/libXcursor.so.1.0.2
b5d13000-b5d14000 rw-p 00009000 08:02 24356      /usr/lib/i386-linux-gnu/libXcursor.so.1.0.2
b5d14000-b6a86000 r-xp 00000000 08:02 25244      /usr/lib/i386-linux-gnu/dri/swrast_dri.so
b6a86000-b6ace000 rw-p 00d71000 08:02 25244      /usr/lib/i386-linux-gnu/dri/swrast_dri.so
b6ace000-b6db4000 rw-p 00000000 00:00 0 
b6db4000-b6dda000 r--p 00000000 08:02 20948      /usr/lib/locale/C.UTF-8/LC_CTYPE
b6dda000-b6ddb000 rw-p 00000000 00:00 0 
b6ddb000-b6de2000 r--s 00000000 08:02 22578      /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b6de2000-b6de3000 r--p 00839000 08:02 29404      /usr/lib/locale/locale-archive
b6de3000-b6f02000 r--p 00508000 08:02 29404      /usr/lib/locale/locale-archive
b6f02000-b7102000 r--p 00000000 08:02 29404      /usr/lib/locale/locale-archive
b7102000-b7107000 rw-p 00000000 00:00 0 
b7107000-b7118000 r-xp 00000000 08:02 22606      /lib/i386-linux-gnu/libresolv-2.13.so
b7118000-b7119000 r--p 00010000 08:02 22606      /lib/i386-linux-gnu/libresolv-2.13.so
b7119000-b711a000 rw-p 00011000 08:02 22606      /lib/i386-linux-gnu/libresolv-2.13.so
b711a000-b711c000 rw-p 00000000 00:00 0 
b711c000-b7122000 r-xp 00000000 08:02 24762      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
b7122000-b7123000 rw-p 00005000 08:02 24762      /usr/lib/i386-linux-gnu/libogg.so.0.8.0
b7123000-b714d000 r-xp 00000000 08:02 24868      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b714d000-b714e000 r--p 00029000 08:02 24868      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b714e000-b714f000 rw-p 0002a000 08:02 24868      /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b714f000-b72b5000 r-xp 00000000 08:02 24869      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b72b5000-b72c6000 r--p 00165000 08:02 24869      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b72c6000-b72c7000 rw-p 00176000 08:02 24869      /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b72c7000-b7315000 r-xp 00000000 08:02 24338      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b7315000-b7316000 r--p 0004d000 08:02 24338      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b7316000-b7317000 rw-p 0004e000 08:02 24338      /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b7317000-b7318000 rw-p 00000000 00:00 0 
b7318000-b732b000 r-xp 00000000 08:02 22591      /lib/i386-linux-gnu/libnsl-2.13.so
b732b000-b732c000 r--p 00012000 08:02 22591      /lib/i386-linux-gnu/libnsl-2.13.so
b732c000-b732d000 rw-p 00013000 08:02 22591      /lib/i386-linux-gnu/libnsl-2.13.so
b732d000-b732f000 rw-p 00000000 00:00 0 
b732f000-b733d000 r-xp 00000000 08:02 24362      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
b733d000-b733e000 rw-p 0000d000 08:02 24362      /usr/lib/i386-linux-gnu/libXi.so.6.1.0
b733e000-b7342000 r-xp 00000000 08:02 10154      /lib/i386-linux-gnu/libuuid.so.1.3.0
b7342000-b7343000 r--p 00003000 08:02 10154      /lib/i386-linux-gnu/libuuid.so.1.3.0
b7343000-b7344000 rw-p 00004000 08:02 10154      /lib/i386-linux-gnu/libuuid.so.1.3.0
b7344000-b7348000 r-xp 00000000 08:02 10043      /lib/i386-linux-gnu/libattr.so.1.1.0
b7348000-b7349000 r--p 00003000 08:02 10043      /lib/i386-linux-gnu/libattr.so.1.1.0
b7349000-b734a000 rw-p 00004000 08:02 10043      /lib/i386-linux-gnu/libattr.so.1.1.0
b734a000-b734f000 r-xp 00000000 08:02 24386      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
b734f000-b7350000 rw-p 00004000 08:02 24386      /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
b7350000-b7351000 rw-p 00000000 00:00 0 
b7351000-b73be000 r-xp 00000000 08:02 24817      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b73be000-b73c0000 r--p 0006c000 08:02 24817      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b73c0000-b73c1000 rw-p 0006e000 08:02 24817      /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b73c1000-b73c5000 rw-p 00000000 00:00 0 
b73c5000-b73cd000 r-xp 00000000 08:02 10155      /lib/i386-linux-gnu/libwrap.so.0.7.6
b73cd000-b73ce000 r--p 00007000 08:02 10155      /lib/i386-linux-gnu/libwrap.so.0.7.6
b73ce000-b73cf000 rw-p 00008000 08:02 10155      /lib/i386-linux-gnu/libwrap.so.0.7.6
b73cf000-b73d4000 r-xp 00000000 08:02 24372      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b73d4000-b73d5000 rw-p 00004000 08:02 24372      /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b73d5000-b73dc000 r-xp 00000000 08:02 24347      /usr/lib/i386-linux-gnu/libSM.so.6.0.1
b73dc000-b73dd000 rw-p 00006000 08:02 24347      /usr/lib/i386-linux-gnu/libSM.so.6.0.1
b73dd000-b73f3000 r-xp 00000000 08:02 24343      /usr/lib/i386-linux-gnu/libICE.so.6.3.0
b73f3000-b73f5000 rw-p 00015000 08:02 24343      /usr/lib/i386-linux-gnu/libICE.so.6.3.0
b73f5000-b73f7000 rw-p 00000000 00:00 0 
b73f7000-b73fc000 r-xp 00000000 08:02 24358      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b73fc000-b73fd000 rw-p 00004000 08:02 24358      /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b73fd000-b73ff000 r-xp 00000000 08:02 24352      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b73ff000-b7400000 rw-p 00001000 08:02 24352      /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b7400000-b7404000 r-xp 00000000 08:02 10049      /lib/i386-linux-gnu/libcap.so.2.22
b7404000-b7405000 rw-p 00003000 08:02 10049      /lib/i386-linux-gnu/libcap.so.2.22
b7405000-b744f000 r-xp 00000000 08:02 42883      /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b744f000-b7450000 r--p 00049000 08:02 42883      /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b7450000-b7451000 rw-p 0004a000 08:02 42883      /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b7451000-b7452000 rw-p 00000000 00:00 0 
b7452000-b74b8000 r-xp 00000000 08:02 42210      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b74b8000-b74b9000 r--p 00065000 08:02 42210      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b74b9000-b74ba000 rw-p 00066000 08:02 42210      /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b74ba000-b74c2000 r-xp 00000000 08:02 35620      /lib/i386-linux-gnu/libjson.so.0.1.0
b74c2000-b74c3000 r--p 00007000 08:02 35620      /lib/i386-linux-gnu/libjson.so.0.1.0
b74c3000-b74c4000 rw-p 00008000 08:02 35620      /lib/i386-linux-gnu/libjson.so.0.1.0
b74c4000-b74e0000 r-xp 00000000 08:02 10061      /lib/i386-linux-gnu/libgcc_s.so.1
b74e0000-b74e1000 rw-p 0001b000 08:02 10061      /lib/i386-linux-gnu/libgcc_s.so.1
b74e1000-b75c1000 r-xp 00000000 08:02 24828      /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17
b75c1000-b75c5000 r--p 000e0000 08:02 24828      /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17
b75c5000-b75c6000 rw-p 000e4000 08:02 24828      /usr/lib/i386-linux-gnu/libstdc++.so.6.0.17
b75c6000-b75cd000 rw-p 00000000 00:00 0 
b75cd000-b75d8000 r-xp 00000000 08:02 24439      /usr/lib/i386-linux-gnu/libdrm.so.2.4.0
b75d8000-b75d9000 r--p 0000a000 08:02 24439      /usr/lib/i386-linux-gnu/libdrm.so.2.4.0
b75d9000-b75da000 rw-p 0000b000 08:02 24439      /usr/lib/i386-linux-gnu/libdrm.so.2.4.0
b75da000-b75db000 rw-p 00000000 00:00 0 
b75db000-b75df000 r-xp 00000000 08:02 24375      /usr/lib/i386-linux-gnu/libXxf86vm.so.1.0.0
b75df000-b75e0000 r--p 00003000 08:02 24375      /usr/lib/i386-linux-gnu/libXxf86vm.so.1.0.0
b75e0000-b75e1000 rw-p 00004000 08:02 24375      /usr/lib/i386-linux-gnu/libXxf86vm.so.1.0.0
b75e1000-b75f8000 r-xp 00000000 08:02 24878      /usr/lib/i386-linux-gnu/libxcb-glx.so.0.0.0
b75f8000-b75f9000 r--p 00017000 08:02 24878      /usr/lib/i386-linux-gnu/libxcb-glx.so.0.0.0
b75f9000-b75fa000 rw-p 00018000 08:02 24878      /usr/lib/i386-linux-gnu/libxcb-glx.so.0.0.0
b75fa000-b75fb000 r-xp 00000000 08:02 24349      /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
b75fb000-b75fc000 rw-p 00000000 08:02 24349      /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
b75fc000-b7601000 r-xp 00000000 08:02 24360      /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b7601000-b7602000 rw-p 00004000 08:02 24360      /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b7602000-b7604000 r-xp 00000000 08:02 24357      /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b7604000-b7605000 rw-p 00001000 08:02 24357      /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b7605000-b7606000 rw-p 00000000 00:00 0 
b7606000-b7615000 r-xp 00000000 08:02 33548      /usr/lib/i386-linux-gnu/libglapi.so.0.0.0
b7615000-b761c000 rwxp 0000e000 08:02 33548      /usr/lib/i386-linux-gnu/libglapi.so.0.0.0
b761c000-b761e000 r-xp 00000000 08:02 24846      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
b761e000-b761f000 rw-p 00001000 08:02 24846      /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
b761f000-b7622000 r-xp 00000000 08:02 42124      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b7622000-b7623000 r--p 00002000 08:02 42124      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b7623000-b7624000 rw-p 00003000 08:02 42124      /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b7624000-b7655000 r-xp 00000000 08:02 10077      /lib/i386-linux-gnu/libncursesw.so.5.9
b7655000-b7656000 r--p 00030000 08:02 10077      /lib/i386-linux-gnu/libncursesw.so.5.9
b7656000-b7657000 rw-p 00031000 08:02 10077      /lib/i386-linux-gnu/libncursesw.so.5.9
b7657000-b773f000 r-xp 00000000 08:02 10105      /lib/i386-linux-gnu/libslang.so.2.2.4
b773f000-b7741000 r--p 000e8000 08:02 10105      /lib/i386-linux-gnu/libslang.so.2.2.4
b7741000-b7750000 rw-p 000ea000 08:02 10105      /lib/i386-linux-gnu/libslang.so.2.2.4
b7750000-b778b000 rw-p 00000000 00:00 0 
b778b000-b77ac000 r-xp 00000000 08:02 33471      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b77ac000-b77ad000 r--p 00020000 08:02 33471      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b77ad000-b77ae000 rw-p 00021000 08:02 33471      /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b77ae000-b77b7000 r-xp 00000000 08:02 24490      /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
b77b7000-b77b8000 rw-p 00008000 08:02 24490      /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
b77b8000-b77ce000 r-xp 00000000 08:02 24435      /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
b77ce000-b77cf000 rw-p 00016000 08:02 24435      /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
b77cf000-b7918000 r-xp 00000000 08:02 22584      /lib/i386-linux-gnu/libc-2.13.so
b7918000-b791a000 r--p 00149000 08:02 22584      /lib/i386-linux-gnu/libc-2.13.so
b791a000-b791b000 rw-p 0014b000 08:02 22584      /lib/i386-linux-gnu/libc-2.13.so
b791b000-b791e000 rw-p 00000000 00:00 0 
b791e000-b796c000 r-xp 00000000 08:02 42125      /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
b796c000-b796d000 r--p 0004d000 08:02 42125      /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
b796d000-b796e000 rw-p 0004e000 08:02 42125      /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
b796e000-b796f000 rw-p 00000000 00:00 0 
b796f000-b79c3000 r-xp 00000000 08:02 33532      /usr/lib/i386-linux-gnu/libGL.so.1.2
b79c3000-b79c9000 rwxp 00053000 08:02 33532      /usr/lib/i386-linux-gnu/libGL.so.1.2
b79c9000-b7a3b000 r-xp 00000000 08:02 24346      /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4
b7a3b000-b7a3c000 r--p 00071000 08:02 24346      /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4
b7a3c000-b7a3d000 rw-p 00072000 08:02 24346      /usr/lib/i386-linux-gnu/libSDL-1.2.so.0.11.4
b7a3d000-b7a67000 rw-p 00000000 00:00 0 
b7a67000-b7b2e000 r-xp 00000000 08:02 24407      /usr/lib/i386-linux-gnu/libcaca.so.0.99.18
b7b2e000-b7b2f000 rw-p 000c6000 08:02 24407      /usr/lib/i386-linux-gnu/libcaca.so.0.99.18
b7b2f000-b7b34000 rw-p 00000000 00:00 0 
b7b34000-b7c68000 r-xp 00000000 08:02 33486      /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b7c68000-b7c6c000 rw-p 00133000 08:02 33486      /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b7c6c000-b7c7d000 r-xp 00000000 08:02 33506      /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b7c7d000-b7c7e000 rw-p 00010000 08:02 33506      /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b7c7e000-b7c7f000 rw-p 00000000 00:00 0 
b7c7f000-b7d02000 r-xp 00000000 08:02 24436      /usr/lib/i386-linux-gnu/libdirectfb-1.2.so.9.0.1
b7d02000-b7d05000 rw-p 00082000 08:02 24436      /usr/lib/i386-linux-gnu/libdirectfb-1.2.so.9.0.1
b7d05000-b7d29000 r-xp 00000000 08:02 22588      /lib/i386-linux-gnu/libm-2.13.so
b7d29000-b7d2a000 r--p 00023000 08:02 22588      /lib/i386-linux-gnu/libm-2.13.so
b7d2a000-b7d2b000 rw-p 00024000 08:02 22588      /lib/i386-linux-gnu/libm-2.13.so
b7d2b000-b7dc2000 r-xp 00000000 08:02
Program received signal SIGABRT, Aborted.
0xb77f9387 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0xb77f9387 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0xb77fc772 in *__GI_abort () at abort.c:92
#2  0xb783472d in __libc_message (do_abort=2, 
    fmt=0xb78fde10 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0xb783e82a in malloc_printerr (action=<optimized out>, 
    str=0x6 <Address 0x6 out of bounds>, ptr=0x8170f1d8) at malloc.c:6312
#4  0xb783ec7a in malloc_consolidate (av=<optimized out>) at malloc.c:5198
#5  0xb7840db5 in _int_malloc (av=<optimized out>, bytes=6) at malloc.c:4402
#6  0xb7842037 in _int_memalign (av=<optimized out>, alignment=16, bytes=28192)
    at malloc.c:5521
#7  0xb78437f4 in *__GI___libc_memalign (alignment=16, bytes=28192)
    at malloc.c:3895
#8  0xb7843a59 in __posix_memalign (memptr=memptr@entry=0xbfffe1bc, 
    alignment=0, alignment@entry=16, size=7641, size@entry=28192)
    at malloc.c:6344
#9  0x80a7c6c8 in av_malloc (size=size@entry=28192) at libavutil/mem.c:97
#10 0x80a7c8f7 in av_mallocz (size=size@entry=28192) at libavutil/mem.c:254
#11 0x80a10330 in sws_alloc_context () at libswscale/utils.c:1024
#12 0x80a1035d in sws_alloc_set_opts (srcW=srcW@entry=320, 
    srcH=srcH@entry=240, srcFormat=srcFormat@entry=AV_PIX_FMT_YUV422P, 
    dstW=dstW@entry=320, dstH=dstH@entry=240, 
    dstFormat=dstFormat@entry=AV_PIX_FMT_BGRA, flags=flags@entry=4, 
    param=param@entry=0x816b4e6c) at libswscale/utils.c:1819
#13 0x80a11348 in sws_getContext (srcW=srcW@entry=320, srcH=240, 
    srcFormat=srcFormat@entry=AV_PIX_FMT_YUV422P, dstW=320, dstH=240, 
    dstFormat=dstFormat@entry=AV_PIX_FMT_BGRA, flags=4, srcFilter=0x8170da90, 
    dstFilter=0x0, param=param@entry=0x816b4e6c) at libswscale/utils.c:1845
#14 0x8021e343 in config (vf=0x816b60f8, width=320, height=240, d_width=320, 
    d_height=240, flags=0, outfmt=1345466932) at libmpcodecs/vf_scale.c:325
#15 0x801fbed6 in vf_config_wrapper (vf=0x816b60f8, width=320, height=240, 
    d_width=d_width@entry=320, d_height=d_height@entry=240, 
    flags=flags@entry=0, outfmt=1345466932) at libmpcodecs/vf.c:651
#16 0x801f8a32 in mpcodecs_config_vo (sh=sh@entry=0x816685e0, w=w@entry=320, 
    h=h@entry=240, preferred_outfmt=1345466932) at libmpcodecs/vd.c:368
#17 0x802ab587 in init_vo (sh=sh@entry=0x816685e0, 
    pix_fmt=AV_PIX_FMT_YUVJ422P, ignore_aspect=ignore_aspect@entry=1)
    at libmpcodecs/vd_ffmpeg.c:671
#18 0x802ac2e1 in get_buffer (avctx=0x8167c3e0, pic=0x816b2e30)
    at libmpcodecs/vd_ffmpeg.c:731
#19 0x8073d6f6 in get_buffer_internal (flags=1, frame=0x816b2e30, 
    avctx=0x8167c3e0) at libavcodec/utils.c:928
#20 ff_get_buffer (avctx=0x8167c3e0, frame=0x816b2e30, flags=flags@entry=1)
    at libavcodec/utils.c:1042
#21 0x8061ed23 in ff_mjpeg_decode_sof (s=s@entry=0x816b26e0)
    at libavcodec/mjpegdec.c:607
#22 0x80623460 in ff_mjpeg_decode_frame (avctx=0x8167c3e0, data=0x8167c210, 
    got_frame=0xbfffe744, avpkt=0xbfffe658) at libavcodec/mjpegdec.c:2077
#23 0x8073f3ae in avcodec_decode_video2 (avctx=avctx@entry=0x8167c3e0, 
    picture=picture@entry=0x8167c210, 
    got_picture_ptr=got_picture_ptr@entry=0xbfffe744, 
    avpkt=avpkt@entry=0xbfffe768) at libavcodec/utils.c:2445
#24 0x802ab88d in decode (sh=0x816685e0, data=0x81771f58, len=8830, flags=0)
    at libmpcodecs/vd_ffmpeg.c:957
#25 0x801f5663 in decode_video (sh_video=sh_video@entry=0x816685e0, 
    start=0x81771f58 "\377\330\377", <incomplete sequence \340>, 
    in_size=in_size@entry=8830, drop_frame=0, pts=8.0100126266479492, 
    full_frame=full_frame@entry=0xbfffe880) at libmpcodecs/dec_video.c:398
#26 0x80180a4f in update_video (blit_frame=blit_frame@entry=0xbfffe970)
    at mplayer.c:2484
#27 0x801745e7 in main (argc=2, argv=0xbffffa44) at mplayer.c:3811
(gdb) 

Change History (5)

comment:1 by rxt, 8 years ago

Reproduced by developer: set
Status: new → open
Version: unspecified → HEAD

Reproduced with HEAD and 1.2 (both release and branch)

comment:2 by reimar, 8 years ago

Let's try to combine this information:
VO: [null] 320x240 => 320x240 Planar Y800
[mjpeg @ 0x14dd6e0]decode_sos: index(1) out of components
==32528== Address 0x2a729770 is 161,120 bytes inside a block of size 165,120 free'd

The address that fails is inside the format chroma part (luma is up to 320*240 as resolution has not changed), however we were just reconfigured to luma-only.
Thus I believe this to be an FFmpeg bug where it requests luma-only buffers but continues to use the chroma part of some old buffers.
I suspect the codec is not sufficiently reset on this format change.

comment:3 by reimar, 8 years ago

Ah, I found a workaround, but I would consider it a FFmpeg bug.
The mjpeg decoder has the following code:
uint8_t *dst = s->picture_ptr->data[index];
if (dst) {
...

Now this assumes that picture pointers for 1-plane formats never have any of the other pointers set.
I believe this is an invalid assumption, it needs to check the pix_fmt.
Alternatively, FFmpeg needs to check and ensure that all application-returned buffers fulfill that requirement.
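
The interaction described in comments 2 and 3, replayed as an added example (this is not code from the ticket, from MPlayer or from FFmpeg, and the contents of r37802 are not shown on this page). The struct, the pixel-format enum and all helper names are hypothetical stand-ins. The application side hands out a yuv422p buffer, frees it on reconfiguration, and then hands out a one-plane buffer; a `get_buffer` that only fills the planes the new format needs leaves `data[1]`/`data[2]` pointing at the freed chroma planes, and a decoder that only tests `if (dst)` then writes there. The two knobs show the two fixes proposed in comment 3: the application clearing the plane pointers its format does not have, or the decoder checking the pixel format instead of the pointer. The mock decoder reports the dangling write instead of performing it, since the real write is what corrupts the heap in the gdb trace above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the FFmpeg/MPlayer types involved (not their code). */
enum pix_fmt { PIX_FMT_YUV422P, PIX_FMT_GRAY8 };

static int plane_count(enum pix_fmt fmt)
{
    return fmt == PIX_FMT_GRAY8 ? 1 : 3;
}

typedef struct {
    uint8_t *data[4];      /* plane pointers, like AVFrame::data */
    int      linesize[4];
    enum pix_fmt fmt;
} frame_t;

/* Addresses the application has freed, so the mock decoder can report a
 * dangling write instead of performing one (which would be undefined). */
static uintptr_t freed_blocks[16];
static int       freed_count;

static void mark_live(uintptr_t p)      /* a freed address handed out again is live */
{
    for (int i = 0; i < freed_count; i++)
        if (freed_blocks[i] == p)
            freed_blocks[i] = freed_blocks[--freed_count];
}

/* Application side: frees the planes the current format owns. Like the
 * ticket's path through vf_get_image, it does not clear data[]. */
static void release_frame(frame_t *f)
{
    for (int i = 0; i < plane_count(f->fmt); i++) {
        if (freed_count < 16)
            freed_blocks[freed_count++] = (uintptr_t)f->data[i];
        free(f->data[i]);
    }
}

/* Application-side get_buffer. With clear_unused == 0 it fills only the planes
 * the new format needs and leaves stale chroma pointers behind after a
 * yuv422p -> one-plane reconfiguration; with 1 it NULLs the unused planes. */
static void get_buffer(frame_t *f, int w, int h, enum pix_fmt fmt, int clear_unused)
{
    int n = plane_count(fmt);
    f->fmt = fmt;
    for (int i = 0; i < n; i++) {
        int stride = (i == 0) ? w : w / 2;   /* yuv422p chroma: half width, full height */
        f->data[i] = malloc((size_t)stride * (size_t)h);
        if (!f->data[i]) abort();
        mark_live((uintptr_t)f->data[i]);
        f->linesize[i] = stride;
    }
    if (clear_unused)
        for (int i = n; i < 4; i++) { f->data[i] = NULL; f->linesize[i] = 0; }
}

/* Decoder side: the "dst = data[index]; if (dst) ..." pattern quoted in
 * comment 3. With check_pix_fmt == 1 it also refuses components the current
 * pixel format does not have. Returns 1 if the write would hit freed memory. */
static int decode_component(const frame_t *f, int index, int check_pix_fmt)
{
    uint8_t *dst = f->data[index];
    if (check_pix_fmt && index >= plane_count(f->fmt))
        return 0;
    if (!dst)
        return 0;
    for (int i = 0; i < freed_count; i++)
        if ((uintptr_t)dst == freed_blocks[i])
            return 1;                       /* use-after-free write averted */
    dst[0] = 0;                             /* live plane: writing is fine */
    return 0;
}

/* Replays the ticket: decode a yuv422p frame, get reconfigured to a one-plane
 * format, then hit a scan whose component index is 1. Returns how many
 * component writes would have landed in freed memory. */
int simulate(int app_clears_unused, int decoder_checks_pix_fmt)
{
    frame_t f;
    int bad = 0;
    memset(&f, 0, sizeof f);
    freed_count = 0;

    get_buffer(&f, 320, 240, PIX_FMT_YUV422P, app_clears_unused);
    release_frame(&f);                      /* old image freed on reconfiguration */
    get_buffer(&f, 320, 240, PIX_FMT_GRAY8, app_clears_unused);

    for (int index = 0; index < 3; index++) /* decode_sos walks the SOS components */
        bad += decode_component(&f, index, decoder_checks_pix_fmt);

    release_frame(&f);
    return bad;
}

int main(void)
{
    printf("buggy app + buggy decoder: %d stale writes\n", simulate(0, 0));
    printf("app clears unused planes : %d stale writes\n", simulate(1, 0));
    printf("decoder checks pix_fmt   : %d stale writes\n", simulate(0, 1));
    return 0;
}
```

Either fix alone is enough to make the stale write disappear; the application-side one is the cheaper workaround because it does not depend on every decoder honouring the pixel format, which is why it is the kind of change a player can ship without waiting on the library.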

comment:4 by reimar, 8 years ago

Worked around on MPlayer side by r37802.

comment:5 by reimar, 8 years ago

Resolution: fixed
Status: open → closed

Patch also sent to FFmpeg list.
I consider this resolved from our side.
