ffmpeg realloc crash
Issue description

While playing http://bumpers.fm in DEBUG mode (ToT).

Received signal 11 SEGV_MAPERR 000000000039
#0 0x7fee094a24ab base::debug::StackTrace::StackTrace()
#1 0x7fee094a0aec base::debug::StackTrace::StackTrace()
#2 0x7fee094a1fbf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fee09909330 <unknown>
#4 0x7fee097609b8 tcmalloc::Abort()
#5 0x7fee097689ca LogPrintf()
#6 0x7fee0976884b RAW_VLOG()
#7 0x7fee097ba5ba tc_realloc
#8 0x7fee097541d1 (anonymous namespace)::TCRealloc()
#9 0x7fee094a8ffe base::debug::(anonymous namespace)::ReallocFn()
#10 0x7fee09753b3f ShimRealloc
#11 0x7fedf3c249f1 av_reallocp_array
#12 0x7fedf3ca05cc ff_h2645_extract_rbsp
#13 0x7fedf3ca0b17 ff_h2645_packet_split
#14 0x7fedf3ce8f47 h264_decode_frame
#15 0x7fedf3bde996 frame_worker_thread
#16 0x7fee09901184 start_thread
#17 0x7fedf578437d clone
Feb 8 2017
Feb 11 2017
Hmm, not able to reproduce with an asan build.
Feb 11 2017
Can't repro, but found a couple patches which seem relevant from upstream.
Feb 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/8e313ca08800178efce00045e07dc494d437b70c

commit 8e313ca08800178efce00045e07dc494d437b70c
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Mon Feb 13 18:30:03 2017

h264dec: handle zero-sized NAL units in get_last_needed_nal()

The current code will ignore the init_get_bits() failure and do an invalid read from the uninitialized GetBitContext.

BUG=690184
Change-Id: I2e075ac19f1e5d99f2c1c57f844dea0275c93bcd
Found-By: Jan Ruge <jan.s.ruge at gmail.com>
Bug-Id: 952
Reviewed-on: https://chromium-review.googlesource.com/441113
Reviewed-by: Fredrik Hubinette <hubbe@chromium.org>

[modify] https://crrev.com/8e313ca08800178efce00045e07dc494d437b70c/libavcodec/h264dec.c
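To illustrate the defect class the commit message above describes (an init failure that is ignored, followed by reads from a context that was never set up), here is an added C example. It is not FFmpeg's or Chromium's code: BitCtx, bits_init, bits_get, Unit and last_slice_unit are hypothetical stand-ins for GetBitContext, init_get_bits() and get_last_needed_nal(), and the NAL units in demo_last_slice() are constructed. The scan skips any unit whose init fails instead of parsing an uninitialised context.

```c
/* Added example, not FFmpeg or Chromium code. A minimal bit reader whose
 * init fails on an empty buffer, and a scan over NAL-like units that acts
 * on that failure instead of reading from an uninitialised context.
 * BitCtx/bits_init/bits_get/last_slice_unit are hypothetical stand-ins for
 * GetBitContext/init_get_bits()/get_bits()/get_last_needed_nal(). */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitCtx;

/* Reject NULL or zero-sized input; on failure c is left untouched and the
 * caller must not read through it. */
static int bits_init(BitCtx *c, const uint8_t *buf, size_t size) {
    if (!buf || size == 0) return -1;
    c->buf = buf;
    c->size_bits = size * 8;
    c->pos = 0;
    return 0;
}

/* Read n (<= 24) bits MSB first; bits past the end read as 0. */
static unsigned bits_get(BitCtx *c, unsigned n) {
    unsigned v = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned bit = 0;
        if (c->pos < c->size_bits)
            bit = (c->buf[c->pos >> 3] >> (7 - (c->pos & 7))) & 1;
        v = (v << 1) | bit;
        c->pos++;
    }
    return v;
}

typedef struct {
    const uint8_t *data;
    size_t size;
} Unit;

/* H.264 NAL header: forbidden_zero_bit(1) nal_ref_idc(2) nal_unit_type(5).
 * Returns the index of the last unit that is a coded slice (type 1 or 5),
 * or -1 if there is none. Zero-sized units are skipped, never parsed. */
static int last_slice_unit(const Unit *units, int n) {
    int last = -1;
    for (int i = 0; i < n; i++) {
        BitCtx c;
        if (bits_init(&c, units[i].data, units[i].size) < 0)
            continue;                 /* the check: never read an uninitialised c */
        bits_get(&c, 1);              /* forbidden_zero_bit */
        bits_get(&c, 2);              /* nal_ref_idc */
        unsigned type = bits_get(&c, 5);
        if (type == 1 || type == 5) last = i;
    }
    return last;
}

/* Constructed input: SPS (type 7), an empty unit, an IDR slice (type 5),
 * then SEI (type 6). The empty unit must be skipped; the answer is index 2. */
static int demo_last_slice(void) {
    static const uint8_t sps[] = {0x67, 0x42};
    static const uint8_t idr[] = {0x65, 0x88};
    static const uint8_t sei[] = {0x06, 0x05};
    Unit units[] = {{sps, 2}, {NULL, 0}, {idr, 2}, {sei, 2}};
    return last_slice_unit(units, 4);
}
```

Without the `continue`, the loop would call bits_get() on a BitCtx whose buf and size_bits hold whatever was on the stack, which is the invalid read the commit message refers to; the return-value check is the whole fix.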
Feb 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/b7d98b52f6e2908e5ad07c4cf86bef1ca64e5e48

commit b7d98b52f6e2908e5ad07c4cf86bef1ca64e5e48
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Mon Feb 13 18:30:34 2017

avcodec/h264dec: Clear ref_count on slice header processing failure

Fixes using freed memory
Introduced in 744801989099df26e90b00062c645969c5347533
Fixes: 471/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_H264_fuzzer

BUG=690184
Change-Id: Ied39a9431a91c1754e1055e44625e66af0198dd9
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/518d37c3c167ec8f0a790a4eda037b6e643ebc8f

commit 518d37c3c167ec8f0a790a4eda037b6e643ebc8f
Author: wolenetz <wolenetz@chromium.org>
Date: Tue Feb 14 00:54:01 2017

Roll src/third_party/ffmpeg/ a77cdbfeb..38d84d205 (4 commits).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/a77cdbfeb7b6..38d84d205cd8 (4 commits).

$ git log a77cdbfeb..38d84d205 --date=short --no-merges --format='%ad %ae %s'
2017-02-13 wolenetz Remove cherry-picks from chromium/patches/README
2017-02-13 wolenetz lavf/mov.c: Avoid OOB in mov_read_udta_string()
2017-02-10 wolenetz lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()
2017-02-10 dalecurtis h264dec: handle zero-sized NAL units in get_last_needed_nal()

Created with:
  roll-dep src/third_party/ffmpeg

R=dalecurtis@chromium.org
TBR=hubbe@chromium.org
BUG=643952, 690184

Review-Url: https://codereview.chromium.org/2694913002
Cr-Commit-Position: refs/heads/master@{#450178}

[modify] https://crrev.com/518d37c3c167ec8f0a790a4eda037b6e643ebc8f/DEPS
Feb 14 2017
Feb 14 2017
Closing as fixed since I couldn't repro, hubbe@ let me know if you see this again.
Sep 13 2017
dalecurtis@, I can reproduce the crash by feeding a particular video frame to ffmpeg's ff_h2645_packet_split while tcmalloc is enabled. It appears to be a difference of opinion about aligned malloc variants, and realloc: debug tcmalloc detects ffmpeg's usage of realloc on pointers coming from posix_memalign as an error. See https://trac.ffmpeg.org/ticket/6403.

I don't have an easy repro with a full browser, but have the crashing bit of data extracted, and I'm attaching it here. I believe it's from a high-bitrate version of https://en.wikipedia.org/wiki/Tears_of_Steel (CC-BY licensed).

To reproduce:
* cd third_party/ffmpeg
* cat ~/Downloads/hevc_crashy_frame.bin | xxd -i - crash_data.inc
* apply attached patch to add a ffmpeg_crash binary
* Build ffmpeg_crash in debug, with ffmpeg_branding="Chrome" (to get the h2645 parser code in ffmpeg)
* Run out/ffmpeg_crash, observe "realloc/memalign missmatch" error from tcmalloc
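To show the allocation-family rule this comment points at, here is an added C example that is not FFmpeg's or Chromium's code: aligned_alloc_bytes, aligned_realloc_bytes and append_units are hypothetical names, and the 32-byte alignment and the sample units in demo_aligned_growth() are constructed. A buffer obtained from posix_memalign() is grown by allocate-copy-free rather than by realloc(), so a debug allocator that checks that realloc()'s argument came from malloc() has nothing to object to, and the growth pattern mirrors an RBSP buffer being filled unit by unit as in the stack trace above.

```c
/* Added example, not FFmpeg or Chromium code. Shows how a buffer that began
 * life as posix_memalign() memory is grown without ever handing it to
 * realloc(). Debug allocators that track which family a block came from
 * (the comment above describes tcmalloc doing this) abort on the mismatch;
 * elsewhere it is undefined behaviour that merely happens to work. */
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN 32  /* constructed alignment for the example */

/* Aligned allocation in the style of an av_malloc-like wrapper (hypothetical name). */
static void *aligned_alloc_bytes(size_t size) {
    void *p = NULL;
    if (size == 0) size = 1;
    if (posix_memalign(&p, ALIGN, size) != 0) return NULL;
    return p;
}

/* Grow an aligned buffer by allocating a fresh aligned block, copying the
 * live bytes (old_size) and freeing the old block. This keeps every block
 * inside the posix_memalign/free family; realloc() is never involved. */
static void *aligned_realloc_bytes(void *old, size_t old_size, size_t new_size) {
    void *p = aligned_alloc_bytes(new_size);
    if (!p) return NULL;
    if (old) {
        memcpy(p, old, old_size < new_size ? old_size : new_size);
        free(old);
    }
    return p;
}

/* 1 if p honours ALIGN, 0 otherwise. */
static int is_aligned(const void *p) {
    return ((uintptr_t)p % ALIGN) == 0;
}

/* Append n payloads into a growing aligned buffer (*out, capacity *cap).
 * Returns the total number of bytes stored, or -1 on allocation failure. */
static long append_units(const uint8_t *const *units, const size_t *sizes, int n,
                         uint8_t **out, size_t *cap) {
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        if (used + sizes[i] > *cap) {
            size_t new_cap = *cap ? *cap * 2 : 64;
            while (new_cap < used + sizes[i]) new_cap *= 2;
            uint8_t *p = aligned_realloc_bytes(*out, used, new_cap);
            if (!p) return -1;
            *out = p;
            *cap = new_cap;
        }
        memcpy(*out + used, units[i], sizes[i]);
        used += sizes[i];
    }
    return (long)used;
}

/* Constructed sample: three units (40, 30 and 100 bytes) whose total forces
 * two regrowths (64 -> 128 -> 256). Returns 170 when the data survived the
 * copies and the final buffer is still aligned, -1 otherwise. */
static long demo_aligned_growth(void) {
    static const uint8_t u0[40] = {0x65}, u1[30] = {0x41}, u2[100] = {0x67};
    const uint8_t *units[] = {u0, u1, u2};
    const size_t sizes[] = {40, 30, 100};
    uint8_t *buf = NULL;
    size_t cap = 0;
    long total = append_units(units, sizes, 3, &buf, &cap);
    int ok = total == 170 && is_aligned(buf) && cap == 256 &&
             buf[0] == 0x65 && buf[40] == 0x41 && buf[70] == 0x67;
    free(buf);
    return ok ? total : -1;
}
```

The alternative fix is to allocate buffers that will later be resized with plain malloc() in the first place; either way the rule a debug allocator enforces is that a block is only ever resized and freed by the family that created it.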
Sep 14 2017
Sep 14 2017
I guess it's this issue too, but please file a new one since this already has some commits attached to it.
Sep 14 2017
Sep 14 2017
OK, filed https://bugs.chromium.org/p/chromium/issues/detail?id=765110

I'm fairly certain it's the same case as here which simply wasn't fixed by the speculative changes (callstacks match, etc), but whatever's more convenient.
Comment 1 by hubbe@chromium.org, Feb 8 2017