[FFmpeg-trac] #2668(avcodec:closed): h264 444 file crashes 32bit ffplay
FFmpeg
trac at avcodec.org
Sun Jul 7 18:18:03 CEST 2013
#2668: h264 444 file crashes 32bit ffplay
-------------------------------------+-------------------------------------
Reporter: cehoyos | Owner:
Type: defect | Status: closed
Priority: important | Component: avcodec
Version: git-master | Resolution: fixed
Keywords: h264 crash | Blocked By:
SIGSEGV regression | Reproduced by developer: 0
Blocking: |
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Description changed by cehoyos:
Old description:
> http://thread.gmane.org/gmane.comp.video.ffmpeg.user/46189
> A user uploaded a h264 444 sample that crashes current ffplay when it is
> compiled for x86_32 (with both -threads 1 and -threads 2, giving an identical
> backtrace). This is a regression since 32fdfdf for -threads 2; with -threads 1
> it already crashed before, with a different backtrace, since 2e7bc9c / 759001c.
> {{{
> (gdb) r -threads 2 444.h264
> Starting program: ffplay_g -threads 2 444.h264
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> ffplay version N-54024-g147adf2 Copyright (c) 2003-2013 the FFmpeg
> developers
> built on Jun 14 2013 11:15:12 with gcc 4.7 (SUSE Linux)
> configuration: --enable-gpl --disable-indev=jack --cc='gcc -m32'
> libavutil 52. 35.101 / 52. 35.101
> libavcodec 55. 16.100 / 55. 16.100
> libavformat 55. 8.102 / 55. 8.102
> libavdevice 55. 2.100 / 55. 2.100
> libavfilter 3. 77.101 / 3. 77.101
> libswscale 2. 3.100 / 2. 3.100
> libswresample 0. 17.102 / 0. 17.102
> libpostproc 52. 3.100 / 52. 3.100
> [New Thread 0xf7a85b40 (LWP 18286)]
> [New Thread 0xf7015b40 (LWP 18287)]
> [New Thread 0xf6713b40 (LWP 18288)]
> Input #0, h264, from '444.h264': 0KB vq= 0KB sq= 0B f=0/0
> Duration: N/A, bitrate: N/A
> Stream #0:0: Video: h264 (High 4:4:4 Predictive), yuv444p, 1550x480,
> 20 fps, 20 tbr, 1200k tbn, 40 tbc
> [New Thread 0xf57ffb40 (LWP 18289)]
> [New Thread 0xf4ffeb40 (LWP 18290)]
> [New Thread 0xf47fdb40 (LWP 18291)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0xf57ffb40 (LWP 18289)]
> 0x083753a8 in xchg_mb_border (pixel_shift=0, simple=0, chroma444=1,
> xchg=1,
> uvlinesize=1552, linesize=1552,
> src_cr=0xf5a48a0f <Address 0xf5a48a0f out of bounds>,
> src_cb=0xf5c91a0f <Address 0xf5c91a0f out of bounds>,
> src_y=0xf5d48a0f "",
> h=0xf5e10b40) at libavcodec/h264.c:2240
> 2240 XCHG(top_border + (16 << pixel_shift), src_cb + (1 <<
> pixel_shift), xchg);
> (gdb) bt
> #0 0x083753a8 in xchg_mb_border (pixel_shift=0, simple=0, chroma444=1,
> xchg=1,
> uvlinesize=1552, linesize=1552,
> src_cr=0xf5a48a0f <Address 0xf5a48a0f out of bounds>,
> src_cb=0xf5c91a0f <Address 0xf5c91a0f out of bounds>,
> src_y=0xf5d48a0f "",
> h=0xf5e10b40) at libavcodec/h264.c:2240
> #1 hl_decode_mb_444_complex (h=h at entry=0xf5e10b40) at
> libavcodec/h264_mb_template.c:341
> #2 0x08383bd2 in ff_h264_hl_decode_mb (h=0xf5e10b40) at
> libavcodec/h264.c:2484
> #3 decode_slice (avctx=avctx at entry=0xf5e011c0, arg=arg at entry=0xf57ff24c)
> at libavcodec/h264.c:4318
> #4 0x0838410f in execute_decode_slices (h=h at entry=0xf5e10b40,
> context_count=<optimized out>) at libavcodec/h264.c:4468
> #5 0x0838b92f in decode_nal_units (parse_extradata=0, buf_size=297559,
> buf=0xf5c17008 "", h=0xf5e10b40) at libavcodec/h264.c:4812
> #6 decode_frame (avctx=0xf5e011c0, data=0xf5e01b80,
> got_frame=0xf5e01d34,
> avpkt=0xf5e01b30) at libavcodec/h264.c:4947
> #7 0x085c1f3e in frame_worker_thread (arg=0xf5e01a60) at
> libavcodec/pthread.c:338
> #8 0xf7cbde32 in start_thread () from /lib/libpthread.so.0
> #9 0xf7b9e7ee in clone () from /lib/libc.so.6
> (gdb) disass $pc-32,$pc+32
> Dump of assembler code from 0x8375388 to 0x83753c8:
> 0x08375388 <hl_decode_mb_444_complex+13928>: add %eax,(%eax)
> 0x0837538a <hl_decode_mb_444_complex+13930>: add
> %cl,-0x4374d3a9(%ecx)
> 0x08375390 <hl_decode_mb_444_complex+13936>: and $0x68,%al
> 0x08375392 <hl_decode_mb_444_complex+13938>: add %eax,(%eax)
> 0x08375394 <hl_decode_mb_444_complex+13940>: add
> %cl,0x1842494(%ebx)
> 0x0837539a <hl_decode_mb_444_complex+13946>: add %al,(%eax)
> 0x0837539c <hl_decode_mb_444_complex+13948>: mov %eax,-0x7(%edi)
> 0x0837539f <hl_decode_mb_444_complex+13951>: mov %edx,-0x3(%edi)
> 0x083753a2 <hl_decode_mb_444_complex+13954>: mov 0x14(%ebx),%edx
> 0x083753a5 <hl_decode_mb_444_complex+13957>: mov 0x10(%ebx),%eax
> => 0x083753a8 <hl_decode_mb_444_complex+13960>: mov 0x5(%esi),%ecx
> 0x083753ab <hl_decode_mb_444_complex+13963>: mov 0x168(%esp),%edi
> 0x083753b2 <hl_decode_mb_444_complex+13970>: mov %edx,0x174(%esp)
> 0x083753b9 <hl_decode_mb_444_complex+13977>: mov 0x1(%esi),%edx
> 0x083753bc <hl_decode_mb_444_complex+13980>: mov %eax,0x170(%esp)
> 0x083753c3 <hl_decode_mb_444_complex+13987>: mov 0x170(%esp),%eax
> End of assembler dump.
> (gdb) info register
> eax 0x0 0
> ecx 0x0 0
> edx 0x0 0
> ebx 0xf59d3140 -174247616
> esp 0xf57fefa0 0xf57fefa0
> ebp 0xf5e10b40 0xf5e10b40
> esi 0xf5c91a0f -171369969
> edi 0xfffff9ef -1553
> eip 0x83753a8 0x83753a8
> <hl_decode_mb_444_complex+13960>
> eflags 0x10246 [ PF ZF IF RF ]
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x63 99
> }}}
New description:
http://thread.gmane.org/gmane.comp.video.ffmpeg.user/46189
A user uploaded a h264 444 sample that crashes current ffplay when it is
compiled for x86_32 (with both -threads 1 and -threads 2, giving an identical
backtrace). This is a regression since 32fdfdf for -threads 2; with -threads 1
it already crashed before, with a different backtrace, since 80e9e63 / 759001c.
{{{
(gdb) r -threads 2 444.h264
Starting program: ffplay_g -threads 2 444.h264
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffplay version N-54024-g147adf2 Copyright (c) 2003-2013 the FFmpeg
developers
built on Jun 14 2013 11:15:12 with gcc 4.7 (SUSE Linux)
configuration: --enable-gpl --disable-indev=jack --cc='gcc -m32'
libavutil 52. 35.101 / 52. 35.101
libavcodec 55. 16.100 / 55. 16.100
libavformat 55. 8.102 / 55. 8.102
libavdevice 55. 2.100 / 55. 2.100
libavfilter 3. 77.101 / 3. 77.101
libswscale 2. 3.100 / 2. 3.100
libswresample 0. 17.102 / 0. 17.102
libpostproc 52. 3.100 / 52. 3.100
[New Thread 0xf7a85b40 (LWP 18286)]
[New Thread 0xf7015b40 (LWP 18287)]
[New Thread 0xf6713b40 (LWP 18288)]
Input #0, h264, from '444.h264': 0KB vq= 0KB sq= 0B f=0/0
Duration: N/A, bitrate: N/A
Stream #0:0: Video: h264 (High 4:4:4 Predictive), yuv444p, 1550x480,
20 fps, 20 tbr, 1200k tbn, 40 tbc
[New Thread 0xf57ffb40 (LWP 18289)]
[New Thread 0xf4ffeb40 (LWP 18290)]
[New Thread 0xf47fdb40 (LWP 18291)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf57ffb40 (LWP 18289)]
0x083753a8 in xchg_mb_border (pixel_shift=0, simple=0, chroma444=1,
xchg=1,
uvlinesize=1552, linesize=1552,
src_cr=0xf5a48a0f <Address 0xf5a48a0f out of bounds>,
src_cb=0xf5c91a0f <Address 0xf5c91a0f out of bounds>, src_y=0xf5d48a0f
"",
h=0xf5e10b40) at libavcodec/h264.c:2240
2240 XCHG(top_border + (16 << pixel_shift), src_cb + (1 <<
pixel_shift), xchg);
(gdb) bt
#0 0x083753a8 in xchg_mb_border (pixel_shift=0, simple=0, chroma444=1,
xchg=1,
uvlinesize=1552, linesize=1552,
src_cr=0xf5a48a0f <Address 0xf5a48a0f out of bounds>,
src_cb=0xf5c91a0f <Address 0xf5c91a0f out of bounds>, src_y=0xf5d48a0f
"",
h=0xf5e10b40) at libavcodec/h264.c:2240
#1 hl_decode_mb_444_complex (h=h at entry=0xf5e10b40) at
libavcodec/h264_mb_template.c:341
#2 0x08383bd2 in ff_h264_hl_decode_mb (h=0xf5e10b40) at
libavcodec/h264.c:2484
#3 decode_slice (avctx=avctx at entry=0xf5e011c0, arg=arg at entry=0xf57ff24c)
at libavcodec/h264.c:4318
#4 0x0838410f in execute_decode_slices (h=h at entry=0xf5e10b40,
context_count=<optimized out>) at libavcodec/h264.c:4468
#5 0x0838b92f in decode_nal_units (parse_extradata=0, buf_size=297559,
buf=0xf5c17008 "", h=0xf5e10b40) at libavcodec/h264.c:4812
#6 decode_frame (avctx=0xf5e011c0, data=0xf5e01b80, got_frame=0xf5e01d34,
avpkt=0xf5e01b30) at libavcodec/h264.c:4947
#7 0x085c1f3e in frame_worker_thread (arg=0xf5e01a60) at
libavcodec/pthread.c:338
#8 0xf7cbde32 in start_thread () from /lib/libpthread.so.0
#9 0xf7b9e7ee in clone () from /lib/libc.so.6
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x8375388 to 0x83753c8:
0x08375388 <hl_decode_mb_444_complex+13928>: add %eax,(%eax)
0x0837538a <hl_decode_mb_444_complex+13930>: add
%cl,-0x4374d3a9(%ecx)
0x08375390 <hl_decode_mb_444_complex+13936>: and $0x68,%al
0x08375392 <hl_decode_mb_444_complex+13938>: add %eax,(%eax)
0x08375394 <hl_decode_mb_444_complex+13940>: add %cl,0x1842494(%ebx)
0x0837539a <hl_decode_mb_444_complex+13946>: add %al,(%eax)
0x0837539c <hl_decode_mb_444_complex+13948>: mov %eax,-0x7(%edi)
0x0837539f <hl_decode_mb_444_complex+13951>: mov %edx,-0x3(%edi)
0x083753a2 <hl_decode_mb_444_complex+13954>: mov 0x14(%ebx),%edx
0x083753a5 <hl_decode_mb_444_complex+13957>: mov 0x10(%ebx),%eax
=> 0x083753a8 <hl_decode_mb_444_complex+13960>: mov 0x5(%esi),%ecx
0x083753ab <hl_decode_mb_444_complex+13963>: mov 0x168(%esp),%edi
0x083753b2 <hl_decode_mb_444_complex+13970>: mov %edx,0x174(%esp)
0x083753b9 <hl_decode_mb_444_complex+13977>: mov 0x1(%esi),%edx
0x083753bc <hl_decode_mb_444_complex+13980>: mov %eax,0x170(%esp)
0x083753c3 <hl_decode_mb_444_complex+13987>: mov 0x170(%esp),%eax
End of assembler dump.
(gdb) info register
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0xf59d3140 -174247616
esp 0xf57fefa0 0xf57fefa0
ebp 0xf5e10b40 0xf5e10b40
esi 0xf5c91a0f -171369969
edi 0xfffff9ef -1553
eip 0x83753a8 0x83753a8 <hl_decode_mb_444_complex+13960>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
}}}
--
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/2668#comment:2>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker