From: David DeHaven
To: FFmpeg development discussions and patches
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] libavcodec h264 crashes
Date: Fri, 5 Dec 2008 10:41:19 -0800
Sender: ffmpeg-devel-bounces@mplayerhq.hu
X-Mailer: Apple Mail (2.929.2)

I have an MPEG TS clip with H.264 video recorded at 1080i with 2-channel AC-3 audio. It was captured using a Hauppauge HD-PVR with the latest firmware. FFmpeg decodes it fine; I can transcode and play back the resulting stream and everything looks intact. MPlayer, however, crashes when it tries to decode the first (?) SPS NAL unit:

    Starting playback...

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x167c3000
    0x002e3b96 in get_ue_golomb [inlined] () at golomb.h:57
    57          UPDATE_CACHE(re, gb);
    (gdb) bt
    #0  0x002e3b96 in get_ue_golomb [inlined] () at golomb.h:57
    #1  0x002e3b96 in decode_hrd_parameters [inlined] () at golomb.h:6851
    #2  0x002e3b96 in decode_vui_parameters [inlined] () at bitstream.h:6914
    #3  0x002e3b96 in decode_vui_parameters [inlined] () at bitstream.h:6914
    #4  0x002e3b96 in decode_seq_parameter_set (h=0x15f85000) at h264.c:7098
    #5  0x61737365 in ?? ()
    Cannot access memory at address 0x6d5f5f04
    (gdb)

I dug around a bit.. The crash is pretty obvious: it's getting a garbage cpb_count in decode_hrd_parameters and overrunning the buffer by a considerable amount. I added some debugging statements and came up with the following results:

When run through FFmpeg:

    NAL_SPS: init_get_bits with data (bit length 278):
    00000000 4d 40 28 9a 62 80 f0 08 8f bc 07 d4 04 04 05 00 M@(.b...........
    00000010 00 03 e9 00 00 ea 60 e8 c0 00 4c 4b 00 02 fa f2 ......`...LK....
    00000020 ef 38                                           .8
    hrd params: cpb_count = 1
    hrd params: cpb 0:
      -> bit_rate_value_minus1 = 19530
      -> cpb_size_value_minus1 = 24413
      -> cbr_flag = 0

When run through MPlayer:

    NAL_SPS: init_get_bits with data (bit length 270):
    00000000 4d 40 28 9a 62 80 f0 08 8f bc 07 d4 04 04 05 00 M@(.b...........
    00000010 00 e9 00 00 ea 60 e8 c0 00 4c 4b 00 02 fa f2 ef .....`...LK.....
    00000020 38                                              8
    hrd params: cpb_count = 39062

A single byte is missing in the MPlayer run, value 03 at offset 0x11. It looks like the problem lies between here and decode_nal.

Popping the file open in a hex editor, I found this particular NAL unit:

    00 00 00 01 27 4D 40 28 9A 62 80 F0 08 8F BC 07 D4 04 04 05 00 00 03 03 E9 00 00 EA 60 E8 C0 00 4C 4B 00 02 FA F2 EF 38 0A

It looks like there's an escape code in the middle (00 00 03) that's being decoded twice (?), at least from what I can tell. I am not well versed in H.264 syntax, and trying to hand-parse this stuff makes my head hurt...

Both FFmpeg and MPlayer are using the same snapshots of libavcodec/libavformat. I'm currently building SVN HEAD completely unmodified as of sometime this morning. Happens on Windows under MinGW/Cygwin and Mac OS X on Intel AND PowerPC, so I think we can rule out platform or processor.

I can make a portion of the file available for testing if needed.

-DrD-

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@mplayerhq.hu
https://lists.mplayerhq.hu/mailman/listinfo/ffmpeg-devel
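The double-unescape the post describes, reproduced as an added example that is not part of the original message and not code from FFmpeg or MPlayer. It takes the SPS NAL unit bytes listed in the post, strips the 00 00 03 emulation-prevention byte once (what FFmpeg saw) and twice (what MPlayer saw), and runs both through a small, bounds-checked SPS/VUI/HRD parser. With one unescape the parser recovers the 1920x1080 interlaced stream, the 1001/60000 timing and cpb_count = 1 with the same bit_rate/cpb_size values the post prints; with two unescapes it reads cpb_count = 39062 from the shifted bits and then, instead of overrunning the buffer as the crashing decoder did, stops with a ValueError when the CPB loop runs past the end of the RBSP. The function names, the bit reader and the choice to cover only the Main-profile syntax path this SPS takes are this example's own assumptions, not anything from the post.

```python
# Added example: a bounds-checked SPS parser, not code from the post or from
# FFmpeg/MPlayer. NAL bytes are the ones listed in the post; everything else is assumed.

# SPS NAL unit from the post: start code, NAL header 0x27 (nal_unit_type 7), then
# the escaped payload; the emulation-prevention run 00 00 03 03 E9 starts at payload offset 0x0f.
SPS_NAL_UNIT = bytes.fromhex(
    "00 00 00 01 27"
    "4D 40 28 9A 62 80 F0 08 8F BC 07 D4 04 04 05 00 00 03 03 E9 00 00 EA 60"
    "E8 C0 00 4C 4B 00 02 FA F2 EF 38 0A"
)


def nal_to_rbsp(payload: bytes) -> bytes:
    """Remove emulation-prevention bytes: a 0x03 that follows two 0x00 bytes."""
    out, zeros = bytearray(), 0
    for b in payload:
        if zeros >= 2 and b == 0x03:
            zeros = 0                # drop the escape byte, keep whatever follows it
            continue
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
    return bytes(out)


class BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos, self.nbits = data, 0, len(data) * 8

    def u(self, n: int) -> int:      # n-bit unsigned, MSB first; raises rather than overruns
        if self.pos + n > self.nbits:
            raise ValueError(f"{n}-bit read at bit {self.pos} runs past the {self.nbits}-bit RBSP")
        v = 0
        for _ in range(n):
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v

    def ue(self) -> int:             # Exp-Golomb: N leading zeros, a one bit, then N value bits
        zeros = 0
        while self.u(1) == 0:
            zeros += 1
            if zeros > 31:
                raise ValueError(f"malformed Exp-Golomb code at bit {self.pos}")
        return (1 << zeros) - 1 + self.u(zeros)


def parse_hrd(r: BitReader, hrd: dict) -> None:
    hrd["cpb_count"] = r.ue() + 1    # cpb_cnt_minus1 + 1: the loop bound that went wild in the post
    r.u(4); r.u(4)                   # bit_rate_scale, cpb_size_scale
    hrd["cpbs"] = [(r.ue(), r.ue(), r.u(1)) for _ in range(hrd["cpb_count"])]
    for _ in range(4):               # three *_delay_length_minus1 fields, time_offset_length
        r.u(5)


def parse_vui(r: BitReader, sps: dict) -> None:
    if r.u(1) and r.u(8) == 255:     # aspect_ratio_info_present_flag, Extended_SAR
        r.u(16); r.u(16)
    if r.u(1):                       # overscan_info_present_flag
        r.u(1)
    if r.u(1):                       # video_signal_type_present_flag
        r.u(3); r.u(1)
        if r.u(1):                   # colour_description_present_flag
            r.u(8); r.u(8); r.u(8)
    if r.u(1):                       # chroma_loc_info_present_flag
        r.ue(); r.ue()
    if r.u(1):                       # timing_info_present_flag
        sps["num_units_in_tick"], sps["time_scale"] = r.u(32), r.u(32)
        r.u(1)                       # fixed_frame_rate_flag
    present = []
    for name in ("nal_hrd", "vcl_hrd"):
        if r.u(1):                   # nal_/vcl_hrd_parameters_present_flag
            sps[name] = {}
            parse_hrd(r, sps[name])
            present.append(name)
    if present:
        r.u(1)                       # low_delay_hrd_flag
    r.u(1)                           # pic_struct_present_flag
    if r.u(1):                       # bitstream_restriction_flag
        r.u(1)
        [r.ue() for _ in range(6)]


def parse_sps(rbsp: bytes, sps: dict) -> None:
    """Fill sps in place so partial results survive a ValueError. Main-profile path only."""
    r = BitReader(rbsp)
    sps["profile_idc"], _, sps["level_idc"] = r.u(8), r.u(8), r.u(8)
    sps["sps_id"] = r.ue()
    if sps["profile_idc"] in (100, 110, 122, 244, 44, 83, 86, 118, 128):
        raise NotImplementedError("chroma_format_idc / scaling-list syntax not covered here")
    sps["log2_max_frame_num"] = r.ue() + 4
    poc_type = r.ue()
    if poc_type == 0:
        sps["log2_max_poc_lsb"] = r.ue() + 4
    elif poc_type == 1:
        raise NotImplementedError("pic_order_cnt_type 1 not covered here")
    sps["num_ref_frames"] = r.ue()
    r.u(1)                           # gaps_in_frame_num_value_allowed_flag
    width_mbs, height_units = r.ue() + 1, r.ue() + 1
    frame_mbs_only = r.u(1)
    if not frame_mbs_only:
        r.u(1)                       # mb_adaptive_frame_field_flag
    r.u(1)                           # direct_8x8_inference_flag
    crop = [r.ue() for _ in range(4)] if r.u(1) else [0, 0, 0, 0]
    # 4:2:0 crop units: 2 samples horizontally, 2 * (2 - frame_mbs_only) vertically
    sps["interlaced"] = not frame_mbs_only
    sps["width"] = width_mbs * 16 - 2 * (crop[0] + crop[1])
    sps["height"] = (2 - frame_mbs_only) * (height_units * 16 - 2 * (crop[2] + crop[3]))
    if r.u(1):                       # vui_parameters_present_flag
        parse_vui(r, sps)


def safe_parse_sps(rbsp: bytes) -> tuple:
    """Return ("ok", sps) or ("error", sps with the partial fields and message) instead of crashing."""
    sps = {}
    try:
        parse_sps(rbsp, sps)
        return "ok", sps
    except ValueError as e:
        sps["error"] = str(e)
        return "error", sps
```

Run it with `safe_parse_sps(nal_to_rbsp(SPS_NAL_UNIT[5:]))` for the single-unescape reading and `safe_parse_sps(nal_to_rbsp(nal_to_rbsp(SPS_NAL_UNIT[5:])))` for the double one. The defensive point is the bit reader: cpb_count comes straight from untrusted input, so every read that depends on it has to fail closed at the end of the buffer rather than walk off it.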