Carl Eugen Hoyos <[email protected]> added the comment:

Sample uploaded to issue1666.
I tried to simplify the command line to get a useful (?) back-trace.

(gdb) r -i ffmpeg-audio-double-free.ts -async 2 out.avi
Starting program: ffmpeg_g -i ffmpeg-audio-double-free.ts -async 2 out.avi
[Thread debugging using libthread_db enabled]
[New Thread 0x7fbf0cc1c700 (LWP 22306)]
[New Thread 0x41145950 (LWP 22309)]
[New Thread 0x418e9950 (LWP 22310)]
FFmpeg version SVN-r21104, Copyright (c) 2000-2010 Fabrice Bellard, et al.
  built on Jan  8 2010 23:18:40 with icc 1110
  configuration: --cc=/opt/intel/Compiler/11.1/059/bin/intel64/icc --cpu=core2
--enable-gpl --extra-cflags=-parallel --extra-ldflags=-parallel
--enable-postproc --enable-avfilter --enable-pthreads --enable-nonfree
--enable-version3 --enable-libopencore-amrnb --enable-libopencore-amrwb
--enable-libdirac --enable-libfaac --enable-libfaad --enable-libgsm
--enable-libmp3lame --extra-cflags='-I/usr/include/openjpeg -I/usr/include/gsm'
--enable-libopenjpeg --enable-libschroedinger --enable-libspeex
--enable-libtheora --enable-libvorbis --enable-libx264 --enable-libxvid
--enable-avfilter --enable-avfilter-lavf --enable-libdc1394 --enable-x11grab
  libavutil     50. 7. 0 / 50. 7. 0
  libavcodec    52.45. 0 / 52.45. 0
  libavformat   52.46. 0 / 52.46. 0
  libavdevice   52. 2. 0 / 52. 2. 0
  libavfilter    1.14. 1 /  1.14. 1
  libswscale     0. 8. 0 /  0. 8. 0
  libpostproc   51. 2. 0 / 51. 2. 0
[mpegts @ 0x141bf10]max_analyze_duration reached
[NULL @ 0x143a8c0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143b0c0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143b8c0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143c0f0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143d150]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143d950]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143e190]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143e990]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143f190]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x143f990]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x14401a0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x14409a0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x14411a0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x14419a0]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x1442200]start time is not set in av_estimate_timings_from_pts
[NULL @ 0x14429c0]start time is not set in av_estimate_timings_from_pts

Seems stream 0 codec frame rate differs from container frame rate: 50.00 (50/1) -> 25.00 (25/1)
Input #0, mpegts, from 'ffmpeg-audio-double-free.ts':
  Duration: 00:00:20.89, start: 46067.049300, bitrate: 2679 kb/s
  Program 6319
    Stream #0.0[0x1450]: Video: mpeg2video, yuv420p, 720x576 [PAR 64:45 DAR 16:9], 15000 kb/s, 25 fps, 25 tbr, 90k tbn, 50 tbc
    Stream #0.1[0x1451](eng): Audio: mp2, 48000 Hz, 2 channels, s16, 256 kb/s
    Stream #0.2[0x1452](NAR): Audio: mp2, 48000 Hz, 2 channels, s16, 256 kb/s
    Stream #0.3[0x1453](eng): Subtitle: 0x0006
    Stream #0.4[0xf06]: Data: 0x000b
    Stream #0.5[0xf07]: Data: 0x000b
    Stream #0.6[0xf08]: Data: 0x000b
    Stream #0.7[0xf09]: Data: 0x000b
    Stream #0.8[0x1454](eng): Subtitle: dvbsub
    Stream #0.9[0xf00]: Data: 0x0005
    Stream #0.10[0xf01]: Data: 0x0005
    Stream #0.11[0xf02]: Data: 0x0005
    Stream #0.12[0xf03]: Data: 0x0005
    Stream #0.13[0xf04]: Data: 0x0005
    Stream #0.14[0x904]: Data: 0x0005
    Stream #0.15[0x906]: Data: 0x0005
    Stream #0.16[0x908]: Data: 0x0005
    Stream #0.17[0x90a]: Data: 0x0005
    Stream #0.18[0x912]: Data: 0x0005
    Stream #0.19[0x913]: Data: 0x0005
    Stream #0.20[0x923]: Data: 0x0005
Output #0, avi, to 'out.avi':
    Stream #0.0: Video: mpeg4, yuv420p, 720x576 [PAR 64:45 DAR 16:9], q=2-31, 200 kb/s, 25 tbn, 25 tbc
    Stream #0.1(eng): Audio: mp2, 48000 Hz, 2 channels, s16, 64 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding
[mp2 @ 0x1438f40]Header missing=     617kB time=11.76 bitrate= 430.0kbits/s
Error while decoding stream #0.1
[mpeg2video @ 0x1438720]00 motion_type at 31 34
[mpeg2video @ 0x1438720]00 motion_type at 3 1
[mpeg2video @ 0x1438720]ac-tex damaged at 0 2
[mpeg2video @ 0x1438720]ac-tex damaged at 0 3
[mpeg2video @ 0x1438720]ac-tex damaged at 0 4
[mpeg2video @ 0x1438720]ac-tex damaged at 0 5
[mpeg2video @ 0x1438720]ac-tex damaged at 0 6
[mpeg2video @ 0x1438720]slice mismatch
[mpeg2video @ 0x1438720]ac-tex damaged at 0 8
[mpeg2video @ 0x1438720]slice mismatch
[mpeg2video @ 0x1438720]00 motion_type at 2 10
[mpeg2video @ 0x1438720]ac-tex damaged at 0 11
[mpeg2video @ 0x1438720]ac-tex damaged at 0 12
[mpeg2video @ 0x1438720]ac-tex damaged at 0 13
[mpeg2video @ 0x1438720]ac-tex damaged at 0 14
[mpeg2video @ 0x1438720]ac-tex damaged at 0 15
[mpeg2video @ 0x1438720]ac-tex damaged at 0 16
[mpeg2video @ 0x1438720]slice mismatch
[mpeg2video @ 0x1438720]00 motion_type at 6 18
[mpeg2video @ 0x1438720]ac-tex damaged at 0 19
[mpeg2video @ 0x1438720]ac-tex damaged at 0 20
[mpeg2video @ 0x1438720]ac-tex damaged at 0 21
[mpeg2video @ 0x1438720]ac-tex damaged at 0 22
[mpeg2video @ 0x1438720]ac-tex damaged at 0 23
[mpeg2video @ 0x1438720]ac-tex damaged at 0 24
[mpeg2video @ 0x1438720]ac-tex damaged at 0 25
[mpeg2video @ 0x1438720]ac-tex damaged at 0 26
[mpeg2video @ 0x1438720]ac-tex damaged at 0 27
[mpeg2video @ 0x1438720]ac-tex damaged at 0 28
[mpeg2video @ 0x1438720]ac-tex damaged at 0 29
[mpeg2video @ 0x1438720]ac-tex damaged at 4 30
[mpeg2video @ 0x1438720]invalid mb type in P Frame at 9 31
[mpeg2video @ 0x1438720]00 motion_type at 1 32
[mpeg2video @ 0x1438720]00 motion_type at 4 33
[mpeg2video @ 0x1438720]00 motion_type at 2 34
[mpeg2video @ 0x1438720]00 motion_type at 13 35
[mpeg2video @ 0x1438720]Warning MVs not available
[mpeg2video @ 0x1438720]concealing 1575 DC, 1575 AC, 1575 MV errors
[mpeg2video @ 0x1438720]ac-tex damaged at 22 4
[mpeg2video @ 0x1438720]Warning MVs not available
[mpeg2video @ 0x1438720]concealing 1440 DC, 1440 AC, 1440 MV errors
[mp2 @ 0x1438f40]incomplete frame
Error while decoding stream #0.1
frame=  407 fps=281 q=31.0 Lsize=     915kB time=18.82 bitrate= 398.2kbits/s
video:728kB audio:147kB global headers:0kB muxing overhead 4.523901%

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fbf0cc1c700 (LWP 22306)]
0x00007fbf08bd71c8 in ?? () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007fbf08bd71c8 in ?? () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fbf08bd76e6 in free () from /lib64/libc.so.6
No symbol table info available.
#2  0x0000000000ac3465 in av_freep (arg=0x1669210) at libavutil/mem.c:136
No locals.
#3  0x000000000051cff5 in MPV_common_end (s=0x1669210) at libavcodec/mpegvideo.c:713
No locals.
#4  0x0000000000626586 in mpeg_decode_end (avctx=0x1669210) at libavcodec/mpeg12.c:2494
        s = (Mpeg1Context *) 0x1669210
#5  0x00000000004de0d5 in avcodec_close (avctx=0x1669210) at libavcodec/utils.c:683
No locals.
#6  0x000000000040cf03 in av_encode (output_files=0x1669210, nb_output_files=147337080, input_files=0x1587c80, nb_input_files=-127273111, stream_maps=0x1669f30, nb_stream_maps=407) at ffmpeg.c:2360
        out_file = (AVFormatContext *) 0x1437f50
        in_file = (AVFormatContext *) 0xa
        out_file_index = 23502640
        in_file_index = 407
        j = 23499280
        k = 147337080
        nb_ostreams = 10
        is = (AVFormatContext *) 0x0
        codec = (AVCodecContext *) 0x15
        icodec = (AVCodecContext *) 0xa
        ist = (AVInputStream *) 0xf52df778f63ff7c9
        error = '\0' <repeats 28 times>,
"�_�\b�\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000�/6\001\000\000\000\000\001\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000z\031�\b�\177\000\000\000\000\000\000\000\000\000\000`8�\b�\177\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000�/6\001\000\000\000\000�\025�\b�\177\000\000\000\001\000\000\000\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000`8�\b�\177\000\000�\030�\b�\177\000\000
\000\000\0000\000\000\000`8�\b�\177\000\000�/6\001\000\000\000\000\001\000\000\000\000\000\000\000�t�\024�\177"...
        no_packet = '\0' <repeats 19 times>
        no_packet_count = 21
#7  0x000000000040a2f4 in main (argc=23499280, argv=0x7fbf08c82f78) at ffmpeg.c:4018
        ti = -779695061565704247

The relevant part of valgrind's output before it crashes:
==22324== Invalid write of size 2
==22324==    at 0x4DBEC0: audio_resample (resample.c:338)
==22324==    by 0x40FEC9: do_audio_out (ffmpeg.c:675)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==  Address 0xbbf138c is 0 bytes after a block of size 52,332 alloc'd
==22324==    at 0x4C23570: memalign (vg_replace_malloc.c:460)
==22324==    by 0x4C2362A: posix_memalign (vg_replace_malloc.c:569)
==22324==    by 0xAC3404: av_malloc (mem.c:66)
==22324==    by 0x4DD5C8: av_fast_malloc (utils.c:73)
==22324==    by 0x40FAA3: do_audio_out (ffmpeg.c:585)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==
==22324== Invalid write of size 2
==22324==    at 0x4DBECE: audio_resample (resample.c:338)
==22324==    by 0x40FEC9: do_audio_out (ffmpeg.c:675)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==  Address 0xbbf138e is 2 bytes after a block of size 52,332 alloc'd
==22324==    at 0x4C23570: memalign (vg_replace_malloc.c:460)
==22324==    by 0x4C2362A: posix_memalign (vg_replace_malloc.c:569)
==22324==    by 0xAC3404: av_malloc (mem.c:66)
==22324==    by 0x4DD5C8: av_fast_malloc (utils.c:73)
==22324==    by 0x40FAA3: do_audio_out (ffmpeg.c:585)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==
==22324== Invalid write of size 2
==22324==    at 0x4DBEAC: audio_resample (resample.c:338)
==22324==    by 0x40FEC9: do_audio_out (ffmpeg.c:675)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==  Address 0xbbf1390 is 4 bytes after a block of size 52,332 alloc'd
==22324==    at 0x4C23570: memalign (vg_replace_malloc.c:460)
==22324==    by 0x4C2362A: posix_memalign (vg_replace_malloc.c:569)
==22324==    by 0xAC3404: av_malloc (mem.c:66)
==22324==    by 0x4DD5C8: av_fast_malloc (utils.c:73)
==22324==    by 0x40FAA3: do_audio_out (ffmpeg.c:585)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==
==22324== Invalid write of size 2
==22324==    at 0x4DBEB6: audio_resample (resample.c:338)
==22324==    by 0x40FEC9: do_audio_out (ffmpeg.c:675)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)
==22324==  Address 0xbbf1392 is 6 bytes after a block of size 52,332 alloc'd
==22324==    at 0x4C23570: memalign (vg_replace_malloc.c:460)
==22324==    by 0x4C2362A: posix_memalign (vg_replace_malloc.c:569)
==22324==    by 0xAC3404: av_malloc (mem.c:66)
==22324==    by 0x4DD5C8: av_fast_malloc (utils.c:73)
==22324==    by 0x40FAA3: do_audio_out (ffmpeg.c:585)
==22324==    by 0x40E8CD: output_packet (ffmpeg.c:1445)
==22324==    by 0x40CC35: av_encode (ffmpeg.c:2310)
==22324==    by 0x40A2F3: main (ffmpeg.c:4018)

----------
priority: normal -> important
status: new -> open
substatus: new -> reproduced
title: FFmpeg aborts with double free() in glibc -> Crash and invalid writes on corrupt MPEG2 sample

_____________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/roundup/ffmpeg/issue1666>
_____________________________________________________
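A small triage helper for memcheck reports of the kind quoted in the comment above: it parses each "Invalid write/read" record into the accessing stack, the distance past the block, and the allocating stack, so many such records can be deduplicated by site. This is an added example, not FFmpeg or tracker code; the sample input is constructed in the shape of the valgrind output above and trimmed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the valgrind report above (trimmed).
SAMPLE = """\
==22324== Invalid write of size 2
==22324==    at 0x4DBEC0: audio_resample (resample.c:338)
==22324==  Address 0xbbf138c is 0 bytes after a block of size 52,332 alloc'd
==22324==    at 0x4C23570: memalign (vg_replace_malloc.c:460)
==22324==    by 0xAC3404: av_malloc (mem.c:66)
==22324==
==22324== Invalid write of size 2
==22324==    at 0x4DBECE: audio_resample (resample.c:338)
==22324==  Address 0xbbf138e is 2 bytes after a block of size 52,332 alloc'd
==22324==    at 0x4C23570: memalign (vg_replace_malloc.c:460)
==22324==    by 0xAC3404: av_malloc (mem.c:66)
"""

HEAD = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside)"
                  r" a block of size ([\d,]+) (?:alloc'd|free'd)$")

@dataclass
class Access:
    kind: str                  # "read" or "write"
    size: int                  # bytes accessed
    offset: int = 0            # distance from the block boundary
    where: str = ""            # "after", "before" or "inside"
    block: int = 0             # size of the heap block involved
    access: list[tuple[str, str]] = field(default_factory=list)  # (func, file:line)
    alloc: list[tuple[str, str]] = field(default_factory=list)   # allocating stack

def parse(text: str) -> list[Access]:
    """Frames before the 'Address ...' line belong to the access, frames after it to the allocation."""
    recs, cur, in_alloc = [], None, False
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur, in_alloc = Access(m[1], int(m[2])), False
            recs.append(cur)
        elif cur and (m := ADDR.match(line)):
            cur.offset, cur.where, cur.block = int(m[1]), m[2], int(m[3].replace(",", ""))
            in_alloc = True
        elif cur and (m := FRAME.match(line)):
            (cur.alloc if in_alloc else cur.access).append((m[1], m[2]))
    return recs

def summarize(rec: Access) -> str:
    # One triage line: faulting site, how far outside which block, first non-valgrind alloc frame.
    site = rec.access[0][1] if rec.access else "?"
    app = next((loc for _, loc in rec.alloc if not loc.startswith("vg_replace")), "?")
    return f"{rec.kind} {rec.size}B {rec.offset}B {rec.where} {rec.block}B block @ {site} (alloc {app})"
```

Running `summarize` over every record and counting distinct strings collapses the four near-identical writes in the report above into one finding at resample.c:338.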