New submission from Carl Eugen Hoyos <ceho...@rainbow.studorg.tuwien.ac.at>:
ffmpeg crashes with SIGBUS in decode_residual (libavcodec/h264_cavlc.c:483) when it is built with icc — the same source built with gcc does not crash — while decoding the invalid sample from issue 273: samples/V-codecs/h264/Tokeiro/H264_bad_decoding.264. Because the input is a malformed stream, this is at least a denial-of-service for anything that decodes untrusted H.264 with an icc-built libavcodec; the register dump below shows the VLC table lookup on that line being indexed with r14 = -1 and then dereferencing a garbage table pointer in rbp. Full session: (gdb) r -i H264_bad_decoding.264 -f null /dev/null Starting program: /home/cehoyos/Projects/FFmpeg/ffmpeg_g -i H264_bad_decoding.264 -f null /dev/null [Thread debugging using libthread_db enabled] FFmpeg version SVN-r22365, Copyright (c) 2000-2010 the FFmpeg developers built on Mar 9 2010 11:44:24 with icc 1110 configuration: --cc=/opt/intel/Compiler/11.1/059/bin/intel64/icc libavutil 50.11. 0 / 50.11. 0 libavcodec 52.57. 0 / 52.57. 0 libavformat 52.55. 0 / 52.55. 0 libavdevice 52. 2. 0 / 52. 2. 0 libswscale 0.10. 0 / 0.10. 0 [h264 @ 0x146f7d0]non-existing PPS referenced [h264 @ 0x146f7d0]non-existing PPS 0 referenced [h264 @ 0x146f7d0]decode_slice_header error [h264 @ 0x146f7d0]no frame! [h264 @ 0x146f7d0]sps_id out of range [h264 @ 0x146f7d0]non-existing PPS referenced [h264 @ 0x146f7d0]sps_id out of range [h264 @ 0x146f7d0]non-existing PPS 0 referenced [h264 @ 0x146f7d0]decode_slice_header error [h264 @ 0x146f7d0]no frame! [h264 @ 0x146f7d0]non-existing PPS referenced [h264 @ 0x146f7d0]non-existing PPS 0 referenced [h264 @ 0x146f7d0]decode_slice_header error [h264 @ 0x146f7d0]no frame! [h264 @ 0x146f7d0]sps_id out of range [h264 @ 0x146f7d0]non-existing PPS referenced [h264 @ 0x146f7d0]sps_id out of range [h264 @ 0x146f7d0]non-existing PPS 0 referenced [h264 @ 0x146f7d0]decode_slice_header error [h264 @ 0x146f7d0]no frame! [h264 @ 0x146f7d0]non-existing PPS referenced [h264 @ 0x146f7d0]non-existing PPS 0 referenced [h264 @ 0x146f7d0]decode_slice_header error [h264 @ 0x146f7d0]no frame! 
[h264 @ 0x146f7d0]negative number of zero coeffs at 19 8 [h264 @ 0x146f7d0]error while decoding MB 19 8 [h264 @ 0x146f7d0]concealing 250 DC, 250 AC, 250 MV errors [h264 @ 0x146f7d0]missing picture in access unit [h264 @ 0x1466420]Estimating duration from bitrate, this may be inaccurate Seems stream 0 codec frame rate differs from container frame rate: 25.00 (25/1) -> 12.50 (25/2) Input #0, h264, from 'H264_bad_decoding.264': Duration: N/A, bitrate: N/A Stream #0.0: Video: h264, yuv420p, 352x288, 17.24 fps, 12.50 tbr, 1200k tbn, 25 tbc Output #0, null, to '/dev/null': Metadata: encoder : Lavf52.55.0 Stream #0.0: Video: rawvideo, yuv420p, 352x288, q=2-31, 200 kb/s, 90k tbn, 12.50 tbc Stream mapping: Stream #0.0 -> #0.0 Press [q] to stop encoding [h264 @ 0x146f7d0]Missing reference picture [h264 @ 0x146f7d0]decode_slice_header error [h264 @ 0x146f7d0]concealing 396 DC, 396 AC, 396 MV errors [h264 @ 0x146f7d0]out of range intra chroma pred mode at 19 8 [h264 @ 0x146f7d0]error while decoding MB 19 8 [h264 @ 0x146f7d0]concealing 250 DC, 250 AC, 250 MV errors [h264 @ 0x146f7d0]negative number of zero coeffs at 11 11 [h264 @ 0x146f7d0]error while decoding MB 11 11 [h264 @ 0x146f7d0]concealing 192 DC, 192 AC, 192 MV errors [h264 @ 0x146f7d0]out of range intra chroma pred mode at 2 9 [h264 @ 0x146f7d0]error while decoding MB 2 9 [h264 @ 0x146f7d0]concealing 245 DC, 245 AC, 245 MV errors [h264 @ 0x146f7d0]mb_type 57 in I slice too large at 5 10 [h264 @ 0x146f7d0]error while decoding MB 5 10 [h264 @ 0x146f7d0]concealing 220 DC, 220 AC, 220 MV errors [h264 @ 0x146f7d0]negative number of zero coeffs at 19 8 [h264 @ 0x146f7d0]error while decoding MB 19 8 [h264 @ 0x146f7d0]concealing 250 DC, 250 AC, 250 MV errors [h264 @ 0x146f7d0]out of range intra chroma pred mode at 1 9 [h264 @ 0x146f7d0]error while decoding MB 1 9 [h264 @ 0x146f7d0]concealing 246 DC, 246 AC, 246 MV errors [h264 @ 0x146f7d0]number of reference frames exceeds max (probably corrupt input), discarding one [New 
Thread 0x7fb56c31e6f0 (LWP 29492)] Program received signal SIGBUS, Bus error. [Switching to Thread 0x7fb56c31e6f0 (LWP 29492)] 0x000000000069ddca in decode_residual (h=0x3, gb=0x14c85c0, block=0x14ea240, n=0, scantable=0x14ea891 "\004\001\002\005\b\f\t\006\003\a\n\r\016\v\017", qmul=0x14c96b4, max_coeff=15) at libavcodec/h264_cavlc.c:483 483 zeros_left= get_vlc2(gb, (total_zeros_vlc-1)[ total_coeff ].table, TOTAL_ZEROS_VLC_BITS, 1); (gdb) bt full #0 0x000000000069ddca in decode_residual (h=0x3, gb=0x14c85c0, block=0x14ea240, n=0, scantable=0x14ea891 "\004\001\002\005\b\f\t\006\003\a\n\r\016\v\017", qmul=0x14c96b4, max_coeff=15) at libavcodec/h264_cavlc.c:483 coeff_token_table_index = {0, 0, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3} level = {1, 1, 1, 1, 1, 3, -2, 2, 1, 1, 1, -14, 2, 0, 6870440, 0} zeros_left = 21534384 coeff_num = 119277340 coeff_token = 3 trailing_ones = 3 run_before = 21796532 #1 0x000000000069c7d0 in ff_h264_decode_mb_cavlc (h=0x3) at libavcodec/h264_cavlc.c:950 gb = (GetBitContext *) 0x14c4590 scan = (const uint8_t *) 0x14ea890 "" scan8x8 = (const uint8_t *) 0x14ea891 "\004\001\002\005\b\f\t\006\003\a\n\r\016\v\017" partition_count = 21932177 mb_type = 2 cbp = 21930560 dct8x8_allowed = 21932176 #2 0x0000000000677688 in decode_slice (avctx=0x3, arg=0x14c85c0) at libavcodec/h264.c:2322 h = (H264Context *) 0x14c4590 part_mask = 127 #3 0x000000000067f3fb in decode_nal_units (h=0x3, buf=0x14c85c0 "�\226H\001", buf_size=21930560) at libavcodec/h264.c:2668 context_count = 1 #4 0x0000000000672e5c in decode_frame (avctx=0x3, data=0x14c85c0, data_size=0x14ea240, avpkt=0x0) at libavcodec/h264.c:2739 buf = (const uint8_t *) 0x14c85c0 "�\226H\001" buf_size = 20439 h = (H264Context *) 0x14c4590 #5 0x00000000004ce9ab in avcodec_decode_video2 (avctx=0x3, picture=0x14c85c0, got_picture_ptr=0x14ea240, avpkt=0x0) at libavcodec/utils.c:606 ret = 21775760 #6 0x00000000004082c3 in output_packet (ist=0x3, ist_index=21792192, ost_table=0x14ea240, nb_ostreams=0, 
pkt=0x14ea891) at ffmpeg.c:1364 decoded_data_buf = (uint8_t *) 0x14896b0 "\210\201\201\203\177\001\...@\2004�t" decoded_data_size = 152064 samples_size = 0 os = (AVFormatContext *) 0x7fff9bb08720 ost = (AVOutputStream *) 0x0 i = 21930560 got_picture = 0 picture = {data = {0x0, 0x0, 0x0, 0x0}, linesize = {0, 0, 0, 0}, base = {0x0, 0x0, 0x0, 0x0}, key_frame = 1, pict_type = 0, pts = -9223372036854775808, coded_picture_number = 0, display_picture_number = 0, quality = 0, age = 0, reference = 0, qscale_table = 0x0, qstride = 0, mbskip_table = 0x0, motion_val = {0x0, 0x0}, mb_type = 0x0, motion_subsample_log2 = 0 '\0', opaque = 0x0, error = {0, 0, 0, 0}, type = 0, repeat_pict = 0, qscale_type = 0, interlaced_frame = 0, top_field_first = 0, pan_scan = 0x0, palette_has_changed = 0, buffer_hints = 0, dct_coeff = 0x0, ref_index = {0x0, 0x0}, reordered_opaque = 0, hwaccel_picture_private = 0x0} subtitle = {format = 537, start_display_time = 32693, end_display_time = 1, num_rects = 0, rects = 0x408070, pts = 0} subtitle_to_free = (AVSubtitle *) 0x0 got_subtitle = 0 avpkt = {pts = -9223372036854775808, dts = -9223372036854775808, data = 0x152d460 "", size = 20439, stream_index = 0, flags = 0, duration = 96000, destruct = 0x4c4620 <av_destruct_packet>, priv = 0xd82b830, pos = 202752, convergence_duration = -9223372036854775808} bps = 0 #7 0x000000000040735d in av_encode (output_files=0x3, nb_output_files=21792192, input_files=0x14ea240, nb_input_files=0, stream_maps=0x14ea891, nb_stream_maps=21796532) at ffmpeg.c:2316 ipts = 1.9734560860423623e-312 opts = 6.9601461976219858e-312 ist_index = 21930560 pkt = {pts = -9223372036854775808, dts = -9223372036854775808, data = 0x152d460 "", size = 20439, stream_index = 0, flags = 0, duration = 96000, destruct = 0x4c4620 <av_destruct_packet>, priv = 0xd82b830, pos = 202752, convergence_duration = -9223372036854775808} ipts_min = 0 opts_min = 0 nb_ostreams = 0 is = (AVFormatContext *) 0x1466420 codec = (AVCodecContext *) 
0x8000000000000000 icodec = (AVCodecContext *) 0x7fffffffffffffff ist = (AVInputStream *) 0x14c4590 error = "�\177\000\000\210\236�\000\000\000\000\000\204��\233�\177\000\000��<\001\000\000\000\000��\fk�\177\000\000\001\200��\000\000\000\000��<\001\000\000\000\000��<\001\000\000\000\000��<\001\000\000\000\000��<\001\000\000\000\000��<\001\000\000\000\000��<\001\000\000\000\000��<\001\000\000\000\000��<\001", '\0' <repeats 44 times>, " \206�\233\000\000\000\000`�:k�\177", '\0' <repeats 26 times>, "z�\fk�\177\000\0000�\202\r\000\000\000\000`�:k�\177\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000��<\001\000\000\000\000��\fk�\177\000\000\000\001\000\000\000\000"... no_packet = '\0' <repeats 99 times> no_packet_count = 21390368 #8 0x0000000000404cc5 in main (argc=3, argv=0x14c85c0) at ffmpeg.c:4058 ti = 1 (gdb) disass $pc-64 $pc+64 Dump of assembler code from 0x69dd8a to 0x69de0a: 0x000000000069dd8a <decode_residual+1418>: jl 0x69ddb0 <decode_residual+1456> 0x000000000069dd8c <decode_residual+1420>: and %cl,0x3b(%rbp) 0x000000000069dd8f <decode_residual+1423>: repz jne 0x69dd97 <decode_residual+1431> 0x000000000069dd92 <decode_residual+1426>: xor %r10d,%r10d 0x000000000069dd95 <decode_residual+1429>: jmp 0x69dddc <decode_residual+1500> 0x000000000069dd97 <decode_residual+1431>: cmp $0x1a,%ebx 0x000000000069dd9a <decode_residual+1434>: je 0x69e183 <decode_residual+2435> 0x000000000069dda0 <decode_residual+1440>: lea (%r14,%r14,2),%r11 0x000000000069dda4 <decode_residual+1444>: mov 0x10f5e90(,%r11,8),%rbp 0x000000000069ddac <decode_residual+1452>: mov %r12d,%r11d 0x000000000069ddaf <decode_residual+1455>: shr $0x3,%r11d 0x000000000069ddb3 <decode_residual+1459>: mov (%r11,%r10,1),%r11d 0x000000000069ddb7 <decode_residual+1463>: bswap %r11d 0x000000000069ddba <decode_residual+1466>: mov %r12d,%ecx 0x000000000069ddbd <decode_residual+1469>: and $0x7,%ecx 0x000000000069ddc0 <decode_residual+1472>: shl %cl,%r11d 0x000000000069ddc3 
<decode_residual+1475>: shr $0xf7,%r11d 0x000000000069ddc7 <decode_residual+1479>: mov %r11d,%r11d 0x000000000069ddca <decode_residual+1482>: movswl 0x0(%rbp,%r11,4),%r10d 0x000000000069ddd0 <decode_residual+1488>: movswl 0x2(%rbp,%r11,4),%ebp 0x000000000069ddd6 <decode_residual+1494>: add %r12d,%ebp 0x000000000069ddd9 <decode_residual+1497>: mov %ebp,0x10(%rsi) 0x000000000069dddc <decode_residual+1500>: lea -0x1(%r13,%r10,1),%ebp 0x000000000069dde1 <decode_residual+1505>: movslq %ebp,%rbp 0x000000000069dde4 <decode_residual+1508>: movzbl 0x0(%rbp,%r8,1),%r11d 0x000000000069ddea <decode_residual+1514>: cmp $0x18,%ebx 0x000000000069dded <decode_residual+1517>: jle 0x69dece <decode_residual+1742> 0x000000000069ddf3 <decode_residual+1523>: mov %r15w,(%rdx,%r11,2) 0x000000000069ddf8 <decode_residual+1528>: mov $0x1,%ebx 0x000000000069ddfd <decode_residual+1533>: cmp $0x1,%r14 0x000000000069de01 <decode_residual+1537>: jle 0x69dfb5 <decode_residual+1973> 0x000000000069de07 <decode_residual+1543>: test %r10d,%r10d (gdb) info registers rax 0x14c4590 21775760 rbx 0xf 15 rcx 0x0 0 rdx 0x14ea240 21930560 rsi 0x14c85c0 21792192 rdi 0x3 3 rbp 0x7e407e4071c071c 0x7e407e4071c071c rsp 0x7fff9bb06ec0 0x7fff9bb06ec0 r8 0x14ea891 21932177 r9 0x14c96b4 21796532 r10 0x14896b0 21534384 r11 0x1cf 463 r12 0x13fd0 81872 r13 0xffffffff 4294967295 r14 0xffffffffffffffff -1 r15 0x1 1 rip 0x69ddca 0x69ddca <decode_residual+1482> eflags 0x10207 [ CF PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 fctrl 0x37f 895 fstat 0x0 0 ftag 0xaaaa 43690 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 mxcsr 0x9fe4 [ ZE PE DAZ IM DM ZM OM UM PM FZ ] ---------- messages: 9712 priority: normal status: open substatus: open title: Crash when decoding invalid H264 sample (only with Intel compiler) type: bug ________________________________________________ FFmpeg issue tracker <iss...@roundup.ffmpeg.org> <https://roundup.ffmpeg.org/issue1802> 