[Ffmpeg-devel] [BUG] Segfault in h264 decoder on corrupt input

Panagiotis Issaris takis.issaris
Wed Mar 14 17:38:40 CET 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Panagiotis Issaris schreef:
> I've uploaded a corrupt (by zzuf) H.264 video file which causes ffplay
> (current revision 8403) to crash. It's available here:
> ftp://upload.mplayerhq.hu/MPlayer/incoming/h264_segfault
> pi-20070314T154046-ffmpeg-ffplay_crash.h264
> pi-20070314T154046-ffmpeg-ffplay_crash.txt
>[...]
> 
> FFmpeg was configured using ./configure --enable-gpl --enable-x11grab
> and GCC 4.1.2 was used.

The segfault also occurs when configuring with --disable-opts:
[h264 @ 0x843cadc]reference count overflow
[h264 @ 0x843cadc]decode_slice_header error
[h264 @ 0x843cadc]concealing 300 DC, 300 AC, 300 MV errors

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1230980208 (LWP 4788)]
0x081074a4 in avg_pixels8_c (block=0x8656740
"\rPi\204}~\177\200\200\200\200\201\201\201\201\201", pixels=0x0,
line_size=352, h=16) at dsputil.c:1109
1109    PIXOP2(avg, op_avg)
(gdb) bt
#0  0x081074a4 in avg_pixels8_c (block=0x8656740
"\rPi\204}~\177\200\200\200\200\201\201\201\201\201", pixels=0x0,
line_size=352, h=16) at dsputil.c:1109
#1  0x08107523 in avg_pixels16_c (block=0x8656740
"\rPi\204}~\177\200\200\200\200\201\201\201\201\201", pixels=0x0,
line_size=352, h=16) at dsputil.c:1109
#2  0x080e4303 in MPV_motion (s=0x85a64d0, dest_y=0x8656740
"\rPi\204}~\177\200\200\200\200\201\201\201\201\201",
    dest_cb=0x8657d40 "\177\177\177\177\177\177\177\177",
dest_cr=0x8659340 "\200\200\200\200\200\200\200\200", dir=1,
ref_picture=0x85a6750,
    pix_op=0x85a6f18, qpix_op=0x85a737c) at mpegvideo.c:3054
#3  0x080de0a5 in MPV_decode_mb (s=0x85a64d0, block=0x8662770) at
mpegvideo.c:4016
#4  0x08214448 in decode_mb (s=0x85a64d0) at error_resilience.c:40
#5  0x08217dce in ff_er_frame_end (s=0x85a64d0) at error_resilience.c:927
#6  0x082cf0e3 in decode_frame (avctx=0x857f6c0, data=0x858f300,
data_size=0xb6a0b37c, buf=0x8645060 "", buf_size=26100) at h264.c:8387
#7  0x080d0039 in avcodec_decode_video (avctx=0x857f6c0,
picture=0x858f300, got_picture_ptr=0xb6a0b37c, buf=0x8645060 "",
buf_size=26100) at utils.c:897
#8  0x0805bc8d in video_thread (arg=0xb7248020) at ffplay.c:1357
#9  0xb7edaceb in ?? () from /usr/lib/libSDL-1.2.so.0
#10 0xb7248020 in ?? ()
#11 0x0805bb7a in output_picture2 (is=0x85594e8, src_frame=0xb7c50ff4,
pts1=5.142098762525619e-270) at ffplay.c:1329
#12 0xb7f25f3d in ?? () from /usr/lib/libSDL-1.2.so.0
#13 0x085594e8 in ?? ()
#14 0xb7c50ff4 in ?? () from /lib/tls/i686/cmov/libpthread.so.0
#15 0xb6a0b4b8 in ?? ()
#16 0xb7c4231b in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
Backtrace stopped: frame did not save the PC
(gdb)
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8107484 to 0x81074c4:
0x08107484 <avg_pixels4_c+63>:  inc    %ebp
0x08107485 <avg_pixels4_c+64>:  adc    $0x7c,%al
0x08107487 <avg_pixels4_c+66>:  int    $0x83
0x08107489 <avg_pixels4_c+68>:  les    (%eax),%ebx
0x0810748b <avg_pixels4_c+70>:  pop    %ebx
0x0810748c <avg_pixels4_c+71>:  pop    %ebp
0x0810748d <avg_pixels4_c+72>:  ret
0x0810748e <avg_pixels8_c+0>:   push   %ebp
0x0810748f <avg_pixels8_c+1>:   mov    %esp,%ebp
0x08107491 <avg_pixels8_c+3>:   push   %ebx
0x08107492 <avg_pixels8_c+4>:   sub    $0x18,%esp
0x08107495 <avg_pixels8_c+7>:   movl   $0x0,0xfffffff8(%ebp)
0x0810749c <avg_pixels8_c+14>:  jmp    0x81074ef <avg_pixels8_c+97>
0x0810749e <avg_pixels8_c+16>:  mov    0x8(%ebp),%ebx
0x081074a1 <avg_pixels8_c+19>:  mov    0xc(%ebp),%eax
0x081074a4 <avg_pixels8_c+22>:  mov    (%eax),%edx
0x081074a6 <avg_pixels8_c+24>:  mov    0x8(%ebp),%eax
0x081074a9 <avg_pixels8_c+27>:  mov    (%eax),%eax
0x081074ab <avg_pixels8_c+29>:  mov    %edx,0x4(%esp)
0x081074af <avg_pixels8_c+33>:  mov    %eax,(%esp)
0x081074b2 <avg_pixels8_c+36>:  call   0x8107425 <rnd_avg32>
0x081074b7 <avg_pixels8_c+41>:  mov    %eax,(%ebx)
0x081074b9 <avg_pixels8_c+43>:  mov    0x8(%ebp),%eax
0x081074bc <avg_pixels8_c+46>:  add    $0x4,%eax
0x081074bf <avg_pixels8_c+49>:  mov    %eax,%ebx
0x081074c1 <avg_pixels8_c+51>:  mov    0xc(%ebp),%eax
End of assembler dump.
(gdb)   info all-registers
eax            0x0      0
ecx            0x0      0
edx            0x81074fd        135296253
ebx            0x8656740        140863296
esp            0xb6a0ab54       0xb6a0ab54
ebp            0xb6a0ab70       0xb6a0ab70
esi            0x85594e8        139826408
edi            0xb7248020       -1222344672
eip            0x81074a4        0x81074a4 <avg_pixels8_c+22>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            1        (raw 0x3fff8000000000000000)
st5            0.5      (raw 0x3ffe8000000000000000)
st6            44       (raw 0x4004b000000000000000)
st7            1.759999999999999999991326382620116      (raw
0x3fffe147ae147ae147ae)
fctrl          0x37f    895
fstat          0x220    544
ftag           0xffff   65535
fiseg          0x73     115
fioff          0x805bc54        134593620
foseg          0x7b     123
fooff          0xb6a0b370       -1230982288
fop            0x35d    861
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
    0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1f80   [ IM DM ZM OM UM PM ]
mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0,
0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0,
0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
- ---Type <return> to continue, or q <return> to quit---
mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0,
0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0,
0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4            {uint64 = 0x8000000000000000, v2_int32 = {0x0,
0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0,
    0x0, 0x80}}
mm5            {uint64 = 0x8000000000000000, v2_int32 = {0x0,
0x80000000}, v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0,
    0x0, 0x80}}
mm6            {uint64 = 0xb000000000000000, v2_int32 = {0x0,
0xb0000000}, v4_int16 = {0x0, 0x0, 0x0, 0xb000}, v8_int8 = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0,
    0x0, 0xb0}}
mm7            {uint64 = 0xe147ae147ae147ae, v2_int32 = {0x7ae147ae,
0xe147ae14}, v4_int16 = {0x47ae, 0x7ae1, 0xae14, 0xe147}, v8_int8 =
{0xae, 0x47, 0xe1,
    0x7a, 0x14, 0xae, 0x47, 0xe1}}
(gdb)


With friendly regards,
Takis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF+CUQ9kOxLuzz4CkRAk0oAJ0dT/pszcYDgrc+rFYWqvTA2rvjQACfUlKW
7kOxr6CRe7dNEk+1ROqhEA8=
=KIHe
-----END PGP SIGNATURE-----

More information about the ffmpeg-devel mailing list