[MPlayer-dev-eng] [Bug] Analog video capture raises all kind of several glibc+process memory exceptions intermittently

thomas schorpp thomas.schorpp at googlemail.com
Mon Dec 10 23:08:28 CET 2007


thomas schorpp wrote:
> thomas schorpp wrote:
>> hi,
>>
> 
>> (gdb) bt
>> #0  0x00002b0bc616ed3d in _int_free () from /lib/libc.so.6
>> #1  0x00002b0bc6172bdc in free () from /lib/libc.so.6
>> #2  0x00000000004c9146 in ds_fill_buffer (ds=0xfbda30) at demuxer.h:265    <------- REPRODUCIBLE
>> #3  0x00000000004c9795 in ds_get_packet (ds=0xfbda30, start=0x7fffe7764e60) at demuxer.c:535
>> #4  0x00000000005111cd in video_read_frame (sh_video=0xfbe0c0, frame_time_ptr=0x7fffe7764e6c, start=0x7fffe7764e60,
>>     force_fps=0) at video.c:549
>> #5  0x000000000043b246 in main (argc=<value optimized out>, argv=<value optimized out>) at mencoder.c:1241
>                                   
>>
>> seems the ds_get_next_pts at demuxer.c:595 buffer code is not safe.
>> I see no land here and use transcode until this is fixed.
>>
>> y
>> tom
>>
> 
> hi, investigating
> 
> http://article.gmane.org/gmane.comp.video.mencoder.user/7442
> 
> what is that?
> 
> static inline void free_demux_packet(demux_packet_t* dp){
>  if (dp->master==NULL){  //dp is a master packet
>    dp->refcount--;
>    if (dp->refcount==0){
> //    if (dp->buffer) free(dp->buffer); schorpp
>      free(dp); <--- above instruction is dp's work.           
> 
> well, this is indeed a "double free" if dp type is designed with OO 
> orthodox canonical form in mind.
> other explanation?
> 
> intermittent bug seems to occur on buffer underrun, I'm using a USB 1.1 
> grabber.
> 

not working, 

#0  0x00002aef8ade2d3d in _int_free () from /lib/libc.so.6
#1  0x00002aef8ade6bdc in free () from /lib/libc.so.6
#2  0x00000000004c9146 in ds_fill_buffer (ds=0xfbee80) at demuxer.h:265
#3  0x00000000004c9795 in ds_get_packet (ds=0xfbee80, start=0x7fff22aef450) at demuxer.c:535	<--- intermittently on 595 too.
#4  0x00000000005111cd in video_read_frame (sh_video=0xfbf510, frame_time_ptr=0x7fff22aef45c, start=0x7fff22aef450,
    force_fps=0) at video.c:549
#5  0x000000000043b246 in main (argc=<value optimized out>, argv=<value optimized out>) at mencoder.c:1241


trying extra check (useless if unnulled pointer):

static inline void free_demux_packet(demux_packet_t* dp){
  if (dp->master==NULL){  //dp is a master packet
    dp->refcount--;
    if (dp->refcount==0){
      if (dp->buffer) free(dp->buffer);
      if (dp) free(dp);	//    free(dp); schorpp
  
ideas?
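
Added example, not part of the original message and not MPlayer's code: a simplified model of the master/clone refcount scheme. It shows why a check like `if (dp) free(dp)` cannot catch a second release (free() leaves the caller's copy of the pointer unchanged) and how releasing through a pointer-to-pointer that is then nulled makes a repeated release a no-op. Only the field names master, refcount and buffer come from the post; pkt_t, pkt_new, pkt_clone, pkt_release, the clone branch and the free counter are assumptions made for illustration.

```c
#include <stdlib.h>

/* Simplified model (assumption): only master, refcount, buffer are from the post. */
typedef struct pkt {
    struct pkt *master;     /* NULL when this is a master packet */
    int refcount;           /* meaningful on the master only */
    unsigned char *buffer;  /* owned by the master */
} pkt_t;
static int buffer_frees;    /* instrumentation: how often the buffer was freed */

static pkt_t *pkt_new(size_t len) {
    pkt_t *p = calloc(1, sizeof *p);
    if (p && !(p->buffer = malloc(len))) { free(p); p = NULL; }
    if (p) p->refcount = 1;
    return p;
}

static pkt_t *pkt_clone(pkt_t *p) {
    pkt_t *m = p->master ? p->master : p, *c = calloc(1, sizeof *c);
    if (c) { c->master = m; m->refcount++; }   /* clone holds one reference */
    return c;
}

/* Release via the caller's handle and null it, so a repeat call sees NULL. */
static void pkt_release(pkt_t **pp) {
    pkt_t *p = pp ? *pp : NULL;
    if (!p) return;
    *pp = NULL;                     /* the step `if (dp) free(dp)` lacks */
    if (p->master) {                /* clone: drop its reference on the master */
        pkt_t *m = p->master;
        free(p);
        pkt_release(&m);
    } else if (--p->refcount == 0) {
        free(p->buffer);
        buffer_frees++;
        free(p);
    }
}

/* One master and one clone, each released twice; returns buffer free count. */
static int demo_double_release(void) {
    buffer_frees = 0;
    pkt_t *a = pkt_new(64), *b = a ? pkt_clone(a) : NULL;
    if (!b) { pkt_release(&a); return -1; }
    pkt_release(&a); pkt_release(&a);   /* second call is a no-op */
    pkt_release(&b); pkt_release(&b);   /* last reference frees the buffer once */
    return buffer_frees;
}

int main(void) { return demo_double_release() == 1 ? 0 : 1; }
```

Nulling protects only the handle that was passed in; any other copy of the same pointer is still stale and would have to be tracked separately.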
