Bug 165398 - [ffdec_mpeg2video] invalid memory access / crash
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-libav
git master
Other Linux
: Normal normal
: NONE
Assigned To: GStreamer Maintainers
Reported: 2005-01-27 12:34 UTC by Tim-Philipp Müller
Modified: 2005-06-30 15:49 UTC
Description Tim-Philipp Müller 2005-01-27 12:34:54 UTC
(gdb) run --gst-fatal-warnings dvdreadsrc device=/dev/sr1 title=1 ! dvddemux ! ffdec_mpeg2video ! xvimagesink

(snip libdvdread output) 

GStreamer-CRITICAL **: gst_data_unref: assertion `data != NULL' failed
aborting...

Program received signal SIGABRT, Aborted.

Thread NaN (LWP 10945)

  • #0 raise
    from /lib/tls/libc.so.6
  • #1 abort
    from /lib/tls/libc.so.6
  • #2 IA__g_logv
    at gmessages.c line 488
  • #3 IA__g_log
    at gmessages.c line 507
  • #4 IA__g_return_if_fail_warning
    at gmessages.c line 522
  • #5 gst_data_unref
    at gstdata.c line 240
  • #6 gst_ffmpegdec_frame
    at gstffmpegdec.c line 611
  • #7 gst_ffmpegdec_chain
    at gstffmpegdec.c line 719
  • #8 gst_pad_call_chain_function
    at gstpad.c line 4476
  • #9 gst_pad_push
    at gstpad.c line 3287
  • #10 gst_dvd_demux_send_subbuffer
    at gstdvddemux.c line 924
  • #11 gst_mpeg_demux_parse_pes
    at gstmpegdemux.c line 919
  • #12 gst_mpeg_parse_loop
    at gstmpegparse.c line 535
  • #13 loop_group_schedule_function
    at gstoptimalscheduler.c line 1342


Might be harmless, or might not. Works okay-ish otherwise if you disregard all
the decoder errors/warnings.



If I run the above in valgrind, I get a crash:

 Invalid free() / delete / delete[]
    at 0x1B9059FF: realloc (vg_replace_malloc.c:197)
    by 0x1C37EF95: av_realloc (mem.c:103)
    by 0x1C37D0E2: av_realloc_static (utils.c:104)
    by 0x1C37CA98: alloc_table (common.c:137)
    by 0x1C37CB0A: build_table (common.c:159)
    by 0x1C37CC9A: build_table (common.c:228)
    by 0x1C37CE3B: init_vlc (common.c:289)
    by 0x1C47F1CC: init_vlcs (mpeg12.c:998)
    by 0x1C481812: mpeg_decode_init (mpeg12.c:1943)
    by 0x1C37DB2B: avcodec_open (utils.c:488)
    by 0x1C332C41: gst_ffmpegdec_open (gstffmpegdec.c:323)
    by 0x1C332E45: gst_ffmpegdec_connect (gstffmpegdec.c:406)
    by 0x1B957014: gst_pad_link_call_link_functions (gstpad.c:1343)
    by 0x1B9574CA: gst_pad_link_try (gstpad.c:1410)
    by 0x1B95B311: gst_pad_set_explicit_caps (gstpad.c:2557)
  Address 0x804EB80 is not stack'd, malloc'd or (recently) free'd

 Invalid read of size 2
    at 0x1C47A2F3: init_2d_vlc_rl (mpeg12.c:122)
    by 0x1C47F3D2: init_vlcs (mpeg12.c:1020)
    by 0x1C481812: mpeg_decode_init (mpeg12.c:1943)
    by 0x1C37DB2B: avcodec_open (utils.c:488)
    by 0x1C332C41: gst_ffmpegdec_open (gstffmpegdec.c:323)
    by 0x1C332E45: gst_ffmpegdec_connect (gstffmpegdec.c:406)
    by 0x1B957014: gst_pad_link_call_link_functions (gstpad.c:1343)
    by 0x1B9574CA: gst_pad_link_try (gstpad.c:1410)
    by 0x1B95B311: gst_pad_set_explicit_caps (gstpad.c:2557)
    by 0x1C2F18FE: gst_dvd_demux_get_video_stream (gstdvddemux.c:529)
    by 0x1C2EEDE5: gst_mpeg_demux_parse_pes (gstmpegdemux.c:917)
    by 0x1C2EAE55: gst_mpeg_parse_loop (gstmpegparse.c:535)
    by 0x1C727255: loop_group_schedule_function (gstoptimalscheduler.c:1342)
    by 0x1C726AA2: schedule_group (gstoptimalscheduler.c:1163)
    by 0x1C726D6E: gst_opt_scheduler_schedule_run_queue (gstoptimalscheduler.c:1215)
  Address 0x2 is not stack'd, malloc'd or (recently) free'd
 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x2
    at 0x1C47A2F3: init_2d_vlc_rl (mpeg12.c:122)
    by 0x1C47F3D2: init_vlcs (mpeg12.c:1020)
    by 0x1C481812: mpeg_decode_init (mpeg12.c:1943)
    by 0x1C37DB2B: avcodec_open (utils.c:488)
    by 0x1C332C41: gst_ffmpegdec_open (gstffmpegdec.c:323)
    by 0x1C332E45: gst_ffmpegdec_connect (gstffmpegdec.c:406)
    by 0x1B957014: gst_pad_link_call_link_functions (gstpad.c:1343)
    by 0x1B9574CA: gst_pad_link_try (gstpad.c:1410)
    by 0x1B95B311: gst_pad_set_explicit_caps (gstpad.c:2557)
    by 0x1C2F18FE: gst_dvd_demux_get_video_stream (gstdvddemux.c:529)
    by 0x1C2EEDE5: gst_mpeg_demux_parse_pes (gstmpegdemux.c:917)
    by 0x1C2EAE55: gst_mpeg_parse_loop (gstmpegparse.c:535)
    by 0x1C727255: loop_group_schedule_function (gstoptimalscheduler.c:1342)
    by 0x1C726AA2: schedule_group (gstoptimalscheduler.c:1163)
    by 0x1C726D6E: gst_opt_scheduler_schedule_run_queue (gstoptimalscheduler.c:1215)

Cheers 
 -Tim

(KuS DVD)
Comment 1 Tim-Philipp Müller 2005-01-27 18:23:09 UTC
Apparently my gst-ffmpeg tree was out of date. The gst_data_unref() is fixed in
current CVS, but I still get the other problem in valgrind.



==14110== Invalid free() / delete / delete[]
==14110==    at 0x1B9059FF: realloc (vg_replace_malloc.c:197)
==14110==    by 0x1C37FAE5: av_realloc (mem.c:103)
==14110==    by 0x1C37DC32: av_realloc_static (utils.c:104)
==14110==    by 0x1C37D5E8: alloc_table (common.c:137)
==14110==    by 0x1C37D65A: build_table (common.c:159)
==14110==    by 0x1C37D7EA: build_table (common.c:228)
==14110==    by 0x1C37D98B: init_vlc (common.c:289)
==14110==    by 0x1C47FD1C: init_vlcs (mpeg12.c:998)
==14110==    by 0x1C482362: mpeg_decode_init (mpeg12.c:1943)
==14110==    by 0x1C37E67B: avcodec_open (utils.c:488)
==14110==    by 0x1C332F6B: gst_ffmpegdec_open (gstffmpegdec.c:334)
==14110==    by 0x1C3331CC: gst_ffmpegdec_connect (gstffmpegdec.c:414)
==14110==    by 0x1B957014: gst_pad_link_call_link_functions (gstpad.c:1343)
==14110==    by 0x1B9574CA: gst_pad_link_try (gstpad.c:1410)
==14110==    by 0x1B95B311: gst_pad_set_explicit_caps (gstpad.c:2557)
==14110==  Address 0x804EB80 is not stack'd, malloc'd or (recently) free'd
==14110==
==14110== Invalid read of size 2
==14110==    at 0x1C47AE43: init_2d_vlc_rl (mpeg12.c:122)
==14110==    by 0x1C47FF22: init_vlcs (mpeg12.c:1020)
==14110==    by 0x1C482362: mpeg_decode_init (mpeg12.c:1943)
==14110==    by 0x1C37E67B: avcodec_open (utils.c:488)
==14110==    by 0x1C332F6B: gst_ffmpegdec_open (gstffmpegdec.c:334)
==14110==    by 0x1C3331CC: gst_ffmpegdec_connect (gstffmpegdec.c:414)
==14110==    by 0x1B957014: gst_pad_link_call_link_functions (gstpad.c:1343)
==14110==    by 0x1B9574CA: gst_pad_link_try (gstpad.c:1410)
==14110==    by 0x1B95B311: gst_pad_set_explicit_caps (gstpad.c:2557)
==14110==    by 0x1C2F18FE: gst_dvd_demux_get_video_stream (gstdvddemux.c:529)
==14110==    by 0x1C2EEDE5: gst_mpeg_demux_parse_pes (gstmpegdemux.c:917)
==14110==    by 0x1C2EAE55: gst_mpeg_parse_loop (gstmpegparse.c:535)
==14110==    by 0x1C73E255: loop_group_schedule_function (gstoptimalscheduler.c:1342)
==14110==    by 0x1C73DAA2: schedule_group (gstoptimalscheduler.c:1163)
==14110==    by 0x1C73DD6E: gst_opt_scheduler_schedule_run_queue (gstoptimalscheduler.c:1215)
==14110==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==14110==
==14110== Process terminating with default action of signal 11 (SIGSEGV)
==14110==  Access not within mapped region at address 0x2
==14110==    at 0x1C47AE43: init_2d_vlc_rl (mpeg12.c:122)
==14110==    by 0x1C47FF22: init_vlcs (mpeg12.c:1020)
==14110==    by 0x1C482362: mpeg_decode_init (mpeg12.c:1943)
==14110==    by 0x1C37E67B: avcodec_open (utils.c:488)
==14110==    by 0x1C332F6B: gst_ffmpegdec_open (gstffmpegdec.c:334)
==14110==    by 0x1C3331CC: gst_ffmpegdec_connect (gstffmpegdec.c:414)
==14110==    by 0x1B957014: gst_pad_link_call_link_functions (gstpad.c:1343)
==14110==    by 0x1B9574CA: gst_pad_link_try (gstpad.c:1410)
==14110==    by 0x1B95B311: gst_pad_set_explicit_caps (gstpad.c:2557)
==14110==    by 0x1C2F18FE: gst_dvd_demux_get_video_stream (gstdvddemux.c:529)
==14110==    by 0x1C2EEDE5: gst_mpeg_demux_parse_pes (gstmpegdemux.c:917)
==14110==    by 0x1C2EAE55: gst_mpeg_parse_loop (gstmpegparse.c:535)
==14110==    by 0x1C73E255: loop_group_schedule_function (gstoptimalscheduler.c:1342)
==14110==    by 0x1C73DAA2: schedule_group (gstoptimalscheduler.c:1163)
==14110==    by 0x1C73DD6E: gst_opt_scheduler_schedule_run_queue (gstoptimalscheduler.c:1215)
==14110==

Cheers
 -Tim


Comment 2 Ronald Bultje 2005-04-09 09:02:32 UTC
The invalid frees may be fixed (by using posix_memalign()). Patch is not being
accepted upstream for some reason, but ok, won't bother for now.

The invalid memory accesses are a problem. The ffmpeg devs (Michael) tell me to
pad allocated data by allocating 8 extra bytes, so they can validly overflow
while reading the bitstream. That is gross if you ask me, but it works that way
for them (mplayer & co, see also
http://sourceforge.net/mailarchive/message.php?msg_id=11427473). That's the last
2 valgrind warnings. Seems to work fine otherwise though.
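
The padding approach described in Comment 2, as an added example (not code from GStreamer, FFmpeg or any participant in this bug): a bit reader that always loads four bytes, fed from a buffer over-allocated by 8 zeroed bytes so that the load past the end of the payload stays inside the allocation. The names `INPUT_PADDING`, `padded_copy`, `BitReader`, `read_bits` and `decode_two_fields` are illustrative assumptions, and the 3-byte payload is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define INPUT_PADDING 8   /* the 8 extra bytes mentioned in the comment */

/* Copy the payload into a fresh buffer followed by zeroed padding. */
uint8_t *padded_copy(const uint8_t *src, size_t size)
{
    if (size > SIZE_MAX - INPUT_PADDING)
        return NULL;                        /* size + padding would wrap */
    uint8_t *buf = malloc(size + INPUT_PADDING);
    if (!buf)
        return NULL;
    memcpy(buf, src, size);
    memset(buf + size, 0, INPUT_PADDING);   /* deterministic over-read */
    return buf;
}

typedef struct {
    const uint8_t *buf;   /* must come from padded_copy() */
    size_t size_bits;     /* payload length in bits, padding excluded */
    size_t pos;           /* current bit position */
} BitReader;

/* Read n bits (1..25). The 4-byte load can touch up to 3 bytes past the
 * payload; the padding is what keeps that load inside the allocation. */
int read_bits(BitReader *br, unsigned n, uint32_t *out)
{
    if (n == 0 || n > 25 || n > br->size_bits - br->pos)
        return -1;                          /* never hand out padding bits */
    const uint8_t *p = br->buf + (br->pos >> 3);
    uint32_t w = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                 (uint32_t)p[2] << 8  | (uint32_t)p[3];
    w <<= (br->pos & 7);
    *out = w >> (32 - n);
    br->pos += n;
    return 0;
}

/* Constructed sample: two 12-bit fields packed into 3 bytes. */
int decode_two_fields(uint32_t *a, uint32_t *b)
{
    static const uint8_t payload[3] = { 0xAB, 0xCD, 0xEF };
    uint8_t *buf = padded_copy(payload, sizeof payload);
    if (!buf)
        return -1;
    BitReader br = { buf, sizeof payload * 8, 0 };
    uint32_t extra;
    int rc = read_bits(&br, 12, a);
    if (rc == 0)
        rc = read_bits(&br, 12, b);         /* loads buf[1..4]: 2 padding bytes */
    int past_end = read_bits(&br, 1, &extra);
    free(buf);
    return (rc == 0 && past_end == -1) ? 0 : -1;
}
```

Without the padding, the second read would load two bytes beyond a 3-byte allocation, which is the class of access valgrind reports as an invalid read.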
Comment 3 Tim-Philipp Müller 2005-04-22 08:19:52 UTC
Seems to be fixed, at least I can't reproduce it any longer.

Cheers
 -Tim