[libav-bugs] [Bug 605] New: segfault caused by init_get_bits behavior change

bugzilla at libav.org bugzilla at libav.org
Tue Dec 17 13:14:16 CET 2013


https://bugzilla.libav.org/show_bug.cgi?id=605

           Summary: segfault caused by init_get_bits behavior change
           Product: Libav
           Version: 0.8
          Platform: X86
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: hdk1983+vdsmtlgm at gmail.com


This bug is in version 0.8.8 and 0.8.9.

I did "git bisect" and found that commit
e6a365b5d2fc8010558ae9a0c3e9749819ad9d45 breaks something.  The commit is
cherry picked from commit d9cf5f516974c64e01846ca685301014b38cf224.  It changes
init_get_bits behavior.

Then I looked at master branch and found another commit
4603ec85ed620e585fc6e2e072c99858ed421855 that changes init_get_bits behavior
again.  The most important change is that the 0.8 version of init_get_bits
returns buffer=NULL when bit_size parameter is zero.

The commit 4603ec85ed620e585fc6e2e072c99858ed421855 fixes the problem in 0.8.
Please cherry-pick it.


Environment: Debian GNU/Linux 7 (i386), FreeBSD 9.2-RELEASE (i386)
Command line: avconv -i ~/hoge2.ts -an -vcodec bmp /tmp/a%02d.bmp

Segfault gdb output on FreeBSD (see the bit_size parameter is "buf_size * 8"
and buf_size=0):
------------------------------------------------------------
$ gdb ./avconv
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) r -v 9 -loglevel 99 -i ~/hoge2.ts -an -vcodec bmp /tmp/a%02d.bmp
Starting program: /home/hdk/libav/libav-0.8.9/avconv -v 9 -loglevel 99 -i
~/hoge2.ts -an -vcodec bmp /tmp/a%02d.bmp
[New LWP 100068]
[New Thread 34804300 (LWP 100068/avconv)]
avconv version 0.8.9, Copyright (c) 2000-2013 the Libav developers
  built on Dec 17 2013 12:57:09 with gcc 4.2.1 20070831 patched [FreeBSD]
  configuration: --prefix=/home/hdk/libav/libav-0.8.9/_
  libavutil    51. 22. 1 / 51. 22. 1
  libavcodec   53. 35. 0 / 53. 35. 0
  libavformat  53. 21. 1 / 53. 21. 1
  libavdevice  53.  2. 0 / 53.  2. 0
  libavfilter   2. 15. 0 /  2. 15. 0
  libswscale    2.  1. 0 /  2.  1. 0
[mpegts @ 0x3485e100] Probed with size=2048 and score=100
[mpegts @ 0x3485e100] stream=0 stream_type=2 pid=100 prog_reg_desc=
[mpeg2video @ 0x3496e400] err{or,}_recognition separate: 1; 1
[mpeg2video @ 0x3496e400] err{or,}_recognition combined: 1; 1
[mpeg2video @ 0x3496e400] Unsupported bit depth: 0
Input #0, mpegts, from '/home/hdk/hoge2.ts':
  Duration: 26:30:43.68, start: 1.573956, bitrate: 0 kb/s
  Program 1
    Metadata:
      service_name    : Service01
      service_provider: Libav
    Stream #0.0[0x100], 15, 1/90000: Video: mpeg2video (Main), yuv420p,
1920x1080 [PAR 1:1 DAR 16:9], 1001/60000, 24000 kb/s, 29.97 fps, 29.97 tbr, 90k
tbn, 59.94 tbc
Incompatible pixel format 'yuv420p' for codec 'bmp', auto-selecting format
'bgr24'
[buffer @ 0x3486e180] w:1920 h:1080 pixfmt:yuv420p
[avsink @ 0x3486e200] auto-inserting filter 'auto-inserted scaler 0' between
the filter 'src' and the filter 'out'
[scale @ 0x3486e280] w:1920 h:1080 fmt:yuv420p -> w:1920 h:1080 fmt:bgr24
flags:0x4
[bmp @ 0x3496e800] err{or,}_recognition separate: 1; 1
[bmp @ 0x3496e800] err{or,}_recognition combined: 1; 1
[mpeg2video @ 0x3496e400] err{or,}_recognition separate: 1; 1
[mpeg2video @ 0x3496e400] err{or,}_recognition combined: 1; 1
[mpeg2video @ 0x3496e400] detected 1 logical cores
Output #0, image2, to '/tmp/a%02d.bmp':
  Metadata:
    encoder         : Lavf53.21.1
    Stream #0.0, 0, 1/90000: Video: bmp, bgr24, 1920x1080 [PAR 1:1 DAR 16:9],
1001/30000, q=2-31, 200 kb/s, 90k tbn, 29.97 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video -> bmp)
Press ctrl-c to stop encoding
[mpeg2video @ 0x3496e400] Unsupported bit depth: 0
frame=   10 fps=  8 q=0.0 size=      -0kB time=0.33 bitrate=  -0.5kbits/s
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 34804300 (LWP 100068/avconv)]
0x08392d20 in mpeg_decode_slice (s=0x349e0000, mb_y=66, buf=0xbfbfd544,
    buf_size=0) at get_bits.h:241
241         UPDATE_CACHE(re, s);
(gdb) bt
#0  0x08392d20 in mpeg_decode_slice (s=0x349e0000, mb_y=66, buf=0xbfbfd544,
    buf_size=0) at get_bits.h:241
#1  0x083961d9 in decode_chunks (avctx=0x3496e400, picture=0x349c9200,
    data_size=0xbfbfd924, buf=0x34a36000 "", buf_size=906)
    at libavcodec/mpeg12.c:2449
#2  0x0839670b in mpeg_decode_frame (avctx=0x3496e400, data=0x349c9200,
    data_size=0xbfbfd924, avpkt=0xbfbfd89c) at libavcodec/mpeg12.c:2233
#3  0x0849a04e in avcodec_decode_video2 (avctx=0x3496e400, picture=0x349c9200,
    got_picture_ptr=0xbfbfd924, avpkt=0xbfbfd89c) at libavcodec/utils.c:1155
#4  0x08054971 in output_packet (ist=0x3492b080, ost_table=0x349c1200,
    nb_ostreams=1, pkt=0xbfbfdba0) at avconv.c:1934
#5  0x08056d19 in main (argc=Error accessing memory address 0x0: Bad address.
) at avconv.c:2807
(gdb) l mpeg_decode_slice
1624     * @return DECODE_SLICE_ERROR if the slice is damaged,
1625     *         DECODE_SLICE_OK if this slice is OK
1626     */
1627    static int mpeg_decode_slice(MpegEncContext *s, int mb_y,
1628                                 const uint8_t **buf, int buf_size)
1629    {
1630        AVCodecContext *avctx = s->avctx;
1631        const int lowres      = s->avctx->lowres;
1632        const int field_pic   = s->picture_structure != PICT_FRAME;
1633
(gdb) 
1634        s->resync_mb_x =
1635        s->resync_mb_y = -1;
1636
1637        assert(mb_y < s->mb_height);
1638
1639        init_get_bits(&s->gb, *buf, buf_size * 8);
1640
1641        ff_mpeg1_clean_buffers(s);
1642        s->interlaced_dct = 0;
1643
------------------------------------------------------------

Expected result, fixed by applying a patch in the commit
4603ec85ed620e585fc6e2e072c99858ed421855:
------------------------------------------------------------
$ ./avconv -v 9 -loglevel 99 -i ~/hoge2.ts -an -vcodec bmp /tmp/a%02d.bmp
avconv version 0.8.9, Copyright (c) 2000-2013 the Libav developers
  built on Dec 17 2013 12:57:09 with gcc 4.2.1 20070831 patched [FreeBSD]
  configuration: --prefix=/home/hdk/libav/libav-0.8.9/_
  libavutil    51. 22. 1 / 51. 22. 1
  libavcodec   53. 35. 0 / 53. 35. 0
  libavformat  53. 21. 1 / 53. 21. 1
  libavdevice  53.  2. 0 / 53.  2. 0
  libavfilter   2. 15. 0 /  2. 15. 0
  libswscale    2.  1. 0 /  2.  1. 0
[mpegts @ 0x3485e100] Probed with size=2048 and score=100
[mpegts @ 0x3485e100] stream=0 stream_type=2 pid=100 prog_reg_desc=
[mpeg2video @ 0x3496e400] err{or,}_recognition separate: 1; 1
[mpeg2video @ 0x3496e400] err{or,}_recognition combined: 1; 1
[mpeg2video @ 0x3496e400] Unsupported bit depth: 0
Input #0, mpegts, from '/home/hdk/hoge2.ts':
  Duration: 26:30:43.68, start: 1.573956, bitrate: 0 kb/s
  Program 1
    Metadata:
      service_name    : Service01
      service_provider: Libav
    Stream #0.0[0x100], 15, 1/90000: Video: mpeg2video (Main), yuv420p,
1920x1080 [PAR 1:1 DAR 16:9], 1001/60000, 24000 kb/s, 29.97 fps, 29.97 tbr, 90k
tbn, 59.94 tbc
Incompatible pixel format 'yuv420p' for codec 'bmp', auto-selecting format
'bgr24'
[buffer @ 0x3486e180] w:1920 h:1080 pixfmt:yuv420p
[avsink @ 0x3486e200] auto-inserting filter 'auto-inserted scaler 0' between
the filter 'src' and the filter 'out'
[scale @ 0x3486e280] w:1920 h:1080 fmt:yuv420p -> w:1920 h:1080 fmt:bgr24
flags:0x4
[bmp @ 0x3496e800] err{or,}_recognition separate: 1; 1
[bmp @ 0x3496e800] err{or,}_recognition combined: 1; 1
[mpeg2video @ 0x3496e400] err{or,}_recognition separate: 1; 1
[mpeg2video @ 0x3496e400] err{or,}_recognition combined: 1; 1
[mpeg2video @ 0x3496e400] detected 1 logical cores
Output #0, image2, to '/tmp/a%02d.bmp':
  Metadata:
    encoder         : Lavf53.21.1
    Stream #0.0, 0, 1/90000: Video: bmp, bgr24, 1920x1080 [PAR 1:1 DAR 16:9],
1001/30000, q=2-31, 200 kb/s, 90k tbn, 29.97 tbc
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg2video -> bmp)
Press ctrl-c to stop encoding
[mpeg2video @ 0x3496e400] Unsupported bit depth: 0
qscale == 0 fps=  8 q=0.0 size=      -0kB time=0.30 bitrate=  -0.6kbits/s
[mpeg2video @ 0x3496e400] Warning MVs not available
[mpeg2video @ 0x3496e400] concealing 240 DC, 240 AC, 240 MV errors
frame=   13 fps=  8 q=0.0 Lsize=      -0kB time=0.43 bitrate=  -0.4kbits/s
video:78976kB audio:0kB global headers:0kB muxing overhead -100.000027%
------------------------------------------------------------
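
The failure mode in this report, as an added example that is not libav's code
and not the reporter's: a minimal bit reader in the shape of GetBitContext,
with an init that clears the buffer pointer on a zero bit_size (the 0.8
behaviour the report describes) beside one that keeps an empty buffer valid,
and a slice entry point modelled on the init_get_bits(&s->gb, *buf, buf_size *
8) call at line 1639 of the listing that validates buf_size and checks the init
result before reading. All names (bitreader_*, decode_slice_checked), the
INT_MAX - 7 bound and the two-byte sample slice are constructed for the
illustration; the DECODE_SLICE_OK / DECODE_SLICE_ERROR names follow the
mpeg_decode_slice comment shown above.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal bit reader in the shape of libav's GetBitContext.
 * Added illustration, not libav's get_bits.h. */
typedef struct BitReader {
    const uint8_t *buffer;
    int index;         /* current position, in bits */
    int size_in_bits;
} BitReader;

#define ERR_INVALIDDATA (-1)
enum { DECODE_SLICE_OK = 0, DECODE_SLICE_ERROR = -1 };

/* Shared init. reject_empty selects the 0.8 behaviour the report describes:
 * bit_size == 0 is treated like an invalid size and the buffer is cleared.
 * (Hypothetical bound: INT_MAX - 7 leaves headroom for rounding to bytes.) */
static int bitreader_init_impl(BitReader *r, const uint8_t *buffer,
                               int bit_size, int reject_empty)
{
    int bad = bit_size < 0 || bit_size > INT_MAX - 7 || !buffer ||
              (reject_empty && bit_size == 0);
    r->index = 0;
    if (bad) { r->buffer = NULL; r->size_in_bits = 0; return ERR_INVALIDDATA; }
    r->buffer = buffer; r->size_in_bits = bit_size;
    return 0;
}

/* 0.8.8/0.8.9 behaviour per the report: buffer becomes NULL for bit_size 0.
 * A caller that ignores the return value and reads anyway, as the
 * UPDATE_CACHE in the backtrace does, dereferences NULL. */
static int bitreader_init_old(BitReader *r, const uint8_t *buffer, int bit_size)
{ return bitreader_init_impl(r, buffer, bit_size, 1); }

/* In the spirit of the fix the reporter asks for: an empty buffer is not
 * corrupt data, only nothing to read, so the pointer stays valid with size 0
 * and the bounds check in every read refuses to touch memory. */
static int bitreader_init_fixed(BitReader *r, const uint8_t *buffer, int bit_size)
{ return bitreader_init_impl(r, buffer, bit_size, 0); }

/* Bounds-checked read of 1..25 bits, MSB first. Returns -1 instead of reading
 * past size_in_bits or through a NULL buffer; this is the step an unchecked
 * cache refill performs blindly. */
static int bitreader_get_bits(BitReader *r, int n)
{
    if (!r->buffer || n < 1 || n > 25 || r->index > r->size_in_bits - n)
        return -1;
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        int pos = r->index + i;
        v = (v << 1) | ((r->buffer[pos >> 3] >> (7 - (pos & 7))) & 1u);
    }
    r->index += n;
    return (int)v;
}

/* Call site modelled on line 1639 of the listing: init with buf_size * 8, then
 * read. Unlike the 0.8 code, buf_size is validated (including the overflow of
 * buf_size * 8) and the init result is checked, so an empty slice is reported
 * as damaged rather than read. The 5-bit field stands in for the slice's
 * quantiser scale code; 0 is rejected, as the "qscale == 0" message in the
 * expected output suggests. */
static int decode_slice_checked(const uint8_t *buf, int buf_size, int *qscale_out)
{
    BitReader gb;
    if (buf_size < 0 || buf_size > INT_MAX / 8)
        return DECODE_SLICE_ERROR;
    if (bitreader_init_fixed(&gb, buf, buf_size * 8) < 0)
        return DECODE_SLICE_ERROR;
    int qscale = bitreader_get_bits(&gb, 5);
    if (qscale <= 0)            /* -1: out of data, 0: invalid quantiser scale */
        return DECODE_SLICE_ERROR;
    *qscale_out = qscale;
    return DECODE_SLICE_OK;
}

/* Constructed two-byte "slice": 0x5A = 0101 1010, first 5 bits 01011 = 11. */
static const uint8_t kSampleSlice[2] = { 0x5A, 0x00 };

static int old_init_nulls_buffer_on_empty(void)
{
    BitReader r;
    return bitreader_init_old(&r, kSampleSlice, 0) == ERR_INVALIDDATA && r.buffer == NULL;
}

static int fixed_init_keeps_buffer_on_empty(void)
{
    BitReader r;
    int ret = bitreader_init_fixed(&r, kSampleSlice, 0);
    /* valid pointer, zero size, and the first read fails cleanly */
    return ret == 0 && r.buffer == kSampleSlice && r.size_in_bits == 0 &&
           bitreader_get_bits(&r, 1) == -1;
}

static int empty_slice_result(void)
{
    int q = 0;
    return decode_slice_checked(kSampleSlice, 0, &q);
}

static int sample_slice_qscale(void)
{
    int q = 0;
    if (decode_slice_checked(kSampleSlice, (int)sizeof kSampleSlice, &q) != DECODE_SLICE_OK)
        return -1;
    return q;
}

int main(void)
{
    printf("old init clears buffer on empty slice: %d\n", old_init_nulls_buffer_on_empty());
    printf("fixed init keeps buffer on empty slice: %d\n", fixed_init_keeps_buffer_on_empty());
    printf("empty slice -> %s\n", empty_slice_result() == DECODE_SLICE_ERROR ? "ERROR" : "OK");
    printf("sample slice qscale = %d\n", sample_slice_qscale());
    return 0;
}
```

The two defences are independent: the reader survives an empty buffer on its
own, and the caller still refuses to decode a slice with nothing in it, which
is what the mpeg_decode_slice call in the backtrace lacked.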
