Bug#779789: mpv: free(): invalid pointer: 0xedf28020 ***

Jakub Wilk jwilk at debian.org
Fri Mar 6 14:46:12 UTC 2015


* Alessandro Ghedini <ghedo at debian.org>, 2015-03-06, 15:05:
>>$ mpv crash.mp4
>>Playing: crash.mp4
>>[libav/video] h264: AVC: nal size 889
>>[libav/video] h264: no frame!
>>[libav/demuxer] mov,mp4,m4a,3gp,3g2,mj2: stream 0, offset 0x8c69: partial file
>>(+) Video --vid=1 (*) (h264)
>>File tags:
>>Title: 860240514032667
>>Opening video filter: [expand aspect=1440/900]
>>[expand] Expand: -1 x -1, -1 ; -1, aspect: 1.600000, round: 1
>>[libav/video] h264: AVC: nal size 889
>>[libav/video] h264: AVC: nal size 889
>>[libav/video] h264: no frame!
>>VO: [xv] 3642x720 => 3642x2276 yuv420p
>>V: 00:00:00 / 00:00:15 (0%)
>>
>>
>>Exiting... (End of file)
>>*** Error in `mpv': free(): invalid pointer: 0xedf28020 ***
>>Aborted
>
>I can't reproduce.

Could you try with these options?

-vo=xv -vf=expand=::::1440/900

Apparently they are needed to trigger the crash. I forgot I had them in 
my mpv.conf.

>Could you please also provide a backtrace (with both mpv and libav 
>debug symbols)?

Here it is:

#0  0xf763d425 in __kernel_vsyscall ()
#1  0xf5b9d307 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xf5b9e9c3 in __GI_abort () at abort.c:89
#3  0xf5bdb6f8 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0xf5cd165c "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xf5be176a in malloc_printerr (action=<optimized out>, str=0xf5ccd172 "free(): invalid pointer", ptr=0xedf28020) at malloc.c:4996
#5  0xf5be23bd in _int_free (av=0x80808080, p=<optimized out>, have_lock=0) at malloc.c:3840
#6  0xf7720de2 in m_refcount_unref (ref=0xf87cc910) at ../video/mp_image.c:102
#7  0xf7758736 in ta_free (ptr=0xf87c4970) at ../ta/ta.c:259
#8  0xf77228f2 in unref_image (ptr=0xf87c4970) at ../video/mp_image_pool.c:109
#9  0xf7720de2 in m_refcount_unref (ref=0xf87cc7f0) at ../video/mp_image.c:102
#10 0xf7758736 in ta_free (ptr=0xf88f4178) at ../ta/ta.c:259
#11 0xf774e451 in uninit (vo=0xf87ba090) at ../video/out/vo_xv.c:694
#12 0xf7741e72 in vo_thread (ptr=0xf87ba090) at ../video/out/vo.c:754
#13 0xf63daefb in start_thread (arg=0xefcfcb40) at pthread_create.c:309
#14 0xf5c5862e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129

Although Valgrind output might be more helpful, according to which an 
out-of-bounds write happens early on:

==2574== Invalid write of size 4
==2574==    at 0x482F85D: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2574==    by 0x1CA7A0: memset (string3.h:84)
==2574==    by 0x1CA7A0: memset_pic (memcpy_pic.h:57)
==2574==    by 0x1CA7A0: mp_image_clear (mp_image.c:440)
==2574==    by 0x1F86F6: allocate_xvimage (vo_xv.c:542)
==2574==    by 0x1F86F6: reconfig (vo_xv.c:471)
==2574==    by 0x1EA222: run_reconfig (vo.c:345)
==2574==    by 0x16AD5F: mp_dispatch_queue_process (dispatch.c:197)
==2574==    by 0x1EA535: vo_thread (vo.c:720)
==2574==    by 0x5A87EFA: start_thread (pthread_create.c:309)
==2574==    by 0x624162D: clone (clone.S:129)
==2574==  Address 0xefbb000 is not stack'd, malloc'd or (recently) free'd

>It would also be nice if you could test the package in experimental 
>that uses ffmpeg instead of libav.

I'll try it later today.

-- 
Jakub Wilk
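
An added example, not part of the original message and not mpv or Valgrind code: a small Python triage helper for the Valgrind record quoted above (abridged). It groups frames that share an address, which is how Valgrind prints inlined calls, and reports the physical function containing the faulting call together with its direct caller. The names parse_error and fault_site are hypothetical.

```python
import re

# Valgrind memcheck record taken from the message above, abridged to the
# frames needed; parse_error and fault_site are hypothetical helper names.
SAMPLE = """\
==2574== Invalid write of size 4
==2574==    at 0x482F85D: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2574==    by 0x1CA7A0: memset (string3.h:84)
==2574==    by 0x1CA7A0: memset_pic (memcpy_pic.h:57)
==2574==    by 0x1CA7A0: mp_image_clear (mp_image.c:440)
==2574==    by 0x1F86F6: allocate_xvimage (vo_xv.c:542)
==2574==    by 0x1F86F6: reconfig (vo_xv.c:471)
==2574==    by 0x1EA222: run_reconfig (vo.c:345)
==2574==  Address 0xefbb000 is not stack'd, malloc'd or (recently) free'd
"""

HEADER = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+): (\S+) \((.*)\)$")

def parse_error(text):
    """Return the first invalid access in `text`, inlined frames grouped."""
    err = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            if err is not None:
                break  # a second record starts here; keep only the first
            err = {"kind": h.group(1), "size": int(h.group(2)), "frames": []}
            continue
        f = FRAME.match(line)
        if err is None or not f:
            continue
        addr, func, loc = f.groups()
        frames = err["frames"]
        # Consecutive frames with one address are inlined calls, innermost first.
        if frames and frames[-1]["addr"] == addr:
            frames[-1]["chain"].append((func, loc))
        else:
            frames.append({"addr": addr, "chain": [(func, loc)]})
    return err

def fault_site(err):
    """Physical function holding the faulting call, and its direct caller."""
    src = [f for f in err["frames"] if not f["chain"][0][1].startswith("in ")]
    return src[0]["chain"][-1], src[1]["chain"][0]

if __name__ == "__main__":
    print(fault_site(parse_error(SAMPLE)))
```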


