Bug 300042 - media-libs/xine-lib-1.1.17 glibc detected corrupted unsorted chunks
Summary: media-libs/xine-lib-1.1.17 glibc detected corrupted unsorted chunks
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: High major
Assignee: Gentoo Media-video project
URL: http://vestige.lmsal.com/TRACE/Public...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-07 14:18 UTC by Hugo Mildenberger
Modified: 2012-01-28 04:51 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
glibc debug output (dragon.glibc-detected-free:corrupted-unsorted-chunks.log,8.68 KB, text/plain)
2010-01-07 14:19 UTC, Hugo Mildenberger
valgrind log for dragon (dragon.valgrind.log,24.15 KB, text/plain)
2010-01-07 14:22 UTC, Hugo Mildenberger
output of emerge --info =media-libs/xine-lib-1.1.17 (emerge--info-xine-lib.txt,4.67 KB, text/plain)
2010-01-07 14:29 UTC, Hugo Mildenberger

Description Hugo Mildenberger 2010-01-07 14:18:19 UTC
When using dragon or xine playing the video mentioned above in URL field, both programs get aborted in a similar way. 

$dragon --nocrashhandler T171_000828.avi
*** glibc detected *** dragon: free(): corrupted unsorted chunks: 0x00000fa3672f7780 ***
======= Backtrace: =========
/lib/libc.so.6(+0x72ec7)[0x6fbf04a30ec7]
/lib/libc.so.6(cfree+0x6c)[0x6fbf04a35cfc]
/usr/lib64/xine/plugins/1.27/xineplug_decode_ff.so(+0x4edb)[0x6fbefb8d7edb]
/usr/lib64/libxine.so.1(_x_free_video_decoder+0x2f)[0x6fbf0774164f]
/usr/lib64/libxine.so.1(+0x2182e)[0x6fbf0774782e]
/lib/libpthread.so.0(+0x74e7)[0x6fbf061384e7]
/lib/libc.so.6(clone+0x6d)[0x6fbf04a8fbfd]
 
(full glibc output will be attached)

valgrind has suspicious memory reads and writes, stemming from a probably dangling reference passed to release_buffer in parameter av_frame:

Thread 7:
==3289== Invalid read of size 4
==3289==    at 0x133A8DC9: release_buffer (ff_video_decoder.c:241)
==3289==    by 0x133A8FAD: ff_dispose (ff_video_decoder.c:1657)
==3289==    by 0x611564E: _x_free_video_decoder (load_plugins.c:2011)
==3289==    by 0x611B82D: video_decoder_loop (video_decoder.c:151)
==3289==    by 0x773C4E6: start_thread (pthread_create.c:297)
==3289==    by 0x8E3ABFC: clone (clone.S:112)
==3289==  Address 0x10bd15b0 is 224 bytes inside a block of size 98,960 free'd
==3289==    at 0x4C259CF: free (vg_replace_malloc.c:325)
==3289==    by 0x13F5A55F: av_freep (mem.c:136)
==3289==    by 0x1361BE13: avcodec_close (utils.c:700)
==3289==    by 0x133A8F82: ff_dispose (ff_video_decoder.c:1649)
==3289==    by 0x611564E: _x_free_video_decoder (load_plugins.c:2011)
==3289==    by 0x611B82D: video_decoder_loop (video_decoder.c:151)
==3289==    by 0x773C4E6: start_thread (pthread_create.c:297)
==3289==    by 0x8E3ABFC: clone (clone.S:112)


and also some invalid write operations stemming from lines 258-261:

238 static void release_buffer(struct AVCodecContext *context, AVFrame *av_frame){
 239   ff_video_decoder_t *this = (ff_video_decoder_t *)context->opaque;
 240
 241   if (av_frame->type == FF_BUFFER_TYPE_USER) {
 242     if ( av_frame->opaque ) {
 243       vo_frame_t *img = (vo_frame_t *)av_frame->opaque;
 244
 245       img->free(img);
 246     }
 247
 248     xine_list_iterator_t it;
 249
 250     it = xine_list_find(this->dr1_frames, av_frame);
 251     assert(it);
 252     if( it != NULL )
 253       xine_list_remove(this->dr1_frames, it);
 254   } else {
 255     avcodec_default_release_buffer(context, av_frame);
 256   }
 257
 258   av_frame->opaque = NULL;
 259   av_frame->data[0]= NULL;
 260   av_frame->data[1]= NULL;
 261   av_frame->data[2]= NULL;
 262 }
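
The valgrind stacks in this report show ff_dispose calling avcodec_close (line 1649), which frees the block, and then release_buffer (line 1657), which reads an address inside that block. The C sketch below is an added example, not code from xine-lib or from the reporter: it models that teardown order with hypothetical toy types (codec_t, frame_t) and a guarded release that counts the stale access instead of performing it, next to a release-before-close order that is assumed here as one possible fix, not the upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins (hypothetical) for the codec context and its frames. */
typedef struct { int type; void *opaque; void *data[3]; } frame_t;
typedef struct {
  frame_t *pool;     /* block owned by the codec, freed by codec_close() */
  size_t   npool;
  frame_t *held[4];  /* frames the decoder plugin still references */
  size_t   nheld;
} codec_t;

static codec_t *codec_open(size_t npool, size_t nheld) {
  codec_t *c = calloc(1, sizeof *c);
  if (!c || !(c->pool = calloc(npool, sizeof *c->pool))) abort();
  c->npool = npool;
  for (size_t i = 0; i < nheld && i < npool && i < 4; i++)
    c->held[c->nheld++] = &c->pool[i];
  return c;
}

/* Plays the role of avcodec_close(): frees the block the frames live in. */
static void codec_close(codec_t *c) { free(c->pool); c->pool = NULL; c->npool = 0; }

/* Guarded release: returns -1 instead of touching a frame whose block is gone. */
static int release_frame(codec_t *c, frame_t *f) {
  if (!c->pool || f < c->pool || f >= c->pool + c->npool) return -1;
  f->opaque = NULL;
  f->data[0] = f->data[1] = f->data[2] = NULL;
  return 0;
}

/* Teardown. close_first != 0 follows the order seen in the traces (close,
 * then release); 0 releases held frames first. Returns the stale-frame count. */
static int dispose(codec_t *c, int close_first) {
  int stale = 0;
  if (close_first) codec_close(c);
  for (size_t i = 0; i < c->nheld; i++)
    if (release_frame(c, c->held[i]) < 0) stale++;
  if (!close_first) codec_close(c);
  free(c);
  return stale;
}

int main(void) {
  printf("close first:   %d stale frame(s)\n", dispose(codec_open(8, 3), 1));
  printf("release first: %d stale frame(s)\n", dispose(codec_open(8, 3), 0));
  return 0;
}
```

Each stale frame counted in the close-first run corresponds to one access that valgrind would flag as an invalid read or write in the unguarded code.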
Comment 1 Hugo Mildenberger 2010-01-07 14:19:55 UTC
Created attachment 215548 [details]
glibc debug output
Comment 2 Hugo Mildenberger 2010-01-07 14:22:55 UTC
Created attachment 215550 [details]
valgrind log for dragon

I'm not attaching debug logs for xine, because the root of the problem is identical. This is from valgrind log for xine:

==3263== Thread 8:
==3263== Invalid read of size 4
==3263==    at 0xC363DC9: release_buffer (ff_video_decoder.c:241)
==3263==    by 0xC363FAD: ff_dispose (ff_video_decoder.c:1657)
==3263==    by 0x4E4764E: _x_free_video_decoder (load_plugins.c:2011)
==3263==    by 0x4E4D82D: video_decoder_loop (video_decoder.c:151)
==3263==    by 0x6CF54E6: start_thread (pthread_create.c:297)
==3263==  Address 0x15e63630 is 224 bytes inside a block of size 98,960 free'd
==3263==    at 0x4C259CF: free (vg_replace_malloc.c:325)
==3263==    by 0xCF1555F: av_freep (mem.c:136)
==3263==    by 0xC5D6E13: avcodec_close (utils.c:700)
==3263==    by 0xC363F82: ff_dispose (ff_video_decoder.c:1649)
==3263==    by 0x4E4764E: _x_free_video_decoder (load_plugins.c:2011)
==3263==    by 0x4E4D82D: video_decoder_loop (video_decoder.c:151)
==3263==    by 0x6CF54E6: start_thread (pthread_create.c:297)
Comment 3 Hugo Mildenberger 2010-01-07 14:29:55 UTC
Created attachment 215552 [details]
output of emerge --info =media-libs/xine-lib-1.1.17
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2010-02-24 21:36:16 UTC
Try 1.1.18 and take this to upstream: http://bugs.xine-project.org/
Comment 5 Hugo Mildenberger 2010-02-25 10:59:58 UTC
(In reply to comment #4)
> Try 1.1.18 and take this to upstream: http://bugs.xine-project.org/

Version 1.1.18 has the same problems, only line numbers have changed. 
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-01-28 04:51:24 UTC
Try xine-lib-1.2.0 and reopen if this is still a problem.