Bug#783616: /usr/bin/avconv: image2pipe ppm input corrupt when header spans fifo blocks

Sebastian Ramacher sramacher at debian.org
Tue Apr 28 13:16:03 UTC 2015 

Control: tags -1 + confirmed upstream

On 2015-04-28 13:37:40, Claude Heiland-Allen wrote:
> Package: libav-tools
> Version: 6:11.3-2
> Severity: normal
> File: /usr/bin/avconv
> 
> Dear Maintainer,
> 
> piping PPM streams to avconv can cause image corruption in the
> (unlikely but possible) case that a frame header overlaps the fifo
> block size in such a way that the partial header is almost valid
> 
> almost valid means that width and at least one (but not all)
> digits of the height are parsed, and then the fifo block size
> boundary occurs.  somehow the output frames remain the correct
> size, but with garbled image data.
> 
> avconv does sometimes output bold red messages stating "picture
> size ... is invalid" or "invalid maxval ..." when this occurs,
> but some can be false-positives (ie, the output is not always
> garbled when the messages occur).
> 
> here is a test case that reliably reproduces the bug on my
> system:
> 
> ====8<====
> #!/bin/sh
> input="$(mktemp 'bug.XXXXXX.ppm')"
> outdir="$(mktemp -d 'bug.XXXXXX.out')"
> (
>   cat << EOF
> P6
> 16 104
> 255
> EOF
>   for i in $(seq 1 192)
>   do
>     echo -n "26 bytes to put in the PPM"
>   done
> ) > "${input}"
> for i in $(seq 1 50)
> do
>   cat "${input}"
> done |
> avconv -f image2pipe -codec ppm -pix_fmt rgb24 -i - \
>        -f image2     -codec ppm -pix_fmt rgb24 "${outdir}/%d.ppm"
> for output in "${outdir}"/*.ppm
> do
>   diff -q "${input}" "${output}"
> done
> ====8<====
> 
> and here is its output:
> 
> ====8<====
> avconv version 11.3-6:11.3-2, Copyright (c) 2000-2014 the Libav developers
>   built on Apr 26 2015 11:19:40 with gcc 4.9.2 (Debian 4.9.2-10)
> [ppm @ 0xebae80] [IMGUTILS @ 0x7ffe7aeffd70] Picture size 16x0 is invalid
>     Last message repeated 1 times
> [ppm @ 0xebae80] Invalid maxval: 0
>     Last message repeated 5 times
> [image2pipe @ 0xea17e0] Estimating duration from bitrate, this may be
> inaccurate
> Input #0, image2pipe, from 'pipe:':
>   Duration: N/A, bitrate: N/A
>     Stream #0.0: Video: ppm, rgb24, 16x104, 25 fps, 25 tbn
> Output #0, image2, to 'bug.qe9Tcp.out/%d.ppm':
>   Metadata:
>     encoder         : Lavf56.1.0
>     Stream #0.0: Video: ppm, rgb24, 16x104, q=2-31, 200 kb/s, 25 tbn, 25 tbc
>     Metadata:
>       encoder         : Lavc56.1.0 ppm
> Stream mapping:
>   Stream #0:0 -> #0:0 (ppm (native) -> ppm (native))
> Press ctrl-c to stop encoding
> Error while decoding stream #0:0
> [ppm @ 0xebb620] Invalid maxval: 0
> pipe:: Input/output error
> frame=   49 fps=  0 q=0.0 Lsize=       0kB time=1.96 bitrate= 0.0kbits/s
> video:240kB audio:0kB other streams:0kB global headers:0kB muxing overhead:
> unknown
> Files bug.vve493.ppm and bug.qe9Tcp.out/37.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/38.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/39.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/40.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/41.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/42.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/43.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/44.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/45.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/46.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/47.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/48.ppm differ
> Files bug.vve493.ppm and bug.qe9Tcp.out/49.ppm differ
> ====8<====
> 
> the input file is 5006 bytes, and after 36 frames, the total
> length modulo 4096 (the fifo block size) is -8, which means
> the next block boundary occurs 8 bytes into the header, in
> between the 0 and 4 of the height 104.  the 37th frame is
> garbled from about 1/3 the way down (looks like 8 bytes are
> missing, with the remaining data shifted).

Thanks for your bug report. Could you please forward report it directly to the
libav developers? See https://libav.org/bugreports.html for details.

Cheers
-- 
Sebastian Ramacher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150428/9ee70427/attachment-0002.sig>

More information about the pkg-multimedia-maintainers mailing list