On Fri, Jan 30, 2026 at 04:45:16PM +0100, Michael Niedermayer via ffmpeg-devel wrote:
> Hi
> 
> 56d9ca69d7f229dccee6ad47c67a37f558196fb7 introduces a "use after free"
> 
> with an srt file as input like this:
> 1
> 00:00:00,000 --> 00:00:01,000
> Test
> 
> valgrind ./ffmpeg_g -i test.srt -f hls t.m3u8
> 
> you get this in about 50% of the runs
> 
> I noticed this issue when debugging the format string issue submitted by
> Sarthak Munshi
> 
> ==3961210== Thread 2:
> ==3961210== Invalid read of size 1
> ==3961210==    at 0x4853DF0: __memcpy_chk (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==3961210==    by 0x324297: enc_open (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x325F59: encoder_thread (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x33E9AF: task_wrapper (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x740BAA3: start_thread (pthread_create.c:447)
> ==3961210==    by 0x7498A63: clone (clone.S:100)
> ==3961210==  Address 0xca93ac4 is 580 bytes inside a block of size 582 free'd
> ==3961210==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==3961210==    by 0x29824A: ff_codec_close (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0xD101FC: avcodec_free_context (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x31C768: decoder_thread (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x33E9AF: task_wrapper (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x740BAA3: start_thread (pthread_create.c:447)
> ==3961210==    by 0x7498A63: clone (clone.S:100)
> ==3961210==  Block was alloc'd at
> ==3961210==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==3961210==    by 0x1871164: av_malloc (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x184E70A: av_asprintf (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x1301482: ff_ass_subtitle_header_full (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x13014FA: ff_ass_subtitle_header (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x130152B: ff_ass_subtitle_header_default (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x9464B6: avcodec_open2 (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x31B996: dec_open (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x31E23F: dec_init (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x3212D5: ist_use (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x331FAC: ost_add (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x333E40: map_auto_subtitle (in ffmpeg/ffmpeg_g)
> ==3961210== 
> ==3961210== Invalid read of size 1
> ==3961210==    at 0x4853DFD: __memcpy_chk (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==3961210==    by 0x324297: enc_open (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x325F59: encoder_thread (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x33E9AF: task_wrapper (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x740BAA3: start_thread (pthread_create.c:447)
> ==3961210==    by 0x7498A63: clone (clone.S:100)
> ==3961210==  Address 0xca93ac2 is 578 bytes inside a block of size 582 free'd
> ==3961210==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==3961210==    by 0x29824A: ff_codec_close (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0xD101FC: avcodec_free_context (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x31C768: decoder_thread (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x33E9AF: task_wrapper (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x740BAA3: start_thread (pthread_create.c:447)
> ==3961210==    by 0x7498A63: clone (clone.S:100)
> ==3961210==  Block was alloc'd at
> ==3961210==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==3961210==    by 0x1871164: av_malloc (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x184E70A: av_asprintf (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x1301482: ff_ass_subtitle_header_full (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x13014FA: ff_ass_subtitle_header (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x130152B: ff_ass_subtitle_header_default (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x9464B6: avcodec_open2 (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x31B996: dec_open (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x31E23F: dec_init (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x3212D5: ist_use (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x331FAC: ost_add (in ffmpeg/ffmpeg_g)
> ==3961210==    by 0x333E40: map_auto_subtitle (in ffmpeg/ffmpeg_g)
and with line numbers: this is based on 56d9ca69d7f229dccee6ad47c67a37f558196fb7

==3985450== Thread 2:
==3985450== Invalid read of size 8
==3985450==    at 0x4852DFD: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9cae800 is 0 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
==3985450== Invalid read of size 8
==3985450==    at 0x4852E0F: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9cae808 is 8 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
==3985450== Invalid read of size 8
==3985450==    at 0x4852E17: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9cae810 is 16 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
==3985450== Invalid read of size 8
==3985450==    at 0x4852E1F: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9cae818 is 24 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
==3985450== Invalid read of size 8
==3985450==    at 0x4852E04: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9cae820 is 32 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
==3985450== Invalid read of size 2
==3985450==    at 0x4852EB0: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9caea40 is 576 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
==3985450== Invalid read of size 1
==3985450==    at 0x4852EE0: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x260231: enc_open (ffmpeg_enc.c:327)
==3985450==    by 0x2626E5: encoder_thread (ffmpeg_enc.c:887)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Address 0x9caea44 is 580 bytes inside a block of size 582 free'd
==3985450==    at 0x484988F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E65A2: av_free (mem.c:243)
==3985450==    by 0x14E65EE: av_freep (mem.c:253)
==3985450==    by 0x8FA4D7: ff_codec_close (avcodec.c:493)
==3985450==    by 0xC92E95: avcodec_free_context (options.c:171)
==3985450==    by 0x2555F5: decoder_thread (ffmpeg_dec.c:1021)
==3985450==    by 0x2884C9: task_wrapper (ffmpeg_sched.c:2577)
==3985450==    by 0x6670AA3: start_thread (pthread_create.c:447)
==3985450==    by 0x66FDA63: clone (clone.S:100)
==3985450==  Block was alloc'd at
==3985450==    at 0x484E366: posix_memalign (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3985450==    by 0x14E620D: av_malloc (mem.c:107)
==3985450==    by 0x14BDC0F: av_asprintf (avstring.c:127)
==3985450==    by 0x10F1FC7: ff_ass_subtitle_header_full (ass.c:37)
==3985450==    by 0x10F207E: ff_ass_subtitle_header (ass.c:90)
==3985450==    by 0x10F20C5: ff_ass_subtitle_header_default (ass.c:100)
==3985450==    by 0x8F9E50: avcodec_open2 (avcodec.c:342)
==3985450==    by 0x256EA8: dec_open (ffmpeg_dec.c:1602)
==3985450==    by 0x257227: dec_init (ffmpeg_dec.c:1668)
==3985450==    by 0x25B51B: ist_use (ffmpeg_demux.c:994)
==3985450==    by 0x275C64: ost_add (ffmpeg_mux_init.c:1547)
==3985450==    by 0x276594: map_auto_subtitle (ffmpeg_mux_init.c:1727)
==3985450== 
[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
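The ownership pattern behind the traces above, as an added example that is not ffmpeg's code: a decoder-side context owns a heap-allocated subtitle header (built by a printf-style allocation, like av_asprintf in ff_ass_subtitle_header_full), the encoder is handed that header at stream setup, and the decoder context is freed on its own schedule. In ffmpeg the free happens on the decoder thread and the memcpy on the encoder thread, which is why the report appears in only some runs. The buggy hand-off stores the borrowed pointer; the hardened hand-off duplicates the bytes while the owner is certainly alive, so the later memcpy never depends on the decoder's lifetime. All names here (dec_ctx, enc_ctx, dec_open, dec_close, ost_add, enc_open, HEADER_FMT, header_survives_decoder_close) are hypothetical stand-ins, the header text is constructed, and copy-at-hand-off is one standard remedy for this bug class, not a statement of how the ffmpeg report was resolved.

```c
/* Added example, not ffmpeg code: borrowed vs. owned subtitle header. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *subtitle_header;        /* owned by the decoder context */
    size_t subtitle_header_size;
} dec_ctx;

typedef struct {
    const char *src_header;        /* what enc_open() copies from */
    size_t      src_header_size;
    int         owns_src;          /* 1 if src_header is our own allocation */
    char       *subtitle_header;   /* filled in by enc_open() */
} enc_ctx;

/* Constructed stand-in for the ASS header; hypothetical format. */
static const char HEADER_FMT[] =
    "[Script Info]\nScriptType: v4.00+\n[V4+ Styles]\nStyle: Default,%s,%d\n";

/* Like avcodec_open2() -> ff_ass_subtitle_header_default(): the header is
 * allocated printf-style and owned by the decoder context. */
static dec_ctx *dec_open(const char *font, int font_size)
{
    dec_ctx *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    int n = snprintf(NULL, 0, HEADER_FMT, font, font_size);
    if (n < 0 || !(d->subtitle_header = malloc((size_t)n + 1))) {
        free(d);
        return NULL;
    }
    snprintf(d->subtitle_header, (size_t)n + 1, HEADER_FMT, font, font_size);
    d->subtitle_header_size = (size_t)n;
    return d;
}

/* Like avcodec_free_context(): the owner frees the header. In ffmpeg this
 * runs at the end of the decoder thread, independently of the encoder. */
static void dec_close(dec_ctx **pd)
{
    if (!*pd)
        return;
    free((*pd)->subtitle_header);
    free(*pd);
    *pd = NULL;
}

/* Hand-off at stream setup (the ost_add() frame in the report). */
static int ost_add(enc_ctx *e, const dec_ctx *d, int take_copy)
{
    e->src_header_size = d->subtitle_header_size;
    if (!take_copy) {
        /* BUGGY: borrow the decoder's pointer. Nothing keeps the decoder
         * context alive until enc_open() runs, so this is a lifetime bug
         * that only shows up when the decoder is freed first. */
        e->src_header = d->subtitle_header;
        e->owns_src   = 0;
        return 0;
    }
    /* FIXED: duplicate the bytes now, while the owner is alive. */
    char *copy = malloc(d->subtitle_header_size + 1);
    if (!copy)
        return -1;
    memcpy(copy, d->subtitle_header, d->subtitle_header_size + 1);
    e->src_header = copy;
    e->owns_src   = 1;
    return 0;
}

/* The encoder's open step: the memcpy() valgrind flagged in enc_open(). */
static int enc_open(enc_ctx *e)
{
    e->subtitle_header = malloc(e->src_header_size + 1);
    if (!e->subtitle_header)
        return -1;
    memcpy(e->subtitle_header, e->src_header, e->src_header_size + 1);
    return 0;
}

static void enc_close(enc_ctx *e)
{
    free(e->subtitle_header);
    if (e->owns_src)
        free((char *)e->src_header);
    memset(e, 0, sizeof(*e));
}

/* Runs the ordering that loses the race: decoder closed before the encoder
 * opens. Returns 1 if the encoder ends up with the decoder's exact header,
 * 0 on allocation failure. With take_copy == 0 the memcpy() in enc_open()
 * reads freed memory (undefined behaviour; valgrind reports it as above). */
static int header_survives_decoder_close(int take_copy)
{
    dec_ctx *d = dec_open("Arial", 16);
    if (!d)
        return 0;
    char expected[256];
    snprintf(expected, sizeof expected, HEADER_FMT, "Arial", 16);

    enc_ctx e = {0};
    if (ost_add(&e, d, take_copy) < 0) {
        dec_close(&d);
        return 0;
    }
    dec_close(&d);                      /* decoder thread finishes first */
    if (enc_open(&e) < 0) {
        enc_close(&e);
        return 0;
    }
    int ok = strcmp(e.subtitle_header, expected) == 0;
    enc_close(&e);
    return ok;
}

int main(int argc, char **argv)
{
    /* Pass "--borrow" to run the buggy hand-off, e.g. under valgrind. */
    int take_copy = !(argc > 1 && strcmp(argv[1], "--borrow") == 0);
    printf("take_copy=%d header_intact=%d\n", take_copy,
           header_survives_decoder_close(take_copy));
    return 0;
}
```

Running the binary under valgrind with `--borrow` produces a report of the same shape as the one above: an invalid read inside memcpy/memmove called from enc_open, on a block freed by dec_close and allocated by dec_open. Without the flag the encoder's copy is intact after the decoder context is gone, because the only pointer it ever dereferences is its own.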
