#11640: Specific combination of timeclamp, fps, and count on showcqt causing crash
--------------------------------------+------------------------------------
Reporter: Aseer Tayeem | Type: defect
Status: new | Priority: critical
Component: avfilter | Version: 7.1
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
--------------------------------------+------------------------------------
Summary of the bug:
This bug in showcqt of libavfilter causes a whole array of different
memory errors causing crashes. I don't know how important this is, since a
memory error could do anything, so I put it as critical. This is using
valid inputs to showcqt.
How to reproduce:
{{{
% ffmpeg -f lavfi -i "amovie=test.mp3, showcqt=timeclamp=0.01:fps=15:count=5 [out0]" out.mp4
ffmpeg version n7.1.1
built with gcc 15.1.1 (GCC) 20250425
% ffplay -f lavfi "amovie=test.mp3, showcqt=timeclamp=0.01:fps=15:count=5 [out0]"
ffplay version n7.1.1
built with gcc 15.1.1 (GCC) 20250425
}}}
I had some complex filtergraph, until I reduced it to this. Removing any
of these three will prevent the crash. Works with any input audio, but I
don't know if this changes the behavior.
Some other quirks:
- Keeping fixed timeclamp=0.01 and count=5. At fps=1-16, it crashes with
SIGSEGV. At fps=17, it doesn't crash until you terminate it, then it
instead has SIGABRT with an error in free(). At fps=18, it doesn't crash.
{{{
# at fps=17
free(): invalid next size (normal)
fish: Job 1, 'ffmpeg -f lavfi -i "amovie=test…' terminated by signal SIGABRT (Abort)
}}}
- Keeping fixed fps=15 and count=5. timeclamp=0.002 causes a SIGSEGV only
when terminating the program. timeclamp=0.003-0.011 causes an immediate
SIGSEGV. timeclamp=0.012 does nothing.
- Keeping fixed fps=15 and timeclamp=0.01. count=1-5 causes immediate
crashes. count=6 does nothing.
- Overall, these ranges start at the minimum values allowed (fps=1,
timeclamp=0.002, count=1), and end at fps=18, timeclamp=0.012, count=6. I
didn't try using more precision.
- Sometimes it would say something about a `corrupted double-linked list`,
but only in ffplay.
- With some inputs I saw a malloc assertion failure, but only in ffplay
{{{
Fatal glibc error: malloc.c:4434 (_int_malloc): assertion failed:
(unsigned long) (size) >= (unsigned long) (nb)
}}}
- In ffplay at fps=17, I got an error like this:
{{{
double free or corruption (!prev) 0KB vq= 11KB sq= 0B
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11640>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
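A parameter-sweep triage harness for the combination reported above, added here as an example that is not part of the ticket or of FFmpeg. It builds the ffmpeg command from the report for each (timeclamp, fps, count) triple, runs it against the null muxer with a duration limit, and classifies the exit status by terminating signal, so the crash/no-crash boundaries the reporter found by hand can be re-checked after a fix. The injectable `runner`, the 2-second `-t` limit and the `crashing` helper are assumptions of this example.

```python
# Added triage harness; not code from the ticket or from FFmpeg.
import itertools
import signal
import subprocess
from typing import Callable, Dict, List, Tuple

Triple = Tuple[float, int, int]  # (timeclamp, fps, count)
SIGNAL_NAMES = {-int(signal.SIGSEGV): "SIGSEGV", -int(signal.SIGABRT): "SIGABRT"}


def showcqt_cmd(audio: str, timeclamp: float, fps: int, count: int) -> List[str]:
    """Build the lavfi command from the ticket. The null muxer replaces
    out.mp4 so the sweep writes nothing; -t bounds each run (assumption)."""
    graph = f"amovie={audio},showcqt=timeclamp={timeclamp}:fps={fps}:count={count} [out0]"
    return ["ffmpeg", "-hide_banner", "-nostdin", "-t", "2",
            "-f", "lavfi", "-i", graph, "-f", "null", "-"]


def classify(returncode: int) -> str:
    """POSIX subprocess convention: a negative return code is the signal
    that killed the process, which is what distinguishes the SIGSEGV and
    SIGABRT cases in the report from a clean exit or an ordinary error."""
    if returncode == 0:
        return "ok"
    if returncode < 0:
        return SIGNAL_NAMES.get(returncode, f"signal {-returncode}")
    return f"exit {returncode}"


def run_ffmpeg(cmd: List[str]) -> int:
    """Real runner: execute ffmpeg, treat a hang as its own verdict."""
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=60).returncode
    except subprocess.TimeoutExpired:
        return 124  # conventional timeout code; shows up as "exit 124"


def sweep(audio: str, timeclamps, fpss, counts,
          runner: Callable[[List[str]], int] = run_ffmpeg) -> Dict[Triple, str]:
    """Run every combination and record its verdict keyed by the triple."""
    results: Dict[Triple, str] = {}
    for tc, fps, count in itertools.product(timeclamps, fpss, counts):
        results[(tc, fps, count)] = classify(runner(showcqt_cmd(audio, tc, fps, count)))
    return results


def crashing(results: Dict[Triple, str]) -> List[Triple]:
    """Triples that died by signal, sorted so runs are comparable."""
    return sorted(k for k, v in results.items() if v.startswith("SIG") or v.startswith("signal"))
```

Running the sweep against an ASan-instrumented ffmpeg build turns each "SIGSEGV" verdict into a report naming the faulting allocation, which is the information a fix needs.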