Segfault with fuzzed file (vobsub) #1420

Closed
tholin opened this Issue Jan 4, 2015 · 4 comments


tholin commented Jan 4, 2015

The file:
https://www.dropbox.com/s/f57xz612bn2pvw6/vobsub_crash.mkv

It's an ffmpeg bug, but I'm not able to trigger the crash with ffmpeg's own tools. I'll let you handle it instead.

$ gdb --args ~/repository/mpv-build_vanilla_debug/mpv/build/mpv vobsub_crash.mkv
GNU gdb (Gentoo 7.7.1 p1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv...done.
(gdb) r
Starting program: /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv vobsub_crash.mkv
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffed4e7700 (LWP 9110)]
[New Thread 0x7fffecce6700 (LWP 9111)]
[New Thread 0x7fffe7fff700 (LWP 9112)]
Playing: vobsub_crash.mkv
[New Thread 0x7fffe77fe700 (LWP 9113)]
[Thread 0x7fffe77fe700 (LWP 9113) exited]
[New Thread 0x7fffe77fe700 (LWP 9114)]
[New Thread 0x7fffe6ffd700 (LWP 9115)]
[ffmpeg/demuxer] matroska,webm: Unknown EBML doctype 'matro@ka'
[ffmpeg] ?: Truncating packet of size 106212971 to 1889
[ffmpeg] ?: Truncating packet of size 11581 to 1507                                                    
[ffmpeg/video] h264: missing picture in access unit with size 84                                       
[ffmpeg/video] h264: no frame!                                                                         
[ffmpeg/video] h264: missing picture in access unit with size 186                                      
[ffmpeg/video] h264: no frame!                                                                         
[ffmpeg/video] h264: missing picture in access unit with size 130                                      
[ffmpeg/video] h264: no frame!                                                                         
[ffmpeg/video] h264: missing picture in access unit with size 384                                      
[ffmpeg/video] h264: no frame!                                                                         
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1235 (0x4d3)                                        
[ffmpeg] ?: Truncating packet of size 1056768 to 542                                                   
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1758 (0x6de)                                        
[ffmpeg/demuxer] matroska,webm: Read error at pos. 2024 (0x7e8)                                        
[ffmpeg/demuxer] matroska,webm: Could not find codec parameters for stream 0 (Video: h264 (h264 / 0x34363268), none, 720x432): unspecified pixel format                                                       
[ffmpeg/demuxer] Consider increasing the value for the 'analyzeduration' and 'probesize' options       
[Thread 0x7fffe6ffd700 (LWP 9115) exited]
[stream] Video (+) --vid=1 (*) (h264)
[stream] Subs  (+) --sid=1 --slang=eng (*) (dvd_subtitle)
[New Thread 0x7fffe6ffd700 (LWP 9116)]
[New Thread 0x7fffe67fc700 (LWP 9117)]
[New Thread 0x7fffdf990700 (LWP 9118)]
[New Thread 0x7fffdef8a700 (LWP 9119)]
[New Thread 0x7fffde789700 (LWP 9120)]
[New Thread 0x7fffddf88700 (LWP 9121)]
[New Thread 0x7fffdd787700 (LWP 9122)]
[New Thread 0x7fffdcf86700 (LWP 9123)]
[New Thread 0x7fffd7fff700 (LWP 9124)]
[New Thread 0x7fffd77fe700 (LWP 9125)]
[New Thread 0x7fffd6ffd700 (LWP 9126)]
[sub/lavc] Subtitle with unknown start time.
[ffmpeg/video] h264: no frame!
[sub/lavc] Subtitle with unknown start time.

Program received signal SIGSEGV, Segmentation fault.
0x00000000009da4a8 in get_bits (s=0x7fffffffd290, n=4)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/get_bits.h:265
265         UPDATE_CACHE(re, s);
(gdb) bt full
#0  0x00000000009da4a8 in get_bits (s=0x7fffffffd290, n=4)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/get_bits.h:265
        tmp = 0
        re_index = 0
        re_cache = 4059456702
        re_size_plus8 = 1878814992
#1  0x00000000009da842 in decode_run_2bit (gb=0x7fffffffd290, color=0x7fffffffd274)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:73
        v = 0
        t = 1
#2  0x00000000009da9f7 in decode_rle (bitmap=0x2a8cb80 "", linesize=2, w=1, h=1, buf=0x2a8c9b0 "", 
    start=302019492, buf_size=453, is_8bit=0)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:123
        gb = {buffer = 0x14a93d54 <error: Cannot access memory at address 0x14a93d54>, 
          buffer_end = 0x22a8cb75 <error: Cannot access memory at address 0x22a8cb75>, index = 0, 
          size_in_bits = 1878814984, size_in_bits_plus8 = 1878814992}
        bit_len = 1878814984
        x = 0
        y = 0
        len = -11600
        color = 0
        d = 0x2a8cb80 ""
#3  0x00000000009db85e in decode_dvd_subtitles (ctx=0x228bda0, sub_header=0x7fffffffd5a0, 
    buf=0x2a8c9b0 "", buf_size=453)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:362
        w = 1
        h = 1
        bitmap = 0x2a8cb80 ""
        cmd_pos = 245
        pos = 264
        cmd = 35
        x1 = 0
        y1 = 0
        x2 = 0
        y2 = 0
        offset1 = 302019492
        offset2 = -2147426757
        next_cmd_pos = 24968
        big_offsets = 0
        offset_size = 2
        is_8bit = 0
        yuv_palette = 0x0
        colormap = 0x228bdfc ""
        alpha = 0x228be00 ""
        date = 68
        i = 0
        is_menu = 0
#4  0x00000000009dc1dc in dvdsub_decode (avctx=0x228b8e0, data=0x7fffffffd5a0, 
    data_size=0x7fffffffd534, avpkt=0x7fffffffd450)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/dvdsubdec.c:538
        ctx = 0x228bda0
        buf = 0x2a8c9b0 ""
        buf_size = 453
        sub = 0x7fffffffd5a0
        is_menu = -11
#5  0x0000000000e86904 in avcodec_decode_subtitle2 (avctx=0x228b8e0, sub=0x7fffffffd5a0, 
    got_sub_ptr=0x7fffffffd534, avpkt=0x7fffffffd5c0)
    at /home/cocobo/repository/mpv-build_vanilla_debug/ffmpeg/libavcodec/utils.c:2751
        pkt_recoded = {buf = 0x0, pts = -9223372036854775808, dts = -9223372036854775808, 
          data = 0x7fffd833a290 "", size = 226, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 0, destruct = 0x0, priv = 0x7fffffffd610, pos = -1, 
          convergence_duration = 0}
        tmp = {buf = 0x0, pts = -9223372036854775808, dts = -9223372036854775808, 
          data = 0x7fffd833a290 "", size = 226, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 0, destruct = 0x0, priv = 0x7fffffffd610, pos = -1, 
          convergence_duration = 0}
        did_split = 0
        i = 0
        ret = 0
#6  0x00000000004d83b4 in decode (sd=0x228b460, packet=0x7fffd0001350) at ../sub/sd_lavc.c:208
        opts = 0x20182a0
        priv = 0x228b720
        ctx = 0x228b8e0
        pts = -9.2233720368547758e+18
        duration = -1
        sub = {format = 0, start_display_time = 0, end_display_time = 0, num_rects = 1, 
          rects = 0x2290140, pts = -9223372036854775808}
        pkt = {buf = 0x0, pts = -9223372036854775808, dts = -9223372036854775808, 
          data = 0x7fffd833a290 "", size = 226, stream_index = 0, flags = 0, side_data = 0x0, 
          side_data_elems = 0, duration = 0, destruct = 0x0, priv = 0x7fffffffd610, pos = -1, 
          convergence_duration = 0}
        got_sub = 0
        res = 0
        endpts = 6.9533558072966704e-310
        current = 0x100000000
        __PRETTY_FUNCTION__ = "decode"
#7  0x00000000004cd8d1 in decode_chain (sd=0x22972d0, num_sd=1, packet=0x7fffd0001350)
    at ../sub/dec_sub.c:255
        dec = 0x228b460
#8  0x00000000004cdab0 in decode_chain_recode (sub=0x2297200, sd=0x22972d0, num_sd=1, 
    packet=0x7fffd0001350) at ../sub/dec_sub.c:294
        recoded = 0x0
#9  0x00000000004cdaff in sub_decode (sub=0x2297200, packet=0x7fffd0001350) at ../sub/dec_sub.c:302
No locals.
#10 0x00000000004a0814 in update_subtitle (mpctx=0x2015050, order=0) at ../player/sub.c:271
        subpts_s = -9.2233720368547758e+18
        pkt = 0x7fffd0001350
        sh_stream = 0x7fffd8339f00
        interleaved = true
        opts = 0x20182a0
        track = 0x2274c40
        dec_sub = 0x2297200
        obj = 0
        state = {dec_sub = 0x2297200, video_offset = 0, render_bitmap_subs = true}
        refpts_s = -9.2233720368547758e+18
        curpts_s = -9.2233720368547758e+18
        __PRETTY_FUNCTION__ = "update_subtitle"
#11 0x00000000004a08e7 in update_subtitles (mpctx=0x2015050) at ../player/sub.c:287
No locals.
#12 0x000000000049dcd4 in run_playloop (mpctx=0x2015050) at ../player/playloop.c:963
        opts = 0x20182a0
        endpts = -9.2233720368547758e+18
        end_is_new_segment = false
        prevent_eof = false
#13 0x00000000004924ca in play_current_file (mpctx=0x2015050) at ../player/loadfile.c:1182
        opts = 0x20182a0
        tmp = 0x204e840
        playback_start = 10.312787999999999
        __PRETTY_FUNCTION__ = "play_current_file"
        stream_flags = 0
        startpos = -9.2233720368547758e+18
        nothing_played = false
        end_event = {reason = -10048, error = 32767}
#14 0x0000000000492be4 in mp_play_files (mpctx=0x2015050) at ../player/loadfile.c:1339
        new_entry = 0x20182a0
#15 0x0000000000493ff3 in mpv_main (argc=2, argv=0x7fffffffda58) at ../player/main.c:550
        mpctx = 0x2015050
        opts = 0x20182a0
        verbose_env = 0x0
        r = 0
#16 0x0000000000411e6d in main (argc=2, argv=0x7fffffffda58) at ../player/main_fn.c:13
No locals.
wm4 added the ffmpeg-bug label Jan 4, 2015
wm4 closed this Jan 5, 2015
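What the backtrace above shows, restated from its own numbers: frame #2 entered decode_rle with buf=0x2a8c9b0, start=302019492 and buf_size=453, and the bit reader's buffer, 0x14a93d54, is exactly buf + start, so the reader was pointed roughly 302 MB past a 453-byte packet; its bit_len of 1878814984 is (453 - 302019492) * 8 wrapped in a signed 32-bit int, a negative remaining length turned into a large positive one. The following is an added example, not ffmpeg's or mpv's code: a simplified stand-in for that decode path which rejects the offset before creating the reader and clamps every run to the row it is filling. The DVD 2-bit run-code layout (1 to 4 nibbles, low 2 bits = colour, value below 4 = rest of line) is real; the reader, the function names and the sample packet are assumptions made for this example.

```c
/* Added example, not ffmpeg's or mpv's code: a bounds-checked decoder for a
 * DVD-subpicture-style 2-bit RLE bitmap. The run-code layout is the DVD one;
 * the reader, names and sample packet are this example's own stand-ins. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* MSB-first bit reader that refuses to read past its buffer. */
typedef struct { const uint8_t *buf; size_t size_bits, pos; } bitreader;

static int br_get(bitreader *br, unsigned n, unsigned *out)
{
    unsigned v = 0;
    if (n > br->size_bits - br->pos) return -1;     /* pos <= size_bits always */
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    *out = v;
    return 0;
}

static void br_align(bitreader *br) { br->pos = (br->pos + 7) & ~(size_t)7; }

/* One run code. Returns the run length (INT_MAX = rest of line) or -1 at EOF. */
static int decode_run_2bit(bitreader *br, unsigned *color)
{
    unsigned v = 0, nib;
    for (unsigned t = 1; v < t && t <= 0x40; t <<= 2) {
        if (br_get(br, 4, &nib) < 0) return -1;
        v = (v << 4) | nib;
    }
    *color = v & 3;
    return v < 4 ? INT_MAX : (int)(v >> 2);
}

/* Decode a w*h bitmap (one byte per pixel, row stride linesize) from
 * buf[start..buf_size). Returns 0, or -1 on malformed input; never reads
 * outside buf and never writes outside the bitmap. */
static int decode_rle(uint8_t *bitmap, size_t linesize, unsigned w, unsigned h,
                      const uint8_t *buf, size_t start, size_t buf_size)
{
    bitreader br;
    unsigned x = 0, y = 0, color;
    uint8_t *row = bitmap;

    /* Check 1: the RLE offset must lie inside the packet, tested in unsigned
     * arithmetic before any subtraction. The backtrace shows start=302019492
     * against buf_size=453 and bit_len=1878814984, i.e. (453 - 302019492) * 8
     * wrapped in a signed 32-bit int. */
    if (w == 0 || h == 0 || start >= buf_size) return -1;
    br = (bitreader){ buf + start, (buf_size - start) * 8, 0 };

    for (;;) {
        int len = decode_run_2bit(&br, &color);
        if (len < 0) return -1;                     /* ran out of bits */
        /* Check 2: clamp the run to what is left of the row so the memset can
         * never leave the w*h allocation (the valgrind log later in this
         * thread shows such a memset 1 byte past a 1-byte bitmap). */
        if ((unsigned)len > w - x) len = (int)(w - x);
        memset(row + x, (int)color, (size_t)len);
        x += (unsigned)len;
        if (x >= w) {
            if (++y >= h) break;
            row += linesize;
            x = 0;
            br_align(&br);                          /* rows start byte-aligned */
        }
    }
    return 0;
}

/* Constructed sample: two junk bytes, then a 4x2 bitmap at offset 2.
 * 0x9A = runs (2 px, colour 1), (2 px, colour 2); 0x00 0x03 = rest of line, colour 3. */
static const uint8_t sample_pkt[] = { 0xDE, 0xAD, 0x9A, 0x00, 0x03 };

/* 1 if the sample decodes to the expected pixels, else 0. */
int sample_decodes_correctly(void)
{
    static const uint8_t want[8] = { 1, 1, 2, 2, 3, 3, 3, 3 };
    uint8_t got[8];
    memset(got, 0xEE, sizeof got);
    if (decode_rle(got, 4, 4, 2, sample_pkt, 2, sizeof sample_pkt) != 0) return 0;
    return memcmp(got, want, sizeof got) == 0;
}

/* The offset from the backtrace against a 453-byte packet must be rejected. */
int fuzzed_offset_is_rejected(void)
{
    uint8_t pkt[453] = { 0 }, bm[1] = { 0 };
    return decode_rle(bm, 1, 1, 1, pkt, 302019492u, sizeof pkt) == -1;
}

/* A 3-pixel run into a 1x1 bitmap: both guard bytes must survive. */
int long_run_is_clamped(void)
{
    uint8_t pkt[1] = { 0xF0 };                      /* nibble 0xF: length 3, colour 3 */
    uint8_t guarded[3] = { 0xAA, 0x00, 0xAA };
    if (decode_rle(&guarded[1], 1, 1, 1, pkt, 0, sizeof pkt) != 0) return 0;
    return guarded[0] == 0xAA && guarded[1] == 3 && guarded[2] == 0xAA;
}
```

The two checks are independent: the first keeps the reader inside the packet (a fuzzer only needs one oversized offset field to defeat a signed subtraction), the second keeps the writer inside the bitmap no matter what run lengths the packet encodes, so a file that passes the first check still cannot turn a long run into a heap write.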
tholin commented Jan 7, 2015

c9151de took care of that segfault but I think there are still some gremlins in the dvdsub code.

Here is a file I didn't notice at first because it only segfaults occasionally. It doesn't segfault in gdb, but valgrind prints an error:
https://www.dropbox.com/s/dft2qh5xen67oo8/vobsub_crash_invalid_write.mkv

With ffmpeg ddae03f69bc1c6ec97c028c91837710944427b83

$ valgrind --tool=memcheck ~/repository/mpv-build_vanilla_debug/mpv/build/mpv  --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null vobsub_crash_invalid_write.mkv 
==3618== Memcheck, a memory error detector
==3618== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3618== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==3618== Command: /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null vobsub_crash_invalid_write.mkv
==3618== 
==3618== Warning: invalid file descriptor -1 in syscall close()
==3618== Warning: invalid file descriptor -1 in syscall close()
Playing: vobsub_crash_invalid_write.mkv
[ffmpeg/demuxer] matroska,webm: Unknown EBML doctype 'matro@ka'
[ffmpeg] ?: Truncating packet of size 3956 to 1906
[ffmpeg] ?: Truncating packet of size 13117 to 1514                                                    
[ffmpeg/video] h264: SEI type 27 size 512 truncated at 120                                             
[ffmpeg/video] h264: non-existing PPS 0 referenced                                                     
[ffmpeg/video] h264: SEI type 27 size 512 truncated at 111
[ffmpeg/video] h264: non-existing PPS 0 referenced
[ffmpeg/video] h264: decode_slice_header error
[ffmpeg/video] h264: no frame!
[ffmpeg] ?: Truncating packet of size 1778515 to 856
[ffmpeg] ?: Truncating packet of size 8092 to 839
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1373 (0x55d)
[ffmpeg] ?: Truncating packet of size 11617 to 519
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1780 (0x6f4)
[ffmpeg] ?: Truncating packet of size 126 to 3
[ffmpeg/demuxer] matroska,webm: Could not find codec parameters for stream 0 (Video: h264 (h264 / 0x34363268), none, 720x432): unspecified pixel format
[ffmpeg/demuxer] Consider increasing the value for the 'analyzeduration' and 'probesize' options
[stream] Video (+) --vid=1 (*) (h264)
[stream] Subs  (+) --sid=1 --slang=eng (*) (dvd_subtitle)
[ffmpeg/video] h264: SEI type 27 size 512 truncated at 111
[ffmpeg/video] h264: non-existing PPS 0 referenced
[ffmpeg/video] h264: decode_slice_header error
[ffmpeg/video] h264: no frame!
Error while decoding frame!
[sub/lavc] Subtitle with unknown start time.
[sub/lavc] Subtitle with unknown start time.
==3618== Invalid write of size 1
==3618==    at 0x4C2F7D5: memset (vg_replace_strmem.c:1094)
==3618==    by 0x9DCB7B: decode_rle (dvdsubdec.c:128)
==3618==    by 0x9DD9FE: decode_dvd_subtitles (dvdsubdec.c:368)
==3618==    by 0x9DE33C: dvdsub_decode (dvdsubdec.c:543)
==3618==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3618==    by 0x4D931F: decode (sd_lavc.c:205)
==3618==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3618==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3618==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3618==    by 0x4A0881: update_subtitle (sub.c:271)
==3618==    by 0x4A0954: update_subtitles (sub.c:287)
==3618==    by 0x49DD41: run_playloop (playloop.c:963)
==3618==  Address 0x11da7f01 is 0 bytes after a block of size 1 alloc'd
==3618==    at 0x4C2B560: memalign (vg_replace_malloc.c:760)
==3618==    by 0x4C2B677: posix_memalign (vg_replace_malloc.c:913)
==3618==    by 0x1304239: av_malloc (mem.c:95)
==3618==    by 0x9DD911: decode_dvd_subtitles (dvdsubdec.c:360)
==3618==    by 0x9DE33C: dvdsub_decode (dvdsubdec.c:543)
==3618==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3618==    by 0x4D931F: decode (sd_lavc.c:205)
==3618==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3618==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3618==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3618==    by 0x4A0881: update_subtitle (sub.c:271)
==3618==    by 0x4A0954: update_subtitles (sub.c:287)
==3618== 
[ffmpeg] ?: Invalid command offset


Exiting... (Errors when loading file)
==3618== 
==3618== HEAP SUMMARY:
==3618==     in use at exit: 222 bytes in 7 blocks
==3618==   total heap usage: 17,554 allocs, 17,547 frees, 21,784,228 bytes allocated
==3618== 
==3618== LEAK SUMMARY:
==3618==    definitely lost: 0 bytes in 0 blocks
==3618==    indirectly lost: 0 bytes in 0 blocks
==3618==      possibly lost: 0 bytes in 0 blocks
==3618==    still reachable: 222 bytes in 7 blocks
==3618==         suppressed: 0 bytes in 0 blocks
==3618== Rerun with --leak-check=full to see details of leaked memory
==3618== 
==3618== For counts of detected and suppressed errors, rerun with: -v
==3618== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Here is another file that never segfaults for me, but valgrind prints an error:
https://www.dropbox.com/s/a9sapat1qjrdc2z/vobsub_crash_invalid_read.mkv

$ valgrind --tool=memcheck ~/repository/mpv-build_vanilla_debug/mpv/build/mpv  --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null vobsub_crash_invalid_read.mkv 
==3736== Memcheck, a memory error detector
==3736== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3736== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==3736== Command: /home/cocobo/repository/mpv-build_vanilla_debug/mpv/build/mpv --cache=no --no-config --untimed --no-audio --demuxer-thread=no --vd-lavc-threads=1 --ad-lavc-threads=1 --no-input-terminal --vo null vobsub_crash_invalid_read.mkv
==3736== 
==3736== Warning: invalid file descriptor -1 in syscall close()
==3736== Warning: invalid file descriptor -1 in syscall close()
Playing: vobsub_crash_invalid_read.mkv
[ffmpeg/demuxer] matroska,webm: Unknown EBML doctype 'matro@ka'
[ffmpeg] ?: Truncating packet of size 106212971 to 3592
[ffmpeg] ?: Truncating packet of size 13164 to 3226                                                    
[ffmpeg/video] h264: SEI type 5 size 4624 truncated at 4288                                            
[ffmpeg/video] h264: missing picture in access unit with size 789                                      
[ffmpeg/video] h264: SEI type 5 size 4624 truncated at 4039                                            
[ffmpeg/video] h264: no frame!                                                                         
[ffmpeg/demuxer] matroska,webm: Invalid EBML number size tag 0x08 at pos 1156 (0x484)                  
[ffmpeg] ?: Truncating packet of size 1513044 to 2574                                                  
[ffmpeg] ?: Truncating packet of size 8081 to 2570                                                     
[ffmpeg] ?: Truncating packet of size 256095861 to 2317                                                
[ffmpeg] ?: Truncating packet of size 202324 to 2073                                                   
[ffmpeg] ?: Truncating packet of size 8081 to 2069                                                     
[ffmpeg] ?: Truncating packet of size 8092 to 2061                                                     
[ffmpeg/demuxer] matroska,webm: Read error at pos. 1685 (0x695)                                        
[ffmpeg] ?: Truncating packet of size 256095861 to 1805                                                
[ffmpeg] ?: Truncating packet of size 256095861 to 1560                                                
[ffmpeg] ?: Truncating packet of size 9277 to 1317                                                     
[ffmpeg] ?: Truncating packet of size 8092 to 1310                                                     
[ffmpeg/demuxer] matroska,webm: Read error at pos. 2442 (0x98a)                                        
[ffmpeg] ?: Truncating packet of size 8081 to 1290                                                     
[ffmpeg] ?: Truncating packet of size 8092 to 1282                                                     
[ffmpeg/demuxer] matroska,webm: Read error at pos. 2470 (0x9a6)                                        
[ffmpeg/demuxer] matroska,webm: Read error at pos. 2717 (0xa9d)                                        
[ffmpeg] ?: Truncating packet of size 8081 to 1015                                                     
[ffmpeg] ?: Truncating packet of size 8092 to 1007                                                     
[ffmpeg/demuxer] matroska,webm: Read error at pos. 2745 (0xab9)                                        
[ffmpeg] ?: Truncating packet of size 256095861 to 743                                                 
[ffmpeg] ?: Truncating packet of size 8563 to 499                                                      
[ffmpeg] ?: Truncating packet of size 11776 to 248                                                     
[ffmpeg/demuxer] matroska,webm: Read error at pos. 3739 (0xe9b)                                        
[ffmpeg/demuxer] matroska,webm: Could not find codec parameters for stream 0 (Video: h264 (h264 / 0x34363268), none, 720x432): unspecified pixel format                                                       
[ffmpeg/demuxer] Consider increasing the value for the 'analyzeduration' and 'probesize' options       
[stream] Video (+) --vid=1 (*) (h264)
[stream] Subs  (+) --sid=1 --slang=eng (*) (dvd_subtitle)
[ffmpeg/video] h264: SEI type 5 size 4624 truncated at 4039
[ffmpeg/video] h264: no frame!                                                                         
Error while decoding frame!
[sub/lavc] Subtitle with unknown start time.                                                           
[sub/lavc] Subtitle with unknown start time.                                                           
==3736== Invalid read of size 2
==3736==    at 0x4C2DC40: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==3736==    by 0x9DE266: append_to_cached_buf (dvdsubdec.c:518)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736==    by 0x492537: play_current_file (loadfile.c:1182)
==3736==  Address 0x11b18860 is 0 bytes inside a block of size 452 free'd
==3736==    at 0x4C2B2DE: realloc (vg_replace_malloc.c:692)
==3736==    by 0x13042BA: av_realloc (mem.c:166)
==3736==    by 0x9DE215: append_to_cached_buf (dvdsubdec.c:515)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736== 
==3736== Invalid read of size 2
==3736==    at 0x4C2DC4F: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==3736==    by 0x9DE266: append_to_cached_buf (dvdsubdec.c:518)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736==    by 0x492537: play_current_file (loadfile.c:1182)
==3736==  Address 0x11b18864 is 4 bytes inside a block of size 452 free'd
==3736==    at 0x4C2B2DE: realloc (vg_replace_malloc.c:692)
==3736==    by 0x13042BA: av_realloc (mem.c:166)
==3736==    by 0x9DE215: append_to_cached_buf (dvdsubdec.c:515)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736== 
[sub/lavc] Subtitle with unknown start time.
[sub/lavc] Subtitle with unknown start time.                                                           
[sub/lavc] Subtitle with unknown start time.                                                           
==3736== Invalid read of size 1
==3736==    at 0x4C2DDB0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==3736==    by 0x9DE266: append_to_cached_buf (dvdsubdec.c:518)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736==    by 0x492537: play_current_file (loadfile.c:1182)
==3736==  Address 0x11b1b9c0 is 0 bytes inside a block of size 5,199 free'd
==3736==    at 0x4C2B2DE: realloc (vg_replace_malloc.c:692)
==3736==    by 0x13042BA: av_realloc (mem.c:166)
==3736==    by 0x9DE215: append_to_cached_buf (dvdsubdec.c:515)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736== 
==3736== Invalid read of size 1
==3736==    at 0x4C2DDBE: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==3736==    by 0x9DE266: append_to_cached_buf (dvdsubdec.c:518)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736==    by 0x492537: play_current_file (loadfile.c:1182)
==3736==  Address 0x11b1b9c2 is 2 bytes inside a block of size 5,199 free'd
==3736==    at 0x4C2B2DE: realloc (vg_replace_malloc.c:692)
==3736==    by 0x13042BA: av_realloc (mem.c:166)
==3736==    by 0x9DE215: append_to_cached_buf (dvdsubdec.c:515)
==3736==    by 0x9DE365: dvdsub_decode (dvdsubdec.c:546)
==3736==    by 0xE8932C: avcodec_decode_subtitle2 (utils.c:2751)
==3736==    by 0x4D931F: decode (sd_lavc.c:205)
==3736==    by 0x4CE85B: decode_chain (dec_sub.c:255)
==3736==    by 0x4CEA3A: decode_chain_recode (dec_sub.c:294)
==3736==    by 0x4CEA89: sub_decode (dec_sub.c:302)
==3736==    by 0x4A0881: update_subtitle (sub.c:271)
==3736==    by 0x4A0954: update_subtitles (sub.c:287)
==3736==    by 0x49DD41: run_playloop (playloop.c:963)
==3736== 
[sub/lavc] Subtitle with unknown start time.
[sub/lavc] Subtitle with unknown start time.
[sub/lavc] Subtitle with unknown start time.
[ffmpeg] dvdsub: Attempt to reconstruct too large SPU packets aborted.
[sub/lavc] Subtitle with unknown start time.
[sub/lavc] Subtitle with unknown start time.


Exiting... (Errors when loading file)
==3736== 
==3736== HEAP SUMMARY:
==3736==     in use at exit: 222 bytes in 7 blocks
==3736==   total heap usage: 17,675 allocs, 17,668 frees, 21,961,337 bytes allocated
==3736== 
==3736== LEAK SUMMARY:
==3736==    definitely lost: 0 bytes in 0 blocks
==3736==    indirectly lost: 0 bytes in 0 blocks
==3736==      possibly lost: 0 bytes in 0 blocks
==3736==    still reachable: 222 bytes in 7 blocks
==3736==         suppressed: 0 bytes in 0 blocks
==3736== Rerun with --leak-check=full to see details of leaked memory
==3736== 
==3736== For counts of detected and suppressed errors, rerun with: -v
==3736== ERROR SUMMARY: 28596 errors from 4 contexts (suppressed: 0 from 0)
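The four valgrind reports above share one shape: the memcpy at dvdsubdec.c:518 in append_to_cached_buf reads from a block (452 bytes in the first two reports, 5,199 in the last two) that the av_realloc at line 515 of the same function had already released, i.e. the copy source was a pointer into the old cache buffer. The following is an added example, not ffmpeg's code: a small packet cache with an append of that unsafe shape next to one that notices when its source lies inside its own buffer and re-derives the pointer after realloc, plus the size cap that the "too large SPU packets" message implies. The 452-byte fragment and the 0xFFFF cap are taken from the log; the names and the assumption that the stale source aliases the cache are this example's own.

```c
/* Added example, not ffmpeg's code: a growable packet cache showing the
 * failure shape in the valgrind logs (a copy whose source lies inside the
 * block realloc just released) and an append that survives that aliasing. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_MAX 0xFFFFu   /* assumed cap on a reassembled packet */

typedef struct { uint8_t *buf; size_t size; } pkt_cache;

/* Unsafe shape, kept for contrast and never called with an aliasing source
 * in this file: when src points into c->buf, realloc may move the block and
 * free the old one, so memcpy then reads freed memory. AddressSanitizer's
 * allocator never grows in place, so it reports heap-use-after-free here. */
int cache_append_unsafe(pkt_cache *c, const uint8_t *src, size_t n)
{
    uint8_t *nb = realloc(c->buf, c->size + n);
    if (!nb) return -1;
    c->buf = nb;
    memcpy(c->buf + c->size, src, n);   /* src dangles if it aliased c->buf */
    c->size += n;
    return 0;
}

/* Hardened append: caps the total before allocating (overflow-safe), detects
 * a source inside the cache and re-derives it by offset after realloc, and
 * leaves the cache consistent when realloc fails. Returns 0 or -1. */
int cache_append(pkt_cache *c, const uint8_t *src, size_t n)
{
    size_t src_off = SIZE_MAX;                  /* offset of src in c->buf, if any */
    uintptr_t s = (uintptr_t)src, b = (uintptr_t)c->buf;

    if (n == 0) return 0;
    if (n > CACHE_MAX - c->size) {              /* cap, without size + n overflow */
        free(c->buf);
        c->buf = NULL;
        c->size = 0;
        return -1;
    }
    if (c->buf && s >= b && s < b + c->size) {
        if (n > c->size - (s - b)) return -1;   /* source runs past the cache */
        src_off = s - b;
    }
    uint8_t *nb = realloc(c->buf, c->size + n);
    if (!nb) return -1;                         /* c->buf is still valid */
    c->buf = nb;
    if (src_off != SIZE_MAX) src = c->buf + src_off;   /* re-point into the new block */
    memmove(c->buf + c->size, src, n);
    c->size += n;
    return 0;
}

/* Constructed scenario with the size from the log: cache a 452-byte first
 * fragment, then 64 times append the cache's own last 100 bytes, which is
 * the aliasing case. Returns the final size when every appended byte is
 * correct, else -1. */
long aliased_append_demo(void)
{
    pkt_cache c = { 0, 0 };
    uint8_t first[452];
    for (size_t i = 0; i < sizeof first; i++)
        first[i] = (uint8_t)(i * 7);
    if (cache_append(&c, first, sizeof first) != 0) return -1;
    for (int k = 0; k < 64; k++)
        if (cache_append(&c, c.buf + c.size - 100, 100) != 0) {
            free(c.buf);
            return -1;
        }
    int ok = c.size == (size_t)(452 + 64 * 100);
    for (size_t i = 0; ok && i < 64 * 100; i++)   /* every chunk repeats the tail */
        ok = c.buf[452 + i] == first[352 + i % 100];
    long r = ok ? (long)c.size : -1;
    free(c.buf);
    return r;
}

/* The cap must reject growth past CACHE_MAX and leave an empty cache. */
int cap_is_enforced(void)
{
    pkt_cache c = { 0, 0 };
    uint8_t chunk[4096] = { 0 };
    size_t total = 0;
    while (cache_append(&c, chunk, sizeof chunk) == 0)
        total += sizeof chunk;
    return total <= CACHE_MAX && c.buf == NULL && c.size == 0;
}
```

To see the read the log shows, build with -fsanitize=address and swap cache_append for cache_append_unsafe inside aliased_append_demo: the sanitizer's realloc always hands back a new block, so the stale source is caught on the first aliased call, whereas a plain libc realloc may grow the block in place and hide the bug on most runs, which is the behaviour a "does not segfault in gdb but valgrind complains" report is consistent with.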
wm4 (Member) commented Jan 7, 2015

Patches posted (but not merged yet).

Thanks, and feel invited to open new issues if you find more (or to ping me on IRC about ffmpeg-only issues).
