Bug 113160 - media-video/ffmpeg seg faults with small PNG files containing a palette
Status: RESOLVED DUPLICATE of bug 115760
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Media-video project
Keywords: Inclusion
Reported: 2005-11-21 06:26 UTC by Simon Kilvington
Modified: 2005-12-17 05:10 UTC

Attachments
patch that fixes it (ffmpeg-0.4.9_p20050906-pal8.patch,707 bytes, patch)
2005-11-21 06:28 UTC, Simon Kilvington

Description Simon Kilvington 2005-11-21 06:26:54 UTC
There is a bug in ffmpeg when it deals with PIX_FMT_PAL8 format images - the
get_buffer function avcodec_default_get_buffer doesn't alloc enough space for
the palette entries. This will cause a seg fault later (probably the next time
you call free or malloc).

Here is a patch against ffmpeg-0.4.9-p20050906 to fix it:

--- libavcodec/utils.c.orig     2005-11-17 15:13:57.000000000 +0000
+++ libavcodec/utils.c  2005-11-17 15:14:51.000000000 +0000
@@ -325,6 +325,15 @@
             const int h_shift= i==0 ? 0 : h_chroma_shift;
             const int v_shift= i==0 ? 0 : v_chroma_shift;

+           if(s->pix_fmt == PIX_FMT_PAL8 && i == 1)
+           {
+               buf->base[i] = av_malloc(256 * 4);
+               if(buf->base[i] == NULL)
+                   return -1;
+               buf->data[i] = buf->base[i];
+               continue;
+           }
+
             //FIXME next ensures that linesize= 2^x uvlinesize, thats needed
because some MC code assumes it
             buf->linesize[i]= ALIGN(pixel_size*w>>h_shift,
STRIDE_ALIGN<<(h_chroma_shift-h_shift));
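
Review bot: the `continue` at the end of the new PIX_FMT_PAL8 branch skips the `buf->linesize[i]= ALIGN(...)` assignment that follows in the same loop body, so `buf->linesize[1]` is not set on this path; assign it explicitly before the `continue` so nothing downstream reads a stale value. On the `return -1` path the i == 0 iteration has already run, so check that whatever it allocated is released rather than left behind. The bare `256 * 4` would also be clearer as a named constant, or with a comment stating that it is 256 palette entries of 4 bytes each.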


If someone who is actually able to access mplayerhq.hu could send it on to them
as well, it would be handy.



Reproducible: Always
Steps to Reproduce:
1. obtain a 1x1 pixel PNG file which includes a palette
2. use avcodec_decode_video to read it in
3. call avcodec_close or pretty much anything else that uses free/malloc

Actual Results:  
seg fault in glibc, inside free

Expected Results:  
not seg faulted
Comment 1 Simon Kilvington 2005-11-21 06:28:13 UTC
Created attachment 73301
patch that fixes it
Comment 2 Luca Barbato gentoo-dev 2005-11-21 14:49:05 UTC
Could you check the latest snapshot and, if it still applies, please report upstream?
Comment 3 Simon Kilvington 2005-12-08 06:00:37 UTC
There is now a patch in CVS as of 2 Dec 2005.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-17 05:10:58 UTC

*** This bug has been marked as a duplicate of 115760 ***