[issue624] Crash decoding Sanyo HD1000 MP4 H.264/AAC

Carl Eugen Hoyos Fri, 05 Sep 2008 14:37:27 -0700

Carl Eugen Hoyos <[EMAIL PROTECTED]> added the comment:

Reproduced with r15216:
gdb ffmpeg_g
(gdb) r -an -i avc-crash.mp4 -ss 30 -f framecrc -y test
...
[h264 @ 0x87e5970]AVC: Consumed only 149226 bytes instead of 149236
[h264 @ 0x87e5970]negative number of zero coeffs at 66 43
[h264 @ 0x87e5970]error while decoding MB 66 43
[h264 @ 0x87e5970]concealing 143 DC, 143 AC, 143 MV errors


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb76b46d0 (LWP 6696)]
0x083db597 in sad16_mmx2 (v=0x0, blk2=0x440 <Address 0x440 out of bounds>,
    blk1=0xb7178670 "���|[E8*$#$%$#\"
\036\034\033\025\022\017\017\021\022\023\024\022\021\020\017\023\022\022\022\024\027\033\035\032\032\032\032\026\026\026\026\024\023\022\021\021\020\017\016\016\r\t\a\005\005\005\005\002\002\002\002\002\002\002\002\003\003\003\003\002\002\002\002\002\002\002\002\004\004\004\004\005\005\005\005\b\b\b\b\n\t\b\b\004\004\004\004\006\006\006\006\a\a\a\a\005\005\005\005\006\006\006\006\005\005\a\a\f\f\f\f\t\t\t\t\b\b\b\b\t\t\t\t\t\t\t\t\v\016\023\026\033\033\033\033\036\"*.000///.......*#\037\034\034\034\034!&)(+,*'&&&&%$##22222222"...,
stride=1312, h=16) at libavcodec/i386/motion_est_mmx.c:425
425     PIX_SAD(mmx2)
(gdb) bt
#0  0x083db597 in sad16_mmx2 (v=0x0, blk2=0x440 <Address 0x440 out of bounds>,
    blk1=0xb7178670 "���|[E8*$#$%$#\"
\036\034\033\025\022\017\017\021\022\023\024\022\021\020\017\023\022\022\022\024\027\033\035\032\032\032\032\026\026\026\026\024\023\022\021\021\020\017\016\016\r\t\a\005\005\005\005\002\002\002\002\002\002\002\002\003\003\003\003\002\002\002\002\002\002\002\002\004\004\004\004\005\005\005\005\b\b\b\b\n\t\b\b\004\004\004\004\006\006\006\006\a\a\a\a\005\005\005\005\006\006\006\006\005\005\a\a\f\f\f\f\t\t\t\t\b\b\b\b\t\t\t\t\t\t\t\t\v\016\023\026\033\033\033\033\036\"*.000///.......*#\037\034\034\034\034!&)(+,*'&&&&%$##22222222"...,
stride=1312, h=16) at libavcodec/i386/motion_est_mmx.c:425
#1  0x08276167 in is_intra_more_likely (s=0x10) at 
libavcodec/error_resilience.c:591
#2  0x082747bf in ff_er_frame_end (s=0x88cc1e0) at 
libavcodec/error_resilience.c:844
#3  0x08282b5b in decode_frame (avctx=0x81018d8, data=0x87e5970,
data_size=0xbf9711c4, buf=0xbf9712c8 "", buf_size=142901584) at
libavcodec/h264.c:7596
#4  0x081018d8 in avcodec_decode_video (avctx=0x246f8, picture=0xbf9711c4,
got_picture_ptr=0x1, buf=0x8825760 "", buf_size=134650427) at 
libavcodec/utils.c:924
#5  0x08069a3b in output_packet (ist=0x10, ist_index=1088, ost_table=0xb7178670,
nb_ostreams=2040, pkt=0xffffffff) at ffmpeg.c:1233
#6  0x08068fbe in av_encode (output_files=0x10, nb_output_files=1088,
input_files=0xb7178670, nb_input_files=1, stream_maps=0x8530b00,
nb_stream_maps=0) at ffmpeg.c:2129
#7  0x0806712c in main (argc=10, argv=0xbf971924) at ffmpeg.c:3936
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x83db577 to 0x83db5b7:
0x083db577 <sad16_mmx2+19>:     and    $0x20,%al
0x083db579 <sad16_mmx2+21>:     mov    0x24(%esp),%edi
0x083db57d <sad16_mmx2+25>:     mov    %edi,%eax
0x083db57f <sad16_mmx2+27>:     mov    %esi,%ecx
0x083db581 <sad16_mmx2+29>:     add    $0x8,%esi
0x083db584 <sad16_mmx2+32>:     pxor   %mm7,%mm7
0x083db587 <sad16_mmx2+35>:     pxor   %mm6,%mm6
0x083db58a <sad16_mmx2+38>:     lea    0x0(%esi),%esi
0x083db590 <sad16_mmx2+44>:     movq   (%ecx),%mm0
0x083db593 <sad16_mmx2+47>:     movq   (%ecx,%ebx,1),%mm1
0x083db597 <sad16_mmx2+51>:     psadbw (%edx),%mm0
0x083db59a <sad16_mmx2+54>:     psadbw (%edx,%ebx,1),%mm1
0x083db59e <sad16_mmx2+58>:     paddw  %mm0,%mm6
0x083db5a1 <sad16_mmx2+61>:     paddw  %mm1,%mm6
0x083db5a4 <sad16_mmx2+64>:     lea    (%ecx,%ebx,2),%ecx
0x083db5a7 <sad16_mmx2+67>:     lea    (%edx,%ebx,2),%edx
0x083db5aa <sad16_mmx2+70>:     sub    $0x2,%eax
0x083db5ad <sad16_mmx2+73>:     jg     0x83db590 <sad16_mmx2+44>
0x083db5af <sad16_mmx2+75>:     nop
0x083db5b0 <sad16_mmx2+76>:     movq   (%esi),%mm0
0x083db5b3 <sad16_mmx2+79>:     movq   (%esi,%ebx,1),%mm1
End of assembler dump.
(gdb) info all-registers
eax            0x10     16
ecx            0xb7178670       -1223195024
edx            0x440    1088
ebx            0x520    1312
esp            0xbf970f0c       0xbf970f0c
ebp            0x448    0x448
esi            0xb7178678       -1223195016
edi            0x10     16
eip            0x83db597        0x83db597 <sad16_mmx2+51>
eflags         0x10286  [ PF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
st0            -nan(0x38455b7ca8c0c8c1) (raw 0xffff38455b7ca8c0c8c1)
st1            -nan(0x2c35537ba9c2c9bf) (raw 0xffff2c35537ba9c2c9bf)
st2            -nan(0x525252524f524f52) (raw 0xffff525252524f524f52)
st3            -inf     (raw 0xffff0000000000000000)
st4            -nan(0x8383838382848282) (raw 0xffff8383838382848282)
st5            -nan(0x101010100010001)  (raw 0xffff0101010100010001)
st6            -inf     (raw 0xffff0000000000000000)
st7            -inf     (raw 0xffff0000000000000000)
fctrl          0x37f    895
fstat          0x4020   16416
ftag           0xaaaa   43690
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {v4_float = {0x412b, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0x56, 0x82, 0x46, 0x0 <repeats 12 times>}, v8_int16 = {0x5600,
0x4682, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x46825600, 0x0, 0x0, 0x0},
v2_int64 = {0x46825600, 0x0}, uint128 = 0x00000000000000000000000046825600}
xmm1           {v4_float = {0x989680, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x80, 0x96, 0x18, 0x4b, 0x0 <repeats 12 times>}, v8_int16 = {0x9680,
0x4b18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x4b189680, 0x0, 0x0, 0x0},
v2_int64 = {0x4b189680, 0x0}, uint128 = 0x0000000000000000000000004b189680}
xmm2           {v4_float = {0xaae60, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0, 0xe6, 0x2a, 0x49, 0x0 <repeats 12 times>}, v8_int16 = {0xe600,
0x492a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x492ae600, 0x0, 0x0, 0x0},
v2_int64 = {0x492ae600, 0x0}, uint128 = 0x000000000000000000000000492ae600}
xmm3           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm4           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm5           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 =
0x00000000000000000000000000000000}
mxcsr          0x9fa0   [ PE IM DM ZM OM UM PM FZ ]
mm0            {uint64 = 0x38455b7ca8c0c8c1, v2_int32 = {0xa8c0c8c1,
0x38455b7c}, v4_int16 = {0xc8c1, 0xa8c0, 0x5b7c, 0x3845}, v8_int8 = {0xc1, 0xc8,
0xc0, 0xa8, 0x7c, 0x5b, 0x45, 0x38}}
mm1            {uint64 = 0x2c35537ba9c2c9bf, v2_int32 = {0xa9c2c9bf,
0x2c35537b}, v4_int16 = {0xc9bf, 0xa9c2, 0x537b, 0x2c35}, v8_int8 = {0xbf, 0xc9,
0xc2, 0xa9, 0x7b, 0x53, 0x35, 0x2c}}
mm2            {uint64 = 0x525252524f524f52, v2_int32 = {0x4f524f52,
0x52525252}, v4_int16 = {0x4f52, 0x4f52, 0x5252, 0x5252}, v8_int8 = {0x52, 0x4f,
0x52, 0x4f, 0x52, 0x52, 0x52, 0x52}}
mm3            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4            {uint64 = 0x8383838382848282, v2_int32 = {0x82848282,
0x83838383}, v4_int16 = {0x8282, 0x8284, 0x8383, 0x8383}, v8_int8 = {0x82, 0x82,
0x84, 0x82, 0x83, 0x83, 0x83, 0x83}}
mm5            {uint64 = 0x101010100010001, v2_int32 = {0x10001, 0x1010101},
v4_int16 = {0x1, 0x1, 0x101, 0x101}, v8_int8 = {0x1, 0x0, 0x1, 0x0, 0x1, 0x1,
0x1, 0x1}}
mm6            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0,
0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}

----------
nosy: +cehoyos
status: new -> open
substatus: new -> reproduced

______________________________________________________
FFmpeg issue tracker <[EMAIL PROTECTED]>
<https://roundup.mplayerhq.hu/roundup/ffmpeg/issue624>
______________________________________________________

[issue624] Crash decoding Sanyo HD1000 MP4 H.264/AAC

Reply via email to