[mythtv] [mythtv-commits] mythtv branch master updated by stuartm. v0.28-pre-2267-gad5f589

Stuart Morgan stuart at tase.co.uk
Tue Oct 7 12:52:55 UTC 2014


On Tuesday 07 Oct 2014 08:30:44 George Nassas wrote:
> On Oct 6, 2014, at 3:36 PM, Stuart Morgan <stuart at tase.co.uk> wrote:
> > Can you test the patch attached to this ticket?
> > 
> > https://code.mythtv.org/trac/ticket/12280
> 
> No joy :(
> 
> Core was generated by `/usr/bin/mythtranscode -j 34847 --profile autodetect --honorcutlist --verbose g'.
> Program terminated with signal 6, Aborted.
> #0  0x00007fdec3acb1a5 in *__GI_raise (sig=<optimized out>)
>     at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #0  0x00007fdec3acb1a5 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x00007fdec3ace420 in *__GI_abort () at abort.c:92
> #2  0x00007fdec3b0625b in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
> #3  0x00007fdec3b0faa6 in malloc_printerr (action=3, str=0x7fdec3be9598 "double free or corruption (out)", ptr=<optimized out>) at malloc.c:6312
> #4  0x00007fdec3b1484c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
> #5  0x00007fded00dea7c in av_free (ptr=0x7fdea08750e0) at libavutil/mem.c:232
> #6  0x00007fded00deaa1 in av_freep (arg=0x7fdea0071a30) at libavutil/mem.c:239
> #7  0x00007fded00ce636 in av_buffer_unref (buf=0x7fdea0071a30) at libavutil/buffer.c:112
> #8  0x00007fdeced23790 in av_free_packet (pkt=0x7fdea0071a30) at libavcodec/avpacket.c:286
> #9  0x0000000000429b4c in MPEG2frame::set_pkt (this=0x7fdea0071a30, newpkt=0x7fffdf6789d0) at mpeg2fix.cpp:134
> #10 0x0000000000431360 in MPEG2fixup::GetPoolFrame (this=0x1346e90, pkt=0x7fffdf6789d0) at mpeg2fix.cpp:1328
> #11 0x0000000000431bad in MPEG2fixup::GetFrame (this=0x1346e90, pkt=0x7fffdf6789d0) at mpeg2fix.cpp:1426
> #12 0x0000000000436e97 in MPEG2fixup::Start (this=0x1346e90) at mpeg2fix.cpp:2106
> #13 0x0000000000410aee in main (argc=13, argv=0x7fffdf67a928) at main.cpp:676

Big can of worms.

GetFrame() is calling av_free_packet() on the packet which deletes the 
internal buffer. It then carries on using the packet! Eventually we hit a 
double free when av_free_packet() is again called on that same deleted packet.

So much for a quick fix. Seems we'll have to replace all uses of AVPacket with 
our own struct/buffer.
-- 
Stuart Morgan
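
The failure described in this message, reduced to a small model. This is an added example, not part of the original message and not MythTV or FFmpeg code: `Packet`, the tracking allocator and both flows are hypothetical stand-ins. It goes slightly beyond the thread by also showing an ownership-transfer helper, one common way to keep a single owner per buffer.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical packet owning a heap buffer; a stand-in, not FFmpeg's AVPacket. */
typedef struct { unsigned char *data; size_t size; } Packet;

/* Quarantining tracker: a released block is only marked, so a second release
 * of the same pointer is counted instead of corrupting the heap. */
static struct { void *p; int released; } slots[16];
static int double_frees;
static void *tracked_alloc(size_t n) {
    for (int i = 0; i < 16; i++)
        if (!slots[i].p) return slots[i].p = calloc(1, n);
    return NULL;
}
static void tracked_free(void *p) {
    for (int i = 0; p && i < 16; i++)
        if (slots[i].p == p) {
            double_frees += slots[i].released;   /* a real free() would abort here */
            slots[i].released = 1;
            return;
        }
}
static void tracker_reset(void) {
    for (int i = 0; i < 16; i++) { free(slots[i].p); slots[i].p = NULL; slots[i].released = 0; }
    double_frees = 0;
}
/* Flawed release leaves the stale pointer behind; the fixed one clears it. */
static void release_unsafe(Packet *pkt) { tracked_free(pkt->data); }
static void release_safe(Packet *pkt) { tracked_free(pkt->data); pkt->data = NULL; pkt->size = 0; }
/* Ownership transfer empties the source, so only one struct can free the buffer. */
static void packet_move(Packet *dst, Packet *src) { *dst = *src; src->data = NULL; src->size = 0; }

int flawed_flow(void) {               /* release, keep using, release again */
    tracker_reset();
    Packet pkt = { tracked_alloc(188), 188 };
    release_unsafe(&pkt);
    size_t stale = pkt.size;          /* packet still looks valid after release */
    release_unsafe(&pkt);             /* second release of the same buffer */
    return stale == 188 ? double_frees : -1;
}
int fixed_flow(void) {
    tracker_reset();
    Packet pkt = { tracked_alloc(188), 188 }, pooled;
    packet_move(&pooled, &pkt);       /* pkt no longer owns anything */
    release_safe(&pkt);               /* no-op: nothing left to free */
    release_safe(&pooled);            /* the one real release */
    return double_frees;
}
int main(void) { printf("flawed=%d fixed=%d\n", flawed_flow(), fixed_flow()); return 0; }
```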

