[FFmpeg-devel] [PATCH] Exception when frame is set NULL

Yy young_chelsea at 163.com
Fri Dec 3 15:12:23 EET 2021 


> 2021年12月3日 下午6:04,Andreas Rheinhardt <andreas.rheinhardt at outlook.com> 写道:
> 
> Yu Yang:
>> fftools/ffmpegc  When `ost->last_frame` is NULL, 'SEGV' occurs when accessing its pts.
>> 
>> libavutil/framec `ost->last_frame` may be set NULL by av_frame_alloc(). In this situation,
>>                 av_frame_unref() and av_frame_free() do nothing. Frame is not released.
>> 
>> ```c
>> // in fftools/ffmpeg.c:1145
>> 1145 static void do_video_out(OutputFile *of, ...)
>> 
>> 1148 {
>>      ...
>>             // `ost->last_frame` is NULL.
>> 1272         av_log(NULL, AV_LOG_VERBOSE,
>> 1273                "*** dropping frame %d from stream %d at ts %"PRId64"\n",
>> 1274                ost->frame_number, ost->st->index, ost->last_frame->pts);
>>      ...
>> 1421     if (!ost->last_frame)
>>             // `ost->last_frame` may be set NULL here.
>> 1422         ost->last_frame = av_frame_alloc();
>>      ...
>> 
>> 1433 }
>> ```
>> 
>> coredump backtrace info:
>> ==7192==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088 (pc 0x0000005e87e2 bp 0x7fff84f0ffb0 sp 0x7fff84f0f020 T0)
>> ==7192==The signal is caused by a READ memory access.
>> ==7192==Hint: address points to the zero page.
>>    #0 0x5e87e2 in do_video_out /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:1274:68
>>    #1 0x5df341 in reap_filters /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:1548:25
>>    #2 0x5d08b7 in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4644:15
>>    #3 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
>>    #4 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
>>    #5 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
>>    #6 0x7f0fa9d900b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
>>    #7 0x42033d in _start (/home/r1/ffmpeg/ffmpeg_4.4.1+0x42033d)
>> 
>> Reported-by: TOTE Robot <oslab at tsinghua.edu.cn>
>> Signed-off-by: Yu Yang <young_chelsea at 163.com>
>> ---
>> fftools/ffmpeg.c  | 7 ++++---
>> libavutil/frame.c | 9 ++++-----
>> 2 files changed, 8 insertions(+), 8 deletions(-)
>> 
>> diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c
>> index cfb04d5eff..cade05f762 100644
>> --- a/fftools/ffmpeg.c
>> +++ b/fftools/ffmpeg.c
>> @@ -1265,9 +1265,10 @@ static void do_video_out(OutputFile *of,
>> 
>>     if (nb0_frames == 0 && ost->last_dropped) {
>>         nb_frames_drop++;
>> -        av_log(NULL, AV_LOG_VERBOSE,
>> -               "*** dropping frame %d from stream %d at ts %"PRId64"\n",
>> -               ost->frame_number, ost->st->index, ost->last_frame->pts);
>> +        if (ost->last_frame)
>> +            av_log(NULL, AV_LOG_VERBOSE,
>> +                   "*** dropping frame %d from stream %d at ts %"PRId64"\n",
>> +                   ost->frame_number, ost->st->index, ost->last_frame->pts);
>>     }
>>     if (nb_frames > (nb0_frames && ost->last_dropped) + (nb_frames > nb0_frames)) {
>>         if (nb_frames > dts_error_threshold * 30) {
>> diff --git a/libavutil/frame.c b/libavutil/frame.c
>> index d4d3ad6988..9c866320a7 100644
>> --- a/libavutil/frame.c
>> +++ b/libavutil/frame.c
>> @@ -111,11 +111,10 @@ AVFrame *av_frame_alloc(void)
>> 
>> void av_frame_free(AVFrame **frame)
>> {
>> -    if (!frame || !*frame)
>> -        return;
>> -
>> -    av_frame_unref(*frame);
>> -    av_freep(frame);
>> +    if (*frame)
>> +        av_frame_unref(*frame);
>> +    if (frame)
>> +        av_freep(frame);
>> }
>> 
>> static int get_video_buffer(AVFrame *frame, int align)
>> 
> 
> This change to frame.c is also completely wrong; this frame should
> probably not be constantly allocated and freed and the code at lines
> 1422-1428 should actually error out in case of allocation error.
Thx, how do you think about the fix of 'ost->last_frame’?
The code at lines 1266-1270 , if ost->last_frame == NULL,
error when accessing its its.  And at lines 1422, we can know that 
ost->last_frame can be NULL. In this situation,I don’t understand that 
It is emptied and released immediately after allocation. Is it necessary?
> 
> - Andreas
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".

More information about the ffmpeg-devel mailing list