[Ffmpeg-devel] Division by zero crash at h263.c:333 with seeking in interlaced streams.
Scott A Crosby
Fri Jan 12 21:16:23 CET 2007
I was told by Nico Sabbi on mplayer-users to post here.
Scott
On Tue, 09 Jan 2007 08:05:03 -0600, Scott A Crosby <scrosby at cs.rice.edu> writes:
> Thanks for the great software.
>
> I have a bug report for a reproducible crash in mplayer when seeking
> in interlaced streams. It does not trigger when playing normally. It
> doesn't trigger on every seek, but it triggers on most seeks including
> those done by '-ss' and interactively. I've verified the problem in
> pre7, rc1 and in SVN#21857, which was checked out yesterday morning.
>
> Hope this helps,
> Scott
>
>
> ///
>
> The cause is in ff_mpeg4_set_direct_mv (s=0x880d900, mx=-1, my=0) at h263.c:633
>
>     } else if(IS_INTERLACED(colocated_mb_type)){
>         s->mv_type = MV_TYPE_FIELD;
>         for(i=0; i<2; i++){
>             int field_select= s->next_picture.ref_index[0][s->block_index[2*i]];
>             s->field_select[0][i]= field_select;
>             s->field_select[1][i]= i;
>             if(s->top_field_first){
>                 time_pp= s->pp_field_time - field_select + i;
>                 time_pb= s->pb_field_time - field_select + i;
>             }else{
>                 time_pp= s->pp_field_time + field_select - i;
>                 time_pb= s->pb_field_time + field_select - i;
>             }
>             s->mv[0][i][0] = s->p_field_mv_table[i][0][mb_index][0]*time_pb/time_pp + mx;
>             s->mv[0][i][1] = s->p_field_mv_table[i][0][mb_index][1]*time_pb/time_pp + my;
>
>
> The bug is that 'time_pb = time_pp = 0' and we get a division by
> zero. Relevant local variables are:
>
> (gdb) print s->top_field_first
> $2 = 1
> (gdb) print s->pp_field_time
> $3 = 0
> (gdb) print i
> $5 = 0
> (gdb) print field_select
> $4 = <value optimized out>
> (gdb) print s->next_picture.ref_index[0][s->block_index[2*i]]
> $6 = 0 '\0'
> (gdb) print s->pp_field_time
> $9 = 0
> (gdb) print s->pb_field_time
> $10 = 0
>
> ////
>
> The backtrace is:
>
> (gdb) bt
> Program received signal SIGFPE, Arithmetic exception.
>
> 0x08329a80 in ff_mpeg4_set_direct_mv (s=0x880d900, mx=-1, my=0) at h263.c:633
> 633 s->mv[0][i][0] = s->p_field_mv_table[i][0][mb_index][0]*time_pb/time_pp + mx;
>
> #0 0x08329a80 in ff_mpeg4_set_direct_mv (s=0x880d900, mx=-1, my=0)
> at h263.c:633
> #1 0x08332532 in ff_mpeg4_decode_mb (s=0x880d900, block=0x88fcaa0)
> at h263.c:4466
> #2 0x0833ccf7 in decode_slice (s=0x880d900) at h263dec.c:206
> #3 0x0833df6b in ff_h263_decode_frame (avctx=0x880d5a0, data=0x880d4c0,
> data_size=0xbf9c3e04, buf=0x8914718 "", buf_size=2125) at h263dec.c:729
>
> ///
>
> The exact command lines I used to construct a file triggering the bug:
>
> # Rip it
> mplayer dvd://12 -alang en -dumpstream -dumpfile XXX.vob
>
> # Compress it
> BITRATE=1450
> AUDIO="-alang en -aid 128 -oac mp3lame -lameopts q=3"
> LAVC2="vcodec=mpeg4:vbitrate=${BITRATE}:vqcomp=.7:autoaspect:nr=300:vmax_b_frames=2:psnr:vb_strategy=1:b_sensitivity=15:ildct:ilme:mbd=2:v4mv:trell"
> mencoder XXX.vob -o XXX.avi $AUDIO -ovc lavc -ofps 29.97 -lavcopts $LAVC2 \
>     -vf-add hqdn3d=2:1:2
>
> # Try seeking in the resulting file. (I have a file that reliably
> # crashes with these arguments)
> mplayer XXX.avi -ss 3
>
> ///
>
> Compiler:
> cc (GCC) 4.1.2 20061028 (prerelease) (Debian 4.1.1-19)
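The following is an added, self-contained illustration of the arithmetic in the report; it is not ffmpeg's code and not a patch from the project. It replays the per-field timing formulas quoted above with the values from the gdb session (top_field_first=1, pp_field_time=0, pb_field_time=0, field_select=0, i=0, mx=-1) to show how time_pp reaches 0, and then shows two places a guard could sit: at the division itself, and earlier at the header level, where the field timings are sanity-checked once before any macroblock is decoded. The struct, the function names, the co-located MV value of 7 and the fallback timings (pb=2, pp=4) are this example's own assumptions, not the stream's real values or the fix that was eventually committed.

```c
/*
 * Added example (not ffmpeg's code): replays the direct-mode field MV
 * scaling from the bug report and guards the time_pb/time_pp division.
 * Input values are constructed from the gdb session in the report.
 */
#include <stdio.h>

typedef struct {
    int pp_field_time;   /* P-to-P distance in fields (from VOP time stamps) */
    int pb_field_time;   /* P-to-B distance in fields */
    int top_field_first;
} field_timing;

/* Same arithmetic as the quoted h263.c snippet: timing for field i, given the
 * co-located macroblock's field_select for that field. */
static void direct_field_times(const field_timing *t, int field_select, int i,
                               int *time_pp, int *time_pb)
{
    if (t->top_field_first) {
        *time_pp = t->pp_field_time - field_select + i;
        *time_pb = t->pb_field_time - field_select + i;
    } else {
        *time_pp = t->pp_field_time + field_select - i;
        *time_pb = t->pb_field_time + field_select - i;
    }
}

/* Scaled direct-mode MV component: mv * time_pb / time_pp + delta.
 * Returns 0 on success; returns -1 instead of dividing by zero, which is the
 * exact operation that raised SIGFPE in the report. */
static int scale_direct_mv(int colocated_mv, int time_pb, int time_pp,
                           int delta, int *out)
{
    if (time_pp == 0)
        return -1;
    *out = colocated_mv * time_pb / time_pp + delta;
    return 0;
}

/* Header-level check. field_select and i are both 0 or 1, so time_pp lies in
 * [pp_field_time - 1, pp_field_time + 1]; requiring pp > pb > 1 keeps every
 * combination non-zero. Substitutes an assumed safe pair (pb=2, pp=4) and
 * returns 0 when the timings are rejected, 1 when they were sane. */
static int validate_field_times(field_timing *t)
{
    if (t->pp_field_time <= t->pb_field_time || t->pb_field_time <= 1) {
        t->pb_field_time = 2;   /* assumed fallback, not ffmpeg's value */
        t->pp_field_time = 4;
        return 0;
    }
    return 1;
}

/* Replays the state printed by gdb in the report (constructed here):
 * top_field_first=1, pp_field_time=0, pb_field_time=0, field_select=0, i=0,
 * mx=-1. Returns the result of scale_direct_mv, i.e. -1 for this state. */
static int replay_report_state(int *mv_x)
{
    field_timing t = { 0, 0, 1 };
    int field_select = 0, i = 0, mx = -1;
    int time_pp, time_pb;

    direct_field_times(&t, field_select, i, &time_pp, &time_pb);
    /* the co-located MV value is arbitrary: only the divisor matters here */
    return scale_direct_mv(7, time_pb, time_pp, mx, mv_x);
}

int main(void)
{
    int mv = 0, time_pp, time_pb;
    field_timing t = { 0, 0, 1 };

    if (replay_report_state(&mv) < 0)
        printf("time_pp == 0: division refused (unguarded code would SIGFPE)\n");

    /* same stream state, but rejected once at the header instead */
    if (!validate_field_times(&t))
        printf("field timings rejected, using fallback pb=%d pp=%d\n",
               t.pb_field_time, t.pp_field_time);
    direct_field_times(&t, 0, 0, &time_pp, &time_pb);
    scale_direct_mv(7, time_pb, time_pp, -1, &mv);
    printf("time_pb=%d time_pp=%d mv_x=%d\n", time_pb, time_pp, mv);
    return 0;
}
```

The per-division guard is the cheap stopgap; the header-level check is where a decoder should reject the stream, because it runs once per VOP rather than once per field MV and leaves no other divisions by the same timing values unprotected.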