New submission from Vitor <[email protected]>:
It is almost impossible to cut a big CAVS file into a smaller one
without triggering either invalid reads under valgrind or a plain segfault.
Example input is attached.
vi...@vitor:~$ valgrind ~/ffmpeg/ffmpeg/ffmpeg_g -i cavs_cut.avs -f md5 -
==32264== Memcheck, a memory error detector.
==32264== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==32264== Using LibVEX rev 1804, a library for dynamic binary translation.
==32264== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==32264== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework.
==32264== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==32264== For more details, rerun with: -v
==32264==
FFmpeg version SVN-r24860, Copyright (c) 2000-2010 the FFmpeg developers
built on Aug 23 2010 08:11:42 with gcc 4.2.4 (Ubuntu 4.2.4-1ubuntu3)
configuration: --cpu=host --cc='ccache gcc' --disable-asm
  libavutil     50.24. 0 / 50.24. 0
  libavcore      0. 6. 0 /  0. 6. 0
  libavcodec    52.85. 1 / 52.85. 1
  libavformat   52.78. 3 / 52.78. 3
  libavdevice   52. 2. 1 / 52. 2. 1
  libavfilter    1.37. 0 /  1.37. 0
  libswscale     0.11. 0 /  0.11. 0
==32264== Conditional jump or move depends on uninitialised value(s)
==32264== at 0x811A517: cavsvideo_parse (cavs_parser.c:62)
[cavs @ 0x4214380] Found 1 unreleased buffers!
Input #0, mpeg, from 'cavs_cut.avs':
Duration: 00:00:01.20, start: 0.220000, bitrate: 1761 kb/s
    Stream #0.0[0x1e0]: Video: cavs, yuv420p, 720x576, 25 fps, 25 tbr, 90k tbn, 25 tbc
Stream #0.1[0x1c0]: Audio: mp2, 48000 Hz, 2 channels, s16, 160 kb/s
[buffer @ 0x4448af0] w:720 h:576 pixfmt:yuv420p
Output #0, md5, to 'pipe:':
Metadata:
encoder : Lavf52.78.3
    Stream #0.0: Video: rawvideo, yuv420p, 720x576, q=2-31, 200 kb/s, 90k tbn, 25 tbc
Stream #0.1: Audio: pcm_s16le, 48000 Hz, 2 channels, s16, 1536 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Stream #0.1 -> #0.1
Press [q] to stop encoding
==32264== Conditional jump or move depends on uninitialised value(s)
==32264== at 0x811A62E: decode_residual_block (golomb.h:61)
==32264==
==32264== Use of uninitialised value of size 4
==32264== at 0x811A637: decode_residual_block (golomb.h:64)
==32264==
==32264== Conditional jump or move depends on uninitialised value(s)
==32264== at 0x811A69E: decode_residual_block (cavsdec.c:125)
==32264==
==32264== Use of uninitialised value of size 4
==32264== at 0x811A80A: decode_residual_block (cavsdec.c:134)
[... similar errors ...]
[cavs @ 0x4214380] position out of block bounds at pic 60 MB(41,10)
[cavs @ 0x4214380] illegal intra chroma pred mode
[cavs @ 0x4214380] position out of block bounds at pic 60 MB(43,10)
[cavs @ 0x4214380] illegal intra chroma pred mode
[cavs @ 0x4214380] illegal intra cbp
[cavs @ 0x4214380] position out of block bounds at pic 60 MB(15,24)
[cavs @ 0x4214380] position out of block bounds at pic 60 MB(16,24)
[... more errors ...]
==32264==
==32264== Use of uninitialised value of size 4
==32264== at 0x811C3FB: decode_mb_i (cavsdec.c:237)
==32264== by 0xFFFFFFFE: ???
==32264==
==32264== Use of uninitialised value of size 4
==32264== at 0x811C457: decode_mb_i (cavsdec.c:237)
==32264== by 0xFFFFFFFE: ???
==32264==
==32264== Invalid read of size 4
==32264== at 0x811A60B: decode_residual_block (golomb.h:58)
==32264== Address 0x4d6cf6c is 5 bytes after a block of size 24,535 alloc'd
==32264== at 0x4022B8E: realloc (vg_replace_malloc.c:429)
==32264== by 0x8327C58: av_fast_realloc (utils.c:55)
==32264== by 0x82B741D: ff_combine_frame (parser.c:287)
==32264== by 0x41E2F5F: ???
==32264==
[... a bunch more errors, and finally ]
Segmentation fault
File 'cavs_cut.avs' not attached - you can download it from
https://roundup.ffmpeg.org/file1040.
----------
files: cavs_cut.avs
messages: 11728
priority: normal
status: new
substatus: new
title: CAVS crashes or does invalid reads in practically any truncated file
type: bug
________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2180>
________________________________________________
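The invalid read at golomb.h:58 in the trace above is the classic shape of this bug class: an Exp-Golomb reader that trusts the bitstream to terminate its own codewords, fed a frame the parser assembled from a truncated stream. The program below is an added illustration written for this page, not FFmpeg's golomb.h or cavsdec.c. It implements a simplified ue(v) decoder twice, in the unchecked form and in a bounds-checked form, and runs both over a constructed two-byte frame that is cut in the middle of its fifth codeword. The BitReader type, the function names, the sample bytes and the 0xFF "stale" bytes placed after the frame are all assumptions of the example.

```c
/* Added example: unchecked vs. bounds-checked Exp-Golomb ue(v) decoding over a
 * truncated frame. Illustrative code for this page, not FFmpeg's golomb.h. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const uint8_t *data;   /* backing storage; always safe to read up to alloc_bits (demo only) */
    size_t alloc_bits;     /* physical size of the backing storage, in bits */
    size_t valid_bits;     /* bits that actually belong to the current frame */
    size_t pos;            /* current read position, in bits */
    size_t overrun_bits;   /* bits consumed past valid_bits (unchecked reader only) */
} BitReader;

static int bit_at(const BitReader *br, size_t pos)
{
    return (br->data[pos >> 3] >> (7 - (pos & 7))) & 1;
}

/* The bug class: nothing compares pos against valid_bits, so the reader walks
 * into whatever follows the frame in memory. The alloc_bits guard exists only
 * to keep this demo memory-safe; a real decoder has no such backstop. */
static int read_bit_unchecked(BitReader *br)
{
    if (br->pos >= br->alloc_bits)
        return 0;
    if (br->pos >= br->valid_bits)      /* this is the read valgrind would flag */
        br->overrun_bits++;
    return bit_at(br, br->pos++);
}

/* ue(v): count leading zeros n up to the first 1 bit, then read n suffix bits;
 * value = 2^n - 1 + suffix. Unchecked version. */
static uint32_t get_ue_unchecked(BitReader *br)
{
    int zeros = 0;
    while (zeros < 31 && read_bit_unchecked(br) == 0)
        zeros++;
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++)
        suffix = (suffix << 1) | (uint32_t)read_bit_unchecked(br);
    return ((1u << zeros) - 1) + suffix;
}

/* Checked version: returns 0 and writes *out, or -1 if the codeword would
 * extend past valid_bits (prefix or suffix) or the prefix is malformed. */
static int get_ue_checked(BitReader *br, uint32_t *out)
{
    int zeros = 0;
    for (;;) {
        if (br->pos >= br->valid_bits)
            return -1;                  /* ran out of data inside the prefix */
        int bit = bit_at(br, br->pos++);
        if (bit)
            break;
        if (++zeros > 31)
            return -1;                  /* prefix too long to be a valid code */
    }
    if (br->valid_bits - br->pos < (size_t)zeros)
        return -1;                      /* suffix would cross the end of the frame */
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++)
        suffix = (suffix << 1) | (uint32_t)bit_at(br, br->pos++);
    *out = ((1u << zeros) - 1) + suffix;
    return 0;
}

/* Constructed sample (assumption of the example): ue(v) codes 0,1,2,3 followed by
 * the first four bits of ue(10) ("0001011" cut to "0001"), i.e. a frame truncated
 * mid-codeword. Bits: 1 010 011 00100 0001 -> 0xA6 0x41. The 0xFF bytes after it
 * stand in for stale data left behind in a reused parser buffer. */
static const uint8_t k_backing[] = { 0xA6, 0x41, 0xFF, 0xFF, 0xFF, 0xFF };
static const size_t  k_valid_bits = 16;

/* Decodes five codes with the unchecked reader. Returns the value it produced
 * for the truncated fifth code and reports the bits read past the end. */
static uint32_t decode_truncated_unchecked(size_t *overrun)
{
    BitReader br = { k_backing, sizeof(k_backing) * 8, k_valid_bits, 0, 0 };
    uint32_t v = 0;
    for (int i = 0; i < 5; i++)
        v = get_ue_unchecked(&br);
    *overrun = br.overrun_bits;
    return v;
}

/* Same stream with the checked reader. Returns how many codes decoded cleanly
 * before it refused to cross the truncation point. */
static int decode_truncated_checked(uint32_t out[5])
{
    BitReader br = { k_backing, sizeof(k_backing) * 8, k_valid_bits, 0, 0 };
    int n = 0;
    while (n < 5 && get_ue_checked(&br, &out[n]) == 0)
        n++;
    return n;
}

int main(void)
{
    size_t overrun;
    uint32_t bogus = decode_truncated_unchecked(&overrun);
    printf("unchecked: fifth code decoded as %u after reading %zu bits past the end\n",
           bogus, overrun);
    uint32_t vals[5];
    int n = decode_truncated_checked(vals);
    printf("checked: decoded %d codes, then stopped at the truncation\n", n);
    return 0;
}
```

The overrun_bits counter plays the role valgrind plays in the report. Whether such a read past the assembled frame is silently wrong, reported as an invalid read, or a segfault depends only on what happens to be mapped after the parser's buffer, which is why a truncated stream can produce all three outcomes.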