#4914: Segmentation fault creating MXF transcoded from mp2
-----------------------------------+--------------------------------------
             Reporter:  wim_arbor  |                     Type:  defect
               Status:  new        |                 Priority:  important
            Component:  avformat   |                  Version:  git-master
             Keywords:  mxf        |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+--------------------------------------
Summary of the bug:
When I run the same command of #4913 with a 1 second input file, I get a Segmentation fault

How to reproduce:

Created xdcam8mp2-1s.ts using
{{{
./ffmpeg -i xdcam8mp2-2s.ts -c:v copy -c:a copy -t 1 -map 0:v -map 0:a xdcam8mp2-1s.ts
}}}

Executed:
{{{
ffmpeg started on 2015-10-07 at 13:10:59
Report written to "ffmpeg-20151007-131059.log"
Command line:
/home/arbor/src/ffmpegdebian/ffmpeg_g -report -v 9 -loglevel 99 -y -i xdcam8mp2-1s.ts -c:a pcm_s16le -map 0:v -c:v copy -filter_complex "[0:a:0]channelsplit=channel_layout=stereo[a0][a1];[0:a:1]channelsplit=channel_layout=stereo[a2][a3];[0:a:2]channelsplit=channel_layout=stereo[a4][a5];[0:a:3]channelsplit=channel_layout=stereo[a6][a7]" -map "[a0]" -map "[a1]" -map "[a2]" -map "[a3]" -map "[a4]" -map "[a5]" -map "[a6]" -map "[a7]" -f mxf -ss 1 xdcam8mp2-1s.mxf
ffmpeg version N-75804-ga852db7 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (Debian 4.7.2-5)
  configuration:
  libavutil 55. 2.100 / 55. 2.100
  libavcodec 57. 4.100 / 57. 4.100
  libavformat 57. 3.100 / 57. 3.100
  libavdevice 57. 0.100 / 57. 0.100
  libavfilter 6. 10.100 / 6. 10.100
  libswscale 4. 0.100 / 4. 0.100
  libswresample 2. 0.100 / 2. 0.100
}}}

gdb output (last part):
{{{
No more output streams to write to, finishing.
[mxf @ 0x1c4f480] out st:1 dts:0
[mxf @ 0x1c4f480] essence container count:2
    Last message repeated 1 times
[mxf @ 0x1c4f480] package type:1
[mxf @ 0x1c4f480] package type:2
[mxf @ 0x1c4f480] -d10_channelcount requires MXF D-10 and will be ignored
    Last message repeated 7 times

Program received signal SIGSEGV, Segmentation fault.
0x00000000005f92ff in mxf_write_packet (s=<optimized out>, pkt=<optimized out>) at libavformat/mxfenc.c:2455
2455            mxf->index_entries[mxf->edit_units_count-1].slice_offset =
(gdb) bt
#0  0x00000000005f92ff in mxf_write_packet (s=<optimized out>, pkt=<optimized out>) at libavformat/mxfenc.c:2455
#1  0x00000000005e6bbd in write_packet (s=s@entry=0x1c4f480, pkt=pkt@entry=0x7fffffffdd80) at libavformat/mux.c:660
#2  0x00000000005e8f48 in av_write_trailer (s=0x1c4f480) at libavformat/mux.c:998
#3  0x00000000004907c2 in transcode () at ffmpeg.c:4008
#4  0x000000000047427b in main (argc=<optimized out>, argv=0x7fffffffe3e8) at ffmpeg.c:4157
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x5f92df to 0x5f931f:
   0x00000000005f92df <mxf_write_packet+1167>:  add    %ecx,(%rdi)
   0x00000000005f92e1 <mxf_write_packet+1169>:  test   %ecx,%esi
   0x00000000005f92e3 <mxf_write_packet+1171>:  (bad)
   0x00000000005f92e4 <mxf_write_packet+1172>:  (bad)
   0x00000000005f92e5 <mxf_write_packet+1173>:  decl   -0x177cd7bd(%rbx)
   0x00000000005f92eb <mxf_write_packet+1179>:  add    %ecx,-0x73(%rax)
   0x00000000005f92ee <mxf_write_packet+1182>:  adc    $0x40,%al
   0x00000000005f92f0 <mxf_write_packet+1184>:  mov    0x20(%rbx),%rax
   0x00000000005f92f4 <mxf_write_packet+1188>:  lea    (%rax,%rdx,8),%rax
   0x00000000005f92f8 <mxf_write_packet+1192>:  mov    0x80(%rbx),%rdx
=> 0x00000000005f92ff <mxf_write_packet+1199>:  sub    0x8(%rax),%edx
   0x00000000005f9302 <mxf_write_packet+1202>:  mov    %edx,0x10(%rax)
   0x00000000005f9305 <mxf_write_packet+1205>:  jmpq   0x5f91b4 <mxf_write_packet+868>
   0x00000000005f930a <mxf_write_packet+1210>:  nopw   0x0(%rax,%rax,1)
   0x00000000005f9310 <mxf_write_packet+1216>:  and    $0x1ff,%ebp
   0x00000000005f9316 <mxf_write_packet+1222>:  je     0x5f921e <mxf_write_packet+974>
   0x00000000005f931c <mxf_write_packet+1228>:  jmpq   0x5f91e0 <mxf_write_packet+912>
End of assembler dump.
(gdb) info all-registers
rax            0x1801e5b898     103111047320
rbx            0x1c4da80        29678208
rcx            0x7ffff6b7b180   140737332621696
rdx            0x0              0
rsi            0x1c507e0        29689824
rdi            0x9              9
rbp            0x0              0x0
rsp            0x7fffffffdc40   0x7fffffffdc40
r8             0x0              0
r9             0x1c66b00        29780736
r10            0x0              0
r11            0x246            582
r12            0x0              0
r13            0x0              0
r14            0x7fffffffdd80   140737488346496
r15            0x1c4f480        29684864
rip            0x5f92ff         0x5f92ff <mxf_write_packet+1199>
eflags         0x10297          [ CF PF AF SF IF RF ]
cs             0x33             51
ss             0x2b             43
ds             0x0              0
es             0x0              0
fs             0x0              0
gs             0x0              0
(gdb) print mxf->edit_units_count
value has been optimized out
}}}

valgrind output (last part):
{{{
No more output streams to write to, finishing.
[mxf @ 0xc457b00] out st:1 dts:0
[mxf @ 0xc457b00] essence container count:2
    Last message repeated 1 times
[mxf @ 0xc457b00] package type:1
[mxf @ 0xc457b00] package type:2
[mxf @ 0xc457b00] -d10_channelcount requires MXF D-10 and will be ignored
==5581== Invalid read of size 4es
==5581==    at 0x5F92FF: mxf_write_packet (mxfenc.c:2455)
==5581==    by 0x5E6BBC: write_packet (mux.c:660)
==5581==    by 0x5E8F47: av_write_trailer (mux.c:998)
==5581==    by 0x4907C1: transcode (ffmpeg.c:4008)
==5581==    by 0x47427A: main (ffmpeg.c:4157)
==5581==  Address 0x180b19e260 is not stack'd, malloc'd or (recently) free'd
==5581==
==5581==
==5581== Process terminating with default action of signal 11 (SIGSEGV)
==5581==  Access not within mapped region at address 0x180B19E260
==5581==    at 0x5F92FF: mxf_write_packet (mxfenc.c:2455)
==5581==    by 0x5E6BBC: write_packet (mux.c:660)
==5581==    by 0x5E8F47: av_write_trailer (mux.c:998)
==5581==    by 0x4907C1: transcode (ffmpeg.c:4008)
==5581==    by 0x47427A: main (ffmpeg.c:4157)
==5581==  If you believe this happened as a result of a stack
==5581==  overflow in your program's main thread (unlikely but
==5581==  possible), you can try to increase the size of the
==5581==  main thread stack using the --main-stacksize= flag.
==5581==  The main thread stack size used in this run was 8388608.
==5581==
==5581== HEAP SUMMARY:
==5581==     in use at exit: 2,397,591 bytes in 782 blocks
==5581==   total heap usage: 9,395 allocs, 8,613 frees, 37,104,789 bytes allocated
==5581==
==5581== LEAK SUMMARY:
==5581==    definitely lost: 0 bytes in 0 blocks
==5581==    indirectly lost: 0 bytes in 0 blocks
==5581==      possibly lost: 0 bytes in 0 blocks
==5581==    still reachable: 2,397,591 bytes in 782 blocks
==5581==         suppressed: 0 bytes in 0 blocks
==5581== Rerun with --leak-check=full to see details of leaked memory
==5581==
==5581== For counts of detected and suppressed errors, rerun with: -v
==5581== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
Segmentation fault
}}}

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4914>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-trac