[Ffmpeg-devel] segfault in ff_mpeg1_find_frame_end()

Stefan Lucke stefan
Wed Apr 13 21:37:54 CEST 2005


On Sunday, 10 April 2005 22:12, Måns Rullgård wrote:
> Stefan Lucke <stefan at lucke.in-berlin.de> writes:
> 
> > On Sunday, 10 April 2005 20:37, Måns Rullgård wrote:
> >> Stefan Lucke <stefan at lucke.in-berlin.de> writes:
> >> 
> >> > Hi,
> >> >
> >> > We are developing a plugin for vdr named softdevice. Plugins homepage
> >> > is at http://softdevice.berlios.de .
> >> >
> >> > I get a segfault in function mentioned in subject. The segfault happens
> >> > when there is a transition in aspect ratio from 16:9 to 4:3. It happens not
> >> > when the stream is played the first time but when its played the 3rd time.
> >> > But this may vary (segfault may happen at the first time too).
> >> 
> >> That makes me suspect a problem in your code.  Could you be
> >> accidentally using a freed buffer?  Maybe a race between threads.
> >
> > That was one of my initial thoughts too. But I think it is related
> > to the thread: "bug in aspect ratio change detection" from
> > 2005-04-02.  For a test, I backed out Ivan Kalvachev's change
> > (mpeg12.c from rev 1.227 to 1.228). So I got no segfaults any more,
> > but aspect ratio change is not detected correct. Then I used my
> > rejected patch and so I've no segfaults and aspect ratio is detected
> > correct ;-) .
> 
> That change causes some buffers to be reallocated.  My guess is that
> something is still holding pointers to the old buffers.  Perhaps
> someone more familiar with the code could make a better guess.
> 

> >> This looks like an unrelated crash.
> >
> > But it happens at the same place when aspect ratio changes from 16:9
> > to 4:3.
> 
> All signs are pointing at some buffer misuse.  Could you try running
> it under valgrind?

Ok, that's now with valgrind 2.4.0. Before calling avcodec_decode_video()
I still do an extra copy like this (valgrind --tool=addrcheck):

    /* private copy of the packet, followed by zeroed padding */
    nd = (uint8_t *) malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
    if (!nd)
      exit(4);
    memcpy(nd, data, size);
    memset(nd + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
    len = avcodec_decode_video(context, picture, &got_picture, /*data*/ nd, size);
    free(nd);

When reaching the 16:9 to 4:3 transition valgrind starts talking:

==2616== Thread 11:
==2616== Invalid read of size 4
==2616==    at 0x346B31D1: (within /usr/local/lib/libavcodec-0.4.9-pre1.so)
==2616==    by 0x346B28A8: (within /usr/local/lib/libavcodec-0.4.9-pre1.so)
==2616==    by 0x345B9153: avcodec_decode_video (in /usr/local/lib/libavcodec-0.4.9-pre1.so)
==2616==    by 0x3454D848: cVideoStreamDecoder::DecodePacket(AVPacket*) (mpeg2decoder.c:518)
==2616==    by 0x3454C8E8: cStreamDecoder::Action() (mpeg2decoder.c:213)
==2616==    by 0x80DBC3F: cThread::StartThread(cThread*) (thread.c:227)
==2616==    by 0x34193F5F: pthread_start_thread (in /lib/i686/libpthread.so.0)
==2616==    by 0x343AE326: clone (in /lib/i686/libc.so.6)
==2616==  Address 0x3B23EC18 is not stack'd, malloc'd or (recently) free'd
==2616==
==2616== Invalid read of size 4
==2616==    at 0x346B31DC: (within /usr/local/lib/libavcodec-0.4.9-pre1.so)
==2616==    by 0x346B28A8: (within /usr/local/lib/libavcodec-0.4.9-pre1.so)
==2616==    by 0x345B9153: avcodec_decode_video (in /usr/local/lib/libavcodec-0.4.9-pre1.so)
==2616==    by 0x3454D848: cVideoStreamDecoder::DecodePacket(AVPacket*) (mpeg2decoder.c:518)
==2616==    by 0x3454C8E8: cStreamDecoder::Action() (mpeg2decoder.c:213)
==2616==    by 0x80DBC3F: cThread::StartThread(cThread*) (thread.c:227)
==2616==    by 0x34193F5F: pthread_start_thread (in /lib/i686/libpthread.so.0)
==2616==    by 0x343AE326: clone (in /lib/i686/libc.so.6)
==2616==  Address 0x3B23EC19 is not stack'd, malloc'd or (recently) free'd
==2616==

and so on. Is there a way to get the line numbers? ffmpeg is
compiled with "-g". The same is reported for my uploaded sample stream.


-- 
Stefan Lucke
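An added example, not code from the original post or from FFmpeg, showing why the zeroed FF_INPUT_BUFFER_PADDING_SIZE bytes in the copy above matter: a start-code scanner in the style of an MPEG frame-end finder reads a whole 32-bit word at every offset, so its last iterations read into the padding. INPUT_PADDING is a local stand-in for the library constant, and the packet bytes used to exercise it are constructed.

```c
/* Added example, not code from the original post or from FFmpeg: the padded-copy
 * helper the message describes, plus a start-code scanner in the style of an MPEG
 * frame-end finder that reads 4 bytes at every offset and so relies on padding. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: local stand-in for FF_INPUT_BUFFER_PADDING_SIZE (8 at the time). */
#define INPUT_PADDING 8

typedef struct {
    int start_codes;       /* complete 00 00 01 xx start codes */
    int sequence_headers;  /* start codes whose type byte is 0xB3 */
    int truncated;         /* a prefix whose type byte lies beyond `size` */
} scan_result;

/* Copy `size` bytes into a fresh buffer followed by INPUT_PADDING zero bytes,
 * as the message does before avcodec_decode_video(). Caller frees the result. */
uint8_t *padded_copy(const uint8_t *data, size_t size)
{
    uint8_t *nd = malloc(size + INPUT_PADDING);
    if (!nd)
        return NULL;
    memcpy(nd, data, size);
    memset(nd + size, 0, INPUT_PADDING);
    return nd;
}

/* Scan buf[0..size) by reading a 32-bit word at every offset. The last offsets
 * read buf[size + 1] and buf[size + 2], so `buf` must carry at least 3 bytes of
 * zeroed padding: call this only on the result of padded_copy(). */
scan_result scan_start_codes(const uint8_t *buf, size_t size)
{
    scan_result r = {0, 0, 0};
    for (size_t i = 0; i < size; i++) {
        uint32_t w = ((uint32_t)buf[i] << 24) | ((uint32_t)buf[i + 1] << 16) |
                     ((uint32_t)buf[i + 2] << 8) | buf[i + 3];
        if ((w >> 8) != 0x000001)
            continue;
        if (i + 3 >= size) {       /* type byte would be padding, not stream data */
            r.truncated = 1;
            break;
        }
        r.start_codes++;
        if ((w & 0xFF) == 0xB3)
            r.sequence_headers++;
        i += 3;                    /* resume after the type byte */
    }
    return r;
}
```

A prefix cut off by the packet boundary is reported as truncated rather than decoded from the zero padding, which is the state a real parser has to carry over into the next packet.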