Bug#831591: ffmpeg: kodi crash

Balint Reczey balint at balintreczey.hu
Thu Nov 3 11:54:36 UTC 2016


Control: forwarded -1 https://github.com/xbmc/xbmc/pull/10846
Control: tags -1 upstream


Hi Andreas,

On Fri, 14 Oct 2016 01:27:47 +0200 Andreas Cadhalpun
<andreas.cadhalpun at googlemail.com> wrote:
...

> 
> Hi,
> 
> The relevant backtrace from the kodi_crashlog is:
> 
> Thread 1 (Thread 0x7f1b6bffe700 (LWP 16893)):
> #0  0x00007f1ba92991c8 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
> #1  0x00007f1ba929a64a in __GI_abort () at abort.c:89
> #2  0x00007f1ba92d4f4a in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7f1ba93cdb30 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
> #3  0x00007f1ba92da6b6 in malloc_printerr (action=3, str=0x7f1ba93ca909 "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5004
> #4  0x00007f1ba92dae9e in _int_free (av=0x7f1ba9601b20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3865
> #5  0x00007f1baa6d4a9d in av_buffer_unref () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
> #6  0x00007f1baa6e15d2 in av_frame_unref () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
> #7  0x00007f1bab93cf10 in avcodec_decode_video2 () from /usr/lib/x86_64-linux-gnu/libavcodec.so.57
> #8  0x000000000090b26c in CDVDDemuxFFmpeg::ParsePacket(AVPacket*) ()
> #9  0x000000000090d0c2 in CDVDDemuxFFmpeg::Read() ()
> #10 0x0000000001079b53 in CDVDPlayer::ReadPacket(DemuxPacket*&, CDemuxStream*&) ()
> #11 0x000000000107ecd7 in CDVDPlayer::Process() ()
> #12 0x00000000012103ff in CThread::Action() ()
> #13 0x00000000012106bf in CThread::staticThread(void*) ()
> #14 0x00007f1bb23e5464 in start_thread (arg=0x7f1b6bffe700) at pthread_create.c:333
> #15 0x00007f1ba934d30d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
> 
> Looking at the ParsePacket function reveals [1]:
>     AVFrame picture;
>     memset(&picture, 0, sizeof(AVFrame));
>     picture.pts = picture.pkt_dts = picture.pkt_pts = picture.best_effort_timestamp = AV_NOPTS_VALUE;
>     picture.pkt_pos = -1;
>     picture.key_frame = 1;
>     picture.format = -1;
> 
> This is using non-public ABI, e.g. the size of AVFrame, while the documentation
> explicitly says "sizeof(AVFrame) is not a part of the public ABI" [2].
> What's worse is that it doesn't use av_frame_alloc as required [3]:
> "AVFrame must be allocated using av_frame_alloc()."
> 
> The whole block quoted above should be replaced with:
>     AVFrame *picture = av_frame_alloc();
> 
> Then the following code should use picture instead of &picture:
>     avcodec_decode_video2(st->codec, picture, &got_picture, pkt);
> 
> And at the end it can be freed (instead of using av_frame_unref) with:
>     av_frame_free(&picture);
> 
> In the experimental kodi branch there is another occurrence of this bug
> in xbmc/cores/VideoPlayer/VideoRenderers/HwDecRender/MMALRenderer.cpp.

Thank you for the triaging and extensive description of the problem.
I have now forwarded the patch to upstream under your name since I did
not really add anything to the patch.

> 
> Best regards,
> Andreas
> 
> 
> 1: https://anonscm.debian.org/cgit/pkg-multimedia/kodi.git/tree/xbmc/cores/dvdplayer/DVDDemuxers/DVDDemuxFFmpeg.cpp?id=8d5cf423001aa4e7f850c20b158b2811e637e607#n1665
> 2: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/tree/libavutil/frame.h?id=87b93f4e3ee2b6253ab9f5a166860a1ff18877d5#n174
> 3: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/tree/libavutil/frame.h?id=87b93f4e3ee2b6253ab9f5a166860a1ff18877d5#n154
> 
> 
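The failure mode Andreas describes, modelled as an added, self-contained C example (not Kodi's or FFmpeg's code): an application compiled against an older header zeroes a stack object of its own `sizeof`, but the installed library's struct has grown a private tail, so the library reads uninitialised fields when it releases the frame. The `lib_` names and the two struct layouts are hypothetical stand-ins for `AVFrame` and the libavutil allocation functions; the fix pattern at the end mirrors the one proposed above.

```c
/* Added model of the AVFrame ABI hazard; "lib_" names are hypothetical. */
#include <stdlib.h>
#include <string.h>

/* Frame layout the application was compiled against (older header). */
struct app_frame { void *data; int width; int height; };

/* Layout the installed library really uses: a private tail was added later.
 * As with AVFrame, sizeof() of this struct is not part of the public ABI. */
struct lib_frame {
    void *data; int width; int height;   /* public prefix, same as app_frame */
    void *private_buf;                   /* added in a newer library version */
    int   has_private_buf;
};

size_t lib_frame_size(void) { return sizeof(struct lib_frame); }

/* Correct constructor: only the library knows the full, zeroed size. */
struct lib_frame *lib_frame_alloc(void) { return calloc(1, sizeof(struct lib_frame)); }

/* "Decode": the library fills public fields and its private tail. */
int lib_decode(struct lib_frame *f) {
    f->width = 640; f->height = 480;
    f->data = malloc((size_t)f->width * (size_t)f->height);
    f->private_buf = malloc(64);
    f->has_private_buf = 1;
    return (f->data && f->private_buf) ? 0 : -1;
}

/* Release what the frame references. With an app-side stack object the tail
 * holds stack garbage, and free() on it is the "free(): invalid pointer" abort. */
void lib_frame_unref(struct lib_frame *f) {
    free(f->data);
    if (f->has_private_buf) free(f->private_buf);
    memset(f, 0, sizeof(*f));
}

void lib_frame_free(struct lib_frame **f) { lib_frame_unref(*f); free(*f); *f = NULL; }

/* True when memset(&stack_obj, 0, sizeof(app_frame)) would leave part of the
 * library's struct uninitialised, i.e. when the stack pattern is unsafe. */
int stack_frame_is_unsafe(void) { return sizeof(struct app_frame) < lib_frame_size(); }

/* The fixed pattern: allocate via the library, decode, unref, free on every path.
 * Returns 1 when each step left the frame in the expected state. */
int lifecycle_ok(void) {
    struct lib_frame *f = lib_frame_alloc();
    if (!f || lib_decode(f) != 0 || !f->has_private_buf) return 0;
    lib_frame_unref(f);
    if (f->data || f->private_buf || f->has_private_buf) return 0;
    lib_frame_free(&f);
    return f == NULL;   /* no stack object was ever handed to the library */
}
```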


