[Ffmpeg-devel] MPEG2 seeking broken

Tue Mar 14 13:46:35 CET 2006

Hi,

Since nobody is able to reproduce this bug or fix it (I think some MPEG 
data are handled incorrectly, but I am not able to tell what) I made a 
temporary fix to avoid FFMPEG crashing on many (vob) files.

See attached patch. Basically it's to avoid accessing data from a NULL 
pointer. So I guess it's safe to put it in the official FFMPEG code. 
After that seeking work fine on most files.

I still have a crash with a trimed VOB file but I don't know if cut 
files are supported.

Steve

Steve Lhomme wrote:
> Hi everyone,
> 
> As a follow-up to the email I sent a few days ago, I tried ffplay
> (latest from CVS) on Linux on chems1.vob. The default seeking mode of
> ffplay works. 
> 
> But it's not "precise" enough for me (seeking 10s away is too far for
> what we are using to analyse video frames). So I added the value set by
> our application to seek inside any file. Namely I replaced :
> 
> ret = av_seek_frame(is->ic, -1, is->seek_pos, is->seek_flags);
> =>
> ret = av_seek_frame(is->ic, 0, 152393, AVSEEK_FLAG_BACKWARD);
> 
> and also tried :
> 
> ret = av_seek_frame(is->ic, -1, is->seek_pos, is->seek_flags);
> =>
> ret = av_seek_frame(is->ic, 1, 152393, AVSEEK_FLAG_BACKWARD);
> 
> 
> All these values are legitimate (AFAIK). There are 2 streams (1 video
> and 1 audio) and we seek at around 1.6s from the first frame. The
> BACKWARD flag is to ensure we go to the previous keyframe and not the
> next one (otherwise we might miss a lot of content on files like small
> AVIs).
> 
> Both case crash exactly like the MSVC debug build we use. I attach the
> backtrace of gdb in both cases.
> 
> Setting the stream index to -1 doesn't crash. But I'm not sure it would
> be clean for some formats where it would seek at an audio location and
> in the middle of P/B frames.
> 
> This crash doesn't occur with a version of libavcodec/mpeg12.c from
> 2006-03-01.
> 
> Steve
> 
> 
> ------------------------------------------------------------------------
> 
> ret = av_seek_frame(is->ic, -1, is->seek_pos, is->seek_flags);
> =>
> ret = av_seek_frame(is->ic, 1, 152393, AVSEEK_FLAG_BACKWARD);
> 
> (gdb) backtrace
> #0  0x080bb7d4 in MPV_motion (s=0x83e3080,
>     dest_y=0x84ddf70 "\020\021\020\017\021\023\020\016\020\020\017\022\021\022\020\023\0203\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\u
ffff\uffff\uffff\uffff?\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff"..., dest_cb=Variable "dest_cb" is not available.
> )
>     at mpegvideo.c:2938
> #1  0x080c2221 in MPV_decode_mb (s=0x83e3080, block=0x867c000) at mpegvideo.c:3919
> #2  0x0816eb81 in mpeg_decode_slice (s1=0x83e3080, mb_y=2, buf=0xb625a304, buf_size=48128) at mpeg12.c:2609
> #3  0x08171177 in mpeg_decode_frame (avctx=0x83df2c0, data=0x8644e60, data_size=0xb625a404,
>     buf=0x83e5950 "'\"@)8\bA\uffff\uffff\uffff\u04f6\231\225\u047a\236\002\uffff0\rng\u0130\uffff\uffff\uffff\u04e7\uffff\234\ad\006a\uffff\uffff\\\233\uffff\uffff)-\002\021\uffff\220\uffff7\020@\a\uffff\223![\237\uffff\020Z\022\204\uffff\uffff?\032\uffff2\uffff[}\uffffi\uffff\b6\u0174D\uffff\uffff:\220\217\u05a0\037\uffff0#\207\uffff'\uffff\222\uffff=\uffff\uffffG\003{\uffff$\234\uffffH\026\rG\n\206\uffff\202\uffff8\uffff\025$\016X1", buf_size=11590) at mpeg12.c:3157
> #4  0x080ac815 in avcodec_decode_video (avctx=0x83df2c0, picture=0x8644e60, got_picture_ptr=0xb625a404,
>     buf=0x83e5950 "'\"@)8\bA\uffff\uffff\uffff\u04f6\231\225\u047a\236\002\uffff0\rng\u0130\uffff\uffff\uffff\u04e7\uffff\234\ad\006a\uffff\uffff\\\233\uffff\uffff)-\002\021\uffff\220\uffff7\020@\a\uffff\223![\237\uffff\020Z\022\204\uffff\uffff?\032\uffff2\uffff[}\uffffi\uffff\b6\u0174D\uffff\uffff:\220\217\u05a0\037\uffff0#\207\uffff'\uffff\222\uffff=\uffff\uffffG\003{\uffff$\234\uffffH\026\rG\n\206\uffff\202\uffff8\uffff\025$\016X1", buf_size=11590) at utils.c:943
> #5  0x08058005 in video_thread (arg=0xb725d020) at ffplay.c:1283
> #6  0xb7e92591 in SDL_RunThread () from /usr/lib/libSDL-1.2.so.0
> #7  0xb7e92861 in SDL_KillThread () from /usr/lib/libSDL-1.2.so.0
> #8  0xb7e2f361 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
> #9  0xb7dc4bde in clone () from /lib/tls/i686/cmov/libc.so.6
> 
> 
> ret = av_seek_frame(is->ic, -1, is->seek_pos, is->seek_flags);
> =>
> ret = av_seek_frame(is->ic, 0, 152393, AVSEEK_FLAG_BACKWARD);
> 
> (gdb) backtrace
> #0  0x080bb7d4 in MPV_motion (s=0x83e3080,
>     dest_y=0x85361b0 "31122213466779:;:999:99978788888766431101-+,/00../0/-,,+(*+-./.--./1223333210.,-/+++,,,.,,---..-+,,+,-/0000013454755664554432446686669988:888987875578867899:;;;:866852244753574133442101320/.,,,,+-.-,."..., dest_cb=Variable "dest_cb" is not available.
> ) at mpegvideo.c:2938
> #1  0x080c2221 in MPV_decode_mb (s=0x83e3080, block=0x867c070) at mpegvideo.c:3919
> #2  0x0816eb81 in mpeg_decode_slice (s1=0x83e3080, mb_y=17, buf=0xb6273304, buf_size=409088) at mpeg12.c:2609
> #3  0x08171177 in mpeg_decode_frame (avctx=0x83df2c0, data=0x8644f10, data_size=0xb6273404,
>     buf=0x83e5110 "\004\uffffy\uffff\uffff\uffffvt\uffff\uffff\uffff$pemp\uffff\226\217>\226\u06b9\uffff\034\uffff\205\u01a6\u05b5\uffff\uffff#\0274\uffff\212-z.\214\uffff\uffffb\030\uffff \uffff\034\uffff\205\uffffQ\uffff\uffff\uffffX\uffff\u0536\217\227Z\uffff\uffffF\uffff\025\uffff\ufffff\uffff\uffff\215\004\uffff!\uffff\225\uffff\230[{'\2077\027C\233|-\uffff\uffff\uffff\uffff\002\uffff\uffff5\uffff\037>\\\234\uffff\uffffV\207\uffff\230\200\uffff4YJ\035\0245\uffff\u01b4\uffff\232\217\uffff\206\"J\uffff\005H\030\uffffMdo\akk#G\uffff\005I[\uffff\uffffm\uffff\uffffh\uffff+e\uffffg\221Z?s\uffff#\233\uffffd\215k\uffff\234\uffff\uffffmq\uffff\005\uffffh\035#Z!\206x\uffff\"\223'Sl\fg\227\023\006\215\uffff\uffff\uffff3"..., buf_size=1773) at mpeg12.c:3157
> #4  0x080ac815 in avcodec_decode_video (avctx=0x83df2c0, picture=0x8644f10, got_picture_ptr=0xb6273404,
>     buf=0x83e5110 "\004\uffffy\uffff\uffff\uffffvt\uffff\uffff\uffff$pemp\uffff\226\217>\226\u06b9\uffff\034\uffff\205\u01a6\u05b5\uffff\uffff#\0274\uffff\212-z.\214\uffff\uffffb\030\uffff \uffff\034\uffff\205\uffffQ\uffff\uffff\uffffX\uffff\u0536\217\227Z\uffff\uffffF\uffff\025\uffff\ufffff\uffff\uffff\215\004\uffff!\uffff\225\uffff\230[{'\2077\027C\233|-\uffff\uffff\uffff\uffff\002\uffff\uffff5\uffff\037>\\\234\uffff\uffffV\207\uffff\230\200\uffff4YJ\035\0245\uffff\u01b4\uffff\232\217\uffff\206\"J\uffff\005H\030\uffffMdo\akk#G\uffff\005I[\uffff\uffffm\uffff\uffffh\uffff+e\uffffg\221Z?s\uffff#\233\uffffd\215k\uffff\234\uffff\uffffmq\uffff\005\uffffh\035#Z!\206x\uffff\"\223'Sl\fg\227\023\006\215\uffff\uffff\uffff3"..., buf_size=1773) at utils.c:943
> #5  0x08058005 in video_thread (arg=0xb7276020) at ffplay.c:1283
> #6  0xb7eab591 in SDL_RunThread () from /usr/lib/libSDL-1.2.so.0
> #7  0xb7eab861 in SDL_KillThread () from /usr/lib/libSDL-1.2.so.0
> #8  0xb7e48361 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
> #9  0xb7dddbde in clone () from /lib/tls/i686/cmov/libc.so.6
> 
> 
> -1 for stream number works

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mpeg-avoid-crash.patch
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20060314/ee73508e/attachment.txt>