[Bug 683517] New: Crash in bmp_decode_frame() when decoding unusual bmp file

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Thu Sep 6 10:08:53 PDT 2012


https://bugzilla.gnome.org/show_bug.cgi?id=683517
  GStreamer | gst-ffmpeg | git

           Summary: Crash in bmp_decode_frame() when decoding unusual bmp
                    file
    Classification: Platform
           Product: GStreamer
           Version: git
        OS/Version: All
            Status: UNCONFIRMED
          Severity: critical
          Priority: Normal
         Component: gst-ffmpeg
        AssignedTo: gstreamer-bugs at lists.freedesktop.org
        ReportedBy: lrn1986 at gmail.com
         QAContact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---


Created an attachment (id=223672)
 --> (https://bugzilla.gnome.org/attachment.cgi?id=223672)
Causes the crash.

$ gdb --args gst-discoverer-1.0.exe extractortmp.nlc5JE
GNU gdb (GDB) 7.5
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-mingw32".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /mingw/bin/gst-discoverer-1.0.exe...done.
(gdb) r
Starting program: /mingw/bin/gst-discoverer-1.0.exe extractortmp.nlc5JE
[New Thread 13664.0x179c]
[New Thread 13664.0x1c20]
[New Thread 13664.0x3718]
Analyzing file:///extractortmp.nlc5JE
[New Thread 13664.0x1db8]
[New Thread 13664.0x1930]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 13664.0x1db8]
0x0318ed8c in bmp_decode_frame (avctx=0x2bec6e0, data=0x2bea380,
data_size=0x2fff9ec, avpkt=0x2fff980) at libavcodec/bmp.c:231
231             memset(p->data[1], 0, 1024);
(gdb) p p
$1 = (AVFrame *) 0x2becb00
(gdb) p p->data
$2 = {0x2c020a0 '\200' <repeats 200 times>..., 0x0, 0x0, 0x0}
(gdb) p *p
$3 = {data = {0x2c020a0 '\200' <repeats 200 times>..., 0x0, 0x0, 0x0}, linesize
= {64, 0, 0, 0}, base = {0x2c020a0 '\200' <repeats 200 times>..., 0x0, 0x0,
0x0},
  key_frame = 1, pict_type = AV_PICTURE_TYPE_I, pts = -9223372036854775808,
coded_picture_number = 0, display_picture_number = 0, quality = 0, age = 0,
  reference = 0, qscale_table = 0x0, qstride = 0, mbskip_table = 0x0,
motion_val = {0x0, 0x0}, mb_type = 0x0, motion_subsample_log2 = 0 '\000',
opaque = 0x2bef080,
  error = {0, 0, 0, 0}, type = 1, repeat_pict = 0, qscale_type = 0,
interlaced_frame = 0, top_field_first = 0, pan_scan = 0x0, palette_has_changed
= 0,
  buffer_hints = 0, dct_coeff = 0x0, ref_index = {0x0, 0x0}, reordered_opaque =
0, hwaccel_picture_private = 0x0, pkt_pts = 0, pkt_dts = 0, owner = 0x0,
  thread_opaque = 0x0, nb_samples = 0, extended_data = 0x2becb00,
sample_aspect_ratio = {num = 0, den = 1}, width = 0, height = 0, format = -1}
(gdb) p *p->data[1]
Cannot access memory at address 0x0
(gdb) bt
#0  0x0318ed8c in bmp_decode_frame (avctx=0x2bec6e0, data=0x2bea380,
data_size=0x2fff9ec, avpkt=0x2fff980) at libavcodec/bmp.c:231
#1  0x030c253e in avcodec_decode_video2 (avctx=0x2bec6e0, picture=0x2bea380,
got_picture_ptr=0x2fff9ec, avpkt=0x2fff980) at libavcodec/utils.c:1152
#2  0x030151d7 in _fu237___gst_debug_min () at gstffmpegviddec.c:1077
#3  0x03015d27 in _fu256___gst_debug_min () at gstffmpegviddec.c:1204
#4  0x03016348 in _fu422__GST_CAT_PERFORMANCE () at gstffmpegviddec.c:1320
#5  0x6d40cf17 in _fu96___gst_debug_min () at gstvideodecoder.c:2520
#6  0x6d41200d in _fu146___gst_debug_min () at gstvideodecoder.c:1644
#7  0x6d41386a in _fu162___gst_debug_min () at gstvideodecoder.c:1905
#8  0x61477bfb in gst_pad_chain_data_unchecked (data=0x2b890c8,
type=(GST_PAD_PROBE_TYPE_BUFFER | GST_PAD_PROBE_TYPE_PUSH), pad=0x2b73560) at
gstpad.c:3611
#9  gst_pad_push_data (pad=0x2b73188, type=(GST_PAD_PROBE_TYPE_BUFFER |
GST_PAD_PROBE_TYPE_PUSH), data=0x2b890c8) at gstpad.c:3824
#10 0x6e0aea49 in _fu593___gst_debug_min () at gsttypefindelement.c:1071
#11 0x614a2aba in gst_task_func (task=0x2b75010) at gsttask.c:316
#12 0x6861ed6e in g_thread_pool_thread_proxy (data=0x97fc60) at
/src/mingw/glib-2.33.1a/glib/gthreadpool.c:309
#13 0x6861e83a in g_thread_proxy (data=0x2b71118) at
/src/mingw/glib-2.33.1a/glib/gthread.c:801
#14 0x6863c354 in g_thread_win32_proxy (data=0x2b71118) at
/src/mingw/glib-2.33.1a/glib/gthread-win32.c:451
#15 0x75dc1287 in msvcrt!_itow_s () from %SYSTEMROOT%\syswow64\msvcrt.dll
#16 0x75dc1328 in msvcrt!_endthreadex () from %SYSTEMROOT%\syswow64\msvcrt.dll
#17 0x7610339a in KERNEL32!BaseCleanupAppcompatCacheSupport () from
%SYSTEMROOT%\syswow64\kernel32.dll
#18 0x02b7f030 in ?? ()
#19 0x77ea9ef2 in ntdll!RtlpNtSetValueKey () from
%SYSTEMROOT%\system32\ntdll.dll
#20 0x02b7f030 in ?? ()
#21 0x77ea9ec5 in ntdll!RtlpNtSetValueKey () from
%SYSTEMROOT%\system32\ntdll.dll
#22 0x75dc12e5 in msvcrt!_endthreadex () from %SYSTEMROOT%\syswow64\msvcrt.dll
#23 0x00000000 in ?? ()
