[libav-bugs] [Bug 367] New: Crash in bmp_decode_frame() when decoding unusual bmp file

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Sun Sep 16 04:08:38 CEST 2012


https://bugzilla.libav.org/show_bug.cgi?id=367

           Summary: Crash in bmp_decode_frame() when decoding unusual bmp
                    file
           Product: Libav
           Version: 0.8
          Platform: X86
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: lrn1986 at gmail.com


Created attachment 350
  --> https://bugzilla.libav.org/attachment.cgi?id=350
Causes the crash

I am trying to discover information about a file.

libav* crashes (and takes the application with it, be it avconv or
gst-discoverer).

Command line for avconv is:
avconv -f image2 -r 30 -i extractortmp.bmp -s 32x32 ./out.mkv
Command line for gst-discoverer is:
gst-discoverer-1.0.exe extractortmp.nlc5JE

F:\ffmpeg\bin>avconv -v 9 -loglevel 99 -i extractortmp.bmp
avconv version v0.8-2342-g453c02f, Copyright (c) 2000-2012 the Libav developers
  built on Jul 17 2012 18:38:26 with gcc 4.5.2
  configuration: --enable-runtime-cpudetect --enable-cross-compile
--enable-w32threads --prefix=/usr --cross-prefix=mingw32- --arch=i686
--target-os=mingw32 --sysroot=/usr/mingw32/ --enable-gpl --enable-version3
--enable-librtmp --enable-libx264 --enable-libmp3lame --enable-libvorbis
--enable-libvo-aacenc --enable-memalign-hack --enable-shared --enable-avisynth
--enable-libvpx
  libavutil     51. 37. 0 / 51. 37. 0
  libavcodec    54. 22. 0 / 54. 22. 0
  libavformat   54.  9. 0 / 54.  9. 0
  libavdevice   53.  2. 0 / 53.  2. 0
  libavfilter    3.  0. 0 /  3.  0. 0
  libavresample  0.  0. 3 /  0.  0. 3
  libswscale     2.  1. 0 /  2.  1. 0


I don't have the right debug symbols to show a good backtrace with avconv, so
I'm using GStreamer (compiled against libav 0.8.3, if the RELEASE file is to be
believed):

$ gdb --args gst-discoverer-1.0.exe extractortmp.nlc5JE
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-mingw32".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /mingw/bin/gst-discoverer-1.0.exe...done.
(gdb) r
Starting program: /mingw/bin/gst-discoverer-1.0.exe extractortmp.nlc5JE
[New Thread 6696.0x3784]
[New Thread 6696.0x2440]
[New Thread 6696.0x2e64]
[New Thread 6696.0x1e50]
Analyzing file:///mingw/bin/extractortmp.nlc5JE
[New Thread 6696.0x3ba0]

** (gst-discoverer-1.0.exe:6696): CRITICAL **: gst_video_decoder_set_latency:
assertion `GST_CLOCK_TIME_IS_VALID (min_latency)' failed
[New Thread 6696.0x228c]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 6696.0x3ba0]
0x033cf1dc in bmp_decode_frame (avctx=0x2e1c960, data=0x2e1cd80, 
    data_size=0x323f9bc, avpkt=0x323f950) at libavcodec/bmp.c:231
231            memset(p->data[1], 0, 1024);
(gdb) bt
#0  0x033cf1dc in bmp_decode_frame (avctx=0x2e1c960, data=0x2e1cd80, 
    data_size=0x323f9bc, avpkt=0x323f950) at libavcodec/bmp.c:231
#1  0x0330298a in avcodec_decode_video2 (avctx=0x2e1c960, picture=0x2e1cd80, 
    got_picture_ptr=0x323f9bc, avpkt=0x323f950) at libavcodec/utils.c:1152
#2  0x0325531f in _fu240___gst_debug_min () at gstavviddec.c:1134
#3  0x03255e6f in _fu259___gst_debug_min () at gstavviddec.c:1261
#4  0x032565a8 in _fu426__GST_CAT_PERFORMANCE () at gstavviddec.c:1378
#5  0x6d40d4c7 in _fu96___gst_debug_min () at gstvideodecoder.c:2547
#6  0x6d4125bd in _fu146___gst_debug_min () at gstvideodecoder.c:1671
#7  0x6d413e1a in _fu162___gst_debug_min () at gstvideodecoder.c:1932
#8  0x6147758f in gst_pad_chain_data_unchecked (data=0x2db00e0, type=4112, 
    pad=0x2d8f528) at gstpad.c:3618
#9  gst_pad_push_data (pad=0x2d8f150, type=4112, data=0x2db00e0)
    at gstpad.c:3835
#10 0x6e0aeb5d in _fu595___gst_debug_min () at gsttypefindelement.c:1071
#11 0x614a2612 in gst_task_func (task=0x2da6008) at gsttask.c:316
#12 0x6861ec2a in g_thread_pool_thread_proxy ()
   from /mingw/bin/libglib-2.0-0.dll
#13 0x6861e6f6 in g_thread_proxy ()
   from /mingw/bin/libglib-2.0-0.dll
#14 0x6863c1bc in g_thread_win32_proxy at 4 ()
   from /mingw/bin/libglib-2.0-0.dll
#15 0x75dc1287 in msvcrt!_itow_s () from C:/Windows/syswow64/msvcrt.dll
#16 0x75dc1328 in msvcrt!_endthreadex () from C:/Windows/syswow64/msvcrt.dll
#17 0x7610339a in KERNEL32!BaseCleanupAppcompatCacheSupport ()
   from C:/Windows/syswow64/kernel32.dll
#18 0x02db6460 in ?? ()
#19 0x77ea9ef2 in ntdll!RtlpNtSetValueKey ()
   from C:/Windows/system32/ntdll.dll
#20 0x02db6460 in ?? ()
#21 0x77ea9ec5 in ntdll!RtlpNtSetValueKey ()
   from C:/Windows/system32/ntdll.dll
#22 0x75dc12e5 in msvcrt!_endthreadex () from C:/Windows/syswow64/msvcrt.dll
#23 0x00000000 in ?? ()
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x33cf1bc to 0x33cf1fc:
   0x033cf1bc <bmp_decode_frame+932>:    dec    %esp
   0x033cf1bd <bmp_decode_frame+933>:    cmp    $0x1,%ebx
   0x033cf1c0 <bmp_decode_frame+936>:    ja     0x33cf0c5
<bmp_decode_frame+685>
   0x033cf1c6 <bmp_decode_frame+942>:    jmp    0x33cf0b5
<bmp_decode_frame+669>
   0x033cf1cb <bmp_decode_frame+947>:    nop
   0x033cf1cc <bmp_decode_frame+948>:    mov    0x28(%esp),%ecx
   0x033cf1d0 <bmp_decode_frame+952>:    mov    0x4(%ecx),%edx
   0x033cf1d3 <bmp_decode_frame+955>:    mov    $0x400,%ecx
   0x033cf1d8 <bmp_decode_frame+960>:    xor    %eax,%eax
   0x033cf1da <bmp_decode_frame+962>:    mov    %edx,%edi
=> 0x033cf1dc <bmp_decode_frame+964>:    rep stos %al,%es:(%edi)
   0x033cf1de <bmp_decode_frame+966>:    mov    0x40(%esp),%eax
   0x033cf1e2 <bmp_decode_frame+970>:    test   %eax,%eax
   0x033cf1e4 <bmp_decode_frame+972>:    jg     0x33cf0e7
<bmp_decode_frame+719>
   0x033cf1ea <bmp_decode_frame+978>:    mov    0x28(%esp),%ecx
   0x033cf1ee <bmp_decode_frame+982>:    mov    (%ecx),%ebx
   0x033cf1f0 <bmp_decode_frame+984>:    mov    0x10(%ecx),%eax
   0x033cf1f3 <bmp_decode_frame+987>:    mov    %eax,0x34(%esp)
   0x033cf1f7 <bmp_decode_frame+991>:    cmpl   $0xb,0x34(%ebp)
   0x033cf1fb <bmp_decode_frame+995>:    jne    0x33cf107
<bmp_decode_frame+751>
End of assembler dump.
(gdb) info all-registers
eax            0x0    0
ecx            0x400    1024
edx            0x0    0
ebx            0xffffffff    -1
esp            0x323f6e0    0x323f6e0
ebp            0x2e1c960    0x2e1c960
esi            0x2e1dcc8    48356552
edi            0x0    0
eip            0x33cf1dc    0x33cf1dc <bmp_decode_frame+964>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x23    35
ss             0x2b    43
ds             0x2b    43
es             0x2b    43
fs             0x53    83
gs             0x2b    43
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            -1    (raw 0xbfff8000000000000000)
st4            -1    (raw 0xbfff8000000000000000)
st5            1    (raw 0x3fff8000000000000000)
st6            1    (raw 0x3fff8000000000000000)
st7            -1    (raw 0xbfff8000000000000000)
fctrl          0x27f    639
fstat          0x4020    16416
ftag           0xffff    65535
fiseg          0x23    35
fioff          0x6b5cff34    1801256756
foseg          0x2b    43
fooff          0x2e20888    48367752
fop            0x0    0
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, 
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, 
  uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1f80    [ IM DM ZM OM UM PM ]
mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, 
  v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x80}}
mm4            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, 
  v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x80}}
mm5            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, 
  v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x80}}
mm6            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, 
  v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x80}}
mm7            {uint64 = 0x8000000000000000, v2_int32 = {0x0, 0x80000000}, 
  v4_int16 = {0x0, 0x0, 0x0, 0x8000}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0x0, 0x0, 0x80}}
(gdb) p p
$1 = (AVFrame *) 0x2e1a560
(gdb) p p->data
$2 = {0x2e22340 '€' <repeats 200 times>..., 0x0, 0x0, 0x0}
(gdb) p *p
$3 = {data = {0x2e22340 '€' <repeats 200 times>..., 0x0, 0x0, 0x0}, 
  linesize = {64, 0, 0, 0}, base = {0x2e22340 '€' <repeats 200 times>..., 
    0x0, 0x0, 0x0}, key_frame = 1, pict_type = AV_PICTURE_TYPE_I, 
  pts = -9223372036854775808, coded_picture_number = 0, 
  display_picture_number = 0, quality = 0, age = 0, reference = 0, 
  qscale_table = 0x0, qstride = 0, mbskip_table = 0x0, motion_val = {0x0, 
    0x0}, mb_type = 0x0, motion_subsample_log2 = 0 '\000', 
  opaque = 0x2de50b8, error = {0, 0, 0, 0}, type = 1, repeat_pict = 0, 
  qscale_type = 0, interlaced_frame = 0, top_field_first = 0, pan_scan = 0x0, 
  palette_has_changed = 0, buffer_hints = 0, dct_coeff = 0x0, ref_index = {
    0x0, 0x0}, reordered_opaque = 0, hwaccel_picture_private = 0x0, 
  pkt_pts = 0, pkt_dts = 0, owner = 0x0, thread_opaque = 0x0, nb_samples = 0, 
  extended_data = 0x2e1a560, sample_aspect_ratio = {num = 0, den = 1}, 
  width = 0, height = 0, format = -1}
(gdb) p *p->data[1]
(gdb) Cannot access memory at address 0x0

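The gdb session above pins the fault down: at the `rep stos` that implements `memset(p->data[1], 0, 1024)`, `edi` is 0 and `ecx` is 0x400, and `p *p` shows `data = {0x2e22340, 0x0, 0x0, 0x0}` with `format = -1`, so the decoder is zeroing a palette plane that the frame buffer it was handed never had. The C below is an added illustration, not libav's code: a minimal stand-in for the frame (the `frame_t` struct, `PALETTE_BYTES`, and the function names are assumptions) with the same 1024-byte palette reset, checked so that a missing `data[1]` becomes a returned error rather than a NULL write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the AVFrame fields the crash site touches
   (constructed model for this example, not libav's definition). */
typedef struct {
    uint8_t *data[4];   /* data[1] is the palette plane for paletted formats */
    int      linesize[4];
} frame_t;

#define PALETTE_BYTES 1024  /* 256 entries * 4 bytes, the size memset at bmp.c:231 */
enum { RESET_OK = 0, RESET_NO_PALETTE = -1 };

/* The report's line is an unconditional memset(p->data[1], 0, 1024). The
   decoder cannot assume the buffer handed back by the caller's get_buffer
   carries a palette plane (here it came from GStreamer with data[1] == NULL),
   so verify it first and return an error the caller can turn into a decode
   failure instead of a segfault. */
static int reset_palette_checked(frame_t *p)
{
    if (p == NULL || p->data[1] == NULL)
        return RESET_NO_PALETTE;
    memset(p->data[1], 0, PALETTE_BYTES);
    return RESET_OK;
}

/* Frame shaped like the gdb dump: linesize[0] = 64 and data[1] = NULL
   (constructed sample; with_palette = 1 instead allocates a plane full
   of 0xAA so the reset has something visible to clear). */
static frame_t *make_frame(int with_palette)
{
    frame_t *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->linesize[0] = 64;
    if (with_palette && (p->data[1] = malloc(PALETTE_BYTES)) != NULL)
        memset(p->data[1], 0xAA, PALETTE_BYTES);
    return p;
}

/* Returns 1 only when a palette plane exists and is entirely zero. */
static int palette_is_zero(const frame_t *p)
{
    if (!p || !p->data[1]) return 0;
    for (int i = 0; i < PALETTE_BYTES; i++)
        if (p->data[1][i]) return 0;
    return 1;
}

static void free_frame(frame_t *p) { if (p) { free(p->data[1]); free(p); } }
```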