Control: reopen -1
Control: reassign -1 kodi 16.1+dfsg1-2
Control: severity -1 important


The relevant backtrace from the kodi_crashlog is:

Thread 1 (Thread 0x7f1b6bffe700 (LWP 16893)):
#0  0x00007f1ba92991c8 in __GI_raise (sig=sig@entry=6) at
#1  0x00007f1ba929a64a in __GI_abort () at abort.c:89
#2  0x00007f1ba92d4f4a in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f1ba93cdb30 "*** Error in `%s': %s: 0x%s ***\n") at
#3  0x00007f1ba92da6b6 in malloc_printerr (action=3, str=0x7f1ba93ca909 "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at
#4  0x00007f1ba92dae9e in _int_free (av=0x7f1ba9601b20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007f1baa6d4a9d in av_buffer_unref () from
#6  0x00007f1baa6e15d2 in av_frame_unref () from
#7  0x00007f1bab93cf10 in avcodec_decode_video2 () from
#8  0x000000000090b26c in CDVDDemuxFFmpeg::ParsePacket(AVPacket*) ()
#9  0x000000000090d0c2 in CDVDDemuxFFmpeg::Read() ()
#10 0x0000000001079b53 in CDVDPlayer::ReadPacket(DemuxPacket*&, CDemuxStream*&)
#11 0x000000000107ecd7 in CDVDPlayer::Process() ()
#12 0x00000000012103ff in CThread::Action() ()
#13 0x00000000012106bf in CThread::staticThread(void*) ()
#14 0x00007f1bb23e5464 in start_thread (arg=0x7f1b6bffe700) at
#15 0x00007f1ba934d30d in clone () at

Looking at the ParsePacket function reveals [1]:
    AVFrame picture;
    memset(&picture, 0, sizeof(AVFrame));
    picture.pts = picture.pkt_dts = picture.pkt_pts = picture.best_effort_timestamp = AV_NOPTS_VALUE;
    picture.pkt_pos = -1;
    picture.key_frame = 1;
    picture.format = -1;

This is using non-public ABI, e.g. the size of AVFrame, while the documentation
explicitly says "sizeof(AVFrame) is not a part of the public ABI" [2].
What's worse is that it doesn't use av_frame_alloc as required [3]:
"AVFrame must be allocated using av_frame_alloc()."

The whole block quoted above should be replaced with:
    AVFrame *picture = av_frame_alloc();

Then the following code should use picture instead of &picture:
    avcodec_decode_video2(st->codec, picture, &got_picture, pkt);

And at the end it can be freed (instead of using av_frame_unref) with:

In the experimental kodi branch there is another occurrence of this bug
in xbmc/cores/VideoPlayer/VideoRenderers/HwDecRender/MMALRenderer.cpp.

Best regards,



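The following is an added example, not code from the bug report, from Kodi or
from FFmpeg. It models in plain C why a stack-allocated, memset-initialised
frame breaks when the installed library's struct is larger than the one the
application was compiled against, and contrasts it with the alloc/unref/free
pattern proposed above. AppFrame, LibFrame, lib_frame_alloc, lib_frame_unref,
lib_frame_free and lib_decode_into are hypothetical stand-ins for AVFrame,
av_frame_alloc, av_frame_unref, av_frame_free and avcodec_decode_video2; the
field layouts are invented for illustration and are not FFmpeg's real ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame layout as seen by the APPLICATION: the struct in the
   header it was compiled against. Not FFmpeg's real AVFrame. */
typedef struct {
    uint8_t *data[4];
    int64_t  pts;
    void    *buf[4];            /* buffers owned by the library */
} AppFrame;

/* Hypothetical layout used by the INSTALLED library: a later release appended
   private fields. Only objects the library allocated itself have them. */
typedef struct {
    uint8_t *data[4];
    int64_t  pts;
    void    *buf[4];
    void   **extended_buf;      /* appended field, unknown to AppFrame */
    int      nb_extended_buf;
} LibFrame;

size_t app_frame_size(void) { return sizeof(AppFrame); }
size_t lib_frame_size(void) { return sizeof(LibFrame); }

/* Library-side constructor/destructor: stand-ins for av_frame_alloc/av_frame_free. */
LibFrame *lib_frame_alloc(void) { return calloc(1, sizeof(LibFrame)); }
void lib_frame_free(LibFrame **f) { if (f && *f) { free(*f); *f = NULL; } }

/* Library-side decode stand-in: attaches one owned buffer to the frame. */
void lib_decode_into(LibFrame *f) { f->buf[0] = malloc(64); }

/* Library-side unref, stand-in for av_frame_unref: releases every buffer the
   frame references, including those behind the appended field. On a frame
   whose tail is stale stack memory this hands garbage to free(). */
void lib_frame_unref(LibFrame *f) {
    for (int i = 0; i < 4; i++) { free(f->buf[i]); f->buf[i] = NULL; }
    for (int i = 0; i < f->nb_extended_buf; i++) free(f->extended_buf[i]);
    free(f->extended_buf);
    f->extended_buf = NULL;
    f->nb_extended_buf = 0;
}

/* The buggy pattern from the report, modelled: the application zeroes
   sizeof(AppFrame) bytes of a stack object, but the library reads
   sizeof(LibFrame). Returns how many bytes of the library's view were never
   initialised. The 0xAA fill is constructed stale stack content. */
size_t uninitialized_tail_bytes(void) {
    unsigned char storage[sizeof(LibFrame)];
    memset(storage, 0xAA, sizeof storage);
    memset(storage, 0, sizeof(AppFrame));
    size_t n = 0;
    for (size_t i = 0; i < sizeof storage; i++)
        if (storage[i] == 0xAA) n++;
    return n;
}

/* Same set-up, viewed through the library's struct: the appended pointer is
   not NULL but 0xAAAA..., and lib_frame_unref would pass it to free().
   It is only inspected here; unref'ing it would abort, as in the crashlog. */
int stack_pattern_leaves_garbage_pointer(void) {
    unsigned char storage[sizeof(LibFrame)];
    memset(storage, 0xAA, sizeof storage);
    memset(storage, 0, sizeof(AppFrame));
    LibFrame view;
    memcpy(&view, storage, sizeof view);
    return view.extended_buf != NULL || view.nb_extended_buf != 0;
}

/* The corrected pattern: the library sizes and zeroes the frame, the
   application uses it only through a pointer, and the library releases it.
   Returns 1 when the appended fields were clean and the frame was freed. */
int alloc_pattern_is_clean(void) {
    LibFrame *picture = lib_frame_alloc();
    if (!picture) return 0;
    int clean = (picture->extended_buf == NULL && picture->nb_extended_buf == 0);
    lib_decode_into(picture);
    lib_frame_unref(picture);        /* safe: every field is valid */
    lib_frame_free(&picture);
    return clean && picture == NULL;
}

int main(void) {
    printf("app sizeof=%zu lib sizeof=%zu uninitialised tail=%zu\n",
           app_frame_size(), lib_frame_size(), uninitialized_tail_bytes());
    printf("stack pattern leaves garbage pointer: %d\n",
           stack_pattern_leaves_garbage_pointer());
    printf("alloc pattern clean: %d\n", alloc_pattern_is_clean());
    return 0;
}
```

The uninitialised tail is exactly the difference between the two sizeof
values, which is why the library's private pointer fields end up holding
whatever was on the stack before; the alloc/free pairing removes the
application's dependence on sizeof altogether.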