[Ffmpeg-devel] [PATCH/BUGREPORT] crash in vorbis decoder
Måns Rullgård
mru
Sun Feb 4 23:27:40 CET 2007
Michael Niedermayer <michaelni at gmx.at> writes:
> Hi
>
> On Sun, Feb 04, 2007 at 11:08:16PM +0100, Reimar Döffinger wrote:
>> Hello,
>> http://samples.mplayerhq.hu/A-codecs/vorbis/ffvorbis_crash.ogm
>> crashes a few seconds into the files.
>
> gdb/valgrind output?
Valgrind chokes on some MMX instruction unless I disable those. With
MMX disabled, it crashes like this:
$ valgrind ./ffmpeg -i ffvorbis_crash.ogm -vn -f null -y /dev/null
==3462== Memcheck, a memory error detector.
==3462== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==3462== Using LibVEX rev 1658, a library for dynamic binary translation.
==3462== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==3462== Using valgrind-3.2.1, a dynamic binary instrumentation framework.
==3462== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==3462== For more details, rerun with: -v
==3462==
FFmpeg version SVN-r7817, Copyright (c) 2000-2006 Fabrice Bellard, et al.
configuration: --cc=x86_64-pc-linux-gnu-gcc-4.3.0-alpha20061216 --enable-gpl --cpu=core2 --disable-strip --disable-mmx
libavutil version: 49.3.0
libavcodec version: 51.30.0
libavformat version: 51.8.0
built on Feb 4 2007 22:24:09, gcc: 4.3.0-alpha20061216 (experimental) (Gentoo 4.3.0_alpha20061216)
Input #0, ogg, from 'ffvorbis_crash.ogm':
Duration: 00:00:06.4, start: 0.480000, bitrate: 632 kb/s
Stream #0.0: Video: mpeg4, yuv420p, 576x432, 25.00 fps(r)
Stream #0.1: Audio: vorbis, 48000 Hz, stereo, 80 kb/s
Output #0, null, to '/dev/null':
Stream #0.0: Audio: pcm_s16le, 48000 Hz, stereo, 1536 kb/s
Stream mapping:
Stream #0.1 -> #0.0
==3462== Invalid read of size 4
==3462== at 0x6A29EB: vorbis_decode_init (bitstream.h:672)
==3462== by 0x46DE13: avcodec_open (utils.c:836)
==3462== by 0x417FCC: av_encode (ffmpeg.c:1759)
==3462== by 0x418E22: main (ffmpeg.c:3931)
==3462== Address 0x50E6B71 is 3,793 bytes inside a block of size 3,795 alloc'd
==3462== at 0x4A2127C: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==3462== by 0x45B425: vorbis_header (oggparsevorbis.c:153)
==3462== by 0x45A6E7: ogg_packet (ogg2.c:398)
==3462== by 0x45A86D: ogg_read_header (ogg2.c:436)
==3462== by 0x41D464: av_open_input_stream (utils.c:404)
==3462== by 0x4205DF: av_open_input_file (utils.c:517)
==3462== by 0x411D8B: opt_input_file (ffmpeg.c:2587)
==3462== by 0x41A722: parse_options (cmdutils.c:105)
==3462== by 0x418A7F: main (ffmpeg.c:3917)
Press [q] to stop encoding
==3462== 0kB time=3.7 bitrate= 0.0kbits/s
==3462== Invalid read of size 4
==3462== at 0x69EF19: vorbis_residue_decode (vorbis.c:1512)
==3462== by 0x69F8A6: vorbis_parse_audio_packet (vorbis.c:1658)
==3462== by 0x69FEC4: vorbis_decode_frame (vorbis.c:1773)
==3462== by 0x46D181: avcodec_decode_audio2 (utils.c:945)
==3462== by 0x417062: output_packet (ffmpeg.c:1072)
==3462== by 0x4186E2: av_encode (ffmpeg.c:1937)
==3462== by 0x418E22: main (ffmpeg.c:3931)
==3462== Address 0x4052B7F20 is not stack'd, malloc'd or (recently) free'd
==3462==
==3462== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3462== Access not within mapped region at address 0x4052B7F20
==3462== at 0x69EF19: vorbis_residue_decode (vorbis.c:1512)
==3462== by 0x69F8A6: vorbis_parse_audio_packet (vorbis.c:1658)
==3462== by 0x69FEC4: vorbis_decode_frame (vorbis.c:1773)
==3462== by 0x46D181: avcodec_decode_audio2 (utils.c:945)
==3462== by 0x417062: output_packet (ffmpeg.c:1072)
==3462== by 0x4186E2: av_encode (ffmpeg.c:1937)
==3462== by 0x418E22: main (ffmpeg.c:3931)
==3462==
==3462== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 4 from 1)
==3462== malloc/free: in use at exit: 2,425,902 bytes in 321 blocks.
==3462== malloc/free: 1,865 allocs, 1,544 frees, 10,128,054 bytes allocated.
==3462== For counts of detected errors, rerun with: -v
==3462== searching for pointers to 321 not-freed blocks.
==3462== checked 1,409,584 bytes.
==3462==
==3462== LEAK SUMMARY:
==3462== definitely lost: 0 bytes in 0 blocks.
==3462== possibly lost: 0 bytes in 0 blocks.
==3462== still reachable: 2,425,902 bytes in 321 blocks.
==3462== suppressed: 0 bytes in 0 blocks.
==3462== Reachable blocks (those to which a pointer was found) are not shown.
==3462== To see them, rerun with: --show-reachable=yes
mru at thrashbarg:/tmp/ffmpeg$ ./ffmpeg -i ffvorbis_crash.ogm -vn -f null -y /dev/null
FFmpeg version SVN-r7817, Copyright (c) 2000-2006 Fabrice Bellard, et al.
configuration: --cc=x86_64-pc-linux-gnu-gcc-4.3.0-alpha20061216 --enable-gpl --cpu=core2 --disable-strip
libavutil version: 49.3.0
libavcodec version: 51.30.0
libavformat version: 51.8.0
built on Feb 4 2007 22:20:50, gcc: 4.3.0-alpha20061216 (experimental) (Gentoo 4.3.0_alpha20061216)
Input #0, ogg, from 'ffvorbis_crash.ogm':
Duration: 00:00:06.4, start: 0.480000, bitrate: 632 kb/s
Stream #0.0: Video: mpeg4, yuv420p, 576x432, 25.00 fps(r)
Stream #0.1: Audio: vorbis, 48000 Hz, stereo, 80 kb/s
Output #0, null, to '/dev/null':
Stream #0.0: Audio: pcm_s16le, 48000 Hz, stereo, 1536 kb/s
Stream mapping:
Stream #0.1 -> #0.0
Press [q] to stop encoding
Segmentation fault (core dumped)
mru at thrashbarg:/tmp/ffmpeg$ gdb ffmpeg core
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `./ffmpeg -i ffvorbis_crash.ogm -vn -f null -y /dev/null'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib64/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0 vorbis_residue_decode (vc=0xa2dee0, vr=0xac41b0, ch=2 '\002',
do_not_decode=0x7fff0f3f8d70 "", vec=0xab2000, vlen=1024)
at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1512
1512 vec[voffs ]+=codebook.codevectors[coffs+l ]; // FPMATH
(gdb) bt
#0 vorbis_residue_decode (vc=0xa2dee0, vr=0xac41b0, ch=2 '\002',
do_not_decode=0x7fff0f3f8d70 "", vec=0xab2000, vlen=1024)
at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1512
#1 0x00000000007915c7 in vorbis_parse_audio_packet (vc=0xa2dee0)
at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1658
#2 0x0000000000791be5 in vorbis_decode_frame (
avccontext=<value optimized out>, data=0x2b259b761010,
data_size=0x7fff0f3f957c, buf=0xab2240 "", buf_size=185)
at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1773
#3 0x000000000046ce42 in avcodec_decode_audio2 (avctx=0xa24860, samples=0x4,
frame_size_ptr=0xffffffff, buf=0xab2240 "", buf_size=145)
at /home/mru/src/ffmpeg/libavcodec/utils.c:945
#4 0x0000000000417803 in output_packet (ist=0xa31cf0, ist_index=1,
ost_table=0xa31440, nb_ostreams=1, pkt=0x7fff0f3f9ad0)
at /home/mru/src/ffmpeg/ffmpeg.c:1072
#5 0x0000000000418e83 in av_encode (output_files=0x98fcc0, nb_output_files=1,
input_files=0x98fb80, nb_input_files=1, stream_maps=0x98fd60,
nb_stream_maps=0) at /home/mru/src/ffmpeg/ffmpeg.c:1937
#6 0x00000000004195c3 in main (argc=<value optimized out>,
argv=<value optimized out>) at /home/mru/src/ffmpeg/ffmpeg.c:3931
(gdb) info registers all
rax 0xfffffffc 4294967292
rbx 0x8 8
rcx 0xab2240 11215424
rdx 0xab3240 11219520
rsi 0x4 4
rdi 0xa2fb30 10681136
rbp 0x7fff0f3f8d30 0x7fff0f3f8d30
rsp 0x7fff0f3f8b90 0x7fff0f3f8b90
r8 0x91 145
r9 0xffffffff 4294967295
r10 0x2 2
r11 0xfffffffc 4294967292
r12 0x0 0
r13 0xae0b90 11406224
r14 0xab2000 11214848
r15 0xa29e50 10657360
rip 0x790c39 0x790c39 <vorbis_residue_decode+2905>
eflags 0x210202 2163202
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 -nan(0xe8f8ed83ee74f2ad) (raw 0xffffe8f8ed83ee74f2ad)
st1 -nan(0xffffe8f8ffffed83) (raw 0xffffffffe8f8ffffed83)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm1 {v4_float = {0x0, 0x7, 0xffffba52, 0xffffc333}, v2_double = {
0x15f90, 0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xf9,
0xf5, 0x40, 0x35, 0x5c, 0x8b, 0xc6, 0x54, 0x34, 0x73, 0xc6}, v8_int16 = {
0x0, 0x0, 0xf900, 0x40f5, 0x5c35, 0xc68b, 0x3454, 0xc673}, v4_int32 = {
0x0, 0x40f5f900, 0xc68b5c35, 0xc6733454}, v2_int64 = {0x40f5f90000000000,
0xc6733454c68b5c35}, uint128 = 0xc6733454c68b5c3540f5f90000000000}
xmm2 {v4_float = {0xfffffb23, 0x2, 0x0, 0x0}, v2_double = {0x5,
0x0}, v16_int8 = {0xe4, 0xa5, 0x9b, 0xc4, 0x20, 0xb0, 0x14, 0x40, 0xd1,
0x7e, 0x4e, 0xbe, 0x84, 0x41, 0x42, 0xbe}, v8_int16 = {0xa5e4, 0xc49b,
0xb020, 0x4014, 0x7ed1, 0xbe4e, 0x4184, 0xbe42}, v4_int32 = {0xc49ba5e4,
0x4014b020, 0xbe4e7ed1, 0xbe424184}, v2_int64 = {0x4014b020c49ba5e4,
0xbe424184be4e7ed1}, uint128 = 0xbe424184be4e7ed14014b020c49ba5e4}
xmm3 {v4_float = {0xfffffb23, 0x2, 0x0, 0x0}, v2_double = {0x5,
0x0}, v16_int8 = {0xe4, 0xa5, 0x9b, 0xc4, 0x20, 0xb0, 0x14, 0x40, 0xd1,
0x7e, 0x4e, 0xbe, 0x84, 0x41, 0x42, 0xbe}, v8_int16 = {0xa5e4, 0xc49b,
0xb020, 0x4014, 0x7ed1, 0xbe4e, 0x4184, 0xbe42}, v4_int32 = {0xc49ba5e4,
0x4014b020, 0xbe4e7ed1, 0xbe424184}, v2_int64 = {0x4014b020c49ba5e4,
0xbe424184be4e7ed1}, uint128 = 0xbe424184be4e7ed14014b020c49ba5e4}
xmm4 {v4_float = {0xfffffffe, 0xd, 0xffffdd7f, 0xffffce14},
v2_double = {0x5014a7, 0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0xc0,
0x29, 0x5, 0x54, 0x41, 0x48, 0x7, 0xa, 0xc6, 0x3e, 0xb0, 0x47, 0xc6},
v8_int16 = {0x0, 0xc000, 0x529, 0x4154, 0x748, 0xc60a, 0xb03e, 0xc647},
v4_int32 = {0xc0000000, 0x41540529, 0xc60a0748, 0xc647b03e}, v2_int64 = {
0x41540529c0000000, 0xc647b03ec60a0748},
uint128 = 0xc647b03ec60a074841540529c0000000}
xmm5 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 11 times>, 0x80, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {
0x0, 0x0, 0x0, 0x0, 0x0, 0x8000, 0x0, 0x0}, v4_int32 = {0x0, 0x0,
0x80000000, 0x0}, v2_int64 = {0x0, 0x80000000},
uint128 = 0x00000000800000000000000000000000}
xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x80,
0x0, 0x0, 0x0, 0x80}, v8_int16 = {0x0, 0x8000, 0x0, 0x8000, 0x0, 0x8000,
0x0, 0x8000}, v4_int32 = {0x80000000, 0x80000000, 0x80000000, 0x80000000},
v2_int64 = {0x8000000080000000, 0x8000000080000000},
uint128 = 0x80000000800000008000000080000000}
xmm8 {v4_float = {0xb4600000, 0x1, 0x0, 0x0}, v2_double = {0x1,
0x0}, v16_int8 = {0x18, 0x2d, 0x44, 0x54, 0xfb, 0x21, 0xf9, 0x3f, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x2d18, 0x5444, 0x21fb,
0x3ff9, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x54442d18, 0x3ff921fb, 0x0,
0x0}, v2_int64 = {0x3ff921fb54442d18, 0x0},
uint128 = 0x00000000000000003ff921fb54442d18}
xmm9 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm10 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
mxcsr 0x1fa0 8096
--
Måns Rullgård
mru at inprovide.com
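Two checks that guard against the kinds of reads valgrind flags in the report above, as an added example in C (not FFmpeg's code; every name here is hypothetical): a bit reader that fetches 32 bits at a time must not touch memory past an unpadded allocation, and a codebook lookup must validate the decoded entry before indexing the table.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {
    const uint8_t *buf;   /* packet payload as allocated, no padding assumed */
    size_t size;          /* payload length in bytes */
    size_t pos;           /* read position in bits */
} BitReader;

/* Many fast bit readers fetch a whole 32-bit word at the current byte. This
 * predicate reports when such a fetch would touch memory past the payload:
 * with pos at byte 3793 of a 3795-byte block it is 2 bytes too far, which is
 * exactly the shape of the first 4-byte invalid read in the valgrind log. */
int fetch32_would_overread(const BitReader *br)
{
    return br->pos / 8 + 4 > br->size;
}

/* Checked read of n <= 25 bits: refuses a request that runs past the payload
 * and assembles the word only from bytes that exist (missing ones read as 0). */
int read_bits(BitReader *br, unsigned n, uint32_t *out)
{
    if (n > 25 || br->pos + n > br->size * 8)
        return -1;                                 /* truncated header */
    uint32_t word = 0;
    size_t byte = br->pos / 8;
    for (unsigned i = 0; i < 4; i++)
        word = (word << 8) | (byte + i < br->size ? br->buf[byte + i] : 0);
    *out = (word >> (32 - br->pos % 8 - n)) & ((1u << n) - 1);
    br->pos += n;
    return 0;
}

/* Hypothetical codebook; entries * dimensions floats live in codevectors. */
typedef struct { const float *codevectors; unsigned entries, dimensions; } Codebook;

/* The second trace faults on vec[voffs] += codevectors[coffs+l]. Here both the
 * decoded entry and the output offset are validated before any indexing. */
int add_codevector(float *vec, size_t vlen, size_t voffs,
                   const Codebook *cb, unsigned entry)
{
    if (entry >= cb->entries || voffs + cb->dimensions > vlen)
        return -1;                                 /* reject, do not index */
    size_t coffs = (size_t)entry * cb->dimensions;
    for (unsigned l = 0; l < cb->dimensions; l++)
        vec[voffs + l] += cb->codevectors[coffs + l];
    return 0;
}
```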