Crash in libavformat/mux.c when processing a corrupted input stream

[Jarda Snajdr]

Summary of the bug:
libavformat/mux.c:compute_pkt_fields2 crashes when trying to set st->priv_pts->val. priv_pts is a NULL pointer.

How to reproduce:

1. Download this mpg file: ​https://www.dropbox.com/s/k6n6yi6f9ngrgxi/stream.mpg?dl=0
2. Try to convert it into a HLS playlist+chunks:

   % ffmpeg -i stream.mpg -c copy plist.m3u8
   

The stream.mpg file is an output of mumudvb trying to stream a DVB-T broadcast when the signal strength is poor - the streams are likely seriously corrupted.

Actual result:
ffmpeg crashes. This is the LLDB output:

* thread #1: tid = 0x5d484, 0x000000010017d47f ffmpeg_g`compute_pkt_fields2(s=<unavailable>, st=0x0000000101d11b00, pkt=0x00007fff5fbfaae0) + 1535 at mux.c:560, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000010017d47f ffmpeg_g`compute_pkt_fields2(s=<unavailable>, st=0x0000000101d11b00, pkt=0x00007fff5fbfaae0) + 1535 at mux.c:560
   557 	            av_ts2str(pkt->pts), av_ts2str(pkt->dts));
   558 	
   559 	    st->cur_dts = pkt->dts;
-> 560 	    st->priv_pts->val = pkt->dts;
   561 	
   562 	    /* update pts */
   563 	    switch (st->codec->codec_type) {

The st->priv_pts field is NULL. It's initialized in avformat_write_header, which probably was never called for the affected stream.

Possible fix - wrap all st->priv_pts access with a null check?

[Carl Eugen Hoyos]

For future tickets: Please remember to always post all requested information that includes the console output, disassembly and register content.

The crash is a regression since b84232694ef0c6897e82b52326c9ea4027c69ec4

(gdb) r -i stream.mpg -c copy out.m3u8
Starting program: ffmpeg_g -i stream.mpg -c copy out.m3u8
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
ffmpeg version N-76179-g00efaa7 Copyright (c) 2000-2015 the FFmpeg developers
  built with gcc 4.7 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      55.  4.100 / 55.  4.100
  libavcodec     57.  8.100 / 57.  8.100
  libavformat    57. 10.101 / 57. 10.101
  libavdevice    57.  0.100 / 57.  0.100
  libavfilter     6. 12.100 /  6. 12.100
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.100 /  2.  0.100
  libpostproc    54.  0.100 / 54.  0.100
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 4 times
[mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 5 with DTS 2930794871, packet 6 with DTS 4731435029
[mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
[mpegts @ 0x1cb93c0] PES packet size mismatch
[mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
    Last message repeated 1 times
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 2 times
[mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 1 times
[mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
    Last message repeated 1 times
[mpegts @ 0x1cb93c0] PES packet size mismatch
[mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
[mpegts @ 0x1cb93c0] PES packet size mismatch
[mpeg2video @ 0x1cbd8c0] Invalid frame dimensions 0x0.
    Last message repeated 1 times
[mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 12 with DTS 2930830871, packet 13 with DTS 7303702227
[mpeg2video @ 0x1cbd8c0] ac-tex damaged at 18 0
[mpeg2video @ 0x1cbd8c0] slice below image (88 >= 36)
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 7 times
[mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 17 with DTS 2930854052, packet 18 with DTS 10916851472
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 2 times
[mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 21 with DTS 2930881271, packet 22 with DTS 7081162585
[mpegts @ 0x1cb93c0] PES packet size mismatch
[mpegts @ 0x1cb93c0] DTS 2930920319 < 2930925911 out of order
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 2 times
[mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 27 with DTS 2930913671, packet 28 with DTS 9744219690
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 11 times
[mpegts @ 0x1cb93c0] DTS discontinuity in stream 4: packet 36 with DTS 2930960471, packet 37 with DTS 8428438919
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 13 times
[mpegts @ 0x1cb93c0] Could not find codec parameters for stream 3 (Unknown: none ([5][0][0][0] / 0x0005)): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[mpegts @ 0x1cb93c0] Could not find codec parameters for stream 5 (Unknown: none ([11][0][0][0] / 0x000B)): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
Input #0, mpegts, from 'stream.mpg':
  Duration: 00:00:07.26, start: 32564.147456, bitrate: 2519 kb/s
  Program 257
    Metadata:
      service_name    : CT 1
      service_provider: Ceska televize
    Stream #0:0[0x101]: Video: mpeg2video (Main) ([2][0][0][0] / 0x0002), yuv420p(tv), 720x576 [SAR 64:45 DAR 16:9], max. 15000 kb/s, 25.83 fps, 25 tbr, 90k tbn, 50 tbc
    Stream #0:1[0x111](cze): Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz, stereo, s16p, 192 kb/s
    Stream #0:2[0x113](cze): Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz, mono, s16p, 64 kb/s (visual impaired)
    Stream #0:3[0x370]: Unknown: none ([5][0][0][0] / 0x0005)
    Stream #0:4[0x121](cze): Subtitle: dvb_teletext ([6][0][0][0] / 0x0006)
    Stream #0:5[0x161]: Unknown: none ([11][0][0][0] / 0x000B)
[webvtt @ 0x1cf1a20] Exactly one WebVTT stream is needed.
Output #0, hls, to 'out.m3u8':
  Metadata:
    encoder         : Lavf57.10.101
    Stream #0:0: Video: mpeg2video ([2][0][0][0] / 0x0002), yuv420p, 720x576 [SAR 64:45 DAR 16:9], q=2-31, max. 15000 kb/s, 25.83 fps, 25 tbr, 90k tbn, 25 tbc
    Stream #0:1(cze): Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz, stereo, 192 kb/s
    Stream #0:2(cze): Subtitle: dvb_teletext ([6][0][0][0] / 0x0006)
Stream mapping:
  Stream #0:0 -> #0:0 (copy)
  Stream #0:1 -> #0:1 (copy)
  Stream #0:4 -> #0:2 (copy)
Press [q] to stop, [?] for help
[mpegts @ 0x1cb93c0] PES packet size mismatch
    Last message repeated 3 times
Program received signal SIGSEGV, Segmentation fault.
compute_pkt_fields2 (s=s@entry=0x1cf1a20, st=0x1cf3140, pkt=pkt@entry=0x7fffffffd260)
    at libavformat/mux.c:560
560         st->priv_pts->val = pkt->dts;
(gdb) bt
#0  compute_pkt_fields2 (s=s@entry=0x1cf1a20, st=0x1cf3140, pkt=pkt@entry=0x7fffffffd260)
    at libavformat/mux.c:560
#1  0x000000000061bc38 in av_write_frame (s=s@entry=0x1cf1a20,
    pkt=pkt@entry=0x7fffffffd260) at libavformat/mux.c:716
#2  0x000000000061cab4 in ff_write_chained (dst=0x1cf1a20, dst_stream=0,
    pkt=0x7fffffffd3d0, src=0x1cfb040, interleave=0) at libavformat/mux.c:1063
#3  0x000000000061a49d in write_packet (s=s@entry=0x1cfb040, pkt=pkt@entry=0x7fffffffd3d0)
    at libavformat/mux.c:660
#4  0x000000000061c5be in av_interleaved_write_frame (s=s@entry=0x1cfb040, pkt=0x0,
    pkt@entry=0x7fffffffd610) at libavformat/mux.c:970
#5  0x000000000048feba in write_frame (s=0x1cfb040, pkt=pkt@entry=0x7fffffffd610,
    ost=ost@entry=0x1cf0700) at ffmpeg.c:774
#6  0x0000000000493e76 in do_streamcopy (ist=ist@entry=0x1d304a0, ost=0x1cf0700,
    pkt=pkt@entry=0x7fffffffda80) at ffmpeg.c:1905
#7  0x00000000004966b3 in process_input_packet (no_eof=0, pkt=0x7fffffffda80,
    ist=0x1d304a0) at ffmpeg.c:2427
#8  process_input (file_index=1800661758) at ffmpeg.c:3941
#9  transcode_step () at ffmpeg.c:4029
#10 transcode () at ffmpeg.c:4082
#11 0x000000000047885b in main (argc=<optimized out>, argv=0x7fffffffdd28)
    at ffmpeg.c:4269
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x61a6b0 to 0x61a6f0:
   0x000000000061a6b0 <compute_pkt_fields2+256>:        rolb   (%rax,%rax,1)
   0x000000000061a6b3 <compute_pkt_fields2+259>:        add    %al,(%rcx)
   0x000000000061a6b5 <compute_pkt_fields2+261>:        jne    0x61abd8 <compute_pkt_fields2+1576>
   0x000000000061a6bb <compute_pkt_fields2+267>:        mov    0x8(%rbx),%rdi
   0x000000000061a6bf <compute_pkt_fields2+271>:        mov    0x300(%rbx),%rsi
   0x000000000061a6c6 <compute_pkt_fields2+278>:        mov    %rcx,0xf0(%rbx)
   0x000000000061a6cd <compute_pkt_fields2+285>:        mov    0xc(%rdi),%eax
=> 0x000000000061a6d0 <compute_pkt_fields2+288>:        mov    %rcx,(%rsi)
   0x000000000061a6d3 <compute_pkt_fields2+291>:        test   %eax,%eax
   0x000000000061a6d5 <compute_pkt_fields2+293>:        jne    0x61a718 <compute_pkt_fields2+360>
   0x000000000061a6d7 <compute_pkt_fields2+295>:        movslq 0x8c(%rdi),%rdx
   0x000000000061a6de <compute_pkt_fields2+302>:        movslq 0x34(%rbx),%rax
   0x000000000061a6e2 <compute_pkt_fields2+306>:        mov    0x10(%rsi),%rdi
   0x000000000061a6e6 <compute_pkt_fields2+310>:        imul   %rdx,%rax
   0x000000000061a6ea <compute_pkt_fields2+314>:        add    0x8(%rsi),%rax
   0x000000000061a6ee <compute_pkt_fields2+318>:        js     0x61ad60 <compute_pkt_fields2+1968>
End of assembler dump.
(gdb) info register
rax            0x3      3
rbx            0x1cf3140        30355776
rcx            0x0      0
rdx            0x0      0
rsi            0x0      0
rdi            0x1cf3540        30356800
rbp            0x7fffffffd260   0x7fffffffd260
rsp            0x7fffffffd090   0x7fffffffd090
r8             0x0      0
r9             0x7fffffffd260   140737488343648
r10            0x0      0
r11            0xafc8   45000
r12            0x8000000000000000       -9223372036854775808
r13            0x1cfb040        30388288
r14            0x1cf1a20        30349856
r15            0x1ceff20        30342944
rip            0x61a6d0 0x61a6d0 <compute_pkt_fields2+288>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

[Carl Eugen Hoyos]

The crash was fixed by Michael in c62d1780fff8a1997dd1707bbc557efc8fe41e3c - see ticket #5067