[Ffmpeg-devel] [PATCH/BUGREPORT] crash in vorbis decoder

Måns Rullgård mru
Sun Feb 4 23:27:40 CET 2007


Michael Niedermayer <michaelni at gmx.at> writes:

> Hi
>
> On Sun, Feb 04, 2007 at 11:08:16PM +0100, Reimar Döffinger wrote:
>> Hello,
>> http://samples.mplayerhq.hu/A-codecs/vorbis/ffvorbis_crash.ogm
>> crashes a few seconds into the files.
>
> gdb/valgrind output?

Valgrind chokes on some MMX instruction unless I disable those.  With
MMX disabled, it crashes like this:

$ valgrind ./ffmpeg -i ffvorbis_crash.ogm -vn -f null -y /dev/null
==3462== Memcheck, a memory error detector.
==3462== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==3462== Using LibVEX rev 1658, a library for dynamic binary translation.
==3462== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==3462== Using valgrind-3.2.1, a dynamic binary instrumentation framework.
==3462== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==3462== For more details, rerun with: -v
==3462== 
FFmpeg version SVN-r7817, Copyright (c) 2000-2006 Fabrice Bellard, et al.
  configuration:  --cc=x86_64-pc-linux-gnu-gcc-4.3.0-alpha20061216 --enable-gpl --cpu=core2 --disable-strip --disable-mmx 
  libavutil version: 49.3.0
  libavcodec version: 51.30.0
  libavformat version: 51.8.0
  built on Feb  4 2007 22:24:09, gcc: 4.3.0-alpha20061216  (experimental) (Gentoo 4.3.0_alpha20061216)
Input #0, ogg, from 'ffvorbis_crash.ogm':
  Duration: 00:00:06.4, start: 0.480000, bitrate: 632 kb/s
  Stream #0.0: Video: mpeg4, yuv420p, 576x432, 25.00 fps(r)
  Stream #0.1: Audio: vorbis, 48000 Hz, stereo, 80 kb/s
Output #0, null, to '/dev/null':
  Stream #0.0: Audio: pcm_s16le, 48000 Hz, stereo, 1536 kb/s
Stream mapping:
  Stream #0.1 -> #0.0
==3462== Invalid read of size 4
==3462==    at 0x6A29EB: vorbis_decode_init (bitstream.h:672)
==3462==    by 0x46DE13: avcodec_open (utils.c:836)
==3462==    by 0x417FCC: av_encode (ffmpeg.c:1759)
==3462==    by 0x418E22: main (ffmpeg.c:3931)
==3462==  Address 0x50E6B71 is 3,793 bytes inside a block of size 3,795 alloc'd
==3462==    at 0x4A2127C: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==3462==    by 0x45B425: vorbis_header (oggparsevorbis.c:153)
==3462==    by 0x45A6E7: ogg_packet (ogg2.c:398)
==3462==    by 0x45A86D: ogg_read_header (ogg2.c:436)
==3462==    by 0x41D464: av_open_input_stream (utils.c:404)
==3462==    by 0x4205DF: av_open_input_file (utils.c:517)
==3462==    by 0x411D8B: opt_input_file (ffmpeg.c:2587)
==3462==    by 0x41A722: parse_options (cmdutils.c:105)
==3462==    by 0x418A7F: main (ffmpeg.c:3917)
Press [q] to stop encoding
==3462==    0kB time=3.7 bitrate=   0.0kbits/s    
==3462== Invalid read of size 4
==3462==    at 0x69EF19: vorbis_residue_decode (vorbis.c:1512)
==3462==    by 0x69F8A6: vorbis_parse_audio_packet (vorbis.c:1658)
==3462==    by 0x69FEC4: vorbis_decode_frame (vorbis.c:1773)
==3462==    by 0x46D181: avcodec_decode_audio2 (utils.c:945)
==3462==    by 0x417062: output_packet (ffmpeg.c:1072)
==3462==    by 0x4186E2: av_encode (ffmpeg.c:1937)
==3462==    by 0x418E22: main (ffmpeg.c:3931)
==3462==  Address 0x4052B7F20 is not stack'd, malloc'd or (recently) free'd
==3462== 
==3462== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3462==  Access not within mapped region at address 0x4052B7F20
==3462==    at 0x69EF19: vorbis_residue_decode (vorbis.c:1512)
==3462==    by 0x69F8A6: vorbis_parse_audio_packet (vorbis.c:1658)
==3462==    by 0x69FEC4: vorbis_decode_frame (vorbis.c:1773)
==3462==    by 0x46D181: avcodec_decode_audio2 (utils.c:945)
==3462==    by 0x417062: output_packet (ffmpeg.c:1072)
==3462==    by 0x4186E2: av_encode (ffmpeg.c:1937)
==3462==    by 0x418E22: main (ffmpeg.c:3931)
==3462== 
==3462== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 4 from 1)
==3462== malloc/free: in use at exit: 2,425,902 bytes in 321 blocks.
==3462== malloc/free: 1,865 allocs, 1,544 frees, 10,128,054 bytes allocated.
==3462== For counts of detected errors, rerun with: -v
==3462== searching for pointers to 321 not-freed blocks.
==3462== checked 1,409,584 bytes.
==3462== 
==3462== LEAK SUMMARY:
==3462==    definitely lost: 0 bytes in 0 blocks.
==3462==      possibly lost: 0 bytes in 0 blocks.
==3462==    still reachable: 2,425,902 bytes in 321 blocks.
==3462==         suppressed: 0 bytes in 0 blocks.
==3462== Reachable blocks (those to which a pointer was found) are not shown.
==3462== To see them, rerun with: --show-reachable=yes


mru at thrashbarg:/tmp/ffmpeg$ ./ffmpeg -i ffvorbis_crash.ogm -vn -f null -y /dev/null
FFmpeg version SVN-r7817, Copyright (c) 2000-2006 Fabrice Bellard, et al.
  configuration:  --cc=x86_64-pc-linux-gnu-gcc-4.3.0-alpha20061216 --enable-gpl --cpu=core2 --disable-strip 
  libavutil version: 49.3.0
  libavcodec version: 51.30.0
  libavformat version: 51.8.0
  built on Feb  4 2007 22:20:50, gcc: 4.3.0-alpha20061216  (experimental) (Gentoo 4.3.0_alpha20061216)
Input #0, ogg, from 'ffvorbis_crash.ogm':
  Duration: 00:00:06.4, start: 0.480000, bitrate: 632 kb/s
  Stream #0.0: Video: mpeg4, yuv420p, 576x432, 25.00 fps(r)
  Stream #0.1: Audio: vorbis, 48000 Hz, stereo, 80 kb/s
Output #0, null, to '/dev/null':
  Stream #0.0: Audio: pcm_s16le, 48000 Hz, stereo, 1536 kb/s
Stream mapping:
  Stream #0.1 -> #0.0
Press [q] to stop encoding
Segmentation fault (core dumped)
mru at thrashbarg:/tmp/ffmpeg$ gdb ffmpeg core 
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

Core was generated by `./ffmpeg -i ffvorbis_crash.ogm -vn -f null -y /dev/null'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib64/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0  vorbis_residue_decode (vc=0xa2dee0, vr=0xac41b0, ch=2 '\002', 
    do_not_decode=0x7fff0f3f8d70 "", vec=0xab2000, vlen=1024)
    at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1512
1512                                            vec[voffs     ]+=codebook.codevectors[coffs+l  ];  // FPMATH
(gdb) bt
#0  vorbis_residue_decode (vc=0xa2dee0, vr=0xac41b0, ch=2 '\002', 
    do_not_decode=0x7fff0f3f8d70 "", vec=0xab2000, vlen=1024)
    at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1512
#1  0x00000000007915c7 in vorbis_parse_audio_packet (vc=0xa2dee0)
    at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1658
#2  0x0000000000791be5 in vorbis_decode_frame (
    avccontext=<value optimized out>, data=0x2b259b761010, 
    data_size=0x7fff0f3f957c, buf=0xab2240 "", buf_size=185)
    at /home/mru/src/ffmpeg/libavcodec/vorbis.c:1773
#3  0x000000000046ce42 in avcodec_decode_audio2 (avctx=0xa24860, samples=0x4, 
    frame_size_ptr=0xffffffff, buf=0xab2240 "", buf_size=145)
    at /home/mru/src/ffmpeg/libavcodec/utils.c:945
#4  0x0000000000417803 in output_packet (ist=0xa31cf0, ist_index=1, 
    ost_table=0xa31440, nb_ostreams=1, pkt=0x7fff0f3f9ad0)
    at /home/mru/src/ffmpeg/ffmpeg.c:1072
#5  0x0000000000418e83 in av_encode (output_files=0x98fcc0, nb_output_files=1, 
    input_files=0x98fb80, nb_input_files=1, stream_maps=0x98fd60, 
    nb_stream_maps=0) at /home/mru/src/ffmpeg/ffmpeg.c:1937
#6  0x00000000004195c3 in main (argc=<value optimized out>, 
    argv=<value optimized out>) at /home/mru/src/ffmpeg/ffmpeg.c:3931
(gdb) info registers all
rax            0xfffffffc       4294967292
rbx            0x8      8
rcx            0xab2240 11215424
rdx            0xab3240 11219520
rsi            0x4      4
rdi            0xa2fb30 10681136
rbp            0x7fff0f3f8d30   0x7fff0f3f8d30
rsp            0x7fff0f3f8b90   0x7fff0f3f8b90
r8             0x91     145
r9             0xffffffff       4294967295
r10            0x2      2
r11            0xfffffffc       4294967292
r12            0x0      0
r13            0xae0b90 11406224
r14            0xab2000 11214848
r15            0xa29e50 10657360
rip            0x790c39 0x790c39 <vorbis_residue_decode+2905>
eflags         0x210202 2163202
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            -nan(0xe8f8ed83ee74f2ad) (raw 0xffffe8f8ed83ee74f2ad)
st1            -nan(0xffffe8f8ffffed83) (raw 0xffffffffe8f8ffffed83)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x7, 0xffffba52, 0xffffc333}, v2_double = {
    0x15f90, 0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0xf9, 
    0xf5, 0x40, 0x35, 0x5c, 0x8b, 0xc6, 0x54, 0x34, 0x73, 0xc6}, v8_int16 = {
    0x0, 0x0, 0xf900, 0x40f5, 0x5c35, 0xc68b, 0x3454, 0xc673}, v4_int32 = {
    0x0, 0x40f5f900, 0xc68b5c35, 0xc6733454}, v2_int64 = {0x40f5f90000000000, 
    0xc6733454c68b5c35}, uint128 = 0xc6733454c68b5c3540f5f90000000000}
xmm2           {v4_float = {0xfffffb23, 0x2, 0x0, 0x0}, v2_double = {0x5, 
    0x0}, v16_int8 = {0xe4, 0xa5, 0x9b, 0xc4, 0x20, 0xb0, 0x14, 0x40, 0xd1, 
    0x7e, 0x4e, 0xbe, 0x84, 0x41, 0x42, 0xbe}, v8_int16 = {0xa5e4, 0xc49b, 
    0xb020, 0x4014, 0x7ed1, 0xbe4e, 0x4184, 0xbe42}, v4_int32 = {0xc49ba5e4, 
    0x4014b020, 0xbe4e7ed1, 0xbe424184}, v2_int64 = {0x4014b020c49ba5e4, 
    0xbe424184be4e7ed1}, uint128 = 0xbe424184be4e7ed14014b020c49ba5e4}
xmm3           {v4_float = {0xfffffb23, 0x2, 0x0, 0x0}, v2_double = {0x5, 
    0x0}, v16_int8 = {0xe4, 0xa5, 0x9b, 0xc4, 0x20, 0xb0, 0x14, 0x40, 0xd1, 
    0x7e, 0x4e, 0xbe, 0x84, 0x41, 0x42, 0xbe}, v8_int16 = {0xa5e4, 0xc49b, 
    0xb020, 0x4014, 0x7ed1, 0xbe4e, 0x4184, 0xbe42}, v4_int32 = {0xc49ba5e4, 
    0x4014b020, 0xbe4e7ed1, 0xbe424184}, v2_int64 = {0x4014b020c49ba5e4, 
    0xbe424184be4e7ed1}, uint128 = 0xbe424184be4e7ed14014b020c49ba5e4}
xmm4           {v4_float = {0xfffffffe, 0xd, 0xffffdd7f, 0xffffce14}, 
  v2_double = {0x5014a7, 0x8000000000000000}, v16_int8 = {0x0, 0x0, 0x0, 0xc0, 
    0x29, 0x5, 0x54, 0x41, 0x48, 0x7, 0xa, 0xc6, 0x3e, 0xb0, 0x47, 0xc6}, 
  v8_int16 = {0x0, 0xc000, 0x529, 0x4154, 0x748, 0xc60a, 0xb03e, 0xc647}, 
  v4_int32 = {0xc0000000, 0x41540529, 0xc60a0748, 0xc647b03e}, v2_int64 = {
    0x41540529c0000000, 0xc647b03ec60a0748}, 
  uint128 = 0xc647b03ec60a074841540529c0000000}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 11 times>, 0x80, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {
    0x0, 0x0, 0x0, 0x0, 0x0, 0x8000, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 
    0x80000000, 0x0}, v2_int64 = {0x0, 0x80000000}, 
  uint128 = 0x00000000800000000000000000000000}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x80, 0x0, 0x0, 0x0, 0x80, 
    0x0, 0x0, 0x0, 0x80}, v8_int16 = {0x0, 0x8000, 0x0, 0x8000, 0x0, 0x8000, 
    0x0, 0x8000}, v4_int32 = {0x80000000, 0x80000000, 0x80000000, 0x80000000}, 
  v2_int64 = {0x8000000080000000, 0x8000000080000000}, 
  uint128 = 0x80000000800000008000000080000000}
xmm8           {v4_float = {0xb4600000, 0x1, 0x0, 0x0}, v2_double = {0x1, 
    0x0}, v16_int8 = {0x18, 0x2d, 0x44, 0x54, 0xfb, 0x21, 0xf9, 0x3f, 0x0, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x2d18, 0x5444, 0x21fb, 
    0x3ff9, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x54442d18, 0x3ff921fb, 0x0, 
    0x0}, v2_int64 = {0x3ff921fb54442d18, 0x0}, 
  uint128 = 0x00000000000000003ff921fb54442d18}
xmm9           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm10          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm11          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm12          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm13          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm14          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm15          {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1fa0   8096


-- 
Måns Rullgård
mru at inprovide.com
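The first Memcheck record above (a read of size 4 starting 3,793 bytes into a 3,795-byte block, from the bitstream reader called by vorbis_decode_init) is the signature of a bit reader that fetches a whole 32-bit word at the current byte offset when fewer than four bytes of the buffer remain. The C program below is an added example, not FFmpeg's code: it implements a minimal word-fetching MSB-first bit reader with an explicit end-of-allocation check, and shows why appending zeroed padding after a packet (INPUT_PADDING here is an assumed name and size) lets the last bytes be decoded without the fetch leaving allocated memory. The 3,795-byte payload of 0xA5 bytes is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not FFmpeg's code. A minimal MSB-first bit reader that,
 * like many codec bit readers, fetches a whole 32-bit word at the current
 * byte offset. Without padding, decoding the final bytes of a buffer makes
 * that fetch cross the end of the allocation, which is the pattern Memcheck
 * reports as "Invalid read of size 4 ... N bytes inside a block of size N+2". */

#define INPUT_PADDING 8   /* assumed padding size; anything >= 3 bytes suffices here */

typedef struct {
    const uint8_t *buf;
    size_t alloc_size;   /* bytes actually allocated (payload + padding) */
    size_t payload_bits; /* bits the caller is allowed to consume */
    size_t bit_pos;
} BitReader;

/* 1 if a 4-byte fetch at bit_pos would touch bytes beyond alloc_size. */
int fetch_overreads(size_t alloc_size, size_t bit_pos)
{
    size_t byte = bit_pos >> 3;
    return byte + 4 > alloc_size;
}

/* Reads n bits (1..25). Returns -1 rather than consuming bits past the
 * payload or fetching memory past the allocation. */
long read_bits(BitReader *br, unsigned n)
{
    if (n == 0 || n > 25)
        return -1;
    if (br->bit_pos + n > br->payload_bits)           /* logical end of data */
        return -1;
    if (fetch_overreads(br->alloc_size, br->bit_pos)) /* physical end of memory */
        return -1;
    size_t byte = br->bit_pos >> 3;
    uint32_t word = ((uint32_t)br->buf[byte]     << 24) |
                    ((uint32_t)br->buf[byte + 1] << 16) |
                    ((uint32_t)br->buf[byte + 2] <<  8) |
                     (uint32_t)br->buf[byte + 3];
    unsigned shift = br->bit_pos & 7;
    long v = (long)((word << shift) >> (32 - n));
    br->bit_pos += n;
    return v;
}

/* Copies a payload into an allocation with INPUT_PADDING zero bytes
 * appended so that word fetches near the end stay inside it. */
uint8_t *alloc_padded(const uint8_t *src, size_t size)
{
    uint8_t *p = malloc(size + INPUT_PADDING);
    if (!p)
        return NULL;
    memcpy(p, src, size);
    memset(p + size, 0, INPUT_PADDING);
    return p;
}

/* Reads the last byte of a constructed 3,795-byte payload (the block size
 * in the report). Without padding the 4-byte fetch would cross the end of
 * the allocation and is refused (-1); with padding it returns 0xA5. */
long demo_read_last_byte(int use_padding)
{
    enum { N = 3795 };
    uint8_t *raw = malloc(N);
    if (!raw)
        return -1;
    memset(raw, 0xA5, N);                 /* constructed payload */
    uint8_t *buf = raw;
    size_t alloc = N;
    if (use_padding) {
        buf = alloc_padded(raw, N);
        alloc = N + INPUT_PADDING;
        if (!buf) { free(raw); return -1; }
    }
    BitReader br = { buf, alloc, (size_t)N * 8, (size_t)(N - 1) * 8 };
    long v = read_bits(&br, 8);
    if (buf != raw)
        free(buf);
    free(raw);
    return v;
}

int main(void)
{
    printf("unpadded read of last byte: %ld\n", demo_read_last_byte(0));
    printf("padded read of last byte:   %ld\n", demo_read_last_byte(1));
    printf("fetch at byte 3793 of 3795 overreads: %d\n",
           fetch_overreads(3795, 3793 * 8));
    return 0;
}
```

Run under valgrind as in the report, the unpadded variant is what turns a well-formed but short header packet into an out-of-bounds read; the padded allocation removes the overread without changing what the reader decodes.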
