[FFmpeg-trac] #782(avcodec:new): mpegaudiodec segfault

FFmpeg trac at avcodec.org
Fri Dec 16 22:12:27 CET 2011 

#782: mpegaudiodec segfault
---------------------------------+---------------------------------------
             Reporter:  bluepin  |                     Type:  defect
               Status:  new      |                 Priority:  normal
            Component:  avcodec  |                  Version:  unspecified
             Keywords:           |               Blocked By:
             Blocking:           |  Reproduced by developer:  0
Analyzed by developer:  0        |
---------------------------------+---------------------------------------
 I have a rare and hardly reproducible error but I will take any suggestion
 on how to prevent it.

 From what I understand from the coredumps : A mpeg layer 3 stream is
 detected as a layer 1 stream, then  mp_decode_layer1 is called, followed
 by a segfault in UPDATE_CACHE(re, s). This could be indeed a bad stream, a
 random bit flip but ffmpeg should not segfault because of that.

 Stack trace:
 #0  0x08338083 in mp_decode_layer1 (s=0xa94707a0, samples=0x98b00040,
 buf=<value optimized out>, buf_size=256) at
 /opt/icecast/src/ffmpeg/libavcodec/get_bits.h:285
 #1  mp_decode_frame (s=0xa94707a0, samples=0x98b00040, buf=<value
 optimized out>, buf_size=256) at
 /opt/icecast/src/ffmpeg/libavcodec/mpegaudiodec.c:1715
 #2  0x08339bb7 in decode_frame (avctx=0x9a8e3c0, data=0x98b00040,
 data_size=0xacb3f5c, avpkt=0xb48b7228) at
 /opt/icecast/src/ffmpeg/libavcodec/mpegaudiodec.c:1816
 #3  0x0841588e in avcodec_decode_audio3 (avctx=0x9a8e3c0,
 samples=0x98b00040, frame_size_ptr=0xacb3f5c, avpkt=0x2) at
 /opt/icecast/src/ffmpeg/libavcodec/utils.c:839

 In Frame 1 : gdb: p *s yields:
  {frame_size = 256, error_protection = 0, layer = 1, sample_rate = 48000,
 sample_rate_index = 1, bit_rate = 256000, nb_channels = 2, mode = 0,
 mode_ext = 2, lsf = 0,
   last_buf = [[lots of other stuff]]
 {scfsi = 0 '\000', part2_3_length = 0, big_values = 0, global_gain = 0,
 scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000',
         table_select = {0, 0, 0}, subblock_gain = {0, 0, 0},
 scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size =
 {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0,
         scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats
 576 times>}}}}, adu_mode = 0, dither_state = 14709380, error_recognition =
 1, avctx = 0x9a8e3c0, mpadsp = {
     apply_window_float = 0x84f5530 <apply_window_mp3>, apply_window_fixed
 = 0x8340600 <ff_mpadsp_apply_window_fixed>, dct32_float = 0x85a7180
 <ff_dct32_float_sse2>,
     dct32_fixed = 0x8555da0 <ff_dct32_fixed>}}

 From the exact same stream a captured packet looked like :

 {frame_size = 418, error_protection = 0, layer = 3, sample_rate = 44100,
 sample_rate_index = 0, bit_rate = 128000, nb_channels = 2, mode = 0,
 mode_ext = 0, lsf = 0, last_buf = '\000' <repeats 1047 times>,
 last_buf_size = 0, free_format_next_header = 0, gb = {buffer = 0x8d6f764
 "\347\017\362\345
 ك8bP\\\244\033\060g\fJ\rh\251f\fቁ\256\025,\301\234\061\060\254\231\255\363\037÷\266\357\006X9\"p2X\251\322\006\212ڱV=\205\251R\236\257\267M\200
 \214\207\031", buffer_end = 0x8d6f902 "", index = 0, size_in_bits = 3312},
 in_gb = {buffer = 0x0, buffer_end = 0x0, index = 0, size_in_bits = 0},
 synth_buf = {{0 <repeats 1024 times>}, {0 <repeats 1024 times>}},
 synth_buf_offset = {0, 0}, sb_samples = {{{0 <repeats 32 times>} <repeats
 36 times>}, {{0 <repeats 32 times>} <repeats 36 times>}}, mdct_buf = {{0
 <repeats 576 times>}, {0 <repeats 576 times>}}, granules = {{{scfsi = 0
 '\000', part2_3_length = 0, big_values = 0, global_gain = 0,
 scalefac_compress = 0, block_type = 0 '\000', switch_point = 0 '\000',
 table_select = {0, 0, 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0
 '\000', count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag =
 0, short_start = 0, long_end = 0, scale_factors = '\000' <repeats 39
 times>, sb_hybrid = {0 <repeats 576 times>}}, {scfsi = 0 '\000',
 part2_3_length = 0, big_values = 0, global_gain = 0, scalefac_compress =
 0, block_type = 0 '\000', switch_point = 0 '\000', table_select = {0, 0,
 0}, subblock_gain = {0, 0, 0}, scalefac_scale = 0 '\000',
 count1table_select = 0 '\000', region_size = {0, 0, 0}, preflag = 0,
 short_start = 0, long_end = 0, scale_factors = '\000' <repeats 39 times>,
 sb_hybrid = {0 <repeats 576 times>}}}, {{scfsi = 0 '\000', part2_3_length
 = 0, big_values = 0, global_gain = 0, scalefac_compress = 0, block_type =
 0 '\000', switch_point = 0 '\000', table_select = {0, 0, 0}, subblock_gain
 = {0, 0, 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000',
 region_size = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0,
 scale_factors = '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576
 times>}}, {scfsi = 0 '\000', part2_3_length = 0, big_values = 0,
 global_gain = 0, scalefac_compress = 0, block_type = 0 '\000',
 switch_point = 0 '\000', table_select = {0, 0, 0}, subblock_gain = {0, 0,
 0}, scalefac_scale = 0 '\000', count1table_select = 0 '\000', region_size
 = {0, 0, 0}, preflag = 0, short_start = 0, long_end = 0, scale_factors =
 '\000' <repeats 39 times>, sb_hybrid = {0 <repeats 576 times>}}}},
 adu_mode = 0, dither_state = 0, error_recognition = 1, avctx = 0x8d6fb00,
 mpadsp = {apply_window_float = 0x85aa0c0 <apply_window_mp3>,
 apply_window_fixed = 0x83f3a40 <ff_mpadsp_apply_window_fixed>, dct32_float
 = 0x866c420 <ff_dct32_float_sse2>, dct32_fixed = 0x860b490
 <ff_dct32_fixed>}}

 I have 2 coredumps available with the same issue. If directed as such, I
 can extract more info from them.

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/782>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list