Bug#831591: ffmpeg: kodi crash

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Thu Oct 13 23:27:47 UTC 2016


Control: reopen -1
Control: reassign -1 kodi 16.1+dfsg1-2
Control: severity -1 important

Hi,

The relevant backtrace from the kodi_crashlog is:

Thread 1 (Thread 0x7f1b6bffe700 (LWP 16893)):
#0  0x00007f1ba92991c8 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f1ba929a64a in __GI_abort () at abort.c:89
#2  0x00007f1ba92d4f4a in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7f1ba93cdb30 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f1ba92da6b6 in malloc_printerr (action=3, str=0x7f1ba93ca909 "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5004
#4  0x00007f1ba92dae9e in _int_free (av=0x7f1ba9601b20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007f1baa6d4a9d in av_buffer_unref () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
#6  0x00007f1baa6e15d2 in av_frame_unref () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
#7  0x00007f1bab93cf10 in avcodec_decode_video2 () from /usr/lib/x86_64-linux-gnu/libavcodec.so.57
#8  0x000000000090b26c in CDVDDemuxFFmpeg::ParsePacket(AVPacket*) ()
#9  0x000000000090d0c2 in CDVDDemuxFFmpeg::Read() ()
#10 0x0000000001079b53 in CDVDPlayer::ReadPacket(DemuxPacket*&, CDemuxStream*&) ()
#11 0x000000000107ecd7 in CDVDPlayer::Process() ()
#12 0x00000000012103ff in CThread::Action() ()
#13 0x00000000012106bf in CThread::staticThread(void*) ()
#14 0x00007f1bb23e5464 in start_thread (arg=0x7f1b6bffe700) at pthread_create.c:333
#15 0x00007f1ba934d30d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Looking at the ParsePacket function reveals [1]:
    AVFrame picture;
    memset(&picture, 0, sizeof(AVFrame));
    picture.pts = picture.pkt_dts = picture.pkt_pts = picture.best_effort_timestamp = AV_NOPTS_VALUE;
    picture.pkt_pos = -1;
    picture.key_frame = 1;
    picture.format = -1;

This is using non-public ABI, e.g. the size of AVFrame, while the documentation
explicitly says "sizeof(AVFrame) is not a part of the public ABI" [2].
What's worse is that it doesn't use av_frame_alloc as required [3]:
"AVFrame must be allocated using av_frame_alloc()."

The whole block quoted above should be replaced with:
    AVFrame *picture = av_frame_alloc();

Then the following code should use picture instead of &picture:
    avcodec_decode_video2(st->codec, picture, &got_picture, pkt);

And at the end it can be freed (instead of using av_frame_unref) with:
    av_frame_free(&picture);

In the experimental kodi branch there is another occurrence of this bug
in xbmc/cores/VideoPlayer/VideoRenderers/HwDecRender/MMALRenderer.cpp.

Best regards,
Andreas


1: https://anonscm.debian.org/cgit/pkg-multimedia/kodi.git/tree/xbmc/cores/dvdplayer/DVDDemuxers/DVDDemuxFFmpeg.cpp?id=8d5cf423001aa4e7f850c20b158b2811e637e607#n1665
2: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/tree/libavutil/frame.h?id=87b93f4e3ee2b6253ab9f5a166860a1ff18877d5#n174
3: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/tree/libavutil/frame.h?id=87b93f4e3ee2b6253ab9f5a166860a1ff18877d5#n154
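Added example, not code from the bug report, kodi or FFmpeg: a toy "libframe" in C that models why a stack-allocated, memset'd frame crashes inside the library's unref path. The application's view of the struct (frame_app, an older header) is shorter than the library's real layout (frame_lib), so the library's unref walks buffer pointers that lie past the end of the application's stack object and ends up handing garbage to free(). The names frame_alloc/frame_unref/frame_free/frame_attach are hypothetical stand-ins for av_frame_alloc/av_frame_unref/av_frame_free; allocating through the library, as the report recommends, sidesteps sizeof entirely.

```c
#include <stddef.h>
#include <stdlib.h>

/* Reference-counted buffer, loosely modelled on AVBufferRef (constructed). */
typedef struct { int refcount; size_t size; unsigned char *data; } ref_buffer;

/* Layout the application was compiled against (older public header). */
typedef struct { int width, height, format; long long pts; } frame_app;

/* Layout inside the installed library: same prefix, plus owned buffers
   that the application never sees. sizeof(frame_lib) is not public ABI. */
typedef struct {
    int width, height, format; long long pts;
    ref_buffer *buf[4];          /* released by frame_unref */
} frame_lib;

/* Hypothetical library API; only the library knows the struct size. */
frame_lib *frame_alloc(void) { return calloc(1, sizeof(frame_lib)); }

void frame_unref(frame_lib *f) {
    for (int i = 0; i < 4; i++) {
        /* On a too-small stack object, f->buf[i] is whatever bytes happen
           to follow it on the stack: this is the "free(): invalid pointer". */
        if (f->buf[i] && --f->buf[i]->refcount == 0) {
            free(f->buf[i]->data);
            free(f->buf[i]);
        }
        f->buf[i] = NULL;
    }
}

void frame_free(frame_lib **f) {
    if (*f) { frame_unref(*f); free(*f); *f = NULL; }
}

/* Attach an owned buffer, as a decoder does. Returns 0 on success. */
int frame_attach(frame_lib *f, size_t n) {
    ref_buffer *b = calloc(1, sizeof *b);
    if (!b || !(b->data = malloc(n))) { free(b); return -1; }
    b->refcount = 1; b->size = n; f->buf[0] = b; return 0;
}

/* Would the library's unref read bytes outside the app's stack object? */
int stack_frame_overruns(void) {
    return offsetof(frame_lib, buf) + sizeof(((frame_lib *)0)->buf)
           > sizeof(frame_app);
}

/* The correct pattern: alloc through the library, attach, free through it. */
int alloc_attach_free_ok(void) {
    frame_lib *f = frame_alloc();
    if (!f || frame_attach(f, 64) != 0) { frame_free(&f); return 0; }
    frame_free(&f);
    return f == NULL;
}
```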


