Bug 337785 - [ffmpeg] A particular GIF file crashes rhythmbox
Status: RESOLVED NOTGNOME
Product: GStreamer
Classification: Platform
Component: gst-libav
Version: 0.10.1
Hardware: Other Linux
Importance: Normal normal
Target Milestone: git master
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Duplicates: 338691
Reported: 2006-04-09 10:46 UTC by Sebastien Bacher
Modified: 2009-09-10 07:43 UTC

Attachments
vf_freak_0.gif (12.01 KB, image/gif)
2007-12-18 11:57 UTC, Tim-Philipp Müller

Description Sebastien Bacher 2006-04-09 10:46:11 UTC
That bug has been opened on https://launchpad.net/distros/ubuntu/+source/rhythmbox/+bug/38809

"After an upgrade (to 0.9.3.1-0ubuntu3), rhythmbox started crashing while scanning local music files.

The output of 'rhythmbox -d' was:

[0x812b700] [action_thread_main] rhythmdb.c:2016 (11:28:56): executing RHYTHMDB_ACTION_LOAD for "file:///mnt/shared/music/Violent%20Femmes/Freak%20Magnet/vf_freak.gif"
[0x812b700] [rb_metadata_load] rb-metadata-gst.c:760 (11:28:56): loading metadata for uri: file:///mnt/shared/music/Violent%20Femmes/Freak%20Magnet/vf_freak.gif
[0x812b700] [rb_metadata_load] rb-metadata-gst.c:832 (11:28:56): going to PAUSED for metadata, uri: file:///mnt/shared/music/Violent%20Femmes/Freak%20Magnet/vf_freak.gif
[0x812b700] [rb_metadata_gst_typefind_cb] rb-metadata-gst.c:563 (11:28:56): found type image/gif
[0x893aab0] [rb_metadata_gst_new_decoded_pad_cb] rb-metadata-gst.c:598 (11:28:56): got decoded video pad of type video/x-raw-rgb
*** glibc detected *** double free or corruption (out): 0x08971e20 ***

Removing this GIF file fixed the issue. When I put the file back, the problem recurred with 100% repeatability. A different GIF file in the same location caused no problem.

A copy of the file is here:
http://clublinux.almatech.net.au/files/images/vf_freak_0.gif"

$ gdb --args gst-launch-0.10 -t filesrc location=bug.gif ! decodebin ! fakesink
...
Program received signal SIGSEGV, Segmentation fault.

Thread NaN (LWP 20237)

  • #0 gst_structure_foreach
    at gststructure.c line 788
  • #1 gst_caps_is_fixed
    at gstcaps.c line 767
  • #2 gst_pad_set_caps
    at gstpad.c line 2169
  • #3 gst_pad_chain
    at gstpad.c line 2243
  • #4 gst_pad_push
    at gstpad.c line 3288
  • #5 gst_ffmpegdemux_register
    from /usr/lib/gstreamer-0.10/libgstffmpeg.so
  • #6 gst_task_func
    at gsttask.c line 193
  • #7 g_thread_pool_thread_proxy
    at gthreadpool.c line 265
  • #8 g_thread_create_proxy
    at gthread.c line 582
  • #9 start_thread
    from /lib/tls/i686/cmov/libpthread.so.0
  • #10 clone
    from /lib/tls/i686/cmov/libc.so.6

Comment 1 Sebastien Bacher 2006-04-09 10:48:57 UTC
due to gst-ffmpeg

Comment 2 Sebastien Bacher 2006-04-09 11:05:49 UTC
Other backtrace:

*** glibc detected *** free(): invalid next size (normal): 0x08260400 ***

Program received signal SIGABRT, Aborted.

Thread NaN (LWP 20413)

  • #0 __kernel_vsyscall
  • #1 raise
    from /lib/tls/i686/cmov/libc.so.6
  • #2 abort
    from /lib/tls/i686/cmov/libc.so.6
  • #3 __libc_message
    from /lib/tls/i686/cmov/libc.so.6
  • #4 _int_free
    from /lib/tls/i686/cmov/libc.so.6
  • #5 free
    from /lib/tls/i686/cmov/libc.so.6
  • #6 av_free
    from /usr/lib/gstreamer-0.10/libgstffmpeg.so
  • #7 flvenc_init
    from /usr/lib/gstreamer-0.10/libgstffmpeg.so
  • #8 av_close_input_file
    from /usr/lib/gstreamer-0.10/libgstffmpeg.so
  • #9 gst_ffmpegdec_register
    from /usr/lib/gstreamer-0.10/libgstffmpeg.so
  • #10 gst_ffmpegdec_register
    from /usr/lib/gstreamer-0.10/libgstffmpeg.so
  • #11 gst_element_change_state
    at gstelement.c line 2173
  • #12 gst_element_set_state_func
    at gstelement.c line 2135
  • #13 gst_element_set_state
    at gstelement.c line 2045
  • #14 gst_bin_change_state_func
    at gstbin.c line 1710
  • #15 gst_decode_bin_change_state
    at gstdecodebin.c line 1421
  • #16 gst_element_change_state
    at gstelement.c line 2173
  • #17 gst_element_set_state_func
    at gstelement.c line 2135
  • #18 gst_element_set_state
    at gstelement.c line 2045
  • #19 gst_bin_change_state_func
    at gstbin.c line 1710
  • #20 gst_pipeline_change_state
    at gstpipeline.c line 411
  • #21 gst_element_change_state
    at gstelement.c line 2173
  • #22 gst_element_set_state_func
    at gstelement.c line 2135
  • #23 gst_element_set_state
    at gstelement.c line 2045

Comment 3 Wim Taymans 2006-04-18 17:52:43 UTC
*** Bug 338691 has been marked as a duplicate of this bug. ***

Comment 4 Jan Schmidt 2006-05-06 22:12:04 UTC
I can't reproduce this problem. Would it be possible to get a debug log from:

GST_DEBUG=5 gst-launch-0.10 -t filesrc location=bug.gif ! decodebin ! fakesink

Comment 5 Tim-Philipp Müller 2006-05-09 14:03:08 UTC
This bug will only be triggered if the gdkpixbufdec element isn't available.

FWIW, I can still reproduce it with current gst-ffmpeg CVS:

$ gst-launch-0.10 filesrc location=337785.gif ! ffdemux_gif ! fakesink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
Got EOS from element "pipeline0".
Execution ended after 1474000 ns.
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
*** glibc detected *** free(): invalid next size (normal): 0x0818bc00 ***
Aborted

FWIW, valgrind also complains about this (probably not related though):

==25913== Invalid write of size 1
==25913==    at 0x4956D2D: gif_parse_next_image (gifdec.c:363)
==25913==    by 0x4956F24: gif_read_packet (gifdec.c:575)
==25913==    by 0x4915748: av_read_packet (utils.c:632)
==25913==    by 0x4919C9A: av_read_frame_internal (utils.c:919)
==25913==    by 0x4912044: gst_ffmpegdemux_loop (gstffmpegdemux.c:1110)
==25913==  Address 0x4F3718A is 2 bytes after a block of size 121,800 alloc'd
==25913==    at 0x401C970: memalign (vg_replace_malloc.c:332)
==25913==    by 0x401C9FB: posix_memalign (vg_replace_malloc.c:384)
==25913==    by 0x49617F7: av_malloc (mem.c:62)
==25913==    by 0x495647D: gif_read_header (gifdec.c:549)
==25913==    by 0x49156A9: av_open_input_stream (utils.c:492)
==25913==    by 0x4918487: av_open_input_file (utils.c:605)
==25913==    by 0x4912A38: gst_ffmpegdemux_loop (gstffmpegdemux.c:977)


In gst-ffmpeg CVS the ffdemux_* elements all have a rank of NONE now so they're not getting autoplugged any longer, that should 'fix' this issue as well.
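
Added example, not part of the original report and not gst-ffmpeg or ffmpeg code: the valgrind trace in comment 5 shows a write landing past a buffer that was allocated while the GIF header was read. One mismatch that produces this class of write in GIF decoders is an image descriptor whose rectangle extends beyond the logical screen, and the checker below flags such frames; that the attached file has this property is an assumption the thread does not establish, and the function names and sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned rd16(const uint8_t *p) { return p[0] | (p[1] << 8); } /* LE u16 */
/* Skip data sub-blocks starting at off; returns next offset, 0 if truncated. */
static size_t skip_sub_blocks(const uint8_t *b, size_t n, size_t off) {
    while (off < n) {
        size_t len = b[off++];
        if (len == 0) return off;          /* block terminator */
        if (len > n - off) return 0;
        off += len;
    }
    return 0;
}

/* Frames whose rectangle leaves the logical screen; -1 if malformed/truncated. */
int gif_count_oob_frames(const uint8_t *b, size_t n) {
    if (n < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return -1;
    unsigned sw = rd16(b + 6), sh = rd16(b + 8);            /* logical screen size */
    size_t off = 13;
    int bad = 0;
    if (b[10] & 0x80) off += 3u << ((b[10] & 7) + 1);       /* global color table */
    while (off < n) {
        uint8_t tag = b[off++];
        if (tag == 0x3B) return bad;                        /* trailer */
        if (tag == 0x2C) {                                  /* image descriptor */
            if (n - off < 9) return -1;
            unsigned right = rd16(b + off) + rd16(b + off + 4);      /* left + width */
            unsigned bottom = rd16(b + off + 2) + rd16(b + off + 6); /* top + height */
            if (right > sw || bottom > sh) bad++;
            uint8_t fl = b[off + 8];
            off += 9;
            if (fl & 0x80) off += 3u << ((fl & 7) + 1);     /* local color table */
        } else if (tag != 0x21) return -1;                  /* 0x21 = extension */
        if (off >= n) return -1;
        off = skip_sub_blocks(b, n, off + 1); /* skip label or LZW code-size byte */
        if (off == 0) return -1;
    }
    return -1;                                              /* no trailer seen */
}

/* Constructed sample: 2x2 logical screen, one 2x2 frame placed at (x, y). */
int check_sample(uint8_t x, uint8_t y) {
    uint8_t g[] = { 'G','I','F','8','9','a', 2,0, 2,0, 0,0,0, 0x2C, x,0, y,0,
                    2,0, 2,0, 0, 2, 2,0x4C,0x01, 0, 0x3B };
    return gif_count_oob_frames(g, sizeof g);
}

int main(void) { printf("%d %d\n", check_sample(0, 0), check_sample(1, 1)); return 0; }
```
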
Comment 6 Wim Taymans 2006-05-25 17:10:09 UTC
moving to less critical as the demuxers will be disabled soon and you have to manually select the demuxer. Still keeping it open until we find a way to not make ffmpeg demuxers crash.

Comment 7 Edward Hervey 2007-12-18 10:46:53 UTC
Sebastien, could you make that file available again so we can test it with the latest fixes to ffmpeg and gif decoding/demuxing.

Comment 8 Tim-Philipp Müller 2007-12-18 11:57:12 UTC
Created attachment 101170
vf_freak_0.gif

Still crashes for me with CVS.

Comment 9 Edward Hervey 2007-12-18 12:52:20 UTC
crashes somewhere else now:

Program received signal SIGSEGV, Segmentation fault.

Thread 1082132816 (LWP 28192)

  • #0 avcodec_close
    at utils.c line 1019
  • #1 av_find_stream_info
    at utils.c line 1928
  • #2 gst_ffmpeg_av_find_stream_info
    at gstffmpeg.c line 76
  • #3 gst_ffmpegdemux_loop
    at gstffmpegdemux.c line 1041
  • #4 gst_task_func
    at gsttask.c line 192
  • #5 g_thread_pool_thread_proxy
    at gthreadpool.c line 265
  • #6 g_thread_create_proxy
    at gthread.c line 635
  • #7 start_thread
    at pthread_create.c line 297
  • #8 clone
    from /lib/libc.so.6
Disabling display 1 to avoid infinite recursion.
1: *avctx->codec = Cannot access memory at address 0x69fde769fde769fd


Comment 10 Sebastian Dröge (slomo) 2009-09-10 07:43:11 UTC
This can be closed now, ffmpeg doesn't contain a GIF animation decoder anymore.