Bug 334707 - ffmpeg reads past the end of data passed to it
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-libav
Version: 0.10.x
OS / Hardware: Other / All
Priority / Severity: Normal / critical
Target Milestone: 0.10.4
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Duplicates: 411220 424809
Depends on:
Blocks:
Reported: 2006-03-15 23:37 UTC by John Stowers
Modified: 2008-01-23 18:46 UTC
See Also:
GNOME target: ---
GNOME version: 2.13/2.14

Description John Stowers 2006-03-15 23:37:45 UTC
Steps to reproduce:
1. Load the attached file in gstreamer
2. Seek forwards to about half way
3. Seek consecutively backwards a few times by dragging the slider. Totem (gstreamer) will crash.


Stack trace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1269171280 (LWP 5585)]
0xb4706b1e in compute_mb_neighboors ()
---Type <return> to continue, or q <return> to quit---
   from /usr/lib/gstreamer-0.10/libgstffmpeg.so
(gdb)     *
Undefined command: "".  Try "help".
(gdb)
Undefined command: "".  Try "help".
(gdb)       thread apply all bt

Thread 1 (Thread -1224853824 (LWP 5569))

#0  __kernel_vsyscall
#1  pthread_cond_timedwait from /lib/tls/i686/cmov/libpthread.so.0
#2  g_cond_timed_wait_posix_impl
#3  gst_element_sync_state_with_parent from /usr/lib/libgstreamer-0.10.so.0
#4  gst_bin_iterate_sources from /usr/lib/libgstreamer-0.10.so.0
#5  gst_element_get_state from /usr/lib/libgstreamer-0.10.so.0
#6  bacon_video_widget_seek_time
#7  bacon_video_widget_seek
#8  totem_action_stop
#9  IA__g_cclosure_marshal_VOID__VOID at gmarshal.c line 77
#10 IA__g_closure_invoke at gclosure.c line 490
#11 signal_emit_unlocked_R at gsignal.c line 2438
#12 IA__g_signal_emit_valist at gsignal.c line 2197
#13 IA__g_signal_emit at gsignal.c line 2241
#14 IA__gtk_adjustment_value_changed
#15 IA__gtk_adjustment_set_value at gtkadjustment.c line 376
#16 gtk_range_real_change_value at gtkrange.c line 2475
#17 _gtk_marshal_BOOLEAN__ENUM_DOUBLE at gtkmarshalers.c line 203
#18 g_type_class_meta_marshal at gclosure.c line 567
#19 IA__g_closure_invoke at gclosure.c line 490
#20 signal_emit_unlocked_R at gsignal.c line 2476
#21 IA__g_signal_emit_valist at gsignal.c line 2207
#22 IA__g_signal_emit
#23 page_back at gtkrange.c line 1686
#24 gtk_range_scroll at gtkrange.c line 1792
#25 gtk_range_button_press at gtkrange.c line 1256
#26 _gtk_marshal_BOOLEAN__BOXED at gtkmarshalers.c line 83
#27 g_type_class_meta_marshal at gclosure.c line 567
#28 IA__g_closure_invoke at gclosure.c line 490
#29 signal_emit_unlocked_R at gsignal.c line 2476
#30 IA__g_signal_emit_valist at gsignal.c line 2207
#31 IA__g_signal_emit
#32 gtk_widget_event_internal at gtkwidget.c line 3732
#33 IA__gtk_propagate_event at gtkmain.c line 2208
#34 IA__gtk_main_do_event at gtkmain.c line 1445
#35 gdk_event_dispatch at gdkevents-x11.c line 2291
#36 IA__g_main_context_dispatch at gmain.c line 1916
#37 g_main_context_iterate at gmain.c line 2547
#38 IA__g_main_loop_run at gmain.c line 2751
#39 IA__gtk_main at gtkmain.c line 1024
#40 main
#0  compute_mb_neighboors from /usr/lib/gstreamer-0.10/libgstffmpeg.so


Other information:
Running Ubuntu Dapper Flight5 with latest updates. I have installed all
available debug debs.

This doesn't happen when seeking forwards, only when seeking backwards.
Comment 1 John Stowers 2006-03-16 00:00:27 UTC
The file which causes the crash can be found at http://john.greenbirdsystems.com/files/bugs/narf2006_xp_mac.mov
Comment 2 Wim Taymans 2006-03-23 10:27:01 UTC
Crashes in ffmpeg, possibly caused by qtdemux not doing proper keyframe seeks.
Comment 3 Wim Taymans 2006-03-24 20:19:18 UTC
Moving to -bad as this is where qtdemux lives.
Comment 4 Wim Taymans 2006-04-04 08:37:40 UTC
Implementing keyframe seeking makes this file not crash, so this bug will technically be fixed in 0.10.2.

There are however a few cases where ffmpeg reads past the end of the buffer; changing the subject to reflect the new bug we're trying to fix.
Comment 5 Edward Hervey 2007-03-02 11:14:14 UTC
*** Bug 411220 has been marked as a duplicate of this bug. ***
Comment 6 Tim-Philipp Müller 2007-05-11 07:54:11 UTC
*** Bug 424809 has been marked as a duplicate of this bug. ***
Comment 7 Wim Taymans 2008-01-23 18:46:42 UTC
        * ext/ffmpeg/gstffmpegdec.c: (gst_ffmpegdec_class_init),
        (gst_ffmpegdec_init), (get_output_buffer), (gst_ffmpegdec_chain),
        (gst_ffmpegdec_change_state), (gst_ffmpegdec_set_property),
        (gst_ffmpegdec_get_property):
        Add padding to input data before feeding it to ffmpeg. Also add option
        to disable this (although it does not seem to cause slowdown).
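The ChangeLog entry above describes the mitigation (zero padding appended to each input buffer before it reaches the decoder) without showing it. The following is an added illustration written for this page, not code from gst-libav or ffmpeg; `INPUT_PADDING`, `pad_input`, `peek_word`, `padding_intact` and the sample frame are all assumed names and constructed values, and the padding size is an assumption rather than the libavcodec constant of any particular release.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value standing in for libavcodec's input padding constant;
 * the real value has changed between releases. */
#define INPUT_PADDING 8

/* Copy `len` bytes of `data` into a new buffer followed by INPUT_PADDING
 * zero bytes, so a decoder that reads a few bytes beyond the end of the
 * frame lands in defined zeros instead of whatever follows on the heap.
 * Returns NULL on size overflow or allocation failure; caller frees. */
uint8_t *pad_input(const uint8_t *data, size_t len)
{
    if (len > SIZE_MAX - INPUT_PADDING)
        return NULL;
    uint8_t *buf = malloc(len + INPUT_PADDING);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    memset(buf + len, 0, INPUT_PADDING);
    return buf;
}

/* Toy model of a bit reader that always fetches a whole 32-bit word at
 * `pos`, the way decoder bit readers prefetch. Near the end of the
 * payload this touches up to 3 bytes past it; the padding absorbs them. */
uint32_t peek_word(const uint8_t *buf, size_t pos)
{
    return ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
           ((uint32_t)buf[pos + 2] << 8) | (uint32_t)buf[pos + 3];
}

/* After the decoder has run, confirm the padding is still all zero.
 * A non-zero byte means the decoder wrote, not merely read, past the
 * end of its input, which padding alone does not make safe. */
int padding_intact(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < INPUT_PADDING; i++)
        if (buf[len + i] != 0)
            return 0;
    return 1;
}

/* Constructed 5-byte "frame" whose last 32-bit read straddles the end. */
static const uint8_t sample_frame[5] = { 0x00, 0x00, 0x01, 0xb6, 0x10 };
```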