#11152: drawtext arbitrary filter crash on deallocating font face
-------------------------------------+-------------------------------------
Reporter: Leandro Santiago           | Type: defect
Status: new                          | Priority: important
Component: avfilter                  | Version: git-master
Keywords: drawtext                   | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Summary of the bug:
I have a long-running application using the C API and I noticed that it
crashes arbitrarily after some minutes (the exact timing is arbitrary).
The application creates several instances of the `drawtext` filter, in
multiple threads. I don't believe it's a concurrency issue in the
application, so I could isolate the problem in a simple C program that
depends only on libav* and pthread.
It seems to be caused by a double delete when using FreeType.
How to reproduce:
I managed to reproduce the bug by using `libavfilter` directly. I don't
believe it'll work with `ffmpeg` directly.
I'm attaching to this ticket a C program adapted from
`doc/examples/decode_filter_video.c` that launches several threads, each
with its own drawtext filter calls.
I noticed that the issue started happening after the commit
`1eeb59a2099479eeead8cdc0d4586443fb301a8a` that introduces harfbuzz as a
dependency.
I could reproduce it with 7.0 and 7.0.2 tags too.
In the zipped attachment to this ticket, you can build and run the C
program with:
{{{
CC=clang-18 make
time ./decode_filter_video
}}}
It will take some minutes, and in my example, AddressSanitizer will
indicate the path to the segmentation fault:
{{{
$ time LD_LIBRARY_PATH=$PWD/deps/lib ./decode_filter_video
AddressSanitizer:DEADLYSIGNAL
=================================================================
==803571==ERROR: AddressSanitizer: SEGV on unknown address (pc
0x797ba9347141 bp 0x797a845ff800 sp 0x797a845ff7c8 T209153)
==803571==The signal is caused by a READ memory access.
==803571==Hint: this fault was caused by a dereference of a high value
address (see register values below). Disassemble the provided pc to learn
which register was used.
AddressSanitizer:DEADLYSIGNAL
#0 0x797ba9347141 in FT_List_Find (/usr/lib/libfreetype.so.6+0x10141)
(BuildId: 732ce343af30b9b1537d9a341a0589ceb564eb27)
#1 0x797ba93478cd in FT_Done_Face (/usr/lib/libfreetype.so.6+0x108cd)
(BuildId: 732ce343af30b9b1537d9a341a0589ceb564eb27)
#2 0x797ba7fbc7a9 in _hb_ft_face_destroy
/usr/src/debug/harfbuzz/build/../harfbuzz/src/hb-ft.cc:125:16
#3 0x797ba7fbc7a9 in _hb_ft_font_destroy
/usr/src/debug/harfbuzz/build/../harfbuzz/src/hb-ft.cc:134:25
#4 0x797ba7f35d7f in hb_font_destroy
/usr/src/debug/harfbuzz/build/../harfbuzz/src/hb-font.cc:1992:19
#5 0x797ba7f35d7f in hb_font_destroy
/usr/src/debug/harfbuzz/build/../harfbuzz/src/hb-font.cc:1985:1
#6 0x797baae974db
(/home/tenchi/projects/ffmpeg_experiments/deps/lib/libavfilter.so.10+0x974db)
(BuildId: e01c777ecdd5751cc315d0c9e9a92d0f7bc64d21)
#7 0x797baaff48b2
(/home/tenchi/projects/ffmpeg_experiments/deps/lib/libavfilter.so.10+0x1f48b2)
(BuildId: e01c777ecdd5751cc315d0c9e9a92d0f7bc64d21)
#8 0x797baaf445ea
(/home/tenchi/projects/ffmpeg_experiments/deps/lib/libavfilter.so.10+0x1445ea)
(BuildId: e01c777ecdd5751cc315d0c9e9a92d0f7bc64d21)
#9 0x797baaf48354
(/home/tenchi/projects/ffmpeg_experiments/deps/lib/libavfilter.so.10+0x148354)
(BuildId: e01c777ecdd5751cc315d0c9e9a92d0f7bc64d21)
#10 0x61656eaba507 in execute
/home/tenchi/projects/ffmpeg_experiments/decode_filter_video.c:269:27
#11 0x61656e9ad83d in asan_thread_start(void*) asan_interceptors.cpp.o
#12 0x797ba80a339c (/usr/lib/libc.so.6+0x9439c) (BuildId:
3de7fd3e8d993406afdcb908e63b88f2f4effea9)
#13 0x797ba812849b (/usr/lib/libc.so.6+0x11949b) (BuildId:
3de7fd3e8d993406afdcb908e63b88f2f4effea9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/libfreetype.so.6+0x10141)
(BuildId: 732ce343af30b9b1537d9a341a0589ceb564eb27) in FT_List_Find
Thread T209153 created by T0 here:
#0 0x61656ea68f63 in pthread_create
(/mnt/evo/tenchi/projects/ffmpeg_experiments/decode_filter_video+0x10ff63)
(BuildId: 285b2a408601f3235712ef5c690b89ccfc41b779)
#1 0x61656eab9ec6 in main
/home/tenchi/projects/ffmpeg_experiments/decode_filter_video.c:197:16
#2 0x797ba8034e07 (/usr/lib/libc.so.6+0x25e07) (BuildId:
3de7fd3e8d993406afdcb908e63b88f2f4effea9)
#3 0x797ba8034ecb in __libc_start_main (/usr/lib/libc.so.6+0x25ecb)
(BuildId: 3de7fd3e8d993406afdcb908e63b88f2f4effea9)
#4 0x61656e9852a4 in _start
(/mnt/evo/tenchi/projects/ffmpeg_experiments/decode_filter_video+0x2c2a4)
(BuildId: 285b2a408601f3235712ef5c690b89ccfc41b779)
==803571==ABORTING
LD_LIBRARY_PATH=$PWD/deps/lib ./decode_filter_video 17.25s user 157.87s
system 309% cpu 56.575 total
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11152>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
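The trace above ends in FT_Done_Face, reached through the destroy callback that hb_font_destroy runs on the face, and the report attributes the crash to a double delete. Whether a FreeType face handed to HarfBuzz can be released twice comes down to reference ownership: hb_ft_font_create() with a destroy callback takes over the caller's reference, while hb_ft_font_create_referenced() calls FT_Reference_Face first so that both HarfBuzz and the caller can each call FT_Done_Face once. The program below is an added example, not code from the ticket, FFmpeg, HarfBuzz or FreeType, and it makes no claim about what drawtext itself does; it models that reference counting with toy types (toy_face, toy_hb_font, toy_done_face and face_release_count are all invented for the example) so that a double release is counted instead of crashing, and runs the teardown under both ownership policies.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for FreeType's FT_Face (constructed for this example).
 * Real FreeType keeps a reference count that FT_Reference_Face increments
 * and FT_Done_Face decrements, releasing the face at zero. Here releases
 * are counted instead of freeing memory, so a double release is observable
 * rather than a crash like the one in the ticket's trace. */
typedef struct {
    int refcount;
    int releases;   /* times the face was "released"; 2 means a double free */
} toy_face;

static toy_face *toy_new_face(void)
{
    toy_face *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->refcount = 1;          /* the code that opened the face owns one reference */
    return f;
}

/* Models FT_Reference_Face. */
static void toy_reference_face(toy_face *f)
{
    f->refcount++;
}

/* Models FT_Done_Face. Returns 1 when this call released the face,
 * -1 when the face had already been released (the double-free case),
 * 0 when other references remain. */
static int toy_done_face(toy_face *f)
{
    if (f->refcount <= 0) {
        f->releases++;
        return -1;
    }
    if (--f->refcount == 0) {
        f->releases++;
        return 1;
    }
    return 0;
}

/* Toy stand-in for the hb_font_t that hb_ft_font_create() returns: it keeps
 * the face pointer plus a destroy callback that hb_font_destroy() runs. */
typedef struct {
    toy_face *face;
    void (*face_destroy)(toy_face *);
} toy_hb_font;

static void toy_face_destroy_cb(toy_face *f)
{
    (void)toy_done_face(f);   /* the callback just calls FT_Done_Face */
}

static toy_hb_font *toy_hb_font_create(toy_face *face, int reference_first)
{
    toy_hb_font *font = calloc(1, sizeof *font);
    if (!font) abort();
    /* hb_ft_font_create_referenced() takes its own reference before the
     * handoff; plain hb_ft_font_create() with a destroy callback takes over
     * the caller's reference instead. */
    if (reference_first)
        toy_reference_face(face);
    font->face = face;
    font->face_destroy = toy_face_destroy_cb;
    return font;
}

static void toy_hb_font_destroy(toy_hb_font *font)
{
    font->face_destroy(font->face);
    free(font);
}

/* One open/shape/teardown cycle in which the caller, as code that opened the
 * face itself would, also calls FT_Done_Face on its own handle. Returns how
 * many times the face was released: 1 is correct, 2 is the double free. */
int face_release_count(int reference_before_handoff)
{
    toy_face *face = toy_new_face();
    toy_hb_font *font = toy_hb_font_create(face, reference_before_handoff);

    /* ... shaping work would happen here ... */

    toy_hb_font_destroy(font);   /* HarfBuzz drops its reference */
    toy_done_face(face);         /* caller drops the one it opened with */

    int releases = face->releases;
    free(face);
    return releases;
}

int main(void)
{
    printf("unreferenced handoff: face released %d time(s)\n",
           face_release_count(0));
    printf("referenced handoff:   face released %d time(s)\n",
           face_release_count(1));
    return 0;
}
```

The unreferenced policy releases the face twice, which is the shape of failure the reporter suspects; the referenced policy balances the two FT_Done_Face calls. Note what the model does not cover: FT_Done_Face also unlinks the face from its FT_Library's face list (FT_List_Find in frame #0 of the trace), and FreeType does not synchronise that list, so concurrent teardown through a shared FT_Library is a separate hazard from the reference count itself.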