[MPlayer-users] Division by zero crash-bug at h263.c:333 with seeking in interlaced streams.

Scott A Crosby scrosby at cs.rice.edu
Tue Jan 9 15:05:03 CET 2007


Thanks for the great software.

I have a bug report for a reproducible crash-bug in mplayer when seeking
in interlaced streams. It does not trigger when playing normally. It
doesn't trigger on every seek, but it triggers on most seeks, including
those done by '-ss' and interactively. I've verified the problem in
pre7, rc1 and in SVN#21857, which was checked out yesterday morning.

Hope this helps,
Scott


///

The cause is in ff_mpeg4_set_direct_mv (s=0x880d900, mx=-1, my=0) at h263.c:633

    } else if(IS_INTERLACED(colocated_mb_type)){
        s->mv_type = MV_TYPE_FIELD;
        for(i=0; i<2; i++){
            int field_select= s->next_picture.ref_index[0][s->block_index[2*i]];
            s->field_select[0][i]= field_select;
            s->field_select[1][i]= i;
            if(s->top_field_first){
                time_pp= s->pp_field_time - field_select + i;
                time_pb= s->pb_field_time - field_select + i;
            }else{
                time_pp= s->pp_field_time + field_select - i;
                time_pb= s->pb_field_time + field_select - i;
            }
            s->mv[0][i][0] = s->p_field_mv_table[i][0][mb_index][0]*time_pb/time_pp + mx;
            s->mv[0][i][1] = s->p_field_mv_table[i][0][mb_index][1]*time_pb/time_pp + my;


The bug is that 'time_pb = time_pp = 0' and we get a division by
zero. Relevant local variables are:

(gdb) print s->top_field_first
$2 = 1
(gdb) print  s->pp_field_time
$3 = 0
(gdb) print i
$5 = 0
(gdb) print field_select
$4 = <value optimized out>
(gdb) print s->next_picture.ref_index[0][s->block_index[2*i]]
$6 = 0 '\0'
(gdb) print s->pp_field_time
$9 = 0
(gdb) print s->pb_field_time
$10 = 0

////

The backtrace is:

(gdb) bt
Program received signal SIGFPE, Arithmetic exception.

0x08329a80 in ff_mpeg4_set_direct_mv (s=0x880d900, mx=-1, my=0) at h263.c:633
633                 s->mv[0][i][0] = s->p_field_mv_table[i][0][mb_index][0]*time_pb/time_pp + mx;

#0  0x08329a80 in ff_mpeg4_set_direct_mv (s=0x880d900, mx=-1, my=0)
    at h263.c:633
#1  0x08332532 in ff_mpeg4_decode_mb (s=0x880d900, block=0x88fcaa0)
    at h263.c:4466
#2  0x0833ccf7 in decode_slice (s=0x880d900) at h263dec.c:206
#3  0x0833df6b in ff_h263_decode_frame (avctx=0x880d5a0, data=0x880d4c0, 
    data_size=0xbf9c3e04, buf=0x8914718 "", buf_size=2125) at h263dec.c:729

///

The exact command lines I used to construct a file triggering the bug:

  # Rip it
  mplayer dvd://12 -alang en -dumpstream -dumpfile  XXX.vob

  # Compress it
  BITRATE=1450
  AUDIO="-alang en -aid 128 -oac mp3lame  -lameopts q=3"
  LAVC2="vcodec=mpeg4:vbitrate=${BITRATE}:vqcomp=.7:autoaspect:nr=300:vmax_b_frames=2:psnr:vb_strategy=1:b_sensitivity=15:ildct:ilme:mbd=2:v4mv:trell"
  mencoder XXX.vob -o XXX.avi $AUDIO -ovc lavc -ofps 29.97 -lavcopts $LAVC2 \
      -vf-add hqdn3d=2:1:2

  # Try seeking in the resulting file. (I have a file that reliably
  # crashes with these arguments)
  mplayer XXX.avi -ss 3

///

Compiler:
  cc (GCC) 4.1.2 20061028 (prerelease) (Debian 4.1.1-19)
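The division-by-zero path from the h263.c snippet above, as an added stand-alone C example that is not part of the original report and is not MPlayer's or FFmpeg's code. The `direct_ctx` struct, the `field_select` and `p_field_mv` arrays and the `set_direct_mv_checked` guard are assumptions made for illustration; they mirror the arithmetic of the quoted loop body but are not the project's struct or its fix. The per-field divisor `time_pp` is recomputed exactly as the snippet does, first with the values from the gdb session (top_field_first=1, pp_field_time=0, field_select=0), then with a state where pp_field_time is nonzero but field 1 still gets a zero divisor, and finally with a sane state that yields motion vectors.

```c
#include <stdio.h>

/* Constructed stand-in for the few MpegEncContext fields that the
 * interlaced branch of ff_mpeg4_set_direct_mv reads. Not FFmpeg's struct. */
typedef struct {
    int top_field_first;
    int pp_field_time;     /* field-time distance between the two P references */
    int pb_field_time;     /* field-time distance from the previous P to this B */
    int field_select[2];   /* stand-in for next_picture.ref_index[0][block_index[2*i]] */
    int p_field_mv[2][2];  /* stand-in for p_field_mv_table[i][0][mb_index][0..1] */
} direct_ctx;

/* Per-field divisor and numerator, computed exactly as the quoted snippet does. */
static int field_time_pp(const direct_ctx *c, int i)
{
    int fs = c->field_select[i];
    return c->top_field_first ? c->pp_field_time - fs + i
                              : c->pp_field_time + fs - i;
}

static int field_time_pb(const direct_ctx *c, int i)
{
    int fs = c->field_select[i];
    return c->top_field_first ? c->pb_field_time - fs + i
                              : c->pb_field_time + fs - i;
}

/* Returns how many of the two fields would divide by zero. With the gdb
 * values from the report (top_field_first=1, pp_field_time=0, field_select=0)
 * field 0 has time_pp == 0, which is where the SIGFPE is raised. */
int count_zero_divisors(const direct_ctx *c)
{
    int n = 0, i;
    for (i = 0; i < 2; i++)
        if (field_time_pp(c, i) == 0)
            n++;
    return n;
}

/* Guarded version of the snippet's loop body (hypothetical guard, not
 * FFmpeg's fix). Returns 0 and fills mv[i][0..1] on success, or -1 without
 * dividing if any field's time_pp is zero. */
int set_direct_mv_checked(const direct_ctx *c, int mx, int my, int mv[2][2])
{
    int i;
    /* Check both fields before touching mv[]: a zero divisor on field 1
     * must not leave field 0 half-written. */
    if (count_zero_divisors(c) != 0)
        return -1;
    for (i = 0; i < 2; i++) {
        int time_pp = field_time_pp(c, i);
        int time_pb = field_time_pb(c, i);
        mv[i][0] = c->p_field_mv[i][0] * time_pb / time_pp + mx;
        mv[i][1] = c->p_field_mv[i][1] * time_pb / time_pp + my;
    }
    return 0;
}

/* The crashing state reconstructed from the gdb output in the report. */
direct_ctx crash_ctx(void)
{
    direct_ctx c = { 1, 0, 0, { 0, 0 }, { { 0, 0 }, { 0, 0 } } };
    return c;
}

/* Constructed state where pp_field_time is nonzero but field 1 still divides
 * by zero (bottom field first, field_select 0, i = 1: 1 + 0 - 1 == 0), so a
 * check on pp_field_time alone would not be enough. */
direct_ctx crash_ctx_nonzero_pp(void)
{
    direct_ctx c = { 0, 1, 1, { 0, 0 }, { { 0, 0 }, { 0, 0 } } };
    return c;
}

/* Constructed sane state: both fields have positive divisors. */
direct_ctx sane_ctx(void)
{
    direct_ctx c = { 1, 4, 2, { 0, 0 }, { { 8, -4 }, { 6, 2 } } };
    return c;
}

int main(void)
{
    direct_ctx c = crash_ctx();
    int mv[2][2];
    printf("zero divisors in crash state: %d\n", count_zero_divisors(&c));
    printf("checked call on crash state: %d\n", set_direct_mv_checked(&c, -1, 0, mv));
    c = sane_ctx();
    if (set_direct_mv_checked(&c, -1, 0, mv) == 0)
        printf("mv field0=(%d,%d) field1=(%d,%d)\n",
               mv[0][0], mv[0][1], mv[1][0], mv[1][1]);
    return 0;
}
```

The point of the second constructed state is that the divisor is the per-field `time_pp`, not `pp_field_time` itself: because `field_select` and `i` are added to or subtracted from it, a nonzero `pp_field_time` can still give a zero divisor for one field, so any guard has to test each field's `time_pp` rather than the shared value.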
