[Ffmpeg-devel] h.264 decoder segfault

Benoit Fouet benoit.fouet
Tue Jan 23 19:09:40 CET 2007


Hi,

Michael Niedermayer wrote:
> the line number in decode_residual() :)))
>   
granted :)

> which is definitely not in bitstream.h but h264.c
> I do know it's crashing in get_vlc*() which is called by decode_residual()
> but I don't know in which, there are several
> one of the vlc tables either is damaged, or more likely an index into one
> is out of range
>
> maybe a "#define always_inline" before #include "bitstream.h" with -O0
> would help
>
> or the good old add a printf() before each get_vlc*() in decode_residual()
>   
here is the one that causes the SEGFAULT:
first line is line 4957
    if(total_coeff == max_coeff)
        zeros_left=0;
    else{
        if(n == CHROMA_DC_BLOCK_INDEX)
            zeros_left= get_vlc2(gb, chroma_dc_total_zeros_vlc[ total_coeff-1 ].table, CHROMA_DC_TOTAL_ZEROS_VLC_BITS, 1);
        else
            zeros_left= get_vlc2(gb, total_zeros_vlc[ total_coeff-1 ].table, TOTAL_ZEROS_VLC_BITS, 1);
    }


the second one causes the crash...
when it crashes, gb is correct (same as previous calls)
total_zeros_vlc[ total_coeff-1 ].table = NULL

Hope that helps more...

> PS: fuzzer crash/bugreports about other decoders and demuxers are also very
> welcome
>   
If I find other ones, I'll send them here :)

Ben
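The failure described above (get_vlc2() handed a NULL table because total_zeros_vlc[ total_coeff-1 ] is either an uninitialised entry or an index past the end of the array, with total_coeff taken from a fuzzed bitstream) is the usual shape of a fuzzer-found decoder crash. The C below is an added example, not code from FFmpeg or from this thread: a toy bit reader and a stand-in table array show the unchecked indexing pattern next to a bounds-checked version that turns the same input into an error return. The names vlc_t, bitreader_t, decode_zeros_unchecked, decode_zeros_checked, run_case and MAX_TOTAL_COEFF, the table contents and the sample byte are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for libavcodec's VLC struct: an entry whose table
 * pointer is NULL was never initialised, the state observed in the report. */
typedef struct {
    const int16_t *table;   /* NULL means "no table built for this index" */
    int table_size;
} vlc_t;

/* Toy bit reader over a constructed buffer (not FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} bitreader_t;

/* Read n bits MSB-first; returns -1 on overrun instead of reading past buf. */
static int get_bits(bitreader_t *gb, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (gb->pos >= gb->size_bits) return -1;
        v = (v << 1) | ((gb->buf[gb->pos >> 3] >> (7 - (gb->pos & 7))) & 1);
        gb->pos++;
    }
    return v;
}

#define MAX_TOTAL_COEFF 16   /* a 4x4 residual block carries at most 16 coefficients */

/* Constructed lookup values standing in for a real total_zeros VLC. */
static const int16_t sample_codes[4] = {0, 1, 2, 3};

/* Fifteen usable entries; index 15 is left NULL on purpose, so a total_coeff
 * of 16 that reaches the lookup dereferences a NULL table as in the report,
 * and a total_coeff of 17 indexes past the array altogether. */
static vlc_t total_zeros_vlc[MAX_TOTAL_COEFF];
static int tables_ready = 0;

static void init_tables(void) {
    for (int i = 0; i < MAX_TOTAL_COEFF - 1; i++) {
        total_zeros_vlc[i].table = sample_codes;
        total_zeros_vlc[i].table_size = 4;
    }
    tables_ready = 1;
}

/* The pattern from the report: a bitstream-derived count indexes the table
 * array directly and the table pointer is used without a NULL check. Kept
 * only as the "before"; never call it with an untrusted total_coeff. */
int decode_zeros_unchecked(bitreader_t *gb, int total_coeff) {
    const vlc_t *v = &total_zeros_vlc[total_coeff - 1];
    return v->table[get_bits(gb, 2)];   /* NULL deref when the entry is unset */
}

/* Hardened form: bound total_coeff by what the block can hold before using it
 * as an index, and treat a NULL table as an error return rather than a crash.
 * Returns 0 and sets *zeros_left on success, a negative code on bad input. */
static int decode_zeros_checked(bitreader_t *gb, int total_coeff, int max_coeff,
                                int *zeros_left) {
    if (!tables_ready) init_tables();
    if (total_coeff < 1 || total_coeff > max_coeff || total_coeff > MAX_TOTAL_COEFF)
        return -1;                        /* impossible count: corrupt stream */
    if (total_coeff == max_coeff) {       /* same shortcut as the decoder takes */
        *zeros_left = 0;
        return 0;
    }
    const vlc_t *v = &total_zeros_vlc[total_coeff - 1];
    if (!v->table) return -2;             /* table never built for this index */
    int idx = get_bits(gb, 2);
    if (idx < 0 || idx >= v->table_size) return -3;
    *zeros_left = v->table[idx];
    return 0;
}

/* Run one case over a constructed one-byte stream (bits 1100 0000) and
 * return zeros_left, or the negative error code. */
static int run_case(int total_coeff, int max_coeff) {
    static const uint8_t sample[1] = {0xC0};   /* constructed input, not a real NAL */
    bitreader_t gb = { sample, 8, 0 };
    int zeros_left = 0;
    int rc = decode_zeros_checked(&gb, total_coeff, max_coeff, &zeros_left);
    return rc < 0 ? rc : zeros_left;
}

int main(void) {
    printf("total_coeff=5,  max=15 -> %d\n", run_case(5, 15));   /* 3 */
    printf("total_coeff=15, max=15 -> %d\n", run_case(15, 15));  /* 0 */
    printf("total_coeff=16, max=15 -> %d\n", run_case(16, 15));  /* -1, rejected */
    printf("total_coeff=0,  max=15 -> %d\n", run_case(0, 15));   /* -1, rejected */
    return 0;
}
```

The check that matters is the one on total_coeff before it is used as an index: a count larger than max_coeff cannot come from a valid stream, so rejecting it there keeps the lookup from ever touching an entry that was never built. The NULL-table test after it is defence in depth for the case the report actually shows, where the entry exists in the array but its table pointer is unset.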