Overview
I have found an out-of-bound-write/read vulnerability in the DNxHD decoder with the help of AFL. The vulnerability is caused by the inconsistency between the intended access size and the buffer’s allocated size. The allocated size is (height * linesizes[0]), however, the access size is (mb_height * linesizes[0]). Arbitrary-address-write can be somewhat achieved. It can cause DoS and may cause Remote-Code-Execution.
Software & Environments
Software
FFmpeg-3.3.2 https://github.com/FFmpeg/FFmpeg
Download link https://github.com/FFmpeg/FFmpeg/archive/n3.3.2.tar.gz
Operating System
lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
uname -a
Linux ubuntu 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:25 UTC 2017 i686 i686 i686 GNU/Linux
Compilers & Debuggers
gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
clang --version
clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
Target: i686-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
rr --version
rr version 4.4.0
Reproduction
gcc debug
cd /path of FFmpeg master source code/
mkdir build-gcc-debug && cd build-gcc-debug
../configure --enable-debug
make
./ffmpeg_g -y -i /PoC file/ -f "mov" /dev/null
clang asan debug
cd /* path of FFmpeg master source code*/
mkdir build-clang-debug-asan && cd build-clang-debug-asan
../configure --cc=clang --extra-cflags=" -fsanitize=address -g " --extra-ldflags=" -fsanitize=address -g " --enable-debug
make
export ASAN_SYMBOLIZER_PATH=/path/to/llvm_build/bin/llvm-symbolizer
./ffmpeg_g -y -i /* PoC file*/ -f "mov" /dev/null
Exception
The exception caught by AddressSanitizer is shown below:
ffmpeg version 3.3.git Copyright (c) 2000-2017 the FFmpeg developers
built with clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
configuration: --cc=clang --extra-cflags=' -fsanitize=address -g ' --extra-ldflags=' -fsanitize=address -g ' --enable-debug
libavutil 55. 67.100 / 55. 67.100
libavcodec 57.100.103 / 57.100.103
libavformat 57. 75.100 / 57. 75.100
libavdevice 57. 7.100 / 57. 7.100
libavfilter 6. 94.100 / 6. 94.100
libswscale 4. 7.101 / 4. 7.101
libswresample 2. 8.100 / 2. 8.100
[dnxhd @ 0xb4203280] Adaptive MB interlace flag in an unsupported profile.
[dnxhd @ 0xb4203280] Adaptive color transform in an unsupported profile.
ASAN:DEADLYSIGNAL
=================================================================
==16833==ERROR: AddressSanitizer: SEGV on unknown address 0x3873404c (pc 0x08d7d5d1 bp 0x0000005a sp 0xbfa4ca60 T0)
#0 0x8d7d5d0 in dnxhd_decode_dct_block /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/dnxhddec.c:409:13
#1 0x8d7d5d0 in dnxhd_decode_dct_block_8 /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/dnxhddec.c:441
#2 0x8d77dc5 in dnxhd_decode_macroblock /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/dnxhddec.c:510:13
#3 0x8d77dc5 in dnxhd_decode_row /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/dnxhddec.c:584
#4 0x9b0bc0a in avcodec_default_execute2 /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/utils.c:553:17
#5 0x8d75178 in dnxhd_decode_frame /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/dnxhddec.c:641:5
#6 0x8d0e3f4 in decode_simple_internal /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/decode.c:417:15
#7 0x8d0e3f4 in decode_simple_receive_frame /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/decode.c:620
#8 0x8d0e3f4 in decode_receive_frame_internal /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/decode.c:638
#9 0x8d0cf1b in avcodec_send_packet /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/decode.c:678:15
#10 0x8ae2b9a in try_decode_frame /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavformat/utils.c:3005:19
#11 0x8ad4f4d in avformat_find_stream_info /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavformat/utils.c:3822:9
#12 0x8184009 in open_input_file /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/ffmpeg_opt.c:1064:11
#13 0x8181f31 in open_files /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/ffmpeg_opt.c:3258:15
#14 0x818193b in ffmpeg_parse_options /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/ffmpeg_opt.c:3298:11
#15 0x81bc70e in main /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/ffmpeg.c:4803:11
#16 0xb73b2636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
#17 0x809e947 in _start (/home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/ffmpeg_g+0x809e947)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fire/bing/afl/libraries/ffmpegs/0704/FFmpeg-master/build-clang-asan-debug-hash/src/libavcodec/dnxhddec.c:409:13 in dnxhd_decode_dct_block
==16833==ABORTING
Analysis
The crash happens in function ff_simple_idct_put_sse2, which is declared in simple_idct.h and implemented in simple_idct.asm, written in assembly language. The following is the related debugging info at the time of the crash:
Program received signal SIGSEGV, Segmentation fault.
0x088bcd12 in ff_simple_idct_put_sse2 ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[-----------------------------------REGISTERS----------------------------------------------]
*EAX 0x9a4b000
*EBX 0xc0
*ECX 0x40
*EDX 0x9a2cc00 <- 0x800080
*EDI 0x200
ESI 0x0
*EBP 0x8
*ESP 0xbfffc640 <- 0x2020
*EIP 0x88bcd12 (ff_simple_idct_put_sse2+8850) <- movq qword ptr [eax], xmm0
[--------------------------------------CODE------------------------------------------------]
> 0x88bcd12 <ff_simple_idct_put_sse2+8850> movq qword ptr [eax], xmm0
0x88bcd16 <ff_simple_idct_put_sse2+8854> movhps qword ptr [ecx + eax], xmm0
0x88bcd1a <ff_simple_idct_put_sse2+8858> movq qword ptr [eax + ecx*2], xmm1
0x88bcd1f <ff_simple_idct_put_sse2+8863> movhps qword ptr [ebx + eax], xmm1
0x88bcd23 <ff_simple_idct_put_sse2+8867> lea eax, [eax + ecx*4]
0x88bcd26 <ff_simple_idct_put_sse2+8870> movdqa xmm0, xmmword ptr [edx + 0x40]
0x88bcd2b <ff_simple_idct_put_sse2+8875> movdqa xmm1, xmmword ptr [edx + 0x60]
0x88bcd30 <ff_simple_idct_put_sse2+8880> packuswb xmm0, xmmword ptr [edx + 0x50]
0x88bcd35 <ff_simple_idct_put_sse2+8885> packuswb xmm1, xmmword ptr [edx + 0x70]
0x88bcd3a <ff_simple_idct_put_sse2+8890> movq qword ptr [eax], xmm0
0x88bcd3e <ff_simple_idct_put_sse2+8894> movhps qword ptr [ecx + eax], xmm0
[----------------------------------------STACK---------------------------------------------]
00:0000| esp 0xbfffc640 <- 0x2020
...
[--------------------------------------BACKTRACE-------------------------------------------]
> f 0 88bcd12 ff_simple_idct_put_sse2+8850
f 1 2020
f 2 2020
f 3 2020
f 4 2020
f 5 2020
f 6 2020
Program received signal SIGSEGV (fault address 0x9a4b000)
pwndbg> p *(char *)$eax
Cannot access memory at address 0x9a4b000
pwndbg>
Out-of-bound-write happens because EAX points to an invalid address. After debugging, I find EAX holds the value of the first parameter of function ff_simple_idct_put_sse2, which is called in function dnxhd_decode_macroblock at src/libavcodec/dnxhddec.c:536. The surrounding code is:
@src/libavcodec/dnxhddec.c
533 dct_y_offset = interlaced_mb ? frame->linesize[0] : (dct_linesize_luma << 3);
534 dct_x_offset = 8 << shift1;
535 if (!ctx->is_444) {
> 536 ctx->idsp.idct_put(dest_y, dct_linesize_luma, row->blocks[0]);
537 ctx->idsp.idct_put(dest_y + dct_x_offset, dct_linesize_luma, row->blocks[1]);
538 ctx->idsp.idct_put(dest_y + dct_y_offset, dct_linesize_luma, row->blocks[4]);
539 ctx->idsp.idct_put(dest_y + dct_y_offset + dct_x_offset, dct_linesize_luma, row->blocks[5]);
The parameter whose value is held in EAX is dest_y, which is computed at src/libavcodec/dnxhddec.c:519:
dest_y = frame->data[0] + ((y * dct_linesize_luma) << 4) + (x << (4 + shift1));
frame->data[0] is a buffer which is allocated in src/libavutil/buffer.c:85:
85 AVBufferRef *ret = av_buffer_alloc(size);
After debugging, I find size is computed like the following:
size = pool->size @src/libavutil/buffer.c:312
pool->size = size @src/libavutil/buffer.c:246
size = size[0] + 16 + STRIDE_ALIGN - 1 @src/libavcodec/decode.c:1380
size[0] = data[1] - data[0] @src/libavcodec/decode.c:1373
data[1] = data[0] + size[0] @src/libavutil/imgutils.c:139
size[0] = linesizes[0] * height @src/libavutil/imgutils.c:125
linesizes[0] and height are the results of the related align functions, whose inputs are the width and height values coming from the input file, i.e.:
linesizes[0] = f_align1(width) = f_align1(PoC[0x1a:0x1b])
height = f_align2(height) = f_align2(PoC[0x18:0x19])
Here, linesizes[0] = 0x40 and height = 0x80, so size = 0x80 * 0x40 + 16 + STRIDE_ALIGN - 1 = 0x202f.
Now, back to
@src/libavcodec/dnxhddec.c:519
dest_y = frame->data[0] + ((y * dct_linesize_luma) << 4) + (x << (4 + shift1));
After several debugging steps, I find dct_linesize_luma comes from linesizes[0]:
dct_linesize_luma = frame->linesize[0] @src/libavcodec/dnxhddec.c:472
frame->linesize[0] = pool->linesize[0] @src/libavcodec/decode.c:1502
pool->linesize[0] = linesize[0] @src/libavcodec/decode.c:1378
I guess the key variable is y. Viewing the call stack:
#0 dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
#1 dnxhd_decode_row (avctx=0xb2fc340, data=0xb2fcf20, rownb=57, threadnb=0) at src/libavcodec/dnxhddec.c:584
#2 0x0872011a in avcodec_default_execute2 (c=0xb2fc340, func=0x8400a40 <dnxhd_decode_row>, arg=0xb2fcf20, ret=0x0, count=207)
at src/libavcodec/utils.c:553
#3 0x084005b8 in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:641
#4 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#5 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#6 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#7 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#8 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#9 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#10 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#11 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#12 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#13 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
I find y’s value comes from a loop variable i in function avcodec_default_execute2, and the surrounding code is:
548 int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, void *arg2, int jobnr, int threadnr), void *arg, int *ret, int count)
549 {
550 int i;
551
552 for (i = 0; i < count; i++) {
> 553 int r = func(c, arg, i, 0);
554 if (ret)
555 ret[i] = r;
556 }
557 emms_c();
558 return 0;
559 }
So, I infer that the intended access length of buffer frame->data[0] is (count * linesizes[0]). Now the value of count becomes the key factor. With simple debugging:
count = ctx->mb_height @src/libavcodec/dnxhddec.c:641
ctx->mb_height = AV_RB16(buf + 0x16c) = PoC[0x16c:0x16d] @src/libavcodec/dnxhddec.c:288
So, the intended access length is (mb_height * linesizes[0]) = (PoC[0x16c:0x16d] * linesizes[0]). However, the actual size of buffer frame->data[0] is (height * linesizes[0]). When mb_height is larger than height, out-of-bound access will happen.
So the root cause is that ctx->mb_height is used instead of ctx->height when calling
@src/libavcodec/dnxhddec.c:641
avctx->execute2(avctx, dnxhd_decode_row, picture, NULL, ctx->mb_height);
I guess this is a programming error.
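The mismatch traced above, worked through with the numbers from this debugging session. This is an added example, not code from FFmpeg or from the original report: the helper names and the mb_height_fits check are illustrative assumptions, and STRIDE_ALIGN = 32 is inferred from the 0x202f total shown on the page.

```c
#include <stddef.h>
#include <stdio.h>

/* Values read from the debugging session on this page. */
enum {
    LINESIZE             = 0x40, /* frame->linesize[0] */
    ALIGNED_HEIGHT       = 0x80, /* height after alignment (frame->height is 127) */
    MB_HEIGHT            = 207,  /* count passed to execute2 (ctx->mb_height) */
    FAULT_ROW            = 57,   /* y when the SIGSEGV was raised */
    STRIDE_ALIGN_ASSUMED = 32    /* assumption: 0x2000 + 16 + 32 - 1 = 0x202f */
};

/* size[0] = linesizes[0] * height (imgutils.c:125). */
static size_t luma_plane_size(size_t linesize, size_t aligned_height)
{
    return linesize * aligned_height;
}

/* Pool buffer size: size[0] + 16 + STRIDE_ALIGN - 1 (decode.c:1380). */
static size_t luma_alloc_size(size_t linesize, size_t aligned_height)
{
    return luma_plane_size(linesize, aligned_height)
           + 16 + STRIDE_ALIGN_ASSUMED - 1;
}

/* Offset of dest_y from frame->data[0] for x = 0 (dnxhddec.c:519). */
static size_t row_offset(size_t y, size_t linesize)
{
    return (y * linesize) << 4;
}

/* First macroblock row whose 16 lines do not fit inside the luma plane,
 * or -1 when every row in [0, mb_height) fits. */
static long first_oob_row(size_t linesize, size_t aligned_height,
                          size_t mb_height)
{
    size_t plane = luma_plane_size(linesize, aligned_height);
    for (size_t y = 0; y < mb_height; y++)
        if (row_offset(y + 1, linesize) > plane)
            return (long)y;
    return -1;
}

/* Hypothetical pre-decode check (not FFmpeg's patch): every macroblock row
 * covers 16 lines, so the row count taken from the bitstream must not
 * exceed the number of 16-line rows the allocated plane can hold. */
static int mb_height_fits(size_t aligned_height, size_t mb_height)
{
    return mb_height <= aligned_height / 16;
}

int main(void)
{
    printf("plane size        = 0x%zx\n",
           luma_plane_size(LINESIZE, ALIGNED_HEIGHT));
    printf("allocation size   = 0x%zx\n",
           luma_alloc_size(LINESIZE, ALIGNED_HEIGHT));
    printf("offset at y=%d    = 0x%zx\n", FAULT_ROW,
           row_offset(FAULT_ROW, LINESIZE));
    printf("first row past plane = %ld\n",
           first_oob_row(LINESIZE, ALIGNED_HEIGHT, MB_HEIGHT));
    printf("mb_height=%d accepted: %d\n", MB_HEIGHT,
           mb_height_fits(ALIGNED_HEIGHT, MB_HEIGHT));
    return 0;
}
```

With these inputs the first row whose 16 lines fall past the luma plane is row 8, well before the faulting row y=57 at offset 0xe400, so the segfault marks the first unmapped page rather than the first out-of-bounds access.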
In addition
How much out-of-bound access happens can be easily controlled by modifying the related fields of PoC file, i.e.
height = PoC[0x18:0x19]
width = PoC[0x1a:0x1b]
mb_height = PoC[0x16c:0x16d]
By modifying the three fields, out-of-bound-read can also be triggered. The following is related debugging info:
Program received signal SIGSEGV, Segmentation fault.
0x083fedcf in dnxhd_decode_dct_block (dc_shift=0, level_shift=6, level_bias=32, index_bits=4, n=2, row=0x9a2cba0, ctx=0x9a2c220) at src/libavcodec/dnxhddec.c:430
430 GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table,
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[-------------------------------------REGISTERS----------------------------------------------------]
*EAX 0xbb8b53ab
*EBX 0xffff8383
*ECX 0x67676378 ('xcgg')
*EDX 0x1770edf8
*EDI 0x9a3ab98 <- 0x20000
*ESI 0xa
*EBP 0x60
*ESP 0xbfffc6b0 -> 0xb7dc7780 (main_arena) <- 0x0
*EIP 0x83fedcf (dnxhd_decode_dct_block_8+687) <- movsx ebx, word ptr [ecx + 2]
[--------------------------------------CODE--------------------------------------------------------]
> 0x83fedcf <dnxhd_decode_dct_block_8+687> movsx ebx, word ptr [ecx + 2]
0x83fedd3 <dnxhd_decode_dct_block_8+691> movsx edx, word ptr [ecx]
0x83fedd6 <dnxhd_decode_dct_block_8+694> mov ecx, ebx
0x83fedd8 <dnxhd_decode_dct_block_8+696> add ebp, ebx
0x83fedda <dnxhd_decode_dct_block_8+698> shl eax, cl
0x83feddc <dnxhd_decode_dct_block_8+700> cmp dword ptr [esp + 0x1c], edx
0x83fede0 <dnxhd_decode_dct_block_8+704> jne dnxhd_decode_dct_block_8+522 <0x83fed2a>
0x83fed2a <dnxhd_decode_dct_block_8+522> mov ecx, dword ptr [esp + 0x20]
0x83fed2e <dnxhd_decode_dct_block_8+526> movzx ebx, byte ptr [ecx + edx*2]
0x83fed32 <dnxhd_decode_dct_block_8+530> movzx ecx, byte ptr [ecx + edx*2 + 1]
0x83fed37 <dnxhd_decode_dct_block_8+535> mov edx, eax
[--------------------------------------CODE--------------------------------------------------------]
425 level >>= level_shift;
426
427 block[j] = (level ^ sign) - sign;
428
429 UPDATE_CACHE(bs, &row->gb);
430 GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table,
431 DNXHD_VLC_BITS, 2);
432 }
433
434 CLOSE_READER(bs, &row->gb);
[--------------------------------------STACK-------------------------------------------------------]
00:0000| esp 0xbfffc6b0 -> 0xb7dc7780 (main_arena) <- 0x0
01:0004| 0xbfffc6b4 -> 0xb7dc7000 (_GLOBAL_OFFSET_TABLE_) <- 0x1b1db0
02:0008| 0xbfffc6b8 -> 0x9a2b340 -> 0x8e3c700 (av_codec_context_class) -> 0x8e39e6a <- ...
03:000c| 0xbfffc6bc -> 0x9a2ff5c <- 0x0
04:0010| 0xbfffc6c0 -> 0x9a3ab98 <- 0x20000
05:0014| 0xbfffc6c4 <- 0x6
06:0018| 0xbfffc6c8 -> 0x9a2cca0 <- 0x420
07:001c| 0xbfffc6cc <- 0x3
[---------------------------------------BACKTRACE--------------------------------------------------]
> f 0 83fedcf dnxhd_decode_dct_block_8+687
f 1 83fedcf dnxhd_decode_dct_block_8+687
f 2 8400c30 dnxhd_decode_row+496
f 3 8400c30 dnxhd_decode_row+496
f 4 872011a avcodec_default_execute2+106
f 5 84005b8 dnxhd_decode_frame+1896
f 6 83e8f16 decode_simple_internal+1206
f 7 83e9a11 avcodec_send_packet+401
f 8 83e9a11 avcodec_send_packet+401
f 9 83e9a11 avcodec_send_packet+401
f 10 83525ae try_decode_frame+670
Program received signal SIGSEGV (fault address 0x6767637a)
pwndbg> p *(char *)($ecx + 2)
Cannot access memory at address 0x6767637a
pwndbg>
Conclusion
This is an out-of-bound-write/read vulnerability which is caused by the inconsistency between the intended access size and the allocated size. The intended size is (mb_height * linesizes[0]), however, the allocated size is (height * linesizes[0]). I guess this is a programming error. This vulnerability is directly related to three fields: height, width and mb_height. By controlling the three fields’ values, arbitrary-address-write can be somewhat achieved. So the vulnerability can cause DoS and may cause Remote-Code-Execution.
Appendix
0xb770ba20 in _start () from /lib/ld-linux.so.2
(rr) c
Continuing.
ffmpeg version 3.3.git Copyright (c) 2000-2017 the FFmpeg developers
built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
configuration: --enable-debug
libavutil 55. 67.100 / 55. 67.100
libavcodec 57.100.103 / 57.100.103
libavformat 57. 75.100 / 57. 75.100
libavdevice 57. 7.100 / 57. 7.100
libavfilter 6. 94.100 / 6. 94.100
libswscale 4. 7.101 / 4. 7.101
libswresample 2. 8.100 / 2. 8.100
[dnxhd @ 0xb2fc340] Adaptive MB interlace flag in an unsupported profile.
[dnxhd @ 0xb2fc340] Adaptive color transform in an unsupported profile.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) break src/libavcodec/dnxhddec.c:536
Breakpoint 1 at 0x8400d2a: file src/libavcodec/dnxhddec.c, line 536.
(rr) reverse-continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) reverse-continue
Continuing.
Breakpoint 1, dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:536
536 ctx->idsp.idct_put(dest_y, dct_linesize_luma, row->blocks[0]);
(rr) p dest_y
$1 = (uint8_t *) 0xb31bfc0 ""
(rr) p dest_y[0x40]
Cannot access memory at address 0xb31c000
(rr) watch -l dest_y
Hardware watchpoint 2: -location dest_y
(rr) disable 1
(rr) reverse-continue
Continuing.
Hardware watchpoint 2: -location dest_y
Old value = (uint8_t *) 0xb31bfc0 ""
New value = (uint8_t *) 0xe400 <error: Cannot access memory at address 0xe400>
dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
519 dest_y = frame->data[0] + ((y * dct_linesize_luma) << 4) + (x << (4 + shift1));
(rr) p frame->data[0]
$2 = (uint8_t *) 0xb30dbc0 "\200\200\200\200\200\200\200\200\201\201\201\201\201\201\201\201"
(rr) p/x y
$3 = 0x39
(rr) p/x dct_linesize_luma
$4 = 0x40
(rr) p (y*dct_linesize_luma)<<4
$5 = 58368
(rr) p/x (y*dct_linesize_luma)<<4
$6 = 0xe400
(rr) p frame
$7 = (AVFrame *) 0xb2fcf20
(rr) p *frame
$8 = {data = {0xb30dbc0 "\200\200\200\200\200\200\200\200\201\201\201\201\201\201\201\201", 0xb30fc20 "\204\204\204\204\204\204\204\204",
0xb310c80 "\200\200\200\200\200\200\200\200\201\201\201\201\201\201\201\201", 0x0, 0x0, 0x0, 0x0, 0x0}, linesize = {64, 32, 32, 0, 0, 0,
0, 0}, extended_data = 0xb2fcf20, width = 2, height = 127, nb_samples = 0, format = 4, key_frame = 1, pict_type = AV_PICTURE_TYPE_I,
sample_aspect_ratio = {num = 0, den = 1}, pts = 9223090561878065151, pkt_pts = 9223090561878065151, pkt_dts = -9223372036854775808,
coded_picture_number = 0, display_picture_number = 0, quality = 0, opaque = 0x0, error = {0, 0, 0, 0, 0, 0, 0, 0}, repeat_pict = 0,
interlaced_frame = 0, top_field_first = 0, palette_has_changed = 0, reordered_opaque = -9223372036854775808, sample_rate = 0,
channel_layout = 0, buf = {0xb2fcac0, 0xb2fb8a0, 0xb2fe6c0, 0x0, 0x0, 0x0, 0x0, 0x0}, extended_buf = 0x0, nb_extended_buf = 0,
side_data = 0x0, nb_side_data = 0, flags = 0, color_range = AVCOL_RANGE_UNSPECIFIED, color_primaries = AVCOL_PRI_UNSPECIFIED,
color_trc = AVCOL_TRC_UNSPECIFIED, colorspace = AVCOL_SPC_BT709, chroma_location = AVCHROMA_LOC_UNSPECIFIED,
best_effort_timestamp = -9223372036854775808, pkt_pos = 0, pkt_duration = 48000, metadata = 0x0, decode_error_flags = 0, channels = 0,
pkt_size = 8192, qscale_table = 0x0, qstride = 0, qscale_type = 0, qp_table_buf = 0x0, hw_frames_ctx = 0x0, opaque_ref = 0x0, crop_top = 0,
crop_bottom = 0, crop_left = 0, crop_right = 0}
(rr) watch -l frame->data[0]
Hardware watchpoint 3: -location frame->data[0]
(rr) disable 2
(rr) reverse-continue
Continuing.
Hardware watchpoint 3: -location frame->data[0]
Old value = (uint8_t *) 0xb30dbc0 ""
New value = (uint8_t *) 0x0
video_get_buffer (pic=0xb2fcf20, s=0xb2fc340) at src/libavcodec/decode.c:1508
1508 pic->data[i] = pic->buf[i]->data;
(rr) p pic->buf[i]->data
Cannot access memory at address 0x4
(rr) p i
$9 = 1
(rr) p pic->buf[0]->data
$10 = (uint8_t *) 0xb30dbc0 ""
(rr) watch -l pic->buf[0]->data
Hardware watchpoint 4: -location pic->buf[0]->data
(rr) disable 3
(rr) reverse-continue
Continuing.
Hardware watchpoint 4: -location pic->buf[0]->data
Old value = (uint8_t *) 0xb30dbc0 ""
New value = (uint8_t *) 0x0
av_buffer_allocz (size=8239) at src/libavutil/buffer.c:85
85 AVBufferRef *ret = av_buffer_alloc(size);
(rr) p size
$11 = 8239
(rr) p/x size
$12 = 0x202f
(rr) b
Breakpoint 5 at 0x8c20937: file src/libavutil/buffer.c, line 56.
(rr) disable 5
(rr) bt
#0 av_buffer_allocz (size=8239) at src/libavutil/buffer.c:85
#1 0x08c211b9 in pool_alloc_buffer (pool=0xb2fc940) at src/libavutil/buffer.c:312
#2 av_buffer_pool_get (pool=0xb2fc940) at src/libavutil/buffer.c:349
#3 0x083ebb47 in video_get_buffer (pic=0xb2fcf20, s=0xb2fc340) at src/libavcodec/decode.c:1504
#4 avcodec_default_get_buffer2 (avctx=0xb2fc340, frame=0xb2fcf20, flags=0) at src/libavcodec/decode.c:1543
#5 0x083ec3db in get_buffer_internal (flags=0, frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1734
#6 ff_get_buffer (avctx=0xb2fc340, frame=0xb2fcf20, flags=0) at src/libavcodec/decode.c:1750
#7 0x086472ff in thread_get_buffer_internal (flags=0, f=0xbfec417c, avctx=0xb2fc340) at src/libavcodec/pthread_frame.c:890
#8 ff_thread_get_buffer (avctx=0xb2fc340, f=0xbfec417c, flags=0) at src/libavcodec/pthread_frame.c:967
#9 0x0840056e in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:633
#10 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#11 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#12 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#13 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#14 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#15 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#16 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#17 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#18 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#19 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) break src/libavutil/buffer.c:312
Breakpoint 6 at 0x8c21140: file src/libavutil/buffer.c, line 312.
(rr) disable 4
(rr) reverse-continue
Continuing.
Breakpoint 6, av_buffer_pool_get (pool=0xb2fc940) at src/libavutil/buffer.c:349
349 ret = pool_alloc_buffer(pool);
(rr) p pool
$13 = (AVBufferPool *) 0xb2fc940
(rr) p pool->size
$14 = 8239
(rr) watch -l pool->size
Hardware watchpoint 7: -location pool->size
(rr) disable 6
(rr) reverse-continue
Continuing.
Hardware watchpoint 7: -location pool->size
Old value = 8239
New value = 0
av_buffer_pool_init (size=8239, alloc=0x8c208b0 <av_buffer_allocz>) at src/libavutil/buffer.c:246
246 pool->size = size;
(rr) bt
#0 av_buffer_pool_init (size=8239, alloc=0x8c208b0 <av_buffer_allocz>) at src/libavutil/buffer.c:246
#1 0x083ebc49 in update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1380
#2 avcodec_default_get_buffer2 (avctx=0xb2fc340, frame=0xb2fcf20, flags=0) at src/libavcodec/decode.c:1538
#3 0x083ec3db in get_buffer_internal (flags=0, frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1734
#4 ff_get_buffer (avctx=0xb2fc340, frame=0xb2fcf20, flags=0) at src/libavcodec/decode.c:1750
#5 0x086472ff in thread_get_buffer_internal (flags=0, f=0xbfec417c, avctx=0xb2fc340) at src/libavcodec/pthread_frame.c:890
#6 ff_thread_get_buffer (avctx=0xb2fc340, f=0xbfec417c, flags=0) at src/libavcodec/pthread_frame.c:967
#7 0x0840056e in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:633
#8 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#9 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#10 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#11 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#12 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#13 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#14 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#15 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#16 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#17 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) break src/libavcodec/decode.c:1380
Breakpoint 8 at 0x83ebc38: file src/libavcodec/decode.c, line 1380.
(rr) disable 7
(rr) reverse-continue
Continuing.
Breakpoint 8, update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1380
1380 pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
(rr) p size
$15 = {8192, 4096, 4096, 0}
(rr) p STRIDE_ALIGN
No symbol "STRIDE_ALIGN" in current context.
(rr) p/x 8192
$16 = 0x2000
(rr) p/x 8192+16-1
$17 = 0x200f
(rr) p/x 8192+16-1+32
$18 = 0x202f
(rr) p i
$19 = 0
(rr) watch -l size[0]
Hardware watchpoint 9: -location size[0]
(rr) disable 8
(rr) reverse-continue
Continuing.
Hardware watchpoint 9: -location size[0]
Old value = 8192
New value = 0
0x083eb9c4 in update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1373
1373 size[i] = data[i + 1] - data[i];
(rr) p i
$20 = 0
(rr) p data[1]
$21 = (uint8_t *) 0x2000 <error: Cannot access memory at address 0x2000>
(rr) p data[0]
$22 = (uint8_t *) 0x0
(rr) watch -l data[1]
Hardware watchpoint 10: -location data[1]
(rr) disable 9
(rr) reverse-continue
Continuing.
Hardware watchpoint 10: -location data[1]
Old value = (uint8_t *) 0x2000 <error: Cannot access memory at address 0x2000>
New value = (uint8_t *) 0x0
0x08c3a0c4 in av_image_fill_pointers (data=0xbfec404c, pix_fmt=AV_PIX_FMT_YUV422P, height=128, ptr=0x0, linesizes=0xbfec405c)
at src/libavutil/imgutils.c:139
139 data[i] = data[i-1] + size[i-1];
(rr) p i
$23 = 1
(rr) p data[0]
$24 = (uint8_t *) 0x0
(rr) p size[0]
$25 = 8192
(rr) watch -l size[0]
Hardware watchpoint 11: -location size[0]
(rr) disable 10
(rr) reverse-continue
Continuing.
Hardware watchpoint 11: -location size[0]
Old value = 8192
New value = 64
av_image_fill_pointers (data=0xbfec404c, pix_fmt=AV_PIX_FMT_YUV422P, height=128, ptr=0x0, linesizes=0xbfec405c)
at src/libavutil/imgutils.c:125
125 size[0] = linesizes[0] * height;
(rr) p linesizes[0]
$26 = 64
(rr) p/x linesizes[0]
$27 = 0x40
(rr) p/x height
$28 = 0x80
(rr) bt
#0 av_image_fill_pointers (data=0xbfec404c, pix_fmt=AV_PIX_FMT_YUV422P, height=128, ptr=0x0, linesizes=0xbfec405c)
at src/libavutil/imgutils.c:125
#1 0x083eb99b in update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1367
#2 avcodec_default_get_buffer2 (avctx=0xb2fc340, frame=0xb2fcf20, flags=0) at src/libavcodec/decode.c:1538
#3 0x083ec3db in get_buffer_internal (flags=0, frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1734
#4 ff_get_buffer (avctx=0xb2fc340, frame=0xb2fcf20, flags=0) at src/libavcodec/decode.c:1750
#5 0x086472ff in thread_get_buffer_internal (flags=0, f=0xbfec417c, avctx=0xb2fc340) at src/libavcodec/pthread_frame.c:890
#6 ff_thread_get_buffer (avctx=0xb2fc340, f=0xbfec417c, flags=0) at src/libavcodec/pthread_frame.c:967
#7 0x0840056e in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:633
#8 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#9 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#10 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#11 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#12 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#13 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#14 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#15 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#16 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#17 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) watch -l linesize[0]
No symbol "linesize" in current context.
(rr) watch -l linesizes[0]
Hardware watchpoint 12: -location linesizes[0]
(rr) break src/libavcodec/decode.c:1367
Breakpoint 13 at 0x83eb97d: file src/libavcodec/decode.c, line 1367.
(rr) disable 11
(rr) reverse-continue
Continuing.
Breakpoint 13, update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1367
1367 tmpsize = av_image_fill_pointers(data, avctx->pix_fmt, h,
(rr) p h
$29 = 128
(rr) p/x h
$30 = 0x80
(rr) p linesizes
No symbol "linesizes" in current context.
(rr) p linesize
$31 = {64, 32, 32, 0}
(rr) p frame
$32 = (AVFrame *) 0xb2fcf20
(rr) p frame->width
$33 = 2
(rr) p frame->height
$34 = 127
(rr) watch -l h
Hardware watchpoint 14: -location h
(rr) disable 13
(rr) reverse-continue
Continuing.
Hardware watchpoint 12: -location linesizes[0]
Old value = 64
New value = 0
av_image_fill_linesizes (linesizes=0xbfec405c, pix_fmt=AV_PIX_FMT_YUV422P, width=64) at src/libavutil/imgutils.c:105
105 linesizes[i] = ret;
(rr) l
100
101 av_image_fill_max_pixsteps(max_step, max_step_comp, desc);
102 for (i = 0; i < 4; i++) {
103 if ((ret = image_get_linesize(width, i, max_step[i], max_step_comp[i], desc)) < 0)
104 return ret;
105 linesizes[i] = ret;
106 }
107
108 return 0;
109 }
(rr) p width
$35 = 64
(rr) disable 12
(rr) reverse-continue
Continuing.
Hardware watchpoint 14: -location h
Old value = 128
New value = 127
avcodec_align_dimensions2 (s=0xb2fc340, width=0xbfec4044, height=0xbfec4048, linesize_align=0xb2fcafc) at src/libavcodec/utils.c:421
421 *height = FFALIGN(*height, h_align);
(rr) p h_align
$36 = <optimized out>
(rr) l
416 if (s->codec_id == AV_CODEC_ID_IFF_ILBM) {
417 w_align = FFMAX(w_align, 8);
418 }
419
420 *width = FFALIGN(*width, w_align);
421 *height = FFALIGN(*height, h_align);
422 if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) {
423 // some of the optimized chroma MC reads one line too much
424 // which is also done in mpeg decoders with lowres > 0
425 *height += 2;
(rr) p *height
$37 = 127
(rr) p *widht
No symbol "widht" in current context.
(rr) p *width
$38 = 16
(rr) p h_align
$39 = <optimized out>
(rr) p *h_align
value has been optimized out
(rr) n
Hardware watchpoint 14: -location h
Old value = 127
New value = 128
avcodec_align_dimensions2 (s=0xb2fc340, width=0xbfec4044, height=0xbfec4048, linesize_align=0xb2fcafc) at src/libavcodec/utils.c:422
422 if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) {
(rr) p *h_align
value has been optimized out
(rr) p s
$40 = (AVCodecContext *) 0xb2fc340
(rr) p s->pix_fmt
$41 = AV_PIX_FMT_YUV422P
(rr) n
435 linesize_align[i] = STRIDE_ALIGN;
(rr) n
436 }
(rr) n
update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1356
1356 ret = av_image_fill_linesizes(linesize, avctx->pix_fmt, w);
(rr) p/x w
$42 = 0x10
(rr) n
1357 if (ret < 0)
(rr) p ret
$43 = 0
(rr) p frame->height
$44 = 127
(rr) watch -l frame->height
Hardware watchpoint 15: -location frame->height
(rr) disable 14
(rr) disable 13
(rr) reverse-continue
Continuing.
Hardware watchpoint 15: -location frame->height
Old value = 127
New value = 0
get_buffer_internal (flags=0, frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1713
1713 frame->height = FFMAX(avctx->height, AV_CEIL_RSHIFT(avctx->coded_height, avctx->lowres));
(rr) p avctx->height
$45 = 127
(rr) watch -l avctx->height
Hardware watchpoint 16: -location avctx->height
(rr) disable 15
(rr) reverse-continue
Continuing.
Hardware watchpoint 16: -location avctx->height
Old value = 127
New value = 0
ff_set_dimensions (s=0xb2fc340, width=<optimized out>, height=<optimized out>) at src/libavcodec/utils.c:221
221 s->height = AV_CEIL_RSHIFT(height, s->lowres);
(rr) p height
$46 = <optimized out>
(rr) bt
#0 ff_set_dimensions (s=0xb2fc340, width=<optimized out>, height=<optimized out>) at src/libavcodec/utils.c:221
#1 0x08400639 in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:628
#2 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#3 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#4 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#5 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#6 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#7 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#8 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#9 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#10 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#11 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) p s->lowres
$47 = 0
(rr) break src/libavcodec/dnxhddec.c:628
Breakpoint 17 at 0x8400532: file src/libavcodec/dnxhddec.c, line 628.
(rr) reverse-continue
Continuing.
Hardware watchpoint 16: -location avctx->height
Old value = 0
New value = -100728704
init_context_defaults (s=s@entry=0xb2fc340, codec=codec@entry=0x0) at src/libavcodec/options.c:95
95 memset(s, 0, sizeof(AVCodecContext));
(rr) disable 16
(rr) reverse-continue
Continuing.
Program stopped.
0xb770ba20 in _start () from /lib/ld-linux.so.2
(rr) c
Continuing.
ffmpeg version 3.3.git Copyright (c) 2000-2017 the FFmpeg developers
built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
configuration: --enable-debug
libavutil 55. 67.100 / 55. 67.100
libavcodec 57.100.103 / 57.100.103
libavformat 57. 75.100 / 57. 75.100
libavdevice 57. 7.100 / 57. 7.100
libavfilter 6. 94.100 / 6. 94.100
libswscale 4. 7.101 / 4. 7.101
libswresample 2. 8.100 / 2. 8.100
[dnxhd @ 0xb2fc340] Adaptive MB interlace flag in an unsupported profile.
[dnxhd @ 0xb2fc340] Adaptive color transform in an unsupported profile.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) enable 16
(rr) reverse-continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) reverse-continue
Continuing.
Hardware watchpoint 16: -location avctx->height
Old value = 127
New value = 0
ff_set_dimensions (s=0xb2fc340, width=<optimized out>, height=<optimized out>) at src/libavcodec/utils.c:221
221 s->height = AV_CEIL_RSHIFT(height, s->lowres);
(rr) break dnxhd_decode_frame
Breakpoint 18 at 0x83ffe50: file src/libavcodec/dnxhddec.c, line 597.
(rr) disable 17
(rr) reverse-continue
Continuing.
Breakpoint 18, dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208) at src/libavcodec/dnxhddec.c:597
597 {
(rr) n
601 ThreadFrame frame = { .f = data };
(rr) p avctx->priv_data
$48 = (void *) 0xb2fd220
(rr) n
597 {
(rr) n
608 for (i = 0; i < avctx->thread_count; i++)
(rr) n
597 {
(rr) n
600 DNXHDContext *ctx = avctx->priv_data;
(rr) n
597 {
(rr) p ctx
$49 = <optimized out>
(rr) n
598 const uint8_t *buf = avpkt->data;
(rr) n
599 int buf_size = avpkt->size;
(rr) p ctx
$50 = <optimized out>
(rr) p (DNXHDContext *)avctx->priv_data
$51 = (DNXHDContext *) 0xb2fd220
(rr) p *(DNXHDContext *)avctx->priv_data
$52 = {avctx = 0xb2fc340, rows = 0xb2fdba0, bdsp = {clear_block = 0x0, clear_blocks = 0x0, fill_block_tab = {0x0, 0x0}}, buf = 0x0,
buf_size = 0, cid = -1, width = 0, height = 0, pix_fmt = AV_PIX_FMT_YUV420P, mb_width = 0, mb_height = 0, mb_scan_index = {
0 <repeats 512 times>}, data_offset = 0, cur_field = 0, ac_vlc = {bits = 0, table = 0x0, table_size = 0, table_allocated = 0}, dc_vlc = {
bits = 0, table = 0x0, table_size = 0, table_allocated = 0}, run_vlc = {bits = 0, table = 0x0, table_size = 0, table_allocated = 0},
idsp = {put_pixels_clamped = 0x0, put_signed_pixels_clamped = 0x0, add_pixels_clamped = 0x0, idct = 0x0, idct_put = 0x0, idct_add = 0x0,
idct_permutation = '\000' <repeats 63 times>, perm_type = FF_IDCT_PERM_NONE}, scantable = {scantable = 0x0,
permutated = '\000' <repeats 63 times>, raster_end = '\000' <repeats 63 times>}, cid_table = 0x0, bit_depth = 0, is_444 = 0, mbaff = 0,
act = 0, decode_dct_block = 0x0}
(rr) n
608 for (i = 0; i < avctx->thread_count; i++)
(rr) n
601 ThreadFrame frame = { .f = data };
(rr) n
599 int buf_size = avpkt->size;
(rr) n
608 for (i = 0; i < avctx->thread_count; i++)
(rr) n
609 ctx->rows[i].format = -1;
(rr) n
608 for (i = 0; i < avctx->thread_count; i++)
(rr) n
612 if ((ret = dnxhd_decode_header(ctx, picture, buf, buf_size, first_field)) < 0)
(rr) n
[dnxhd @ 0xb2fc340] Adaptive MB interlace flag in an unsupported profile.
[dnxhd @ 0xb2fc340] Adaptive color transform in an unsupported profile.
615 if ((avctx->width || avctx->height) &&
(rr) p ctx
$53 = (DNXHDContext *) 0xb2fd220
(rr) p ctx->width
$54 = 2
(rr) p ctx->height
$55 = 127
(rr) watch -l ctx->height
Hardware watchpoint 19: -location ctx->height
(rr) disable 18
(rr) reverse-continue
Continuing.
Hardware watchpoint 19: -location ctx->height
Old value = 127
New value = 0
0x08400023 in dnxhd_decode_header (frame=0xb2fcf20, frame=0xb2fcf20, first_field=1, buf_size=8192, buf=0xb300a48 "", ctx=0xb2fd220)
at src/libavcodec/dnxhddec.c:207
207 ctx->height = AV_RB16(buf + 0x18);
(rr) p buf
$56 = (const uint8_t *) 0xb300a48 ""
(rr) x/32bx buf
0xb300a48: 0x00 0x00 0x0c 0x00 0x03 0x00 0x77 0x00
0xb300a50: 0x00 0x71 0x0d 0x00 0x04 0x04 0x15 0x00
0xb300a58: 0xff 0xfd 0x01 0x00 0x04 0x04 0xb3 0x03
0xb300a60: 0x00 0x7f 0x00 0x02 0x24 0x33 0x4e 0x02
(rr) x/32bx buf-4
0xb300a44: 0x29 0x20 0x00 0x00 0x00 0x00 0x0c 0x00
0xb300a4c: 0x03 0x00 0x77 0x00 0x00 0x71 0x0d 0x00
0xb300a54: 0x04 0x04 0x15 0x00 0xff 0xfd 0x01 0x00
0xb300a5c: 0x04 0x04 0xb3 0x03 0x00 0x7f 0x00 0x02
(rr) p/x 127-0x18
$57 = 0x67
(rr) x/2bx buf+0x18
0xb300a60: 0x00 0x7f
(rr) p 0x7f
$58 = 127
(rr) watch -l buf[0x19]
Hardware watchpoint 20: -location buf[0x19]
(rr) disable 19
(rr) reverse-continue
Continuing.
Hardware watchpoint 20: -location buf[0x19]
Old value = 127 '\177'
New value = 228 '\344'
__memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:492
492 ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(rr) bt
#0 __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:492
#1 0x083b58be in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
at /usr/include/i386-linux-gnu/bits/string3.h:53
#2 av_packet_ref (dst=0xb2fc980, src=0xbfec4164) at src/libavcodec/avpacket.c:639
#3 0x08356152 in add_to_pktbuf (ref=1, plast_pktl=0xb2fb7a0, pkt=<optimized out>, packet_buffer=0xb2fb79c) at src/libavformat/utils.c:435
#4 parse_packet (s=s@entry=0xb2fb200, pkt=pkt@entry=0xbfec4248, stream_index=<optimized out>) at src/libavformat/utils.c:1468
#5 0x08356ea8 in read_frame_internal (s=s@entry=0xb2fb200, pkt=pkt@entry=0xbfec4490) at src/libavformat/utils.c:1611
#6 0x0835c26a in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3698
#7 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#8 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#9 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#10 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) info break 1
Num Type Disp Enb Address What
1 breakpoint keep n 0x08400d2a in dnxhd_decode_row at src/libavcodec/dnxhddec.c:536
breakpoint already hit 1 time
(rr) info break 2
Num Type Disp Enb Address What
2 hw watchpoint keep n -location dest_y
breakpoint already hit 1 time
(rr) disable 20
(rr) c
Continuing.
[dnxhd @ 0xb2fc340] Adaptive MB interlace flag in an unsupported profile.
[dnxhd @ 0xb2fc340] Adaptive color transform in an unsupported profile.
Hardware watchpoint 16: -location avctx->height
Old value = 0
New value = 127
ff_set_dimensions (s=0xb2fc340, width=<optimized out>, height=<optimized out>) at src/libavcodec/utils.c:220
220 s->width = AV_CEIL_RSHIFT(width, s->lowres);
(rr) disable 16
(rr) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) enable 1
(rr) reverse-continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) reverse-continue
Continuing.
Breakpoint 1, dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:536
536 ctx->idsp.idct_put(dest_y, dct_linesize_luma, row->blocks[0]);
(rr) p dest_y
$59 = (uint8_t *) 0xb31bfc0 ""
(rr) p *dest_y
$60 = 0 '\000'
(rr) enable 2
(rr) reverse-continue
Continuing.
Hardware watchpoint 2: -location dest_y
Old value = (uint8_t *) 0xb31bfc0 ""
New value = (uint8_t *) 0xe400 <error: Cannot access memory at address 0xe400>
dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
519 dest_y = frame->data[0] + ((y * dct_linesize_luma) << 4) + (x << (4 + shift1));
(rr) p/x frame->data[0]
$61 = 0xb30dbc0
(rr) bt
#0 dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
#1 dnxhd_decode_row (avctx=0xb2fc340, data=0xb2fcf20, rownb=57, threadnb=0) at src/libavcodec/dnxhddec.c:584
#2 0x0872011a in avcodec_default_execute2 (c=0xb2fc340, func=0x8400a40 <dnxhd_decode_row>, arg=0xb2fcf20, ret=0x0, count=207)
at src/libavcodec/utils.c:553
#3 0x084005b8 in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:641
#4 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#5 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#6 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#7 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#8 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#9 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#10 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#11 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#12 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#13 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) p y
$62 = 57
(rr) break src/libavcodec/dnxhddec.c:641
Breakpoint 21 at 0x8400583: file src/libavcodec/dnxhddec.c, line 641.
(rr) disable 2
(rr) disable 1
(rr) reverse-continue
Continuing.
Breakpoint 21, dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208) at src/libavcodec/dnxhddec.c:641
641 avctx->execute2(avctx, dnxhd_decode_row, picture, NULL, ctx->mb_height);
(rr) p ctx
$63 = (DNXHDContext *) 0xb2fd220
(rr) p ctx->mb_height
$64 = 207
(rr) watch-l ctx->height
Undefined command: "watch-l". Try "help".
(rr) watch -l ctx->height
Hardware watchpoint 22: -location ctx->height
(rr) disable 21
(rr) reverse-continue
Continuing.
Hardware watchpoint 22: -location ctx->height
Old value = 127
New value = 0
0x08400023 in dnxhd_decode_header (frame=0xb2fcf20, frame=0xb2fcf20, first_field=1, buf_size=8192, buf=0xb300a48 "", ctx=0xb2fd220)
at src/libavcodec/dnxhddec.c:207
207 ctx->height = AV_RB16(buf + 0x18);
(rr) l
202 } else {
203 ctx->cur_field = 0;
204 }
205 ctx->mbaff = (buf[0x6] >> 5) & 1;
206
207 ctx->height = AV_RB16(buf + 0x18);
208 ctx->width = AV_RB16(buf + 0x1a);
209
210 switch(buf[0x21] >> 5) {
211 case 1: bitdepth = 8; break;
(rr) c
Continuing.
Hardware watchpoint 22: -location ctx->height
Old value = 0
New value = 127
dnxhd_decode_header (frame=0xb2fcf20, frame=0xb2fcf20, first_field=1, buf_size=8192, buf=0xb300a48 "", ctx=0xb2fd220)
at src/libavcodec/dnxhddec.c:208
208 ctx->width = AV_RB16(buf + 0x1a);
(rr) c
Continuing.
[dnxhd @ 0xb2fc340] Adaptive MB interlace flag in an unsupported profile.
[dnxhd @ 0xb2fc340] Adaptive color transform in an unsupported profile.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) enable 1 2
(rr) reverse-continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) reverse-continue
Continuing.
Breakpoint 1, dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:536
536 ctx->idsp.idct_put(dest_y, dct_linesize_luma, row->blocks[0]);
(rr) reverse-continue
Continuing.
Hardware watchpoint 2: -location dest_y
Old value = (uint8_t *) 0xb31bfc0 ""
New value = (uint8_t *) 0xe400 <error: Cannot access memory at address 0xe400>
dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
519 dest_y = frame->data[0] + ((y * dct_linesize_luma) << 4) + (x << (4 + shift1));
(rr) bt
#0 dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
#1 dnxhd_decode_row (avctx=0xb2fc340, data=0xb2fcf20, rownb=57, threadnb=0) at src/libavcodec/dnxhddec.c:584
#2 0x0872011a in avcodec_default_execute2 (c=0xb2fc340, func=0x8400a40 <dnxhd_decode_row>, arg=0xb2fcf20, ret=0x0, count=207)
at src/libavcodec/utils.c:553
#3 0x084005b8 in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:641
#4 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#5 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#6 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#7 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#8 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#9 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#10 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#11 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#12 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#13 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) enable 21
(rr) disable 1 2
(rr) reverse-continue
Continuing.
Breakpoint 21, dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208) at src/libavcodec/dnxhddec.c:641
641 avctx->execute2(avctx, dnxhd_decode_row, picture, NULL, ctx->mb_height);
(rr) p ctx->mb_height
$65 = 207
(rr) watch -l ctx->mb_height
Hardware watchpoint 23: -location ctx->mb_height
(rr) disable 22 21
(rr) reverse-continue
Continuing.
Hardware watchpoint 23: -location ctx->mb_height
Old value = 207
New value = 0
dnxhd_decode_header (frame=0xb2fcf20, frame=0xb2fcf20, first_field=1, buf_size=8192, buf=0xb300a48 "", ctx=0xb2fd220)
at src/libavcodec/dnxhddec.c:288
288 ctx->mb_height = AV_RB16(buf + 0x16c);
(rr) x/2bx buf+0x16c
0xb300bb4: 0x00 0xcf
(rr) disable 23
(rr) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) enable 1 2
(rr) reverse-continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x088bcd16 in ff_simple_idct_put_sse2 ()
(rr) reverse-continue
Continuing.
Breakpoint 1, dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:536
536 ctx->idsp.idct_put(dest_y, dct_linesize_luma, row->blocks[0]);
(rr) reverse-continue
Continuing.
Hardware watchpoint 2: -location dest_y
Old value = (uint8_t *) 0xb31bfc0 ""
New value = (uint8_t *) 0xe400 <error: Cannot access memory at address 0xe400>
dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
519 dest_y = frame->data[0] + ((y * dct_linesize_luma) << 4) + (x << (4 + shift1));
(rr) p dct_linesize_luma
$66 = 64
(rr) bt
#0 dnxhd_decode_macroblock (y=57, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:519
#1 dnxhd_decode_row (avctx=0xb2fc340, data=0xb2fcf20, rownb=57, threadnb=0) at src/libavcodec/dnxhddec.c:584
#2 0x0872011a in avcodec_default_execute2 (c=0xb2fc340, func=0x8400a40 <dnxhd_decode_row>, arg=0xb2fcf20, ret=0x0, count=207)
at src/libavcodec/utils.c:553
#3 0x084005b8 in dnxhd_decode_frame (avctx=0xb2fc340, data=0xb2fcf20, got_frame=0xbfec4200, avpkt=0xbfec4208)
at src/libavcodec/dnxhddec.c:641
#4 0x083e8f16 in decode_simple_internal (avctx=avctx@entry=0xb2fc340, frame=frame@entry=0xb2fcf20) at src/libavcodec/decode.c:417
#5 0x083e9a11 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:620
#6 decode_receive_frame_internal (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:638
#7 avcodec_send_packet (avctx=0xb2fc340, avpkt=0xbfec42f8) at src/libavcodec/decode.c:678
#8 0x083525ae in try_decode_frame (s=s@entry=0xb2fb200, st=st@entry=0xb2fbb80, avpkt=avpkt@entry=0xbfec4490, options=0xb2fbb40)
at src/libavformat/utils.c:3005
#9 0x0835cbca in avformat_find_stream_info (ic=0xb2fb200, options=0xb2fbb40) at src/libavformat/utils.c:3822
#10 0x080d1907 in open_input_file (o=o@entry=0xbfec47bc, filename=<optimized out>) at src/ffmpeg_opt.c:1064
#11 0x080d44ed in open_files (l=0xb2fb02c, l=0xb2fb02c, open_file=0x80d1450 <open_input_file>, inout=0x8d0605e "input")
at src/ffmpeg_opt.c:3258
#12 ffmpeg_parse_options (argc=7, argv=0xbfec69c4) at src/ffmpeg_opt.c:3298
#13 0x080c2fc9 in main (argc=7, argv=0xbfec69c4) at src/ffmpeg.c:4803
(rr) watch -l dct_linesize_luma
Hardware watchpoint 24: -location dct_linesize_luma
(rr) disable 1 2
(rr) reverse-continue
Continuing.
Hardware watchpoint 24: -location dct_linesize_luma
Old value = 64
New value = 138331304
dnxhd_decode_macroblock (y=0, x=0, frame=0xb2fcf20, row=0xb2fdba0, ctx=0xb2fd220) at src/libavcodec/dnxhddec.c:472
472 int dct_linesize_luma = frame->linesize[0];
(rr) watch -l frame->linesize[0]
Hardware watchpoint 25: -location frame->linesize[0]
(rr) disable 23
(rr) disable 24
(rr) reverse-continue
Continuing.
Hardware watchpoint 25: -location frame->linesize[0]
Old value = 64
New value = 0
video_get_buffer (pic=0xb2fcf20, s=0xb2fc340) at src/libavcodec/decode.c:1502
1502 pic->linesize[i] = pool->linesize[i];
(rr) p i
$67 = 0
(rr) p/x pool->linesize
$68 = {0x40, 0x20, 0x20, 0x0}
(rr) watch -l pool->linesize[0]
Hardware watchpoint 26: -location pool->linesize[0]
(rr) disable 25
(rr) reverse-continue
Continuing.
Hardware watchpoint 26: -location pool->linesize[0]
Old value = 64
New value = 0
0x083eba16 in update_frame_pool (frame=0xb2fcf20, avctx=0xb2fc340) at src/libavcodec/decode.c:1378
1378 pool->linesize[i] = linesize[i];
(rr) p i
$69 = 0
(rr) p linesize[0]
$70 = 64
(rr) watch -l linesize[0]
Hardware watchpoint 27: -location linesize[0]
(rr) disable 26
(rr) reverse-continue
Continuing.
Hardware watchpoint 27: -location linesize[0]
Old value = 64
New value = 0
av_image_fill_linesizes (linesizes=0xbfec405c, pix_fmt=AV_PIX_FMT_YUV422P, width=64) at src/libavutil/imgutils.c:105
105 linesizes[i] = ret;
(rr) l
100
101 av_image_fill_max_pixsteps(max_step, max_step_comp, desc);
102 for (i = 0; i < 4; i++) {
103 if ((ret = image_get_linesize(width, i, max_step[i], max_step_comp[i], desc)) < 0)
104 return ret;
105 linesizes[i] = ret;
106 }
107
108 return 0;
109 }
(rr) p width
$71 = 64
(rr) p i
$72 = 0
(rr) p max_step
$73 = {1, 1, 1, 0}
(rr) p *desc
$74 = {name = 0x8c6ab76 "yuv422p", nb_components = 3 '\003', log2_chroma_w = 1 '\001', log2_chroma_h = 0 '\000', flags = 16, comp = , {plane = 1, step = 1, offset = 0, shift = 0, depth = 8, step_minus1 = 0, depth_minus1 = 7, offset_plus1 = 1}, {plane = 2, step = 1, offset = 0, shift = 0, depth = 8, step_minus1 = 0, depth_minus1 = 7, offset_plus1 = 1}, {plane = 0, step = 0, offset = 0, shift = 0, depth = 0, step_minus1 = 0, depth_minus1 = 0, offset_plus1 = 0}}, alias = 0x0}
(rr) p max_step_comp
$75 = {0, 1, 2, 0}
(rr)
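The numbers recovered in the rr session above can be replayed outside FFmpeg. The following C program is an added example, not code from FFmpeg or from the original write-up: it rebuilds the three header fields seen in the trace in a constructed buffer, recomputes the destination offset from dnxhddec.c:519, and shows a consistency check between `height` and `mb_height`. The function names, the constructed buffer, the 8-bit progressive case (`shift1 = 0`, `dct_linesize_luma == linesize[0]`) and the check itself are assumptions for illustration; the check is not presented as the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed header: only the three fields read in the trace are filled in,
 * with the values shown by x/2bx (buf+0x18, buf+0x16c) and p ctx->width. */
const uint8_t sample_hdr[0x170] = {
    [0x18]  = 0x00, [0x19]  = 0x7f,   /* ctx->height    = 127 */
    [0x1a]  = 0x00, [0x1b]  = 0x02,   /* ctx->width     = 2   */
    [0x16c] = 0x00, [0x16d] = 0xcf,   /* ctx->mb_height = 207 */
};

/* Big-endian 16-bit read, the operation AV_RB16 performs. */
unsigned rb16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Luma destination offset from frame->data[0], as at dnxhddec.c:519. */
size_t mb_luma_offset(int y, int x, int linesize, int shift1)
{
    return (((size_t)y * (size_t)linesize) << 4) + ((size_t)x << (4 + shift1));
}

/* Luma plane size as the Overview states it: rows * linesize[0].
 * Pool padding is ignored (simplification for this example). */
size_t luma_plane_size(int rows, int linesize)
{
    return (size_t)rows * (size_t)linesize;
}

/* First macroblock row whose 16 luma lines end past the plane, or -1. */
int first_oob_row(int mb_height, int rows, int linesize)
{
    size_t plane = luma_plane_size(rows, linesize);
    for (int y = 0; y < mb_height; y++) {
        size_t end = mb_luma_offset(y, 0, linesize, 0) + (size_t)16 * linesize;
        if (end > plane)
            return y;
    }
    return -1;
}

/* Hypothetical header check: mb_height may not exceed the number of
 * 16-line macroblock rows that height provides. */
int mb_height_consistent(unsigned height, unsigned mb_height)
{
    return mb_height <= (height + 15) >> 4;
}

int main(void)
{
    unsigned height    = rb16(sample_hdr + 0x18);
    unsigned mb_height = rb16(sample_hdr + 0x16c);
    int linesize = 64, rows = 128;  /* linesize[0] and aligned h from the trace */

    printf("height=%u mb_height=%u\n", height, mb_height);
    printf("luma plane: %zu bytes\n", luma_plane_size(rows, linesize));
    printf("offset at y=57: 0x%zx\n", mb_luma_offset(57, 0, linesize, 0));
    printf("first out-of-bounds row: %d\n",
           first_oob_row((int)mb_height, rows, linesize));
    printf("header consistent: %s\n",
           mb_height_consistent(height, mb_height) ? "yes" : "no");
    return 0;
}
```

The offset for row 57 matches the intermediate value 0xe400 seen by the `dest_y` watchpoint, and adding it to `frame->data[0]` (0xb30dbc0) gives the faulting `dest_y` of 0xb31bfc0.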
Status
The vulnerability has been assigned CVE-2017-11719, and upstream has patched it.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11719
CONFIRM:https://github.com/FFmpeg/FFmpeg/commit/296debd213bd6dce7647cedd34eb64e5b94cdc92