[MPlayer-dev-eng] faad seg faults

Chandan Pitta chandan.pitta at gmail.com
Sat Sep 2 19:30:14 CEST 2006 

Hi,

The a_in_buffer_len is not being checked for a value of 0 in
ad_faac.c, decode_audio() which is causing seg faults. Here is the
code snippet:

    if(faac_finfo.error > 0) {
      mp_msg(MSGT_DECAUDIO,MSGL_WARN,"FAAD: error: %s, trying to resync!\n",
              faacDecGetErrorMessage(faac_finfo.error));
      sh->a_in_buffer_len--;
      memmove(sh->a_in_buffer,&sh->a_in_buffer[1],sh->a_in_buffer_len);
      aac_sync(sh);
      errors++;

So basically a "sh->a_in_buffer_len--" is performed without checking
if it is already 0. Which mean a memmove is performed with length of
-1. This is causing seg faults when I am playing raw aac files.

To fix it I check for length and if it is 0 I set the errors to
MAX_FAAD_ERRORS and break out of the loop, but I am not sure if that
is the proper fix, or should the EOF be detected and the method
decode_audio() should never be called? Here is my code and the error I
am getting without this fix (see the EOF detection just before crash).

    if(faac_finfo.error > 0) {
      mp_msg(MSGT_DECAUDIO,MSGL_WARN,"FAAD: error: %s, trying to resync!\n",
              faacDecGetErrorMessage(faac_finfo.error));
      if (sh->a_in_buffer_len == 0) {
        errors = MAX_FAAD_ERRORS;
        break;
      }
      sh->a_in_buffer_len--;
      memmove(sh->a_in_buffer,&sh->a_in_buffer[1],sh->a_in_buffer_len);
      aac_sync(sh);
      errors++;



********** MPlayer crash log **************

decaudio: minlen=4096 maxlen=62820 declen=4096 (max=114688)
decaudio: decoding 2716 bytes, max: 113308 (49152)
ds_fill_buffer: EOF reached (stream: audio)
FAAD: Successfully decoded frame (4096 Bytes)!
decaudio: declen=4096 out=4096 (max 62820)
A:   2.6 (02.6) of 2.3 (02.2)  2.6% 0%
decaudio: minlen=4096 maxlen=62820 declen=4096 (max=114688)
decaudio: decoding 2716 bytes, max: 113308 (49152)
ds_fill_buffer: EOF reached (stream: audio)
FAAD: error: Unable to find ADTS syncword, trying to resync!

MPlayer interrupted by signal 11 in module: decode_audio
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code _or_ in your drivers _or_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

*** uninit(0x6CA)
Uninit audio filters...
[libaf] Removing filter volnorm
*** glibc detected *** double free or corruption (out): 0x087f8b78 ***


MPlayer interrupted by signal 6 in module: uninit_acodec

*** uninit(0x2CA)
DEMUXER: freeing demuxer at 0x87f0278


MPlayer interrupted by signal 11 in module: free_demuxer

*** uninit(0xCA)


MPlayer interrupted by signal 2 in module: uninit_stream

*** uninit(0x8A)

[[[uninit getch2]]]
Killed

More information about the MPlayer-dev-eng mailing list