[FFmpeg-trac] #3188(avcodec:reopened): vp9 crash (fuzzed input, MT regression)
FFmpeg
trac at avcodec.org
Tue Dec 24 12:50:21 CET 2013
#3188: vp9 crash (fuzzed input, MT regression)
-------------------------------------+-------------------------------------
Reporter: ubitux | Owner:
Type: defect | Status: reopened
Priority: important | Component: avcodec
Version: git-master | Resolution:
Keywords: vp9 regression crash SIGSEGV | Blocked By:
Blocking: | Reproduced by developer: 1
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Changes (by ubitux):
* status: closed => reopened
* resolution: fixed =>
Comment:
Another crash, with the same commit as the regression.
{{{
☭ ./ffmpeg -threads auto -f ivf -c:v vp9 -i ~/samples/vp9/fuzzed1.ivf -f
null -
ffmpeg version N-59315-gacafbb4 Copyright (c) 2000-2013 the FFmpeg
developers
built on Dec 24 2013 12:43:25 with gcc 4.8.2 (GCC)
configuration: --enable-nonfree --enable-gpl --enable-libx264 --enable-
libmp3lame --enable-x11grab --enable-libvorbis --samples=/home/ux/fate-
samples --enable-libvpx --cpu=native --enable-libfaac --cc='ccache cc'
libavutil 52. 59.100 / 52. 59.100
libavcodec 55. 46.100 / 55. 46.100
libavformat 55. 22.100 / 55. 22.100
libavdevice 55. 5.102 / 55. 5.102
libavfilter 4. 0.100 / 4. 0.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
Input #0, ivf, from '/home/ux/samples/vp9/fuzzed1.ivf':
Duration: 00:08:42.22, start: 342228469.800797, bitrate: 31 kb/s
Stream #0:0: Video: vp9 (VP90 / 0x30395056), yuv420p, 320x180, 26.42
tbr, 1004 tbn, 1004 tbc
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.22.100
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x180,
q=2-31, 200 kb/s, 90k tbn, 26.42 tbc
Stream mapping:
Stream #0:0 -> #0:0 (vp9 -> rawvideo)
Press [q] to stop, [?] for help
DTS -17592186044376, next:996 st:0 invalid dropping
PTS -17592186044376, next:996 invalid dropping st:0
DTS -17592186044336, next:1992 st:0 invalid dropping
PTS -17592186044336, next:1992 invalid dropping st:0
DTS -17592186044296, next:2988 st:0 invalid dropping
PTS -17592186044296, next:2988 invalid dropping st:0
DTS -17592186044256, next:3984 st:0 invalid dropping
PTS -17592186044256, next:3984 invalid dropping st:0
[null @ 0x1c65720] Encoder did not produce proper pts, making some up.
DTS -17592186043192, next:4980 st:0 invalid dropping
PTS -17592186043192, next:4980 invalid dropping st:0
DTS -17592186044176, next:5976 st:0 invalid dropping
PTS -17592186044176, next:5976 invalid dropping st:0
Input stream #0:0 frame changed from size:320x180 fmt:yuv420p to
size:320x8372 fmt:yuv420p
[vp9 @ 0x1c69fa0] Invalid sync code
DTS -17592152489704, next:6972 st:0 invalid dropping
PTS -17592152489704, next:6972 invalid dropping st:0
zsh: segmentation fault (core dumped) ./ffmpeg -threads auto -f ivf -c:v
vp9 -i ~/samples/vp9/fuzzed1.ivf -f null -
}}}
{{{
☭ gdb --args ./ffmpeg_g -f ivf -c:v vp9 -i ~/samples/vp9/fuzzed1.ivf -f
null -
GNU gdb (GDB) 7.6.2
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/ux/src/ffmpeg/ffmpeg_g...done.
(gdb) r
Starting program: /home/ux/src/ffmpeg/./ffmpeg_g -f ivf -c:v vp9 -i
/home/ux/samples/vp9/fuzzed1.ivf -f null -
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
ffmpeg version N-59315-gacafbb4 Copyright (c) 2000-2013 the FFmpeg
developers
built on Dec 24 2013 12:43:25 with gcc 4.8.2 (GCC)
configuration: --enable-nonfree --enable-gpl --enable-libx264 --enable-
libmp3lame --enable-x11grab --enable-libvorbis --samples=/home/ux/fate-
samples --enable-libvpx --cpu=native --enable-libfaac --cc='ccache cc'
libavutil 52. 59.100 / 52. 59.100
libavcodec 55. 46.100 / 55. 46.100
libavformat 55. 22.100 / 55. 22.100
libavdevice 55. 5.102 / 55. 5.102
libavfilter 4. 0.100 / 4. 0.100
libswscale 2. 5.101 / 2. 5.101
libswresample 0. 17.104 / 0. 17.104
libpostproc 52. 3.100 / 52. 3.100
Input #0, ivf, from '/home/ux/samples/vp9/fuzzed1.ivf':
Duration: 00:08:42.22, start: 342228469.800797, bitrate: 31 kb/s
Stream #0:0: Video: vp9 (VP90 / 0x30395056), yuv420p, 320x180, 26.42
tbr, 1004 tbn, 1004 tbc
[New Thread 0x7ffff3a99700 (LWP 16828)]
[New Thread 0x7ffff3298700 (LWP 16829)]
[New Thread 0x7ffff2a97700 (LWP 16830)]
[New Thread 0x7ffff2296700 (LWP 16831)]
[New Thread 0x7ffff1a95700 (LWP 16832)]
[New Thread 0x7ffff1294700 (LWP 16833)]
[New Thread 0x7ffff0a93700 (LWP 16834)]
[New Thread 0x7ffff0292700 (LWP 16835)]
[New Thread 0x7fffefa91700 (LWP 16836)]
[New Thread 0x7fffef290700 (LWP 16837)]
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf55.22.100
Stream #0:0: Video: rawvideo (I420 / 0x30323449), yuv420p, 320x180,
q=2-31, 200 kb/s, 90k tbn, 26.42 tbc
Stream mapping:
Stream #0:0 -> #0:0 (vp9 -> rawvideo)
Press [q] to stop, [?] for help
DTS -17592186044376, next:996 st:0 invalid dropping
PTS -17592186044376, next:996 invalid dropping st:0
DTS -17592186044336, next:1992 st:0 invalid dropping
PTS -17592186044336, next:1992 invalid dropping st:0
DTS -17592186044296, next:2988 st:0 invalid dropping
PTS -17592186044296, next:2988 invalid dropping st:0
DTS -17592186044256, next:3984 st:0 invalid dropping
PTS -17592186044256, next:3984 invalid dropping st:0
[null @ 0x1724500] Encoder did not produce proper pts, making some up.
DTS -17592186043192, next:4980 st:0 invalid dropping
PTS -17592186043192, next:4980 invalid dropping st:0
DTS -17592186044176, next:5976 st:0 invalid dropping
PTS -17592186044176, next:5976 invalid dropping st:0
Input stream #0:0 frame changed from size:320x180 fmt:yuv420p to
size:320x8372 fmt:yuv420p
[vp9 @ 0x1728e00] Invalid sync code
[Thread 0x7ffff3a99700 (LWP 16828) exited]
[Thread 0x7ffff1a95700 (LWP 16832) exited]
[Thread 0x7ffff3298700 (LWP 16829) exited]
[Thread 0x7ffff2a97700 (LWP 16830) exited]
[Thread 0x7ffff2296700 (LWP 16831) exited]
[New Thread 0x7ffff1a95700 (LWP 16838)]
[New Thread 0x7ffff2296700 (LWP 16839)]
[New Thread 0x7ffff2a97700 (LWP 16840)]
[New Thread 0x7ffff3298700 (LWP 16841)]
[New Thread 0x7ffff3a99700 (LWP 16842)]
DTS -17592152489704, next:6972 st:0 invalid dropping
PTS -17592152489704, next:6972 invalid dropping st:0
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff0292700 (LWP 16835)]
0x00000000009d8945 in dc_top_4x4_c (dst=<optimized out>, stride=176,
left=<optimized out>,
top=0x7fffe4023f20 '\200' <repeats 20 times>,
"\201\201\201\201\201\201\201\201\202\202\202\202") at
libavcodec/vp9dsp.c:380
380 AV_WN32A(dst + stride * 1, dc);
(gdb) bt
#0 0x00000000009d8945 in dc_top_4x4_c (dst=<optimized out>, stride=176,
left=<optimized out>,
top=0x7fffe4023f20 '\200' <repeats 20 times>,
"\201\201\201\201\201\201\201\201\202\202\202\202") at
libavcodec/vp9dsp.c:380
#1 0x00000000009c3408 in intra_recon (y_off=y_off@entry=67584,
uv_off=uv_off@entry=16896, ctx=0x16aec20) at libavcodec/vp9.c:2288
#2 0x00000000009c7419 in decode_b (ctx=ctx@entry=0x16aec20,
row=row@entry=24, col=col@entry=0, lflvl=lflvl@entry=0x7fffe4000d70,
yoff=yoff@entry=67584, uvoff=uvoff@entry=16896, bl=bl@entry=BL_64X64,
bp=bp@entry=PARTITION_NONE) at libavcodec/vp9.c:2770
#3 0x00000000009d3354 in decode_sb (bl=BL_64X64, uvoff=16896, yoff=67584,
lflvl=0x7fffe4000d70, col=0, row=24, ctx=0x16aec20)
at libavcodec/vp9.c:2867
#4 vp9_decode_frame (ctx=<optimized out>, frame=<optimized out>,
got_frame=<optimized out>, pkt=<optimized out>)
at libavcodec/vp9.c:3637
#5 0x00000000008af8ea in frame_worker_thread (arg=0x17252f0) at
libavcodec/pthread_frame.c:153
#6 0x00007ffff66aa0a2 in start_thread () from /usr/lib/libpthread.so.0
#7 0x00007ffff49d43dd in clone () from /usr/lib/libc.so.6
(gdb)
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/3188#comment:3>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker