[libav-bugs] [Bug 1031] New: vf_yadif performs invalid read/write when width == 704

bugzilla at libav.org bugzilla at libav.org
Tue Feb 21 20:31:50 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1031

            Bug ID: 1031
           Summary: vf_yadif performs invalid read/write when width == 704
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavfilter
          Assignee: bugzilla at libav.org
          Reporter: stebbins at jetheaddev.com

Created attachment 651
  --> https://bugzilla.libav.org/attachment.cgi?id=651&action=edit
Sample that reproduces valgrind results

I get the following output from valgrind with a sample ts file where the video
dimensions are 704x480

On OSX this results in a crash in an unrelated part of the code due to memory
corruption.  On Linux, I have not been able to make it crash.

==22052== Invalid read of size 8
==22052==    at 0xC9F0BE: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==    by 0xC7AF11: worker (pthread.c:89)
==22052==    by 0x7A3C6C9: start_thread (pthread_create.c:333)
==22052==    by 0x8806F7E: clone (clone.S:105)
==22052==  Address 0x1c4c669b is 337,915 bytes inside a block of size 337,920 alloc'd
==22052==    at 0x4C2FD79: memalign (vg_replace_malloc.c:857)
==22052==    by 0x4C2FE77: posix_memalign (vg_replace_malloc.c:1020)
==22052==    by 0xCAD2FD: av_malloc (mem.c:81)
==22052==    by 0xCA19FD: av_buffer_alloc (buffer.c:71)
==22052==    by 0xCA6FD4: get_video_buffer (frame.c:115)
==22052==    by 0xCA73ED: av_frame_get_buffer (frame.c:192)
==22052==    by 0xCA74CF: av_frame_ref (frame.c:215)
==22052==    by 0xC770C7: av_buffersrc_add_frame (buffersrc.c:191)
==22052==    by 0x44678C: filterFrame (avfilter.c:468)
==22052==    by 0x44697B: avfilter_work (avfilter.c:515)
==22052==    by 0x44DBF8: filter_loop (work.c:1983)
==22052==    by 0x457610: hb_thread_func (ports.c:860)
==22052== 
==22052== Invalid read of size 8
==22052==    at 0xC9F0C8: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==    by 0xC7AF11: worker (pthread.c:89)
==22052==    by 0x7A3C6C9: start_thread (pthread_create.c:333)
==22052==    by 0x8806F7E: clone (clone.S:105)
==22052==  Address 0x1c4c669b is 337,915 bytes inside a block of size 337,920 alloc'd
==22052==    at 0x4C2FD79: memalign (vg_replace_malloc.c:857)
==22052==    by 0x4C2FE77: posix_memalign (vg_replace_malloc.c:1020)
==22052==    by 0xCAD2FD: av_malloc (mem.c:81)
==22052==    by 0xCA19FD: av_buffer_alloc (buffer.c:71)
==22052==    by 0xCA6FD4: get_video_buffer (frame.c:115)
==22052==    by 0xCA73ED: av_frame_get_buffer (frame.c:192)
==22052==    by 0xCA74CF: av_frame_ref (frame.c:215)
==22052==    by 0xC770C7: av_buffersrc_add_frame (buffersrc.c:191)
==22052==    by 0x44678C: filterFrame (avfilter.c:468)
==22052==    by 0x44697B: avfilter_work (avfilter.c:515)
==22052==    by 0x44DBF8: filter_loop (work.c:1983)
==22052==    by 0x457610: hb_thread_func (ports.c:860)
==22052== 
==22052== Invalid read of size 8
==22052==    at 0xC9ED38: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==    by 0xC7AF11: worker (pthread.c:89)
==22052==    by 0x7A3C6C9: start_thread (pthread_create.c:333)
==22052==    by 0x8806F7E: clone (clone.S:105)
==22052==  Address 0x1c4c669b is 337,915 bytes inside a block of size 337,920 alloc'd
==22052==    at 0x4C2FD79: memalign (vg_replace_malloc.c:857)
==22052==    by 0x4C2FE77: posix_memalign (vg_replace_malloc.c:1020)
==22052==    by 0xCAD2FD: av_malloc (mem.c:81)
==22052==    by 0xCA19FD: av_buffer_alloc (buffer.c:71)
==22052==    by 0xCA6FD4: get_video_buffer (frame.c:115)
==22052==    by 0xCA73ED: av_frame_get_buffer (frame.c:192)
==22052==    by 0xCA74CF: av_frame_ref (frame.c:215)
==22052==    by 0xC770C7: av_buffersrc_add_frame (buffersrc.c:191)
==22052==    by 0x44678C: filterFrame (avfilter.c:468)
==22052==    by 0x44697B: avfilter_work (avfilter.c:515)
==22052==    by 0x44DBF8: filter_loop (work.c:1983)
==22052==    by 0x457610: hb_thread_func (ports.c:860)
==22052== 
==22052== Invalid read of size 8
==22052==    at 0xC9ED40: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==    by 0xC7AF11: worker (pthread.c:89)
==22052==    by 0x7A3C6C9: start_thread (pthread_create.c:333)
==22052==    by 0x8806F7E: clone (clone.S:105)
==22052==  Address 0x1c4c669b is 337,915 bytes inside a block of size 337,920 alloc'd
==22052==    at 0x4C2FD79: memalign (vg_replace_malloc.c:857)
==22052==    by 0x4C2FE77: posix_memalign (vg_replace_malloc.c:1020)
==22052==    by 0xCAD2FD: av_malloc (mem.c:81)
==22052==    by 0xCA19FD: av_buffer_alloc (buffer.c:71)
==22052==    by 0xCA6FD4: get_video_buffer (frame.c:115)
==22052==    by 0xCA73ED: av_frame_get_buffer (frame.c:192)
==22052==    by 0xCA74CF: av_frame_ref (frame.c:215)
==22052==    by 0xC770C7: av_buffersrc_add_frame (buffersrc.c:191)
==22052==    by 0x44678C: filterFrame (avfilter.c:468)
==22052==    by 0x44697B: avfilter_work (avfilter.c:515)
==22052==    by 0x44DBF8: filter_loop (work.c:1983)
==22052==    by 0x457610: hb_thread_func (ports.c:860)
==22052== 
==22052== Invalid write of size 8
==22052==    at 0xC9F153: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==    by 0xC7AF11: worker (pthread.c:89)
==22052==    by 0x7A3C6C9: start_thread (pthread_create.c:333)
==22052==    by 0x8806F7E: clone (clone.S:105)
==22052==  Address 0x1d55887b is 337,915 bytes inside a block of size 337,920 alloc'd
==22052==    at 0x4C2FD79: memalign (vg_replace_malloc.c:857)
==22052==    by 0x4C2FE77: posix_memalign (vg_replace_malloc.c:1020)
==22052==    by 0xCAD2FD: av_malloc (mem.c:81)
==22052==    by 0xCA19FD: av_buffer_alloc (buffer.c:71)
==22052==    by 0xCA6FD4: get_video_buffer (frame.c:115)
==22052==    by 0xCA73ED: av_frame_get_buffer (frame.c:192)
==22052==    by 0xC9215B: ff_default_get_video_buffer (video.c:50)
==22052==    by 0xC9220F: ff_get_video_buffer (video.c:67)
==22052==    by 0xC920FB: ff_null_get_video_buffer (video.c:32)
==22052==    by 0xC921F0: ff_get_video_buffer (video.c:64)
==22052==    by 0xC91BFB: filter_frame (vf_yadif.c:340)
==22052==    by 0xC748CB: ff_filter_frame (avfilter.c:804)

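A triage helper for the memcheck output quoted in the report, added here as an example (it is not part of the original report or of Libav). It parses each "Invalid read/write" record, computes how many bytes of the access fall past the end of the heap block, and groups identical findings; the function names `parse_memcheck` and `summarize` are made up for this example, and `SAMPLE` is an excerpt of the traces above with most frames trimmed.

```python
import re
from collections import Counter

# Excerpt of the memcheck output from the report (stack frames trimmed).
SAMPLE = """\
==22052== Invalid read of size 8
==22052==    at 0xC9F0BE: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==  Address 0x1c4c669b is 337,915 bytes inside a block of size 337,920
alloc'd
==22052==    at 0x4C2FD79: memalign (vg_replace_malloc.c:857)
==22052==
==22052== Invalid write of size 8
==22052==    at 0xC9F153: ff_yadif_filter_line_sse2 (vf_yadif.asm:250)
==22052==  Address 0x1d55887b is 337,915 bytes inside a block of size 337,920
alloc'd
"""

ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"\bat 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
BLOCK = re.compile(r"Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes inside a block of size ([\d,]+)")

def parse_memcheck(text):
    """Return one dict per invalid access, with the overrun in bytes."""
    findings, cur = [], None
    for line in text.splitlines():
        m = ACCESS.search(line)
        if m:  # start of a new error record
            cur = {"kind": m.group(1), "size": int(m.group(2)), "func": None}
            continue
        if cur is None:
            continue  # allocation stack or unrelated line
        m = FRAME.search(line)
        if m and cur["func"] is None:  # innermost frame = faulting function
            cur["func"], cur["where"] = m.group(1), m.group(2)
            continue
        m = BLOCK.search(line)
        if m:  # offset + access size beyond block size = bytes out of bounds
            off, blk = (int(g.replace(",", "")) for g in m.groups())
            cur.update(offset=off, block=blk,
                       overrun=max(0, off + cur["size"] - blk))
            findings.append(cur)
            cur = None  # ignore the "alloc'd" stack that follows
    return findings

def summarize(findings):
    """Group identical findings so repeated traces collapse to one row."""
    return Counter((f["kind"], f["func"], f["size"], f["offset"],
                    f["block"], f["overrun"]) for f in findings)

if __name__ == "__main__":
    for key, n in summarize(parse_memcheck(SAMPLE)).items():
        print(n, key)
```

On the traces above, every 8-byte access starts 5 bytes before the end of the 337,920-byte block (704 × 480, the frame dimensions given in the report), so 3 bytes of each read and write land outside the allocation.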