[libav-bugs] [Bug 978] New: SEGFAULT at H264 video decoding (libavcodec) #2

bugzilla at libav.org bugzilla at libav.org
Thu Oct 20 10:23:36 CEST 2016


https://bugzilla.libav.org/show_bug.cgi?id=978

            Bug ID: 978
           Summary: SEGFAULT at H264 video decoding (libavcodec) #2
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: fumfi.255 at gmail.com

After some fuzz testing I found a crashing test case.

Command: avconv -v 9 -loglevel 99 -i crash2_min -f /dev/null

Git Head: dd5d4a0e1e3a30a254d1a57ecbdcedf230c6014b

Output:

avconv version v13_dev0-251-gdd5d4a0, Copyright (c) 2000-2016 the Libav developers
  built on Oct 19 2016 08:59:29 with clang version 3.9.0 (tags/RELEASE_390/final)
  configuration: --cc=clang --extra-cflags='-fsanitize=address -O1 -fno-omit-frame-pointer -g' --extra-ldflags='-fsanitize=address'
  libavutil     55. 25. 0 / 55. 25. 0
  libavcodec    57. 28. 0 / 57. 28. 0
  libavformat   57.  9. 0 / 57.  9. 0
  libavdevice   56.  1. 0 / 56.  1. 0
  libavfilter    6.  7. 0 /  6.  7. 0
  libavresample  3.  0. 0 /  3.  0. 0
  libswscale     4.  0. 0 /  4.  0. 0
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set libav* logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set libav* logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'crash2_min'.
Reading option '-f' ... matched as option 'f' (force format) with argument '/dev/null'.
Trailing options were found on the commandline.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set libav* logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file crash2_min.
Successfully parsed a group of options.
Opening an input file: crash2_min.
nsv_probe(), buf_size 44
[h264 @ 0x61a00001f280] Probed with size=2048 and score=51
[h264 @ 0x61900001ea80] FMO not supported
[h264 @ 0x61900001ea80] missing picture in access unit
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 7, nal_ref_idc: 3
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 8, nal_ref_idc: 3
[AVBSFContext @ 0x60800000b6a0] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x61900001ea80] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x61900001ea80] FMO not supported
[h264 @ 0x61900001ea80] slice type 32 too large at -1
[h264 @ 0x61900001ea80] decode_slice_header error
[h264 @ 0x61900001ea80] no frame!
[h264 @ 0x61900001ea80] nal_unit_type: 1, nal_ref_idc: 3
[h264 @ 0x61900001ea80] Reinit context to 352x288, pix_fmt: 0
[h264 @ 0x61900001ea80] Frame num gap 48 42
[h264 @ 0x61900001ea80] Frame num gap 48 43
[h264 @ 0x61900001ea80] Frame num gap 48 44
[h264 @ 0x61900001ea80] Frame num gap 48 45
[h264 @ 0x61900001ea80] Frame num gap 48 46
[h264 @ 0x61900001ea80] Missing reference picture
[h264 @ 0x61900001ea80] Reducing left cropping to 0 chroma samples to preserve alignment.
[h264 @ 0x61900001ea80] Invalid crop parameters
[h264 @ 0x61900001ea80] missing picture in access unit
IN delayed:0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0 st:0 pc:0x61300000db00
OUTdelayed:0/0 pts:-9223372036854775808, dts:-9223372036854775808 cur_dts:0
[h264 @ 0x61900001ea80] nal_unit_type: 7, nal_ref_idc: 2
[h264 @ 0x61900001ea80] Reducing left cropping to 0 chroma samples to preserve alignment.
[h264 @ 0x61900001ea80] Invalid crop parameters
ASAN:DEADLYSIGNAL
=================================================================
==15972==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00000178bd03 bp 0x000000000000 sp 0x7fff7b3d2f00 T0)
==15972==The signal is caused by a READ memory access.
==15972==Hint: address points to the zero page.
    #0 0x178bd02 in generate_sliding_window_mmcos XYZ/libav/libavcodec/h264_refs.c:536:62
    #1 0x178bd02 in ff_h264_execute_ref_pic_marking XYZ/libav/libavcodec/h264_refs.c:561
    #2 0x1787bf0 in ff_h264_field_end XYZ/libav/libavcodec/h264_picture.c:157:19
    #3 0xa89677 in h264_decode_frame XYZ/libav/libavcodec/h264dec.c:760:9
    #4 0x126342e in avcodec_decode_video2 XYZ/libav/libavcodec/utils.c:1590:19
    #5 0x12653dd in do_decode XYZ/libav/libavcodec/utils.c:1729:15
    #6 0x7b3239 in try_decode_frame XYZ/libav/libavformat/utils.c:1950:19
    #7 0x7aec7e in avformat_find_stream_info XYZ/libav/libavformat/utils.c:2449:9
    #8 0x4f1669 in open_input_file XYZ/libav/avconv_opt.c:771:11
    #9 0x4f0914 in open_files XYZ/libav/avconv_opt.c:2380:15
    #10 0x4f03a4 in avconv_parse_options XYZ/libav/avconv_opt.c:2417:11
    #11 0x50a93d in main XYZ/libav/avconv.c:2885:11
    #12 0x7f2c3351d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41afb8 in _start (/usr/local/bin/avconv+0x41afb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:536:62 in generate_sliding_window_mmcos
==15972==ABORTING


Regards,
Kamil Frankowicz
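One way to triage a sanitizer report like the one above (an added example, not the reporter's or Libav's own code): pull the fault kind, address, access type and top frame out of the ASAN block, flag a READ fault on a zero-page address such as 0x30 as a NULL pointer plus a struct-field offset (a reliable crash, i.e. denial of service, rather than a corrupting write), and derive a file:line key for grouping duplicate fuzzer crashes. The `CrashSummary` type and regexes are assumptions of this example; the sample text is the report's own lines with the email line-wrapping undone.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ASAN block from this report, with email line-wrapping undone.
ASAN_REPORT = """\
ASAN:DEADLYSIGNAL
==15972==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00000178bd03 bp 0x000000000000 sp 0x7fff7b3d2f00 T0)
==15972==The signal is caused by a READ memory access.
==15972==Hint: address points to the zero page.
    #0 0x178bd02 in generate_sliding_window_mmcos XYZ/libav/libavcodec/h264_refs.c:536:62
    #1 0x178bd02 in ff_h264_execute_ref_pic_marking XYZ/libav/libavcodec/h264_refs.c:561
    #2 0x1787bf0 in ff_h264_field_end XYZ/libav/libavcodec/h264_picture.c:157:19
SUMMARY: AddressSanitizer: SEGV XYZ/libav/libavcodec/h264_refs.c:536:62 in generate_sliding_window_mmcos
"""

@dataclass
class CrashSummary:
    kind: str                # "SEGV", "heap-buffer-overflow", ...
    address: int             # faulting address
    access: Optional[str]    # "READ" or "WRITE" when ASAN reports it
    top_frame: str           # function in frame #0
    location: str            # file:line[:col] of frame #0
    likely_null_deref: bool  # SEGV on the first page: NULL + small field offset

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

def parse_asan_report(text: str) -> CrashSummary:
    err = ERROR_RE.search(text)
    frame0 = FRAME0_RE.search(text)
    if not err or not frame0:
        raise ValueError("not a complete AddressSanitizer report")
    kind, addr = err.group(1), int(err.group(2), 16)
    acc = ACCESS_RE.search(text)
    # A fault below 4096 is a dereference through a NULL pointer plus a struct
    # offset (here 0x30): a reliable crash (DoS), not a corrupting write.
    null_deref = kind == "SEGV" and addr < 4096
    return CrashSummary(kind, addr, acc.group(1) if acc else None,
                        frame0.group(1), frame0.group(2), null_deref)

def dedup_key(s: CrashSummary) -> str:
    # Group fuzzer crashes by bug class, source file and line (column ignored).
    path, _, rest = s.location.partition(":")
    line = rest.split(":")[0] or "?"
    return f"{s.kind}:{path.rsplit('/', 1)[-1]}:{line}"
```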
