[FFmpeg-devel] H263 decoding crash, [BUG] : reading memory past the end of the buffer.

Pavel Pavlov pavel
Fri Jun 5 04:49:08 CEST 2009 

> Hello everybody,
> I have some random crashes while decoding h263.
> 
> I use icl build of ffmpeg and can debug with visual studio. 
> The problem is that I only get crashes in release build, and 
> only if I'm not attached with the debugger.
> I always get it in the same function after running a video 
> call for a while.
> Once I attach with the debugger after it crashed some of the 
> variables aren't showing correctly, so I can't really see 
> what's the problem.
> 
> For example, it crashes inside h263.c on line 4190
> 
> Here's the stack trace:
> 
>  	avcodec-52.dll!ff_h263_decode_mb(MpegEncContext * s=0x01068c10,
> short [64]* block=0x06ce48c0)  Line 4190 + 0x11 bytes	C
>  	avcodec-52.dll!decode_slice(MpegEncContext * s=0x00000000)  Line
> 221 + 0x7 bytes	C
>  	avcodec-52.dll!ff_h263_decode_frame(AVCodecContext * 
> avctx=0x01068280, void * data=0x01068620, int * data_size=0x015af8d8,
> AVPacket * avpkt=0x015af830)  Line 653	C
>  	avcodec-52.dll!avcodec_decode_video(AVCodecContext * 
> avctx=0x00000000, AVFrame * picture=0x015af8f8, int * 
> got_picture_ptr=0x015afcc4, const unsigned char * buf=0x005ac98a, int
> buf_size=17203840)  Line 563 + 0x6c bytes	C
> >	EC-09.exe!H263DecoderStruct::Transform(void * pData=0x07aa5954,
> int nSize=1706, SAL::MediaSample & Sample={...}, 
> SAL::SmartPointer<SAL::MediaHandler> p={...})  Line 459 + 0x20 bytes
> C++
> 
> 
> stack trace doesn't make much sence, as my code calls 
> avcodec_decode_video(0x01068620, 0x01068620, &nResult, 
> 0x07aa5954, 1706); but on the next line it shows 
> AVCodecContext * avctx=0x00000000
> 
> Just before ff_h263_decode_mb is called, in file 
> h263dec.c:221 inside function decode_slice there is a 
> commented out printf:
> //            s->mb_skipped = 0;
> //printf("%d %d %06X\n", ret, get_bits_count(&s->gb), 
> show_bits(&s->gb, 24)); Was someone getting some sort of 
> problems and that's why there is this printf to trace?


Before you start reading below, I start with my conclusion: 
there is code that always reads past the end of the buffer when
decoding h263.


I was able to get more info

show_bits (h263.c:4190) is called with GetBitsContext that contains
these values:
buffer : 0x017dbf4c     (25018188)
buffer_end : 0x017dcffd (25022461)
index : 34184
size_in_bits : 34184

And the exceptions I get is:
Unhandled exception at 0x10180e06 (avcodec-52.dll) in EC-09.exe: 
0xC0000005: Access violation reading location 0x017dd000.

Location 0x017dd000 (25022464) is just 3 bytes outside of 
passed GetBitsContext.buffer_end

The place of crash has this asm code:
        int v= show_bits(&s->gb, 16);
10180DF5  mov         ebx,dword ptr [esp+0B4h] 
10180DFC  mov         edx,dword ptr [ebx+8] 
10180DFF  mov         eax,dword ptr [ebx] 
10180E01  mov         edi,edx 
10180E03  sar         edi,3 
10180E06  mov         eax,dword ptr [edi+eax]    
10180E09  bswap       eax  
10180E0B  mov         ecx,edx 
10180E0D  and         ecx,7 
10180E10  shl         eax,cl 
10180E12  shr         eax,0F0h 

And the crash is at 10180e06



The values passed to the show_bits as buffer and buffer_end is the
pointer 
to the h263 video data that I pass to the decoder:
avcodec_decode_video(m_pContext, m_pFrame, &nResult, (uint8_t*)pData,
nSize);
where pData is 0x017dbf4c and nSize is 4273 (which is 34184/8)

At the point of crash EDI is 000010B1 and eax is : 017DBF4C which means
that edi cotnains 4273 and eax is the passed buffer, so on line 10180E06

it tries to read past the buffer.


On the encoding side I use the same version of ffmpeg and the same
client.
The question I have - is it a bug that it tries to read past the end of
the buffer
or it's my fault that I don't pass some sort of multiple of 8 bytes or
something 
like that?



On top of that, I can confirm that this read happens 100% all the time.
I addded hardware breakpoint at the end the the passed h263 data and it 
always asserts. Basically, I tell cpu to int 1 if any instruction tries
to access 
memory after the end of the buffer and now I get assertion on the first
frame and 
it's not some random error. Moreover, since it's not a fatal error I get
assertion 
for reading past the end of the buffer in many places:

get_bits.h:628 

h263.c:3949
h263.c:3962
h263.c:3978
h263.c:4190
h263.c:4639
h263.c:4661

And hardware breakpoint on i386 is done through setting dr0-3 with the
address of the memory and setting flags for data read or write in dr7
http://en.wikipedia.org/wiki/Debug_register

More information about the ffmpeg-devel mailing list