[FFmpeg-devel] libavcodec h264 crashes

David DeHaven dave
Fri Dec 5 19:41:19 CET 2008


I have a mpeg TS clip with H.264 video recorded at 1080i with 2  
channel AC-3 audio. It was captured using a Hauppauge HD-PVR with the  
latest firmware.

FFmpeg decodes it fine, I can transcode and play back the resulting  
stream and everything looks intact.

MPlayer, however, crashes when it tries to decode the first (?) SPS  
NAL unit:
Starting playback...

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x167c3000
0x002e3b96 in get_ue_golomb [inlined] () at golomb.h:57
57	    UPDATE_CACHE(re, gb);
(gdb) bt
#0  0x002e3b96 in get_ue_golomb [inlined] () at golomb.h:57
#1  0x002e3b96 in decode_hrd_parameters [inlined] () at golomb.h:6851
#2  0x002e3b96 in decode_vui_parameters [inlined] () at bitstream.h:6914
#3  0x002e3b96 in decode_vui_parameters [inlined] () at bitstream.h:6914
#4  0x002e3b96 in decode_seq_parameter_set (h=0x15f85000) at h264.c:7098
#5  0x61737365 in ?? ()
Cannot access memory at address 0x6d5f5f04
(gdb)

I dug around a bit. The crash is pretty obvious: it's getting a  
garbage cpb_count in decode_hrd_parameters and overrunning the buffer  
by a considerable amount.

I added some debugging statements and came up with the following  
results:

When run through FFmpeg:
NAL_SPS: init_get_bits with data (bit length 278):
00000000  4d 40 28 9a 62 80 f0 08 8f bc 07 d4 04 04 05 00  M@(.b...........
00000010  00 03 e9 00 00 ea 60 e8 c0 00 4c 4b 00 02 fa f2  ......`...LK....
00000020  ef 38                                            .8
hrd params: cpb_count = 1
hrd params: cpb 0:
     -> bit_rate_value_minus1 = 19530
     -> cpb_size_value_minus1 = 24413
     -> cbr_flag = 0


When run through MPlayer:
NAL_SPS: init_get_bits with data (bit length 270):
00000000  4d 40 28 9a 62 80 f0 08 8f bc 07 d4 04 04 05 00  M@(.b...........
00000010  00 e9 00 00 ea 60 e8 c0 00 4c 4b 00 02 fa f2 ef  .....`...LK.....
00000020  38                                               8
hrd params: cpb_count = 39062
<abort()ing on insane cpb_count value>

A single byte is missing in the MPlayer run, value 03 at offset 0x11.  
It looks like the problem lies between here and decode_nal.


Popping the file open in a hex editor, I found this particular NAL unit:
00 00 00 01 27 4D 40 28 9A 62 80 F0 08 8F BC 07
D4 04 04 05 00 00 03 03 E9 00 00 EA 60 E8 C0 00
4C 4B 00 02 FA F2 EF 38 0A

It looks like there's an escape code in the middle (00 00 03) that's  
being decoded twice (?), at least from what I can tell. I am not well  
versed in h.264 syntax and trying to hand parse this stuff makes my  
head hurt...

Both FFmpeg and MPlayer are using the same snapshots of libavcodec/ 
libavformat. I'm currently building SVN HEAD completely unmodified as  
of sometime this morning. Happens on Windows under MinGW/Cygwin and  
Mac OS X on Intel AND PowerPC, so I think we can rule out platform or  
processor.

I can make a portion of the file available for testing if needed.

-DrD-
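The escape-code hypothesis above can be checked mechanically. The following is an added example, not code from the post or from libavcodec: it copies the SPS NAL unit from the hex-editor dump, strips emulation prevention bytes the way H.264 7.3.1 defines it (every 00 00 03 becomes 00 00), and walks the SPS syntax with bounds-checked bit reads as far as cpb_cnt_minus1. Unescaping once yields the FFmpeg dump (the 03 at offset 0x11 survives, cpb_count = 1); running the unescape a second time drops that surviving 03 and reproduces the MPlayer dump byte for byte, with the same cpb_count of 39062. The SPS walker is a minimal reimplementation that assumes no scaling matrices are present; everything else (names, the debug-style output) is the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SPS NAL unit from the hex-editor dump in the post, start code stripped
   (0x27 = nal_ref_idc 1, nal_unit_type 7 = SPS). */
static const uint8_t SPS_NAL[] = {
    0x27, 0x4D, 0x40, 0x28, 0x9A, 0x62, 0x80, 0xF0, 0x08, 0x8F, 0xBC, 0x07,
    0xD4, 0x04, 0x04, 0x05, 0x00, 0x00, 0x03, 0x03, 0xE9, 0x00, 0x00, 0xEA,
    0x60, 0xE8, 0xC0, 0x00, 0x4C, 0x4B, 0x00, 0x02, 0xFA, 0xF2, 0xEF, 0x38,
    0x0A
};
#define SPS_NAL_LEN (sizeof SPS_NAL)

/* NAL -> RBSP (H.264 7.3.1): every 00 00 03 becomes 00 00, the 03 being an
   emulation_prevention_three_byte.  Returns the number of bytes written. */
size_t nal_to_rbsp(const uint8_t *src, size_t len, uint8_t *dst)
{
    size_t di = 0, zeros = 0;
    for (size_t si = 0; si < len; si++) {
        if (zeros >= 2 && src[si] == 0x03) { zeros = 0; continue; }  /* drop the escape */
        dst[di++] = src[si];
        zeros = (src[si] == 0) ? zeros + 1 : 0;
    }
    return di;
}

typedef struct { const uint8_t *buf; size_t nbits, pos; } bitreader;

/* Bounds-checked bit reads: -1 on overrun instead of reading past the buffer. */
static int get_bits(bitreader *br, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    while (n--) {
        if (br->pos >= br->nbits) return -1;
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
        br->pos++;
    }
    *out = v;
    return 0;
}

/* ue(v) Exp-Golomb: leading zeros, a 1, then that many more bits. */
static int get_ue(bitreader *br, uint32_t *out)
{
    unsigned zeros = 0;
    uint32_t b, rest;
    do {
        if (get_bits(br, 1, &b)) return -1;
        if (!b && ++zeros > 31) return -1;
    } while (!b);
    if (get_bits(br, zeros, &rest)) return -1;
    *out = ((1u << zeros) - 1) + rest;
    return 0;
}

#define UE(x)   do { if (get_ue(&br, &(x))) return -1; } while (0)
#define U(n, x) do { if (get_bits(&br, (n), &(x))) return -1; } while (0)

/* Walk an SPS RBSP (NAL header byte already removed) up to hrd_parameters() and
   return cpb_cnt_minus1 + 1, i.e. the cpb_count the post's debug output prints.
   Returns -1 on a truncated bitstream, -2 if the SPS carries no NAL HRD data. */
int sps_cpb_count(const uint8_t *rbsp, size_t len)
{
    bitreader br = { rbsp, len * 8, 0 };
    uint32_t profile, x, n, i, flag, poc_type;
    U(8, profile); U(8, x); U(8, x);              /* profile_idc, constraint flags, level_idc */
    UE(x);                                        /* seq_parameter_set_id */
    if (profile == 100 || profile == 110 || profile == 122 || profile == 244 || profile == 44 ||
        profile == 83 || profile == 86 || profile == 118 || profile == 128) {
        UE(x); if (x == 3) U(1, flag);            /* chroma_format_idc, separate_colour_plane */
        UE(x); UE(x); U(1, flag);                 /* bit depths, qpprime_y_zero_transform_bypass */
        U(1, flag); if (flag) return -2;          /* scaling matrices: not handled by this example */
    }
    UE(x);                                        /* log2_max_frame_num_minus4 */
    UE(poc_type);
    if (poc_type == 0) UE(x);
    else if (poc_type == 1) {
        U(1, flag); UE(x); UE(x); UE(n);          /* se(v) consumes the same bits as ue(v) */
        for (i = 0; i < n; i++) UE(x);
    }
    UE(x); U(1, flag); UE(x); UE(x);              /* num_ref_frames, gaps, width, height */
    U(1, flag); if (!flag) U(1, flag);            /* frame_mbs_only, mb_adaptive_frame_field */
    U(1, flag);                                   /* direct_8x8_inference */
    U(1, flag); if (flag) { UE(x); UE(x); UE(x); UE(x); }          /* frame cropping */
    U(1, flag); if (!flag) return -2;             /* vui_parameters_present_flag */
    U(1, flag); if (flag) { U(8, x); if (x == 255) { U(16, x); U(16, x); } }   /* aspect ratio */
    U(1, flag); if (flag) U(1, flag);             /* overscan */
    U(1, flag); if (flag) { U(3, x); U(1, flag); U(1, flag); if (flag) { U(8, x); U(8, x); U(8, x); } }
    U(1, flag); if (flag) { UE(x); UE(x); }       /* chroma_loc_info */
    U(1, flag); if (flag) { U(32, x); U(32, x); U(1, flag); }      /* timing_info */
    U(1, flag); if (!flag) return -2;             /* nal_hrd_parameters_present_flag */
    UE(n);                                        /* cpb_cnt_minus1 */
    return (int)n + 1;
}

/* Unescape the dumped NAL `passes` times and report cpb_count, as the two decoder runs did. */
int cpb_count_after_unescaping(int passes)
{
    uint8_t a[SPS_NAL_LEN], b[SPS_NAL_LEN];
    size_t len = nal_to_rbsp(SPS_NAL + 1, SPS_NAL_LEN - 1, a);   /* skip the NAL header byte */
    for (int p = 1; p < passes; p++) { len = nal_to_rbsp(a, len, b); memcpy(a, b, len); }
    return sps_cpb_count(a, len);
}

int main(void)
{
    printf("unescaped once:  cpb_count = %d\n", cpb_count_after_unescaping(1));
    printf("unescaped twice: cpb_count = %d\n", cpb_count_after_unescaping(2));
    return 0;
}
```

The second pass removes the 03 of `00 00 03 E9`, which is real num_units_in_tick data, not an escape; from there on every field is read one byte early and the 15 leading zeros of the shifted stream decode as a huge Exp-Golomb value. Any decoder that then loops cpb_count times over a fixed-size per-CPB array, without clamping the value, overruns it exactly as the backtrace shows.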