[MPlayer-dev-eng] [PATCH] libass: ass_render.c: SEGFAULT: return without a safe default

Stanislav Maslovski stanislav.maslovski at gmail.com
Sat Jan 27 17:53:27 CET 2007 

Mplayer segfaults when started with -ass and the attached subtitle file.

GDB log:
====================================================================

[postproc @ 0x86bc81c]using npp filters 0x7/0x7241  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7242  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7243  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7244  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7245  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7246  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7247  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7248  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7249  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7250  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7251  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7252  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7253  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7254  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7255  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7256  4%  9%  0.7% 0 0 
[postproc @ 0x86bc81c]using npp filters 0x7/0x7257  4%  9%  0.7% 0 0 
fontconfig_select: (Trebuchet MS, 200, 0) ->
/var/lib/defoma/fontconfig.d/T/TrebuchetMS-Bold.ttf, 0
[postproc @ 0x86bc81c]using npp filters 0x7/0x7258  4%  9%  0.7% 0 0 

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231206144 (LWP 17631)]
0x08b5740d in ?? ()
(gdb) bt
#0  0x08b5740d in ?? ()
#1  0xb7492107 in FT_Glyph_Transform () from /usr/lib/libfreetype.so.6
#2  0x0852ad66 in ass_render_frame (priv=0x8807090, track=0x87f1708, 
    now=135886, detect_change=0x0) at ass_render.c:1826
#3  0x0813911d in put_image (vf=0x8804ac0, mpi=0x87d1850, 
    pts=135.88587951660156) at vf_ass.c:329
#4  0x0810684e in filter_video (sh_video=0x87cf920, frame=0x89c5af8, 
    pts=135.88587951660156) at dec_video.c:388
#5  0x08088940 in main (argc=-1076527260, argv=0x0) at mplayer.c:3446
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x8b573ed to 0x8b5742d:
/////// this code looks like garbage ///////
0x08b573ed:     add    %al,(%eax)
0x08b573ef:     add    %cl,0x69(%ebp)
0x08b573f2:     arpl   %si,0x6f(%edx)
0x08b573f5:     jae    0x8b57466
0x08b573f7:     data16
0x08b573f8:     je     0x8b5741a
0x08b573fa:     push   %ebx
0x08b573fb:     popa   
0x08b573fc:     outsb  %ds:(%esi),(%dx)
0x08b573fd:     jae    0x8b5741f
0x08b573ff:     push   %ebx
0x08b57400:     gs
0x08b57401:     jb     0x8b5746c
0x08b57403:     data16
0x08b57404:     add    %al,(%ecx)
0x08b57406:     add    %al,(%eax)
0x08b57408:     imul   $0x0,(%ecx),%eax
0x08b5740b:     add    %dl,(%ecx)
///////////////////////////////////////////
0x08b5740d:     add    %al,(%eax)
///////////////////////////////////////////
0x08b5740f:     add    %al,(%eax)
0x08b57411:     add    $0x628b742,%eax
0x08b57416:     mov    $0x8,%cl
0x08b57418:     adc    %al,(%eax)
0x08b5741a:     add    %al,(%eax)
0x08b5741c:     call   0x8b57421
0x08b57421:     add    %al,(%eax)
0x08b57423:     add    %dl,0xeed6ab68
0x08b57429:     sti    
0x08b5742a:     imul   %cl
0x08b5742c:     movl   $0x6000000,0x348(%edi)
End of assembler dump.
(gdb) up
#1  0xb7492107 in FT_Glyph_Transform () from /usr/lib/libfreetype.so.6
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0xb74920e7 to 0xb7492127:
0xb74920e7 <FT_Glyph_Transform+39>:     test   %eax,%eax
0xb74920e9 <FT_Glyph_Transform+41>:     je     0xb749212b
<FT_Glyph_Transform+107>
0xb74920eb <FT_Glyph_Transform+43>:     mov    0x14(%eax),%edx
0xb74920ee <FT_Glyph_Transform+46>:     mov    $0x12,%eax
0xb74920f3 <FT_Glyph_Transform+51>:     test   %edx,%edx
0xb74920f5 <FT_Glyph_Transform+53>:     je     0xb749211e
<FT_Glyph_Transform+94>
0xb74920f7 <FT_Glyph_Transform+55>:     mov    0x10(%ebp),%eax
0xb74920fa <FT_Glyph_Transform+58>:     mov    %edi,0x4(%esp)
0xb74920fe <FT_Glyph_Transform+62>:     mov    %esi,(%esp)
0xb7492101 <FT_Glyph_Transform+65>:     mov    %eax,0x8(%esp)
////////////////////////////////////////////////////////////
0xb7492105 <FT_Glyph_Transform+69>:     call   *%edx
////////////////////////////////////////////////////////////
0xb7492107 <FT_Glyph_Transform+71>:     xor    %eax,%eax
0xb7492109 <FT_Glyph_Transform+73>:     test   %edi,%edi
0xb749210b <FT_Glyph_Transform+75>:     je     0xb749211e
<FT_Glyph_Transform+94>
0xb749210d <FT_Glyph_Transform+77>:     lea    0xc(%esi),%eax
0xb7492110 <FT_Glyph_Transform+80>:     mov    %eax,(%esp)
0xb7492113 <FT_Glyph_Transform+83>:     mov    %edi,0x4(%esp)
0xb7492117 <FT_Glyph_Transform+87>:     call   0xb7487690
<FT_Vector_Transform at plt>
0xb749211c <FT_Glyph_Transform+92>:     xor    %eax,%eax
0xb749211e <FT_Glyph_Transform+94>:     mov    0xfffffff4(%ebp),%ebx
0xb7492121 <FT_Glyph_Transform+97>:     mov    0xfffffff8(%ebp),%esi
0xb7492124 <FT_Glyph_Transform+100>:    mov    0xfffffffc(%ebp),%edi
End of assembler dump.
(gdb) print /x $edx
$1 = 0x8b57408
(gdb) up
#2  0x0852ad66 in ass_render_frame (priv=0x8807090, track=0x87f1708, 
    now=135886, detect_change=0x0) at ass_render.c:1826
    1826         FT_Glyph_Transform(info->outline_glyph, &matrix_rotate, 0 );
(gdb) list
1821                            info->pos.y -= start.y >> 6;
1822
1823                            if (info->glyph)
1824                                    FT_Glyph_Transform( info->glyph, &matrix_rotate, 0 );
1825                            if (info->outline_glyph)
1826                                    FT_Glyph_Transform( info->outline_glyph, &matrix_rotate, 0 );
1827                    }
1828            }
1829
1830            event_images->top = device_y - (text_info.lines[0].asc >> 6);
(gdb) print info->outline_glyph
$2 = (FT_Glyph) 0x4241
(gdb) print &matrix_rotate
$3 = (FT_Matrix *) 0xbfd55bd8
=============================================================================
Likely, a wrong (old or unset) value of info->outline_glyph has slipped
into the code. Investigating ass_render.c around lines 1230 - 1250 we see
that get_glyph() may return without setting outline_glyph.

And "Vuala!" this solves the issue.

The patch is attached.

-- 
Stanislav
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ass_render_segfault_patch.diff
Type: text/x-diff
Size: 744 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20070127/b8c6f642/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Episode 01.ass.gz
Type: application/octet-stream
Size: 12669 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20070127/b8c6f642/attachment.obj>

More information about the MPlayer-dev-eng mailing list