[BUG] double free or corruption (out) #659

Closed
opened 2026-01-29 16:50:19 +00:00 by claunia · 3 comments

Originally created by @techno-disaster on GitHub (Aug 21, 2021).

CCExtractor version: 0.93

In raising this issue, I confirm the following:

  • I have read and understood the contributors guide.
  • I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present.
  • I have checked that the issue I'm posting isn't already reported.
  • I have checked that the issue I'm posting isn't already solved and no duplicates exist in closed issues and in opened issues
  • I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.
  • I have used the latest available version of CCExtractor to verify this issue exists.
  • I have ticked all the boxes in this section and to prove it I'm deleting the section completely to remove boilerplate text.

Necessary information

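Video links

  • https://sampleplatform.ccextractor.org/sample/download/3
  • https://sampleplatform.ccextractor.org/sample/download/21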

Additional information

Happened with several other files when ccx runs together on them. All were from the sample platform.

Logs -



╭─techno_disaster at pop-os in ~/Projects/Opensource/ccextractorfluttergui/samples on master✘✘✘ 
╰─± ccextractor 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg 85c7fc1ad7c3dd56d4e836750b5b309a5bfa9ab9d846844f1aba62bcf9f286db.mpg d41b53b5042771fc645faa7fd9cfb040727336793586b026ec6101908ddd9c92.mpg  
CCExtractor 0.92, Carlos Fernandez Sanz, Volker Quetschke.
Teletext portions taken from Petr Kutalek's telxcc
--------------------------------------------------------------------------
Input: 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg, 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg, 85c7fc1ad7c3dd56d4e836750b5b309a5bfa9ab9d846844f1aba62bcf9f286db.mpg, d41b53b5042771fc645faa7fd9cfb040727336793586b026ec6101908ddd9c92.mpg
[Extract: 1] [Stream mode: Autodetect]
[Program : Auto ] [Hauppage mode: No] [Use MythTV code: Auto]
[Timing mode: Auto] [Debug: No] [Buffer input: No]
[Use pic_order_cnt_lsb for H.264: No] [Print CC decoder traces: No]
[Target format: .srt] [Encoding: UTF-8] [Delay: 0] [Trim lines: No]
[Add font color data: Yes] [Add font typesetting: Yes]
[Convert case: No][Filter profanity: No] [Video-edit join: No]
[Extraction start time: not set (from start)]
[Extraction end time: not set (to end)]
[Live stream: No] [Clock frequency: 90000]
[Teletext page: Autodetect]
[Start credits text: None]
[Quantisation-mode: CCExtractor's internal function]

-----------------------------------------------------------------
Opening file: 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg
File seems to be a transport stream, enabling TS mode
Analyzing data in general mode
eng.traineddata not found! No Switching Possible
  3%  |  01:32
-----------------------------------------------------------------
Opening file: 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
VBI/teletext stream ID 272 (0x110) for SID 1 (0x1)
  8%  |  00:04
-----------------------------------------------------------------
Opening file: 85c7fc1ad7c3dd56d4e836750b5b309a5bfa9ab9d846844f1aba62bcf9f286db.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
double free or corruption (out)
[1]    23827 IOT instruction (core dumped)  ccextractor    
╭─techno_disaster at pop-os in ~/Projects/Opensource/ccextractorfluttergui/samples on master✘✘✘ 
╰─± ccextractor 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg d41b53b5042771fc645faa7fd9cfb040727336793586b026ec6101908ddd9c92.mpg  
CCExtractor 0.92, Carlos Fernandez Sanz, Volker Quetschke.
Teletext portions taken from Petr Kutalek's telxcc
--------------------------------------------------------------------------
Input: 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg, 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg, d41b53b5042771fc645faa7fd9cfb040727336793586b026ec6101908ddd9c92.mpg
[Extract: 1] [Stream mode: Autodetect]
[Program : Auto ] [Hauppage mode: No] [Use MythTV code: Auto]
[Timing mode: Auto] [Debug: No] [Buffer input: No]
[Use pic_order_cnt_lsb for H.264: No] [Print CC decoder traces: No]
[Target format: .srt] [Encoding: UTF-8] [Delay: 0] [Trim lines: No]
[Add font color data: Yes] [Add font typesetting: Yes]
[Convert case: No][Filter profanity: No] [Video-edit join: No]
[Extraction start time: not set (from start)]
[Extraction end time: not set (to end)]
[Live stream: No] [Clock frequency: 90000]
[Teletext page: Autodetect]
[Start credits text: None]
[Quantisation-mode: CCExtractor's internal function]

-----------------------------------------------------------------
Opening file: 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg
File seems to be a transport stream, enabling TS mode
Analyzing data in general mode
eng.traineddata not found! No Switching Possible
 28%  |  01:49
-----------------------------------------------------------------
Opening file: 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
VBI/teletext stream ID 272 (0x110) for SID 1 (0x1)
 67%  |  00:04
-----------------------------------------------------------------
Opening file: d41b53b5042771fc645faa7fd9cfb040727336793586b026ec6101908ddd9c92.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
double free or corruption (out)
[1]    23848 IOT instruction (core dumped)  ccextractor   
╭─techno_disaster at pop-os in ~/Projects/Opensource/ccextractorfluttergui/samples on master✘✘✘ 
╰─± ccextractor 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg                                                           
CCExtractor 0.92, Carlos Fernandez Sanz, Volker Quetschke.
Teletext portions taken from Petr Kutalek's telxcc
--------------------------------------------------------------------------
Input: 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg, 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg
[Extract: 1] [Stream mode: Autodetect]
[Program : Auto ] [Hauppage mode: No] [Use MythTV code: Auto]
[Timing mode: Auto] [Debug: No] [Buffer input: No]
[Use pic_order_cnt_lsb for H.264: No] [Print CC decoder traces: No]
[Target format: .srt] [Encoding: UTF-8] [Delay: 0] [Trim lines: No]
[Add font color data: Yes] [Add font typesetting: Yes]
[Convert case: No][Filter profanity: No] [Video-edit join: No]
[Extraction start time: not set (from start)]
[Extraction end time: not set (to end)]
[Live stream: No] [Clock frequency: 90000]
[Teletext page: Autodetect]
[Start credits text: None]
[Quantisation-mode: CCExtractor's internal function]

-----------------------------------------------------------------
Opening file: 85271be4d28a2af0be40572e72ddedf650b314155a2ed935140826ace0ad8167.mpg
File seems to be a transport stream, enabling TS mode
Analyzing data in general mode
eng.traineddata not found! No Switching Possible
 42%  |  01:49
-----------------------------------------------------------------
Opening file: 73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
VBI/teletext stream ID 272 (0x110) for SID 1 (0x1)
Premature end of file - Transport Stream packet is incomplete (expected 188 bytes, got 128).
100%  |  00:04
Number of NAL_type_7: 0
Number of VCL_HRD: 0
Number of NAL HRD: 0
Number of jump-in-frames: 0
Number of num_unexpected_sei_length: 0

Min PTS:				13:08:15:350
Max PTS:				13:08:19:788
Length:				 00:00:04:438
Done, processing time = 1 seconds
[1]    23868 segmentation fault (core dumped)  ccextractor  

@cfsmp3 commented on GitHub (Aug 21, 2021):

Opening file: /mnt/c/Downloads/73d9313d64b0ddf1542bc3521d19cc8a601967fbbb8ee8eb3e6d03c53d7b55d9.mpg
File seems to be a transport stream, enabling TS mode
Notice: PAT changed, clearing all variables.
VBI/teletext stream ID 272 (0x110) for SID 1 (0x1)
==549== Invalid read of size 1
==549==    at 0x17A399: set_tlt_delta (telxcc.c:1261)
==549==    by 0x1814F8: general_loop (general_loop.c:1024)
==549==    by 0x141EE8: api_start (ccextractor.c:204)
==549==    by 0x142C3E: main (ccextractor.c:462)
==549==  Address 0x7ea5339 is 5,273 bytes inside a block of size 17,023 free'd
==549==    at 0x483D74F: operator delete[](void*) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==549==    by 0x4B99B74: tesseract::LSTMRecognizer::RecognizeLine(tesseract::ImageData const&, bool, bool, double, TBOX const&, tesseract::PointerVector<WERD_RES>*, int) (in /usr/lib/x86_64-linux-gnu/libtesseract.so.4.0.1)
==549==    by 0x4A60CD7: tesseract::Tesseract::LSTMRecognizeWord(BLOCK const&, ROW*, WERD_RES*, tesseract::PointerVector<WERD_RES>*) (in /usr/lib/x86_64-linux-gnu/libtesseract.so.4.0.1)

There's a lot more.
Clearly when we do clean up we're deallocating stuff we later need (and keeping a pointer to it too).


@cfsmp3 commented on GitHub (Mar 22, 2023):

Update: Bugs still happening

=================================================================
==1550755==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000017c9 at pc 0x55cfb6bb60e7 bp 0x7ffe73d39980 sp 0x7ffe73d39970
READ of size 1 at 0x6070000017c9 thread T0
    #0 0x55cfb6bb60e6 in set_tlt_delta ../src/lib_ccx/telxcc.c:1261
    #1 0x55cfb6bd2f40 in process_non_multiprogram_general_loop ../src/lib_ccx/general_loop.c:967
    #2 0x55cfb6bd3bf3 in general_loop ../src/lib_ccx/general_loop.c:1062
    #3 0x55cfb6ad1986 in api_start ../src/ccextractor.c:205
    #4 0x55cfb6ad3cdb in main ../src/ccextractor.c:463
    #5 0x7f79b822350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f79b82235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #7 0x55cfb6ad0cc4 in _start (/home/cfsmp3/codebase/ccex/ccextractor/linux/ccextractor+0x17acc4)

0x6070000017c9 is located 1057 bytes to the right of 72-byte region [0x607000001360,0x6070000013a8)
freed by thread T0 here:
    #0 0x7f79b8ec1530 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x7f79b8c19327 in tesseract::ELIST::internal_clear(void (*)(void*)) (/lib/x86_64-linux-gnu/libtesseract.so.5+0x219327)

previously allocated by thread T0 here:
    #0 0x7f79b8ec0488 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x7f79b8ba35fa in tesseract::complete_edge(tesseract::CRACKEDGE*, tesseract::C_OUTLINE_IT*) (/lib/x86_64-linux-gnu/libtesseract.so.5+0x1a35fa)
    #2 0x7ffe73d38247  ([stack]+0x1c247)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/lib_ccx/telxcc.c:1261 in set_tlt_delta
Shadow bytes around the buggy address:
  0x0c0e7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff82f0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c0e7fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1550755==ABORTING

@cfsmp3 commented on GitHub (Dec 14, 2025):

Verification Update (December 2025)

Issue #1377 has been verified and is still present in the current codebase.

Background

This issue was previously masked by a separate bug (#1810) that prevented multi-file processing from working at all. After fixing #1810 (PR #1811), multi-file processing now works, which allowed proper verification of this memory corruption issue.

Test Results

| Files Processed | Order | Result |
|-----------------|-------|--------|
| 3 files | 1→2→3 | Works |
| 4 files (different set) | A→B→C→D | Works |
| 4 files | 1→2→3→4 | CRASH (panic in ccxr_calculate_ms_gop_time) |
| 2 files | 1→4 | CRASH |
| 2 files | 4→1 | Works |
| File 4 alone | - | Works |

Key Findings

  1. The crash is order-dependent: Processing certain files in a specific sequence triggers the bug
  2. DVD→HDTV transition is problematic: Processing a DVD-type file (4:3, 29.97fps) followed by an HDTV-type file (16:9) can trigger the crash
  3. Reverse order works: The same files in reverse order process successfully
  4. Files work individually: Each file processes correctly when run alone

Crash Location

The crash occurs in the Rust GOP timing code:

Stack trace:
  ccxr_calculate_ms_gop_time
    → ccx_rust::es::gop::read_gop_info
      → ccxr_read_gop_info
        → read_gop_info
          → es_video_sequence
            → process_m2v
              → process_data
                → general_loop

The error message indicates: thread caused non-unwinding panic. aborting.

Root Cause Hypothesis

State from processing earlier files (particularly timing/GOP-related structures) is not being properly reset between files. When transitioning from DVD-type to HDTV-type content, corrupted or stale state causes the GOP timing calculations to fail.

Files Used for Testing

  • File 1: 0069dffd21806a08d21a0f2ef8209c00c84a5a7e5cd5468ad326898f7431eb8e.mpg (DVD-type, 720x480, 4:3)
  • File 4: 70000200c0b9421b983a8cba0f0ccd90ca600a86d39692144eeeeb270d2f8446.mpg (HDTV-type)

Suggested Investigation Areas

  1. src/rust/src/es/gop.rs - GOP timing calculations
  2. State reset logic between files in switch_to_next_file()
  3. Timing structure initialization in the Rust ES code

🤖 Generated with Claude Code
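
The root-cause hypothesis in the comment above (per-file state surviving the switch to the next file) can be reproduced in a small model. This is an added example, not CCExtractor code: `file_state`, `gop_elapsed_ms`, `end_file_stale`, `end_file_reset` and the GOP timestamps are all constructed for illustration. It shows why such a bug is order-dependent, and that the order that "works" still computes wrong values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of per-file decoder state; none of these names are CCExtractor's. */
struct file_state {
    int      have_first_gop; /* 1 once a GOP timestamp has been recorded */
    int64_t  first_gop_ms;   /* baseline that later GOP times are measured from */
    uint8_t *buf;            /* per-file scratch buffer, owned by this struct */
    size_t   buf_len;
};

struct gops { const int64_t *t; size_t n; };

/* Constructed sample input: GOP timestamps (ms) for two files. */
static const int64_t FILE_A_GOPS[] = { 600000, 600500, 601000 }; /* starts late */
static const int64_t FILE_B_GOPS[] = { 0, 500, 1000 };           /* starts at zero */
static const struct gops SEQ_AB[2] = { { FILE_A_GOPS, 3 }, { FILE_B_GOPS, 3 } };
static const struct gops SEQ_BA[2] = { { FILE_B_GOPS, 3 }, { FILE_A_GOPS, 3 } };

static int begin_file(struct file_state *s, size_t len)
{
    s->buf = calloc(len, 1);
    if (s->buf == NULL)
        return -1;
    s->buf_len = len;
    return 0;
}

/* Elapsed time of a GOP relative to the first GOP of the current file.
 * Returns -1 when time would run backwards: a broken invariant of the
 * kind that ends in an abort instead of a recoverable error. */
static int gop_elapsed_ms(struct file_state *s, int64_t gop_ms, int64_t *out)
{
    if (!s->have_first_gop) {
        s->have_first_gop = 1;
        s->first_gop_ms = gop_ms;
    }
    if (gop_ms < s->first_gop_ms)
        return -1;
    *out = gop_ms - s->first_gop_ms;
    return 0;
}

/* Buggy hand-over: releases the buffer and keeps everything else. */
static void end_file_stale(struct file_state *s)
{
    free(s->buf); /* s->buf now dangles and the timing fields survive */
}

/* Hardened hand-over: release, then wipe every per-file field. */
static void end_file_reset(struct file_state *s)
{
    free(s->buf);
    *s = (struct file_state){0}; /* pointer becomes NULL, baseline is forgotten */
}

/* Processes files in order. Returns the index of the first file that fails,
 * or -1 if all succeed; *last_elapsed holds the last value computed. */
static int run_sequence(const struct gops *files, size_t nfiles, int reset,
                        int64_t *last_elapsed)
{
    struct file_state s = {0};
    for (size_t f = 0; f < nfiles; f++) {
        int failed = 0;
        if (begin_file(&s, 64) != 0)
            return (int)f;
        for (size_t i = 0; i < files[f].n && !failed; i++)
            failed = gop_elapsed_ms(&s, files[f].t[i], last_elapsed) != 0;
        if (reset)
            end_file_reset(&s);
        else
            end_file_stale(&s);
        if (failed)
            return (int)f;
    }
    return -1;
}

int main(void)
{
    int64_t e = 0;
    int r;
    r = run_sequence(SEQ_AB, 2, 0, &e);
    printf("stale A->B: failed file %d\n", r);
    r = run_sequence(SEQ_BA, 2, 0, &e);
    printf("stale B->A: failed file %d, last elapsed %lld ms\n", r, (long long)e);
    r = run_sequence(SEQ_AB, 2, 1, &e);
    printf("reset A->B: failed file %d, last elapsed %lld ms\n", r, (long long)e);
    return 0;
}
```

With the stale hand-over, A→B fails on the second file while B→A completes but reports 601000 ms instead of 1000 ms, so a passing reverse-order run is not evidence that the state is clean.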
