[FFmpeg-devel] Bug decoding multiple png images

Compn tempn
Thu Aug 9 20:39:21 CEST 2007


On Thu, 09 Aug 2007 17:39:41 +0300, Uoti Urpala scribed:

>Decoding a small png, then a big one might be
>enough to reproduce a crash.

Confirmed, gdb follows.
-compn


MPlayer dev-SVN-r23725-3.4.5

D:\>gdb mplayer
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details. This GDB was configured as "i686-pc-mingw32"...
(gdb) run -vf scale mf://1172985948627.png,118126716447.png
Starting program: d:\cdrive\mplayer/mplayer.exe -vf scale
mf://1172985948627.png ,118126716447.png

Program received signal SIGSEGV, Segmentation fault.
0x0056b366 in fast_memcpy (to=0x3792f30, from=0x33ab6b1, len=2100)
    at aclib_template.c:320
320                     __asm__ __volatile__ (
(gdb) bt
#0  0x0056b366 in fast_memcpy (to=0x3792f30, from=0x33ab6b1, len=2100)
    at aclib_template.c:320
#1  0x00687972 in decode_frame (avctx=0x3420450, data=0x3499b50,
    data_size=0x22edac, buf=0x33a3008 "\211PNG\r\n\032\n",
buf_size=24869) at png.c:390
#2  0x005b6111 in avcodec_decode_video (avctx=0x3420450, picture=0x3499b50,
    got_picture_ptr=0x22edac, buf=0x33a3008 "\211PNG\r\n\032\n",
    buf_size=24869) at utils.c:920
#3  0x00468442 in decode (sh=0x33d98f0, data=0x33a3008, len=24869, flags=0)
    at vd_ffmpeg.c:783
#4  0x004656f6 in decode_video (sh_video=0x33d98f0,
    start=0x33a3008 "\211PNG\r\n\032\n", in_size=24869, drop_frame=0,
pts=1) at dec_video.c:370
#5  0x00407898 in main (argc=4, argv=0x22c3a60) at mplayer.c:2041
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x56b346 to 0x56b386:
0x56b346 <fast_memcpy+470>:     add    %cl,(%edi)
0x56b348 <fast_memcpy+472>:     outsl  %ds:(%esi),(%dx)
0x56b349 <fast_memcpy+473>:     push   %es
0x56b34a <fast_memcpy+474>:     movq   0x8(%esi),%mm1
0x56b34e <fast_memcpy+478>:     movq   0x10(%esi),%mm2
0x56b352 <fast_memcpy+482>:     movq   0x18(%esi),%mm3
0x56b356 <fast_memcpy+486>:     movq   0x20(%esi),%mm4
0x56b35a <fast_memcpy+490>:     movq   0x28(%esi),%mm5
0x56b35e <fast_memcpy+494>:     movq   0x30(%esi),%mm6
0x56b362 <fast_memcpy+498>:     movq   0x38(%esi),%mm7
0x56b366 <fast_memcpy+502>:     movntq %mm0,(%edi)
0x56b369 <fast_memcpy+505>:     movntq %mm1,0x8(%edi)
0x56b36d <fast_memcpy+509>:     movntq %mm2,0x10(%edi)
0x56b371 <fast_memcpy+513>:     movntq %mm3,0x18(%edi)
0x56b375 <fast_memcpy+517>:     movntq %mm4,0x20(%edi)
0x56b379 <fast_memcpy+521>:     movntq %mm5,0x28(%edi)
0x56b37d <fast_memcpy+525>:     movntq %mm6,0x30(%edi)
0x56b381 <fast_memcpy+529>:     movntq %mm7,0x38(%edi)
0x56b385 <fast_memcpy+533>:     add    $0x40,%esi
End of assembler dump.
(gdb) info all-registers
eax            0x800    2048
ecx            0x1d     29
edx            0x1      1
ebx            0x3670030        57081904
esp            0x22ec70 0x22ec70
ebp            0x22ec98 0x22ec98
esi            0x33ab781        54179713
edi            0x3793000        58273792
eip            0x56b366 0x56b366
eflags         0x210206 2163206
cs             0x1b     27
ss             0x23     35
ds             0x23     35
es             0x23     35
fs             0x38     56
gs             0x0      0
st0            -nan(0xecebe9ecebe9eceb) (raw 0xffffecebe9ecebe9eceb)
st1            -nan(0xebe9ecebe9ecebe9) (raw 0xffffebe9ecebe9ecebe9)
st2            -nan(0xe9ecebe9ecebe9ec) (raw 0xffffe9ecebe9ecebe9ec)
st3            -nan(0xecebe9ecebe9eceb) (raw 0xffffecebe9ecebe9eceb)
st4            -nan(0xfafaecebe9ecebe9) (raw 0xfffffafaecebe9ecebe9)
st5            -nan(0xfafafafafafafafa) (raw 0xfffffafafafafafafafa)
st6            -nan(0xfafafafafafafafa) (raw 0xfffffafafafafafafafa)
st7            -nan(0xfafafafafafafafa) (raw 0xfffffafafafafafafafa)
fctrl          0xffff037f       -64641
fstat          0xffff4020       -49120
ftag           0xffffaaaa       -21846
fiseg          0x0      0
fioff          0x0      0
foseg          0xffff0000       -65536
fooff          0x0      0
fop            0x0      0
(gdb) quit



macosx crash



(gdb) run  -nocache -nofs mf://shegostcths9.png,cisco.png
Starting program: /usr/local/bin/mplayer -nocache -nofs
mf://shegostcths9.png,cisco.png
Reading symbols for shared libraries .........................
+....................................................+....+.++ done
MPlayer dev-SVN-r23821-3.3 (C) 2000-2007 MPlayer Team AltiVec found
CPU: PowerPC

Playing mf://shegostcths9.png,cisco.png.
MF file format detected.
[mf] filelist: shegostcths9.png,cisco.png
[mf] number of files: 2
[demux_mf] file type was not set! trying 'type=png'...
VIDEO:  [MPNG]  0x0  24bpp  25.000 fps    0.0 kbps ( 0.0 kbyte/s)
Opening video filter: [eq]
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffpng] vfm: ffmpeg (FFmpeg PNG decoder)
==========================================================================
Audio: no sound
Starting playback...
VDec: vo config request - 485 x 600 (preferred colorspace: RGB 24-bit)
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: [scale]
VDec: using RGB 24-bit as output csp (no 5)
Movie-Aspect is undefined - no prescaling applied.
SwScaler: reducing / aligning filtersize 5 -> 4
SwScaler: reducing / aligning filtersize 1 -> 1
SwScaler: reducing / aligning filtersize 1 -> 1
SwScaler: reducing / aligning filtersize 9 -> 8
[swscaler @ 0x5e79e4]SwScaler: BICUBIC scaler, from rgb24 to yuv420p using AltiVec
[swscaler @ 0x5e79e4]SwScaler: using C scaler for horizontal scaling
[swscaler @ 0x5e79e4]SwScaler: using 1-tap C "scaler" for vertical scaling (YV12 like)
[swscaler @ 0x5e79e4]SwScaler: 485x600 -> 486x600
VO: [quartz] 486x600 => 486x601 Planar YV12
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
V:   0.0   1/  1 ??% ??% ??,?% 0 0
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0xffff8a60 in ___memcpy ()
    at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:189
189     /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h: No such file or directory.
        in /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h
(gdb) bt
#0  0xffff8a60 in ___memcpy ()
    at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:189
#1  0x002738f8 in decode_frame (avctx=0x3012400, data=0x2919650,
    data_size=0xbfffe550, buf=0x10 <Address 0x10 out of bounds>,
    buf_size=32) at pngdec.c:443
#2  0x00199b2c in avcodec_decode_video (avctx=0x3012400, picture=0x2919650,
    got_picture_ptr=0xbfffe550, buf=0x1f99000 "\211PNG\r\n\032\n",
    buf_size=31905) at utils.c:921
#3  0x0004cdc4 in decode (sh=0x2911b90, data=0x1f99000, len=31905,
    flags=0) at vd_ffmpeg.c:783
#4  0x0004aae4 in decode_video (sh_video=0x2911b90,
    start=0x1f99000 "\211PNG\r\n\032\n", in_size=31905, drop_frame=0,
    pts=5.2753561363708093e-315) at dec_video.c:370
#5  0x00006b90 in update_video (blit_frame=0xbffff74c) at mplayer.c:2040
#6  0x00009c28 in png_handle_tRNS () at mplayer.c:3391