[libav-bugs] [Bug 977] New: SEGFAULT at H264 video decoding (libavcodec) #1

bugzilla at libav.org bugzilla at libav.org
Thu Oct 20 10:05:22 CEST 2016


https://bugzilla.libav.org/show_bug.cgi?id=977

            Bug ID: 977
           Summary: SEGFAULT at H264 video decoding (libavcodec) #1
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

Created attachment 612
  --> https://bugzilla.libav.org/attachment.cgi?id=612&action=edit
POC to trigger SEGFAULT (avconv)

After some fuzz testing I found a crashing test case.

Command: avconv -v 9 -loglevel 99 -i crash1_min -f /dev/null

Git Head: dd5d4a0e1e3a30a254d1a57ecbdcedf230c6014b

Output:

avconv version v13_dev0-251-gdd5d4a0, Copyright (c) 2000-2016 the Libav
developers
  built on Oct 19 2016 08:59:29 with clang version 3.9.0
(tags/RELEASE_390/final)
  configuration: --cc=clang --extra-cflags='-fsanitize=address -O1
-fno-omit-frame-pointer -g' --extra-ldflags='-fsanitize=address'
  libavutil     55. 25. 0 / 55. 25. 0
  libavcodec    57. 28. 0 / 57. 28. 0
  libavformat   57.  9. 0 / 57.  9. 0
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  7. 0 /  6.  7. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging
level) with argument '99'.
Reading option '-i' ... matched as input file with argument '2_min'.
Reading option '-f' ... matched as option 'f' (force format) with argument
'/dev/null'.
Trailing options were found on the commandline.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file 2_min.
Successfully parsed a group of options.
Opening an input file: 2_min.
nsv_probe(), buf_size 36
[h264 @ 0x61a00001f280] Probed with size=2048 and score=51
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 7, nal_ref_idc: 3
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 8, nal_ref_idc: 3
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x61900001ea80] Reinit context to 352x288, pix_fmt: 0
[h264 @ 0x61900001ea80] left block unavailable for requested intra4x4 mode -1
[h264 @ 0x61900001ea80] error while decoding MB 0 1, bytestream -3
[h264 @ 0x61900001ea80] Overread VUI by 8 bits
[h264 @ 0x61900001ea80] missing picture in access unit
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0
pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x61900001ea80] Overread VUI by 8 bits
ASAN:DEADLYSIGNAL
=================================================================
==6513==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc
0x00000178e3f7 bp 0x62e000007b00 sp 0x7fff28679de0 T0)
==6513==The signal is caused by a READ memory access.
==6513==Hint: address points to the zero page.
    #0 0x178e3f6 in ff_h264_execute_ref_pic_marking
XYZ/libav/libavcodec/h264_refs.c:700:48
    #1 0x1787bf0 in ff_h264_field_end
XYZ/libav/libavcodec/h264_picture.c:157:19
    #2 0xa89677 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:760:9
    #3 0x126342e in avcodec_decode_video2 XYZ/libav/libavcodec/utils.c:1590:19
    #4 0x12653dd in do_decode XYZ/libav/libavcodec/utils.c:1729:15
    #5 0x7b3239 in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #6 0x7aec7e in avformat_find_stream_info
XYZ/libav/libavformat/utils.c:2449:9
    #7 0x4f1669 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #8 0x4f0914 in open_files XYZ/libav/avconv_opt.c:2380:15
    #9 0x4f03a4 in avconv_parse_options XYZ/libav/avconv_opt.c:2417:11
    #10 0x50a93d in main XYZ/libav/avconv.c:2885:11
    #11 0x7f5ac323082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41afb8 in _start (/usr/local/bin/avconv+0x41afb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:700:48 in
ff_h264_execute_ref_pic_marking
==6513==ABORTING

Regards,
Kamil Frankowicz

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.libav.org/pipermail/libav-bugs/attachments/20161020/9997409b/attachment.html>


More information about the libav-bugs mailing list