GNOME Bugzilla – Bug 504672
[ffdeinterlace] crashes with height/width not multiples of 8
Last modified: 2013-07-17 10:59:26 UTC
This is with gst-ffmpeg CVS:

$ gst-launch-0.10 videotestsrc ! video/x-raw-yuv,format=\(fourcc\)I420,width=700,height=412 ! ffdeinterlace ! fakesink
Caught SIGSEGV accessing address 0x17

In gdb:

Program received signal SIGSEGV, Segmentation fault.
Thread 1082132816 (LWP 24517)
basically... all hell breaks loose after the call to avpicture_deinterlace.
For some reason it's writing too far (this happens when converting the last pair of lines when looking through the debug logs).

==32502== Thread 2:
==32502== Invalid write of size 4
==32502==    at 0x8589810: avpicture_deinterlace (imgconvert.c:2709)
==32502==    by 0x85270E2: gst_ffmpegdeinterlace_chain (gstffmpegdeinterlace.c:185)
==32502==    by 0x4E789D8: gst_pad_chain_unchecked (gstpad.c:3518)
==32502==    by 0x4E78FF2: gst_pad_push (gstpad.c:3686)
==32502==    by 0x7C4E659: gst_base_transform_chain (gstbasetransform.c:1614)
==32502==    by 0x4E789D8: gst_pad_chain_unchecked (gstpad.c:3518)
==32502==    by 0x4E78FF2: gst_pad_push (gstpad.c:3686)
==32502==    by 0x7C49A0A: gst_base_src_loop (gstbasesrc.c:2063)
==32502==    by 0x4E90EC8: gst_task_func (gsttask.c:192)
==32502==    by 0x615DC74: g_thread_pool_thread_proxy (gthreadpool.c:265)
==32502==    by 0x615C113: g_thread_create_proxy (gthread.c:635)
==32502==    by 0x5AED066: start_thread (pthread_create.c:297)
==32502==  Address 0x9128648 is 0 bytes after a block of size 432,600 alloc'd
==32502==    at 0x4C2101B: malloc (vg_replace_malloc.c:207)
==32502==    by 0x614205A: g_malloc (gmem.c:131)
==32502==    by 0x4E56BBE: gst_buffer_new_and_alloc (gstbuffer.c:322)
==32502==    by 0x4E78253: gst_pad_alloc_buffer_full (gstpad.c:2697)
==32502==    by 0x8527069: gst_ffmpegdeinterlace_chain (gstffmpegdeinterlace.c:174)
==32502==    by 0x4E789D8: gst_pad_chain_unchecked (gstpad.c:3518)
==32502==    by 0x4E78FF2: gst_pad_push (gstpad.c:3686)
==32502==    by 0x7C4E659: gst_base_transform_chain (gstbasetransform.c:1614)
==32502==    by 0x4E789D8: gst_pad_chain_unchecked (gstpad.c:3518)
==32502==    by 0x4E78FF2: gst_pad_push (gstpad.c:3686)
==32502==    by 0x7C49A0A: gst_base_src_loop (gstbasesrc.c:2063)
==32502==    by 0x4E90EC8: gst_task_func (gsttask.c:192)
Still happens. We should just refuse caps with non-multiple-of-8 width/height.
ffmpeg will use a higher aligned stride for the destination buffer, and not the smaller-aligned stride GStreamer expects (352 instead of 350 for the command line above for the subsampled plane). It only tests for multiple of 4 for both widths and heights though. Patch attached.
Created attachment 196109

ffdeinterlace: reject sizes that ffmpeg will trip on

imgconvert does not support widths that aren't multiple of 8, and will overwrite the destination. While there, also reject heights not multiple of 4, which will just be ignored by ffmpeg, yielding an uninitialized buffer.
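Added example (not code from the bug report, the attached patch, or gst-ffmpeg): a small C model of the stride mismatch discussed in the two comments above, plus the caps rule the patch describes. It assumes the element allocated a tightly packed I420 frame (Y plane width*height, then U and V at ceil(w/2)*ceil(h/2) each, which gives the 432,600-byte block from the valgrind report for 700x412), and it assumes the writer keeps the 350-byte chroma stride it was handed but processes round_up(width, 8)/2 = 352 pixels per chroma row, the "352 instead of 350" from the comment. Under those assumptions the last V row spills past the allocation; the names `ffdeinterlace_caps_ok`, `i420_tight_size` and `i420_deinterlace_overrun` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Round n up to the next multiple of align (align must be a power of two). */
static size_t round_up(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* The rule the attached patch describes: refuse caps whose width is not a
 * multiple of 8 or whose height is not a multiple of 4. Returns 1 if OK. */
int ffdeinterlace_caps_ok(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    return (width % 8 == 0) && (height % 4 == 0);
}

/* Size of a tightly packed I420 frame as the element allocates it
 * (assumption): Y is width*height, U and V are ceil(w/2)*ceil(h/2) each.
 * 700x412 -> 288,400 + 2 * 72,100 = 432,600 bytes. */
size_t i420_tight_size(int width, int height)
{
    size_t cw = ((size_t)width + 1) / 2;
    size_t ch = ((size_t)height + 1) / 2;
    return (size_t)width * height + 2 * cw * ch;
}

/* Model of the mismatch (assumption for illustration, not ffmpeg's code):
 * rows advance by the tight chroma stride cw, but each chroma row is
 * processed round_up(width, 8)/2 pixels wide. Returns how many bytes the
 * end of the last write into the V plane lands past the allocation,
 * 0 when nothing spills. */
size_t i420_deinterlace_overrun(int width, int height)
{
    size_t total = i420_tight_size(width, height);
    size_t cw = ((size_t)width + 1) / 2;
    size_t ch = ((size_t)height + 1) / 2;
    size_t v_offset = (size_t)width * height + cw * ch;   /* Y then U then V */
    size_t processed_cw = round_up((size_t)width, 8) / 2; /* 352 for w=700 */
    size_t last_write_end = v_offset + (ch - 1) * cw + processed_cw;
    return last_write_end > total ? last_write_end - total : 0;
}

int main(void)
{
    int dims[][2] = { {700, 412}, {704, 416}, {352, 288} };
    size_t i;
    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1];
        printf("%dx%d: caps %s, alloc %zu bytes, overrun %zu bytes\n",
               w, h, ffdeinterlace_caps_ok(w, h) ? "accepted" : "rejected",
               i420_tight_size(w, h), i420_deinterlace_overrun(w, h));
    }
    return 0;
}
```

For 700x412 the model puts the end of the last V-plane write 2 bytes past a 432,600-byte block, which is the kind of "0 bytes after a block" write valgrind flags; for 704x416 the aligned and tight strides coincide and nothing spills, which is why rejecting the odd sizes in caps negotiation is the safe fix for the element.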
Works fine in git. Closing.
Not sure if it doesn't just work by coincidence rather than design. I don't see any code in gstavdeinterlace.c that makes sure video frames have sufficient strides or padding.