[FFmpeg-devel] [PATCH] fix AVI decode crash introduced in r24579

Fri Aug 27 19:04:12 CEST 2010

ffmpeg r24579 introduced a bug that causes a crash with some AVI
samples (I have 3 samples that cause it, all are AVI with DV and PCM
audio).

r24579 added a call to get_subtitle_pkt() in get_stream_idx(), but for
these samples the audio streams st->priv_data is NULL and
get_subtitle_pkt() crashes when it attempts to use it.

Sample uploaded to /MPlayer/incoming/avidec-crash/dv-pcm-crash.avi

Attached patch adds a check to guard against NULL st->priv_data in
get_subtitle_pkt() and in avi_read_close().


Crash backtrace:

FFplay version SVN-r24953, Copyright (c) 2003-2010 the FFmpeg developers
  built on Aug 27 2010 12:29:46 with gcc 4.2.1 (Apple Inc. build 5664)
  configuration: --enable-debug=gdb3 --disable-optimizations
  libavutil     50.24. 0 / 50.24. 0
  libavcore      0. 6. 0 /  0. 6. 0
  libavcodec    52.87. 0 / 52.87. 0
  libavformat   52.78. 3 / 52.78. 3
  libavdevice   52. 2. 1 / 52. 2. 1
  libavfilter    1.38. 1 /  1.38. 1
  libswscale     0.11. 0 /  0.11. 0
[avi @ 0x10280c200] Estimating duration from bitrate, this may be inaccurate
Input #0, avi, from '/Volumes/Passport/bugs/ffmpeg-avi-pcm/dv-pcm-crash.avi':
  Duration: 00:01:12.87, start: 0.000000, bitrate: 30307 kb/s
    Stream #0.0: Video: dvvideo, yuv411p, 720x480, 28771 kb/s, PAR
10:11 DAR 15:11, 29.97 tbr, 29.97 tbn, 29.97 tbc
    Stream #0.1: Audio: pcm_s16le, 48000 Hz, 2 channels, s16, 1536 kb/s
[ffplay_output @ 0x101b2b000] auto-inserting filter 'auto-inserted
scaler 0' between the filter 'src' and the filter 'out'
[scale @ 0x101b2b290] w:720 h:480 fmt:yuv411p -> w:720 h:480
fmt:yuv420p flags:0x4

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000450
[Switching to process 21503]
0x0000000100028074 in get_subtitle_pkt (s=0x114809000,
next_st=0x102608c10, pkt=0x114790c30) at libavformat/avidec.c:762
762	        if (st->discard < AVDISCARD_ALL && ast->sub_pkt.data) {
(gdb) bt
#0  0x0000000100028074 in get_subtitle_pkt (s=0x114809000,
next_st=0x102608c10, pkt=0x114790c30) at libavformat/avidec.c:762
#1  0x0000000100028619 in avi_read_packet (s=0x114809000,
pkt=0x114790c30) at libavformat/avidec.c:869
#2  0x00000001000c4e7e in av_read_packet (s=0x114809000,
pkt=0x114790c30) at libavformat/utils.c:665
#3  0x00000001000c6822 in av_read_frame_internal (s=0x114809000,
pkt=0x114790d50) at libavformat/utils.c:1105
#4  0x00000001000c6f36 in av_read_frame (s=0x114809000,
pkt=0x114790d50) at libavformat/utils.c:1230
#5  0x00000001000081f3 in decode_thread (arg=0x114642000) at ffplay.c:2640
-------------- next part --------------
Index: libavformat/avidec.c
===================================================================

--- libavformat/avidec.c	(revision 24953)
+++ libavformat/avidec.c	(working copy)
@@ -759,7 +759,7 @@
     for (i=0; i<s->nb_streams; i++) {
         st  = s->streams[i];
         ast = st->priv_data;
-        if (st->discard < AVDISCARD_ALL && ast->sub_pkt.data) {
+        if (st->discard < AVDISCARD_ALL && ast && ast->sub_pkt.data) {
             ts = av_rescale_q(ast->sub_pkt.dts, st->time_base, AV_TIME_BASE_Q);
             if (ts <= next_ts && ts < ts_min) {
                 ts_min = ts;
@@ -1294,12 +1294,14 @@
         AVStream *st = s->streams[i];
         AVIStream *ast = st->priv_data;
         av_free(st->codec->palctrl);
+        if (ast) {
         if (ast->sub_ctx) {
             av_freep(&ast->sub_ctx->pb);
             av_close_input_stream(ast->sub_ctx);
         }
         av_free(ast->sub_buffer);
         av_free_packet(&ast->sub_pkt);
+        }
     }
 
     if (avi->dv_demux)

