[libav-bugs] [Bug 280] New: NULL pointer dereference in avplay+avresample

bugzilla-daemon at aruru.libav.org
Fri May 4 00:03:49 CEST 2012


http://bugzilla.libav.org/show_bug.cgi?id=280

           Summary: NULL pointer dereference in avplay+avresample
           Product: Libav
           Version: git HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: general
        AssignedTo: bugzilla at libav.org
        ReportedBy: alex.converse at gmail.com


avplay+avresample crashes when playing stereo, seeking forward to mono, seeking
backward to stereo, then playing across the stereo-to-mono transition...

$ ./avplay 17b0f405026bdf34 |& asan_symbolize.py 
avplay version v0.8-1578-gc02efac, Copyright (c) 2003-2012 the Libav developers
  built on May  3 2012 14:32:12 with clang 3.2 ((trunk 155352))
INFO: AddressSanitizer ignores mlock/mlockall/munlock/munlockall
Input #0, flv, from '17b0f405026bdf34':
  Duration: 03:24:35.67, start: 0.000000, bitrate: N/A
    Stream #0.0: Video: h264 (Main), yuv420p, 1280x720 [PAR 1:1 DAR 16:9], 1536 kb/s, 25 tbr, 1k tbn, 50 tbc
    Stream #0.1: Audio: aac, 44100 Hz, stereo, s16, 65 kb/s
ASAN:SIGSEGV -0.017 s:0.0 aq=  320KB vq= 4871KB sq=    0B f=0/0   f=0/0   
==26417== ERROR: AddressSanitizer crashed on unknown address 0x00000000011c (pc 0x00000101c655 sp 0x7f2cb6a65980 bp 0x7f2cb6a65cb0 T3)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x101c655 in ff_audio_data_copy /home/aconverse/src-ext/libav/libav/libavresample/audio_data.c:220
    #1 0xfc9d86 in avresample_convert /home/aconverse/src-ext/libav/libav/libavresample/utils.c:295
    #2 0x4719ec in audio_decode_frame /home/aconverse/src-ext/libav/libav/avplay.c:2105
    #3 0x460998 in sdl_audio_callback /home/aconverse/src-ext/libav/libav/avplay.c:2177
    #4 0x7f2cc0ef4ba8 in ?? ??:0
Stats: 628M malloced (243M for red zones) by 41334 calls
Stats: 1M realloced by 169 calls
Stats: 546M freed by 31881 calls
Stats: 360M really freed by 27086 calls
Stats: 448M (114794 full pages) mmaped in 112 calls
  mmaps   by size class: 8:49149; 9:8191; 10:4095; 11:2047; 12:2048; 13:2048;
14:1280; 15:256; 16:128; 17:64; 18:96; 19:32; 20:4; 21:156;
  mallocs by size class: 8:30055; 9:4646; 10:962; 11:432; 12:1261; 13:1971;
14:1235; 15:150; 16:76; 17:35; 18:93; 19:33; 20:2; 21:383;
  frees   by size class: 8:22963; 9:3959; 10:742; 11:301; 12:820; 13:1698;
14:892; 15:95; 16:34; 17:5; 18:12; 19:3; 20:2; 21:355;
  rfrees  by size class: 8:19523; 9:3114; 10:651; 11:270; 12:761; 13:1606;
14:793; 15:87; 16:31; 17:5; 18:12; 19:3; 20:2; 21:228;
Stats: malloc large: 546 small slow: 539


$ gdb ./avplay core
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux".

Reading symbols from /usr/local/google/home/aconverse/src-ext/libav/build/avplay...done.
[New LWP 25850]
[New LWP 25851]
[New LWP 25852]
[New LWP 25853]
[New LWP 25856]
[New LWP 25855]
[New LWP 25857]
[New LWP 25861]
[New LWP 25854]
[New LWP 25862]
[New LWP 25864]
[New LWP 25860]
[New LWP 25858]
[New LWP 25859]
[New LWP 25847]
[New LWP 25865]
[New LWP 25849]
[New LWP 25863]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./avplay /data/yt/17b0f405026bdf34.orig'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000050e415 in ff_audio_data_copy (dst=0x0, src=0x7f8e23bc6ab0) at /home/aconverse/src-ext/libav/libav/libavresample/audio_data.c:220
220        if (dst->sample_fmt != src->sample_fmt || dst->channels < src->channels)
(gdb) p dst
$1 = (AudioData *) 0x0
(gdb) p src
$2 = (AudioData *) 0x7f8e23bc6ab0
(gdb) bt
#0  0x000000000050e415 in ff_audio_data_copy (dst=0x0, src=0x7f8e23bc6ab0) at /home/aconverse/src-ext/libav/libav/libavresample/audio_data.c:220
#1  0x000000000050b3a8 in avresample_convert (avr=0x7f8e10071920, output=0x1b93aa0, out_plane_size=8192, out_samples=2048, input=0x7f8e100008c0, in_plane_size=4096, in_samples=2048) at /home/aconverse/src-ext/libav/libav/libavresample/utils.c:295
#2  0x000000000043d6de in audio_decode_frame (pts_ptr=<synthetic pointer>, is=0x1b935c0) at /home/aconverse/src-ext/libav/libav/avplay.c:2105
#3  sdl_audio_callback (opaque=<optimized out>, stream=0x7f8e2433b3a0 "", len=1488) at /home/aconverse/src-ext/libav/libav/avplay.c:2177
#4  0x00007f8e2dfa0ba8 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#5  0x00007f8e2dfa8fd5 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#6  0x00007f8e2dfec999 in ?? () from /usr/lib/x86_64-linux-gnu/libSDL-1.2.so.0
#7  0x00007f8e2dd80e9a in start_thread (arg=0x7f8e23bc7700) at pthread_create.c:308
#8  0x00007f8e2daae4bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()
(gdb)

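The hazard the backtrace shows (ff_audio_data_copy entered with dst == NULL from avresample_convert, after the stream's channel count changed between stereo and mono across seeks) is modelled below as an added C example. It is not libav's code and does not reproduce the actual avresample internals: ResampleCtx, audio_data_copy, output_for, convert_unchecked, convert_checked and play_sequence are hypothetical names, and the stereo/mono frame sequence is constructed to mirror the reported seek pattern. It shows the two layers a practitioner would want: the callee rejecting a NULL destination instead of dereferencing it at the format/channel comparison, and the caller reconfiguring its context when a decoded frame's layout no longer matches the one the context was set up for.

```c
/* Added example, not libav code: a resampler context configured for one
 * input layout, then fed a frame with another. Names are hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

enum { FMT_S16 = 1 };

typedef struct AudioData {
    int fmt;
    int channels;
    int nb_samples;
    short *buf;                 /* interleaved: channels * nb_samples */
} AudioData;

/* Hypothetical context: an output buffer exists only for the input layout
 * the context was initialised with (the stale-configuration hazard). */
typedef struct ResampleCtx {
    int in_channels;
    AudioData *out;             /* NULL until resample_init() */
} ResampleCtx;

static AudioData *audio_data_alloc(int channels, int nb_samples)
{
    AudioData *d = calloc(1, sizeof *d);
    if (!d)
        return NULL;
    d->fmt = FMT_S16;
    d->channels = channels;
    d->nb_samples = nb_samples;
    d->buf = calloc((size_t)channels * nb_samples, sizeof *d->buf);
    if (!d->buf) {
        free(d);
        return NULL;
    }
    return d;
}

static void audio_data_free(AudioData *d)
{
    if (d)
        free(d->buf);
    free(d);
}

/* Callee-side guard: the report faults on the equivalent of the
 * fmt/channels comparison because dst is NULL, so refuse NULL first. */
static int audio_data_copy(AudioData *dst, const AudioData *src)
{
    if (!dst || !src)
        return -EINVAL;
    if (dst->fmt != src->fmt || dst->channels < src->channels ||
        dst->nb_samples < src->nb_samples)
        return -EINVAL;
    memcpy(dst->buf, src->buf,
           (size_t)src->channels * src->nb_samples * sizeof *src->buf);
    return src->nb_samples;
}

static int resample_init(ResampleCtx *ctx, int in_channels, int nb_samples)
{
    audio_data_free(ctx->out);
    ctx->in_channels = in_channels;
    ctx->out = audio_data_alloc(in_channels, nb_samples);
    return ctx->out ? 0 : -ENOMEM;
}

/* Only the configured layout has an output buffer; any other frame
 * layout yields NULL, which is what the unchecked caller hands to copy. */
static AudioData *output_for(ResampleCtx *ctx, const AudioData *frame)
{
    return frame->channels == ctx->in_channels ? ctx->out : NULL;
}

/* Caller that trusts the cached configuration: survives a layout change
 * only because audio_data_copy() rejects the NULL destination. */
static int convert_unchecked(ResampleCtx *ctx, const AudioData *frame)
{
    return audio_data_copy(output_for(ctx, frame), frame);
}

/* Caller that reconfigures the context on a layout change before converting. */
static int convert_checked(ResampleCtx *ctx, const AudioData *frame)
{
    if (!ctx->out || frame->channels != ctx->in_channels) {
        int ret = resample_init(ctx, frame->channels, frame->nb_samples);
        if (ret < 0)
            return ret;
    }
    return audio_data_copy(output_for(ctx, frame), frame);
}

/* Constructed stereo -> mono -> stereo -> mono sequence (the reported
 * seek pattern); returns how many frames converted successfully. */
static int play_sequence(int checked)
{
    static const int layout[] = { 2, 1, 2, 1 };
    ResampleCtx ctx = { 0 };
    int ok = 0;
    if (resample_init(&ctx, 2, 64) < 0)
        return -ENOMEM;
    for (size_t i = 0; i < sizeof layout / sizeof layout[0]; i++) {
        AudioData *frame = audio_data_alloc(layout[i], 64);
        if (!frame) {
            ok = -ENOMEM;
            break;
        }
        int ret = checked ? convert_checked(&ctx, frame)
                          : convert_unchecked(&ctx, frame);
        if (ret > 0)
            ok++;
        audio_data_free(frame);
    }
    audio_data_free(ctx.out);
    return ok;
}
```

With the unchecked caller, play_sequence(0) converts only the two stereo frames and gets -EINVAL for each mono frame instead of a SIGSEGV; with the checked caller, play_sequence(1) converts all four. The callee guard is what turns the crash into an error return; the caller-side reconfiguration is what actually makes the mono frames usable.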