[FFmpeg-devel] [PATCH] libavfilter:vf_thumbnail.c: Fix bug in buffer handling for RGB width

Chris Kennedy ckennedy at groovy.org
Thu Feb 19 03:20:54 CET 2015


More details attached, debug level and gdb backtrace.  Hopefully this
helps, and I will work on getting a file I can share showing the issue.

Thanks


On Wed, Feb 18, 2015 at 4:09 PM, Chris Kennedy <ckennedy at groovy.org> wrote:

> On Wed, Feb 18, 2015 at 2:34 PM, Clément Bœsch <u at pkh.me> wrote:
>
>> On Wed, Feb 18, 2015 at 02:22:53PM -0800, Chris Kennedy wrote:
>> > This is a pretty obvious bug we caught in the thumbnail filter that is very
>> > subtle and hardly ever shows issues except for certain videos.  Yet it can
>> > be seen how it is blatantly going out of bounds by basing the width
>> > increment off of i*3 that resulted in odd crashes in rare cases.
>> >
>> >
>> > Thanks,
>> > Chris
>> > --
>> > ---
>> > Chris Kennedy
>> > Video Engineer
>> > CrunchyRoll - http://www.crunchyroll.com
>>
>> > diff --git a/libavfilter/vf_thumbnail.c b/libavfilter/vf_thumbnail.c
>> > index 1883154..a1272a0 100644
>> > --- a/libavfilter/vf_thumbnail.c
>> > +++ b/libavfilter/vf_thumbnail.c
>> > @@ -142,7 +142,8 @@ static int filter_frame(AVFilterLink *inlink,
>> AVFrame *frame)
>> >
>> >      // update current frame RGB histogram
>> >      for (j = 0; j < inlink->h; j++) {
>> > -        for (i = 0; i < inlink->w; i++) {
>> > +        // last third of image, walk every 3 bytes/pixels reading RGB
>> > +        for (i = 0; i < inlink->w/3; i++) {
>>
>> width is expressed in pixels, not bytes.
>>
>
> Right, this part seems tricky, yet it doesn't make sense to walk the
> entire width with var i and then walk it by 3's up to the very last
> increment.
>
>
>>
>> How to reproduce the issue or crash?
>>
>> >              hist[0*256 + p[i*3    ]]++;
>> >              hist[1*256 + p[i*3 + 1]]++;
>> >              hist[2*256 + p[i*3 + 2]]++;
>> >
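
Review bot: the new bound `i < inlink->w/3` on the inner loop treats `inlink->w` as a byte count, but the body already scales the index itself (`p[i*3]`, `p[i*3 + 1]`, `p[i*3 + 2]`), so with `i < inlink->w` the highest offset read in a row is `3*inlink->w - 1`, the last byte of a row of `inlink->w` three-byte pixels. Dividing by 3 leaves the right two thirds of every row out of the histogram, and the added comment's "last third of image" does not match a loop that starts at `i = 0`. I would keep `i < inlink->w` and, if a read does go past the frame, look at how `p` is set and advanced for each row, which is outside the lines shown in this hunk.
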
>>
>>
> The source is copyrighted, and it happens on certain types of encodings it
> seems, and only 1 out of every 250 or some really low number.  I will work
> on getting a reproducible case.
>
> Thanks,
> Chris
>
>
>> --
>> Clément B.
>>
-------------- next part --------------
ffmpeg -nostdin -nostats -analyzeduration 774552000 -threads 1 -i input.avi -threads 1 -vsync 0 -q:v 0 -an -vf trim=300:776,fps=fps=29.97,thumbnail=178 video%02d.jpg
Returned: [Parsed_thumbnail_2 @ 0x2f4cac0] frame id #128 (pts_time=351.785118) selected from a set of 178 images
WIP, backtrace and full debug ready, I am going to hunt now for the issue and try to fix it:
Starting program: /opt/ffmpeg/ffmpeg -nostdin -nostats -analyzeduration 774552000 -threads 1 -i input.avi -threads 1 -vsync 0 -q:v 0 -an -vf trim=300:776,fps=fps=29.97,thumbnail=178 -loglevel debug video%02d.jpg
[Thread debugging using libthread_db enabled]
ffmpeg version n2.5.1-22-g26e5e17 Copyright (c) 2000-2014 the FFmpeg developers
built on Feb 17 2015 15:59:56 with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-11)
configuration: --prefix=/usr --disable-outdev=sdl --disable-ffplay --disable-ffserver --enable-gpl --enable-nonfree --disable-shared --disable-optimizations --disable-stripping --enable-debug=3 --enable-static --disable-mmx --disable-mmxext --disable-ssse3 --extra-cflags='-O0 -fno-inline'
libavutil 54. 15.100 / 54. 15.100
libavcodec 56. 13.100 / 56. 13.100
libavformat 56. 15.102 / 56. 15.102
libavdevice 56. 3.100 / 56. 3.100
libavfilter 5. 2.103 / 5. 2.103
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 1.100 / 1. 1.100
libpostproc 53. 3.100 / 53. 3.100
Splitting the commandline.
Reading option '-nostdin' ... matched as option 'stdin' (enable or disable interaction on standard input) with argument 0.
Reading option '-nostats' ... matched as option 'stats' (print progress report during encoding) with argument 0.
Reading option '-analyzeduration' ... matched as AVOption 'analyzeduration' with argument '774552000'.
Reading option '-threads' ... matched as AVOption 'threads' with argument '1'.
Reading option '-i' ... matched as input file with argument 'input.avi'.
Reading option '-threads' ... matched as AVOption 'threads' with argument '1'.
Reading option '-vsync' ... matched as option 'vsync' (video sync method) with argument '0'.
Reading option '-q:v' ... matched as option 'q' (use fixed quality scale (VBR)) with argument '0'.
Reading option '-an' ... matched as option 'an' (disable audio) with argument '1'.
Reading option '-vf' ... matched as option 'vf' (set video filters) with argument 'trim=300:776,fps=fps=29.97,thumbnail=178'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument 'debug'.
Reading option 'video%02d.jpg' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option nostdin (enable or disable interaction on standard input) with argument 0.
Applying option nostats (print progress report during encoding) with argument 0.
Applying option vsync (video sync method) with argument 0.
Applying option loglevel (set logging level) with argument debug.
Successfully parsed a group of options.
Parsing a group of options: input file input.avi.
Successfully parsed a group of options.
Opening an input file: input.avi.
[avi @ 0x1c8d9b0] Format avi probed with size=2048 and score=100
[avi @ 0x1c8e330] use odml:1
[avi @ 0x1c8d9b0] Before avformat_find_stream_info() pos: 9986 bytes read:1906544 seeks:4
[avi @ 0x1c8d9b0] All info found
rfps: 29.666667 0.013653
Last message repeated 1 times
rfps: 29.750000 0.007182
Last message repeated 1 times
rfps: 29.833333 0.002772
Last message repeated 1 times
rfps: 29.916667 0.000422
Last message repeated 1 times
rfps: 30.000000 0.000133
Last message repeated 1 times
rfps: 60.000000 0.000533
Last message repeated 1 times
rfps: 120.000000 0.002132
Last message repeated 1 times
rfps: 240.000000 0.008528
Last message repeated 1 times
rfps: 29.970030 0.000000
rfps: 59.940060 0.000000
[avi @ 0x1c8d9b0] After avformat_find_stream_info() pos: 334549 bytes read:2201456 seeks:4 frames:97
Input #0, avi, from 'input.avi':
Metadata:
encoder : Lavf52.62.0
Duration: 00:25:49.10, start: 0.000000, bitrate: 1644 kb/s
Stream #0:0, 41, 1001/30000: Video: mpeg4 (Simple Profile) (XVID / 0x44495658), yuv420p(left), 624x480 [SAR 1:1 DAR 13:10], 1/30000, 1439 kb/s, 29.97 fps, 29.97 tbr, 29.97 tbn, 30k tbc
Stream #0:1, 56, 3/125: Audio: mp3 (U[0][0][0] / 0x0055), 48000 Hz, stereo, s16p, 192 kb/s
Successfully opened the file.
Parsing a group of options: output file video%02d.jpg.
Applying option q:v (use fixed quality scale (VBR)) with argument 0.
Applying option an (disable audio) with argument 1.
Applying option vf (set video filters) with argument trim=300:776,fps=fps=29.97,thumbnail=178.
Successfully parsed a group of options.
Opening an output file: video%02d.jpg.
Successfully opened the file.
[Parsed_trim_0 @ 0x1c95430] Setting 'starti' to value '300'
[Parsed_trim_0 @ 0x1c95430] Setting 'endi' to value '776'
[Parsed_fps_1 @ 0x1c85a60] Setting 'fps' to value '29.97'
[Parsed_fps_1 @ 0x1c85a60] fps=2997/100
[Parsed_thumbnail_2 @ 0x1c8d810] Setting 'n' to value '178'
[Parsed_thumbnail_2 @ 0x1c8d810] batch size: 178 frames
[graph 0 input from stream 0:0 @ 0x1c8d620] Setting 'video_size' to value '624x480'
[graph 0 input from stream 0:0 @ 0x1c8d620] Setting 'pix_fmt' to value '0'
[graph 0 input from stream 0:0 @ 0x1c8d620] Setting 'time_base' to value '1001/30000'
[graph 0 input from stream 0:0 @ 0x1c8d620] Setting 'pixel_aspect' to value '1/1'
[graph 0 input from stream 0:0 @ 0x1c8d620] Setting 'sws_param' to value 'flags=2'
[graph 0 input from stream 0:0 @ 0x1c8d620] Setting 'frame_rate' to value '30000/1001'
[graph 0 input from stream 0:0 @ 0x1c8d620] w:624 h:480 pixfmt:yuv420p tb:1001/30000 fr:30000/1001 sar:1/1 sws_param:flags=2
[format @ 0x1d15cd0] compat: called with args=[yuvj420p|yuvj422p|yuvj444p]
[format @ 0x1d15cd0] Setting 'pix_fmts' to value 'yuvj420p|yuvj422p|yuvj444p'
[auto-inserted scaler 0 @ 0x1d16b30] Setting 'flags' to value '0x4'
[auto-inserted scaler 0 @ 0x1d16b30] w:iw h:ih flags:'0x4' interl:0
[Parsed_thumbnail_2 @ 0x1c8d810] auto-inserting filter 'auto-inserted scaler 0' between the filter 'Parsed_fps_1' and the filter 'Parsed_thumbnail_2'
[auto-inserted scaler 1 @ 0x1d164e0] Setting 'flags' to value '0x4'
[auto-inserted scaler 1 @ 0x1d164e0] w:iw h:ih flags:'0x4' interl:0
[format @ 0x1d15cd0] auto-inserting filter 'auto-inserted scaler 1' between the filter 'Parsed_thumbnail_2' and the filter 'format'
[AVFilterGraph @ 0x1c85cb0] query_formats: 6 queried, 3 merged, 2 already done, 0 delayed
[auto-inserted scaler 0 @ 0x1d16b30] picking rgb24 out of 2 ref:yuv420p alpha:0
[auto-inserted scaler 1 @ 0x1d164e0] picking yuvj444p out of 3 ref:rgb24 alpha:0
[swscaler @ 0x1c85d20] No accelerated colorspace conversion found from yuv420p to rgb24.
[auto-inserted scaler 0 @ 0x1d16b30] w:624 h:480 fmt:yuv420p sar:1/1 -> w:624 h:480 fmt:rgb24 sar:1/1 flags:0x4
[swscaler @ 0x1ca8be0] deprecated pixel format used, make sure you did set range correctly
[auto-inserted scaler 1 @ 0x1d164e0] w:624 h:480 fmt:rgb24 sar:1/1 -> w:624 h:480 fmt:yuvj444p sar:1/1 flags:0x4
[mjpeg @ 0x1d15660] intra_quant_bias = 96 inter_quant_bias = 0
Output #0, image2, to 'video%02d.jpg':
Metadata:
encoder : Lavf56.15.102
Stream #0:0, 0, 100/2997: Video: mjpeg, yuvj444p(pc, left), 624x480 [SAR 1:1 DAR 13:10], 100/2997, q=2-31, 200 kb/s, 29.97 fps, 29.97 tbn, 29.97 tbc
Metadata:
encoder : Lavc56.13.100 mjpeg
Stream mapping:
Stream #0:0 -> #0:0 (mpeg4 (native) -> mjpeg (native))
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #147 (pts_time=304.904905) selected from a set of 178 images
[AVIOContext @ 0x1f4c140] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #129 (pts_time=310.243577) selected from a set of 178 images
[AVIOContext @ 0x6ee8cf0] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #43 (pts_time=313.313313) selected from a set of 178 images
[AVIOContext @ 0x1d39a60] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #88 (pts_time=320.754087) selected from a set of 178 images
[AVIOContext @ 0x59a9d90] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #131 (pts_time=328.128128) selected from a set of 178 images
[AVIOContext @ 0x4f20850] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #34 (pts_time=330.830831) selected from a set of 178 images
[AVIOContext @ 0x1d39a40] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #147 (pts_time=340.540541) selected from a set of 178 images
[AVIOContext @ 0x6ee3b00] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #138 (pts_time=346.179513) selected from a set of 178 images
[AVIOContext @ 0x59b4e10] Statistics: 0 seeks, 2 writeouts
[Parsed_thumbnail_2 @ 0x1c8d810] frame id #128 (pts_time=351.785118) selected from a set of 178 images
[AVIOContext @ 0x1fecb30] Statistics: 0 seeks, 3 writeouts
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=0x7ffff7124e80, bytes=<value optimized out>) at malloc.c:4515
4515 fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
(gdb) backtrace
#0 _int_malloc (av=0x7ffff7124e80, bytes=<value optimized out>) at malloc.c:4515
#1 0x00007ffff6e0f6b1 in __libc_malloc (bytes=683) at malloc.c:3664
#2 0x0000000001035633 in av_realloc (ptr=0x0, size=683) at libavutil/mem.c:166
#3 0x0000000001026c72 in av_buffer_realloc (pbuf=0x7fffffffd160, size=683) at libavutil/buffer.c:165
#4 0x00000000006fb572 in packet_alloc (buf=0x7fffffffd160, size=651) at libavcodec/avpacket.c:74
#5 0x00000000006fb5d5 in av_new_packet (pkt=0x7fffffffd400, size=651) at libavcodec/avpacket.c:86
#6 0x00000000006fb6dd in av_grow_packet (pkt=0x7fffffffd400, grow_by=651) at libavcodec/avpacket.c:116
#7 0x00000000006a4b31 in append_packet_chunked (s=0x1c964b0, pkt=0x7fffffffd400, size=651) at libavformat/utils.c:217
#8 0x00000000006a4c6b in av_get_packet (s=0x1c964b0, pkt=0x7fffffffd400, size=651) at libavformat/utils.c:245
#9 0x0000000000576fb1 in avi_read_packet (s=0x1c8d9b0, pkt=0x7fffffffd400) at libavformat/avidec.c:1363
#10 0x00000000006a6162 in ff_read_packet (s=0x1c8d9b0, pkt=0x7fffffffd400) at libavformat/utils.c:662
#11 0x00000000006a8900 in read_frame_internal (s=0x1c8d9b0, pkt=0x7fffffffd700) at libavformat/utils.c:1312
#12 0x00000000006a9528 in av_read_frame (s=0x1c8d9b0, pkt=0x7fffffffd700) at libavformat/utils.c:1471
#13 0x00000000004277e5 in get_input_packet (f=0x1c8e7b0, pkt=0x7fffffffd700) at ffmpeg.c:3381
#14 0x000000000042790c in process_input (file_index=0) at ffmpeg.c:3418
#15 0x0000000000429397 in transcode_step () at ffmpeg.c:3719
#16 0x00000000004294a5 in transcode () at ffmpeg.c:3771
#17 0x00000000004299b3 in main (argc=21, argv=0x7fffffffdcf8) at ffmpeg.c:3951
(gdb)
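
The point raised in the review reply above (width is counted in pixels while the loop reads three bytes per pixel), as an added example that is not part of the original message or of FFmpeg's code. The helper names, the explicit `stride` parameter (bytes per row, possibly larger than `3*w`) and the 4x2 sample image are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not FFmpeg API): histogram of a packed RGB24 image.
 * w and h are in pixels; stride is bytes per row (>= 3*w, padding allowed).
 * cols is how many pixels of each row to visit. Returns the highest byte
 * offset read, or -1 if the request would read outside a row or the buffer. */
long rgb24_hist(const uint8_t *buf, size_t buf_size, int w, int h,
                size_t stride, int cols, unsigned hist[3 * 256])
{
    long max_off = -1;
    memset(hist, 0, 3 * 256 * sizeof(hist[0]));
    if (w <= 0 || h <= 0 || cols < 0 || cols > w || stride < (size_t)w * 3)
        return -1;
    if (buf_size < (size_t)(h - 1) * stride + (size_t)w * 3)
        return -1;
    for (int j = 0; j < h; j++) {
        const uint8_t *p = buf + (size_t)j * stride; /* next row: stride, not 3*w */
        for (int i = 0; i < cols; i++) {             /* i counts pixels */
            hist[0 * 256 + p[i * 3]]++;
            hist[1 * 256 + p[i * 3 + 1]]++;
            hist[2 * 256 + p[i * 3 + 2]]++;
        }
        if (cols > 0)
            max_off = (long)((size_t)j * stride) + cols * 3 - 1;
    }
    return max_off;
}

/* Constructed 4x2 image, 16-byte stride (12 pixel bytes + 4 padding bytes).
 * Returns how many pixels were counted in the red channel. */
unsigned pixels_counted(int cols)
{
    uint8_t img[2 * 16];
    unsigned hist[3 * 256], n = 0;
    memset(img, 0xEE, sizeof(img));              /* padding marker */
    for (int j = 0; j < 2; j++)
        for (int i = 0; i < 4 * 3; i++)
            img[j * 16 + i] = (uint8_t)(i % 3);  /* R=0, G=1, B=2 */
    if (rgb24_hist(img, sizeof(img), 4, 2, 16, cols, hist) < 0)
        return 0;
    for (int v = 0; v < 256; v++)
        n += hist[v];                            /* red-channel total */
    return n;
}
```

With `cols` equal to the width every pixel is counted and the last read stays inside the row; with `cols` equal to `w/3` only the leftmost column of this 4-pixel-wide image is counted.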